The Complete Ridgeline Curriculum: 7 Courses, 84 Modules, 1.17 Million Words of Security Operations Training

One platform, one curriculum

Ridgeline is not a collection of independent courses. It is a unified curriculum where each course connects to the others — sharing concepts, cross-referencing techniques, and building skills that compound across the platform.

KQL is the query language taught in Mastering KQL and applied in M365 Security Operations, SOC Operations, and Practical IR. Detection rules are authored in SOC Operations using the KQL skills from Mastering KQL and deployed in the environments configured in M365 Security Operations. Investigation techniques from M365 Security Operations are the foundation for the deep-dive scenarios in Practical IR. GRC provides the governance framework that turns the operational security outputs from all other courses into the board reports, risk registers, and compliance documentation that leadership needs. Claude for Security Professionals teaches AI-assisted workflows that accelerate work in every other course.

The courses work independently — you can take any single course and gain substantial value. But they are designed to work together, and the learner who completes multiple courses benefits from the deliberate connections between them.

The seven courses

Microsoft 365 Security Operations

17 modules. 474,871 words. The flagship.

The operational manual for the Microsoft security stack. Configures, operates, and investigates using Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, Sentinel, and Entra ID. Phase 1 (4 modules) is free. Mapped to SC-200 exam objectives.

Best for: SOC analysts in M365 environments, IT admins inheriting security, SC-200 candidates.

Mastering KQL

14 modules. 134,437 words.

KQL for security analysts, not data engineers. Every query uses security tables. Every exercise is an investigation scenario. Covers from first query through advanced threat hunting, detection rule authoring, and workbook creation. Phase 1 (4 modules) is free.

Best for: Anyone working in the M365 security stack who needs to query data.

SOC Operations

13 modules. 167,378 words.

The operational discipline that makes a SOC function. 28 detection rules, 3 investigation playbooks, 4 IR report templates, 45 hardening controls, 5 automation templates. Covers the complete SOC lifecycle from alert triage through post-incident improvement.

Best for: SOC analysts building operational maturity, security managers designing SOC processes.

Claude for Security Professionals

11 modules. 92,010 words.

AI-assisted security workflows. Using Claude for detection engineering, incident investigation, report writing, threat analysis, policy development, and architecture review. Grounded in real security workflows with verification patterns and accuracy safeguards.

Best for: Security practitioners who want to use AI as a daily operational tool.

Practical GRC for Security Professionals

17 modules. ~218,000 words.

Governance, risk, and compliance as operational deliverables. Risk registers, compliance frameworks (NIST CSF, NIS2, ISO 27001, SOC 2, GDPR), board reporting, breach notification, and the governance operating model. Phase 1 (3 modules) is free.

Best for: Security practitioners who need GRC skills, security managers reporting to the board.

Practical Incident Response: Windows and M365

20 modules planned, 3 built. 95,639 words and growing.

Full IR methodology using the six-step investigation method. Windows endpoint forensics (KAPE, EZTools, Volatility 3) and M365 cloud investigation (KQL, Purview, Sentinel) as a unified discipline. Free tools at professional depth. Includes four complete investigation scenarios and a comprehensive capstone. Phase 1 (3 modules) is free.

Best for: SOC analysts moving into IR, IR practitioners expanding into M365, security engineers building IR capability.

Claude Essentials for Security Professionals

11 modules. 25,580 words. Entirely free.

The entry point for the platform. Foundation modules (5) cover the M365 security landscape, identity basics, email security basics, endpoint basics, and security monitoring. Security track modules (6) go deeper into investigation, detection, and response fundamentals. No account required.

Best for: Anyone new to M365 security. The free starting point regardless of role or experience level.

Where to start based on your role

SOC analyst in an M365 environment. Start with M365 Security Operations Phase 1 to build foundation knowledge, then M365 Security Operations for the operational depth, then Mastering KQL if you need to strengthen your query skills.

IT admin who just inherited security. Start with M365 Security Operations Phase 1, then M365 Security Operations Phase 1 (free — covers the ecosystem and KQL basics), then progress through the configuration modules in Phase 2.

Security engineer building detection capability. Start with Mastering KQL, then SOC Operations for the detection engineering and playbook modules, then M365 Security Operations for the platform-specific implementation.

IR practitioner. Start with Practical IR (Phase 1 is free and covers the complete toolkit). If you need M365 investigation depth, add M365 Security Operations. If you need the query language, add Mastering KQL.

Security manager or CISO. Start with Practical GRC for the governance and reporting frameworks. Add SOC Operations for the operational metrics and processes that feed the board reports.

By the numbers

7 courses. 84+ modules. 898 pages. Over 1.17 million words. Over 45,000 words of completely free content across Claude Essentials and the free phases of each course. Every module produces deployable artifacts — detection rules, investigation queries, report templates, hardening checklists, and operational procedures. Text-based, searchable, reference-grade. No video. No sandbox. Your environment, your data, your pace.
