Build the Security Capability Your Organization Needs

Every course produces operational artifacts you deploy at work the same week — detection rules that fire on real attacks, investigation playbooks tested against realistic incidents, architecture decisions documented well enough for a board presentation. You don't just learn. You build. And you leave with proof your organization is more secure.

Every course produces artifacts you keep and use.

Architecture decisions, detection rules, and playbooks you deploy at work
Hands-on labs in your own environment — persistent, never expire
Verification scripts confirm your work before you move on
Written by practicing security engineers · 34 courses & skills · New content added regularly
From $179/year — every course includes free modules. See pricing →

The Gap Between Certification and Capability

Most security training teaches you what things are. Very little teaches you how to build, deploy, and operate them in your own environment. You pass the exam but can't design a Conditional Access framework, write a detection rule that fires on a real attack, or investigate a compromised identity end-to-end. Ridgeline exists to close that gap — every course produces the artifacts that prove you can do the work, not just describe it.

You Don't Just Learn. You Build.

Every course produces operational artifacts — the deliverables your organization actually needs. Deploy them at work. Take them into interviews. They're yours permanently.

Architecture Decisions

30+ Architecture Decision Records, decision matrices, a risk register, and an executive summary. A complete security architecture package you present to your CISO or take to your next role.

Detection Rules

Production-ready KQL and Sigma rules you deploy into Sentinel, Defender XDR, or Splunk. Tuned, tested, and validated against realistic attack data.

Investigation Playbooks

IR procedures, evidence collection workflows, timeline templates, and response frameworks. Built on NIST SP 800-61 Rev 3 methodology and tested against realistic scenarios.

Your Lab Is a Deliverable

You build a complete security operations lab on your own hardware — Windows, Linux, M365, Sentinel, and a full forensic toolchain. It's yours permanently. Nothing expires.

What a real module looks like

Detection Rule — BEC Mailbox Forwarding

// Exchange mailbox audit events: an inbox rule was created or modified
OfficeActivity
| where Operation in ("New-InboxRule", "Set-InboxRule")
// Rule parameters that forward, redirect, or silently delete mail
| where Parameters has_any ("ForwardTo", "RedirectTo", "DeleteMessage")
| project TimeGenerated, UserId, Operation

Deploy as a scheduled Sentinel analytics rule. Copy, paste, deploy. Legitimate internal forwarding (help desk, shared mailboxes) matches the same predicates, which is what the false-positive check in the verification step catches. This is what you build in every module.

KQL · Sentinel · Copy-paste ready

Lab — Investigate Compromised Identity

1. Query SigninLogs for the user's last 7 days. Identify the first sign-in from an unfamiliar IP.
2. Check AuditLogs for MFA method registration in the same 30-minute window.
3. If a new MFA method was registered from the attacker IP, that's persistence. Document the method and timestamp.

Run this in your own environment against real telemetry. The lab is yours permanently.

Hands-on · Your infrastructure · Permanent
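The three lab steps above as one query, added here as an illustration; it is not the lab's own solution code. It assumes the Sentinel SigninLogs and AuditLogs tables, and the UPN (finance.user@contoso.com) and the list of known corporate egress IPs are placeholders you replace with the account under investigation and your own addresses:

```kql
// Added example, not Ridgeline's lab code. The UPN and the known-IP list are
// placeholders for the account under investigation and your corporate egress IPs.
let suspect = "finance.user@contoso.com";
let known_ips = dynamic(["203.0.113.10", "203.0.113.11"]);
let lookback = 7d;
// Step 1: earliest successful sign-in in the lookback window from an IP that is not known.
let FirstUnfamiliar =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where UserPrincipalName =~ suspect
    | where ResultType == "0"
    | where IPAddress !in (known_ips)
    | summarize arg_min(TimeGenerated, IPAddress, Location, AppDisplayName)
    | project FirstSeen = TimeGenerated, AttackerIP = IPAddress, Location, AppDisplayName
    | extend JoinKey = 1;
// Step 2: successful MFA method registrations that target the same user.
let MfaRegistrations =
    AuditLogs
    | where TimeGenerated > ago(lookback)
    | where OperationName in ("User registered security info", "User registered all required security info")
    | where Result == "success"
    | extend TargetUpn = tostring(TargetResources[0].userPrincipalName)
    | extend RegisteredFromIP = tostring(InitiatedBy.user.ipAddress)
    | where TargetUpn =~ suspect
    | extend JoinKey = 1;
// Step 3: keep registrations inside the 30-minute window after the first unfamiliar sign-in.
// One from the attacker IP is the persistence finding; anything else in the window is still reviewed.
FirstUnfamiliar
| join kind=inner (MfaRegistrations) on JoinKey
| where TimeGenerated between (FirstSeen .. (FirstSeen + 30m))
| extend Verdict = iff(RegisteredFromIP == AttackerIP,
    "PERSISTENCE: MFA method registered from attacker IP",
    "Review: registration in window from a different IP")
| project RegistrationTime = TimeGenerated, FirstSeen, AttackerIP, Location, AppDisplayName,
    RegisteredFromIP, ResultDescription, Verdict
| order by RegistrationTime asc
```

An empty result means no registration landed in the window, not that the account is clean: widen the window or drop the `Result == "success"` filter to see failed registration attempts from the same IP. ResultDescription from AuditLogs carries the registered method type, which is the detail step 3 asks you to document.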

Verification — Detection Rule Deployed

Analytics rule created — BEC_Forwarding_Rule
Query syntax validated — 0 errors
Test against sample data — 3 matches found
False positive check — review IT-admin@contoso.com

Verification scripts confirm your work is correct before you move on.

Automated · Pass/Fail · Production-ready
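How the "test against sample data" and "false positive check" steps can be exercised against the BEC mailbox-forwarding rule shown above, as an added example that is not Ridgeline's verification script. The rows are constructed to look like OfficeActivity records (UPNs, IPs and rule parameters are made up) so the query runs in any Log Analytics or Kusto workspace without real telemetry:

```kql
// Added example, not Ridgeline's verification script. Constructed rows shaped like the
// OfficeActivity columns the rule uses. Row 1 and row 2 are true positives (external
// forward, then a redirect that also deletes the original), row 3 forwards inside the
// tenant from corporate egress and is the candidate false positive, rows 4 and 5 are benign.
let SampleOfficeActivity = datatable(TimeGenerated:datetime, UserId:string, Operation:string, ClientIP:string, Parameters:string)
[
    datetime(2024-05-01 08:12:00), "finance.user@contoso.com", "New-InboxRule", "198.51.100.23",
        '[{"Name":"ForwardTo","Value":"attacker@example.net"},{"Name":"Name","Value":"."}]',
    datetime(2024-05-01 08:13:10), "cfo@contoso.com", "Set-InboxRule", "198.51.100.23",
        '[{"Name":"RedirectTo","Value":"attacker@example.net"},{"Name":"DeleteMessage","Value":"True"}]',
    datetime(2024-05-01 10:05:00), "IT-admin@contoso.com", "New-InboxRule", "203.0.113.10",
        '[{"Name":"ForwardTo","Value":"helpdesk@contoso.com"},{"Name":"Name","Value":"Helpdesk copy"}]',
    datetime(2024-05-01 10:30:00), "sales.user@contoso.com", "New-InboxRule", "203.0.113.11",
        '[{"Name":"MoveToFolder","Value":"Archive"}]',
    datetime(2024-05-01 11:00:00), "IT-admin@contoso.com", "Set-Mailbox", "203.0.113.10",
        '[{"Name":"Identity","Value":"shared.mailbox"}]'
];
// The detection logic under test: the same two predicates as the module's rule.
let Matches = SampleOfficeActivity
| where Operation in ("New-InboxRule", "Set-InboxRule")
| where Parameters has_any ("ForwardTo", "RedirectTo", "DeleteMessage");
// Expected: 3 matches. Pull the forward/redirect target out of the JSON parameter list
// so the false-positive review can separate internal from external destinations.
Matches
| extend Target = extract(@'"Name":"(?:ForwardTo|RedirectTo)","Value":"([^"]+)"', 1, Parameters)
| extend Disposition = case(
    isempty(Target), "Review: delete-only rule, inspect SubjectContainsWords",
    Target endswith "@contoso.com", "Review: internal forward, likely false positive",
    "Alert: external forward/redirect")
| project TimeGenerated, UserId, Operation, ClientIP, Target, Disposition
| order by TimeGenerated asc
```

Run it as a query before saving the analytics rule: three rows come back, two external alerts and the IT-admin@contoso.com internal forward flagged for review. Swap the datatable for the real OfficeActivity table and the same Target/Disposition logic becomes the triage enrichment for the deployed rule.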

Written by Practicing Security Engineers

Ridgeline's content is written by cybersecurity practitioners with over fifteen years of experience in DFIR, detection engineering, and threat hunting across production M365, Azure, Windows, and Linux environments. The detection rules we teach are rules we've deployed and tuned in production. The investigation methods are extracted from real forensic engagements. The architecture decisions are ones we've made and defended in front of CISOs and auditors.

CISSP-ISSAP · CISM · CCSP · CEH · CHFI · SC-200 · SC-300 · SC-400 · AZ-500 · CCNP
About the team →

Who This Is For

For Practitioners Who Need Depth — At Any Stage.

Whether you're securing an M365 tenant today or building toward a security role, the content is the same — professional-grade, structured, and designed to produce results you can show.

M365 admins handed security responsibility who need to design Conditional Access, configure Defender, and present an architecture to leadership — not just enable features.

SOC analysts moving into specialized roles — detection engineering, threat hunting, DFIR, or security architecture. The structured depth that makes the transition real.

Security engineers and IR practitioners building operational depth in forensics, identity security, memory analysis, or detection validation that certification prep doesn't cover.

IT professionals transitioning into security who want professional-grade material from day one — not another beginner overview. Start with the free Admin to Defender course and progress into any specialization.

Career-changers building a portfolio of production-grade security artifacts they can demonstrate in interviews — architecture packages, detection rules, investigation reports.

Individual practitioners investing in their own development because their employer won't fund the specialist training they need. Every course at a price you can justify yourself.

What You'll Build

Courses That Produce Operational Results

Each course is structured around the artifacts you produce — not content you consume. You finish with deliverables you deploy at work or take into interviews.

M365 Security Architecture

You'll build: 30+ Architecture Decision Records, decision matrices, a risk register, architecture diagrams, and a board-ready executive summary
Your next architecture review has documented, defensible decisions instead of verbal justifications — and your CISO has a package they can present to the board.
15 modules · Specialist · 40 CPE
2 free modules · See what you'll build →

Detection Engineering

You'll build: A detection program from coverage gap analysis through production-deployed Sigma and KQL rules with a CI pipeline
Threats that used to slip through your SIEM undetected are now caught by rules you wrote, tested, and deployed yourself — with a pipeline that keeps them current.
13 modules · Premium · 36 CPE
Free modules available · See what you'll build →

Practical Incident Response

You'll build: Investigation playbooks, evidence collection procedures, timeline templates, and a complete response framework
Incidents that used to take days to investigate are triaged and contained in hours — because your team has battle-tested playbooks, not ad-hoc guesswork.
20 modules · Premium · 40 CPE
Free modules available · See what you'll build →

Purple Teaming for Blue Teams

You'll build: Validated detection rules for 136 ATT&CK techniques with Sigma rules and SIEM conversions
Your blue team knows exactly what real attacks look like and how to stop them — because they just executed, detected, and documented every one.
14 modules · Specialist · 136 techniques
Free modules available · See what you'll build →
View all courses →

Prove Your Work

Verifiable Credentials and CPE Credits

Complete a course, pass the scenario-based exam, and earn a verifiable credential with CPE credits. Share it with employers, include it in CPD logs, reference it in job applications.

Scenario-Based Exams

Triage (20 pts) → Investigation (50 pts) → Response (30 pts). Tests operational judgment, not memorization. Pass mark: 70 of 100.
80% course completion required · Realistic scenarios

CPE Credits & Public Verification

36–40 CPE credits per course. Public verification page at /verify/ — share with employers and include in CPD logs. Credentials are permanent.
36–40 CPE · Public verification · Permanent

Start With the Free Content.

Read the free modules, run the exercises, and decide if this is the right investment for your development. No account required. No credit card. Just content.

Weekly Security Engineering Insights

Detection techniques, architecture patterns, and operational judgment — delivered to your inbox every Tuesday.

No spam. Unsubscribe anytime.