Why We Built a Text-Based Security Operations Training Platform
The problem with security training in 2026
There are hundreds of cybersecurity training platforms. Most of them share the same model: record a video, build a sandbox lab, charge a monthly subscription, optimise for watch time and completion rates.
That model works for general cybersecurity education. It does not work for security operations.
A SOC analyst at 02:00 during an active AiTM phishing investigation does not open a video. They open documentation. They search for a KQL query. They need to copy a detection rule, modify it for their environment, and deploy it — right now, not after a 45-minute lecture.
The training industry optimises for the wrong metric. Certification vendors optimise for exam pass rates. Video platforms optimise for watch time. Neither optimises for the metric that actually matters: how fast you can deploy a verified security capability and reduce your mean time to resolve when something goes wrong.
What Ridgeline does differently
Ridgeline is text-based, code-first security operations training. Every module produces deployable artifacts — detection rules, investigation playbooks, hardening checklists, and KQL query packs. You deploy them to your own Microsoft 365 tenant, not a sandbox.
Three things make this different from every other platform:
Your tenant, not a sandbox. Every query runs in your environment. Every detection rule deploys to your Sentinel workspace. When you finish a module, your tenant is more secure than when you started. Nothing disappears when you log out.
Blast radius on every action. Every configuration change includes what it affects, what it costs, what breaks if you get it wrong, and how to roll back in 60 seconds. Because an expert knows how to enable a feature. An operator knows what breaks when they do.
Real incidents, not lab exercises. The investigation modules are based on real attacks investigated in a production SOC. Five-wave AiTM phishing campaigns, BEC with financial fraud, token replay, consent phishing, insider threat — sanitised names, real methodology.
What’s live today
17 modules covering the full Microsoft security stack:
- Defender XDR, Defender for Endpoint, Purview, Defender for Cloud, Security Copilot
- Sentinel workspace configuration, data connectors, Defender for Office 365
- Detection engineering, threat hunting
- Five investigation scenarios: AiTM credential phishing, BEC, token replay, consent phishing, insider threat
Plus 3 hands-on lab exercises, 3 scenario challenges with full solutions, and 15 downloadable assets including 29 deployable KQL detection rules, 5 investigation playbooks, and 5 operational checklists.
Three modules are completely free. Create an account and start building.
Who this is for
SOC analysts working in Microsoft 365 environments. Security engineers building detection and response capabilities. IT administrators transitioning into security roles. Anyone preparing for the SC-200 certification who wants operational skills, not just exam answers.
If you read documentation during incidents instead of watching videos, this platform was built for you.