Courses That Close the Gap Between Certification and Capability.
You passed the exam but can't build the detection, investigate the incident, or present the architecture. These courses produce the artifacts that prove you can do the work — deployed in your environment, not a sandbox.
Every course produces artifacts you deploy at work.
Detection rules that fire on real attacks, playbooks that contain real incidents, architectures your CISO approves
Built in your own environment — persistent labs that never expire
Verification scripts confirm your work is production-ready before you move on
Written by practicing security engineers
·
34 courses
·
New modules added regularly
From $179/year — every course includes free modules. See pricing →
Security Engineering
Identity, Endpoint & Platform Security
After these courses, your Conditional Access framework is documented and defensible, your endpoints are hardened to a verifiable baseline, and your M365 security stack is configured the way it should have been from day one — not the way the defaults left it.
Advanced
Premium
Endpoint Security Engineering
ASR · AV · EDR · Custom Detections · Forensic Readiness · Cross-Platform
What you'll deployEndpoint hardening baselines, ASR rules, and Defender for Endpoint detection configs you can push today
ES · Endpoint Security
Start Free Module →See What You'll Deploy →
Advanced
Premium
Microsoft Entra ID Security
Conditional Access · Token Security · PIM · Workload Identity · Detection
What you'll deployProduction-ready Conditional Access policies + identity threat detection rules you can deploy immediately
EI · Identity Security
Start Free Module →See What You'll Deploy →
Essentials
Premium
Microsoft 365 Security Operations
Defender XDR · Sentinel · Purview · Copilot · Investigation Scenarios
What you'll deployFull M365 security operations playbook + live Sentinel + Defender XDR detections
M365 · Platform Security
Start Free Module →See What You'll Deploy →
Detection & Hunting
Detection Engineering, KQL & Threat Hunting
After these courses, threats that used to slip through your SIEM undetected are caught by rules you wrote, tested, and deployed. You produce 71 production KQL rules, execute 10 complete hunt campaigns, and build a detection-as-code pipeline that keeps your coverage current.
Advanced
Premium
Detection Engineering
71 KQL Rules · 6 Attack Chains · ATT&CK Mapped · Detection-as-Code
What you'll deploy71 production KQL detection rules + 6 full ATT&CK-mapped attack chains you can deploy today
DE · Detection
Start Free Module →See What You'll Deploy →
Essentials
Premium
Mastering KQL for Cybersecurity
Operators · Joins · Time-Series · Anomaly Detection · Performance
What you'll deploy68 production-grade KQL exercises + reusable query library you can use in every hunt
K · Query Language
Start Free Module →See What You'll Deploy →
Advanced
Premium
Practical Threat Hunting in Microsoft 365
10 Hunt Campaigns · Hypothesis-Driven · Identity · OAuth · Exfiltration
What you'll deploy10 complete hypothesis-driven hunt campaigns + Sentinel playbooks ready for your environment
TH · Threat Hunting
Start Free Module →See What You'll Deploy →
Essentials
Premium
Security Automation and Orchestration
Sentinel Playbooks · Auto-Containment · Evidence Collection · Orchestration
What you'll deployFully built Sentinel + Logic Apps playbooks for auto-containment and evidence collection
SA · Automation
Start Free Module →See What You'll Deploy →
Offensive Operations
Offensive Security & Campaign Analysis
After these courses, you understand how attackers plan and execute campaigns — infrastructure, payloads, movement, evasion — and you translate that operational logic into detection strategy. Your detections catch campaigns, not just individual alerts.
Investigation & Response
Incident Triage, Forensics & IR
After these courses, incidents that used to take days to investigate are triaged and contained in hours. You produce investigation playbooks, evidence collection procedures, containment workflows, and forensic timelines that hold up under legal scrutiny.
Advanced
Premium
Master Incident Triage and First Response
Cloud · Windows · Linux · KAPE · Velociraptor · KQL · Containment
What you'll deployComplete triage-to-containment playbook + KAPE + Velociraptor lab environment
TR · Triage
Start Free Module →See What You'll Deploy →
Advanced
Premium New
Network Detection and Forensics
Zeek · Suricata · Wireshark · tcpdump · PCAP · DNS · TLS · NetFlow
What you'll deploy5 full network investigation scenarios + Zeek/Suricata + Wireshark/PCAP analysis artifacts
NF · Network Forensics
Start Free Module →See What You'll Deploy →
Advanced
Premium
Practical Incident Response: Windows & Microsoft 365
KAPE · EZ Tools · Volatility 3 · Ransomware · BEC · Insider · APT
What you'll deploy4 complete Windows + M365 investigation scenarios + Volatility + BEC + ransomware response playbooks
IR · Forensics
Start Free Module →See What You'll Deploy →
Advanced
Premium
Practical Incident Response: Linux Systems
Filesystem · Memory · Logs · Containers · Cloud VMs · Persistence
What you'll deployFull Linux forensic investigation toolkit + Volatility + Log2Timeline labs on your own hardware
LX · Linux Forensics
Start Free Module →See What You'll Deploy →
Specialist
Advanced Specialist Courses
After these courses, you operate at depth most practitioners never reach — complete M365 security architecture with 30+ ADRs, detection validation against 136 ATT&CK techniques, applied memory forensics with learner-captured images, and offensive campaign analysis that informs your detection program.
Specialist
Specialist
M365 Security Architecture
Entra ID · Conditional Access · PIM · Purview · Intune · Sentinel · Defender XDR
What you'll deploy30+ ADRs, decision matrices, risk register, architecture diagrams, and an executive summary — a complete, portfolio-grade architecture package
MSA · M365 Security Architecture
Start Free Module →See What You'll Deploy →
Specialist
Specialist
Identity and Access Management in Microsoft 365
Entra ID · Entra ID Governance · Conditional Access · PIM · Graph API · PowerShell
What you'll deployA governed identity program where every identity — human and machine — has an owner, a lifecycle, and compliance evidence
IAM · Identity and Access Management
Start Free Module →See What You'll Deploy →
Specialist
Specialist New
Advanced Windows Forensic Analysis
MFT · USN Journal · ShellBags · Amcache · Prefetch · SRUM · Registry · Event Logs
What you'll deploy2 full capstone investigations + court-ready forensic reports and testimony artifacts
WF · Windows Forensics
Start Free Module →See What You'll Deploy →
Specialist
Specialist
Applied Memory Forensics: Attack, Capture, Analyse
Metasploit · Mimikatz · Volatility 3 · MemProcFS · WinDbg · YARA
What you'll deploy7 real attack techniques + 11 learner-captured memory images you can analyze end-to-end
DFIR · Memory
Start Free Module →See What You'll Deploy →
Specialist
Specialist
Purple Teaming for Blue Teams
Sigma · KQL · Sentinel · Defender XDR · Splunk · Elastic · Atomic Red Team · Caldera · VECTR · ATT&CK Navigator
What you'll deploy61 ATT&CK techniques walked end-to-end across 4 environments + 3 SIEMs (Sigma + KQL + Splunk)
DH · Purple
Start Free Module →See What You'll Deploy →
Operational Security
GRC, SOC Operations & AI Security
After these courses, your security program has the operational backbone that ties technical controls to business outcomes — GRC frameworks that survive audits, SOC playbooks your analysts actually follow, and AI-assisted workflows that make the team faster without creating new risk.
Essentials
Premium
SOC Operations
SOC Workflow · Detection Libraries · IR Playbooks · Metrics · Automation
What you'll deploySOC operational playbooks for triage, escalation, and shift handover you can implement this week
S · SOC Operations
Start Free Module →See What You'll Deploy →
Essentials
Premium
Practical GRC for Security Professionals
ISO 27001 · NIST CSF · SOC 2 · GDPR · CMMC · Audit Management
What you'll deployGRC program framework with risk registers, policy templates, and audit evidence
G · Governance
Start Free Module →See What You'll Deploy →
Essentials
Premium
Claude for Security Professionals
Investigation · Detection · Automation · Governance · Team Deployment
What you'll deployAI-powered security investigation and documentation workflows
C · AI Security
Start Free Module →See What You'll Deploy →
Free Courses
Start Here — Entirely Free
Complete courses with no subscription required. No account needed. Start learning immediately and progress into any specialization when you’re ready.
100% Free
Free
M365 Security: From Admin to Defender
MFA · Conditional Access · Email · Devices · Monitoring · Governance
What you'll deploySecurity mindset and M365 security fundamentals for IT admins transitioning to security
AD · Free Course
Start Course →See What You'll Deploy →
100% Free
Free
Claude Essentials for Security Professionals
Prompts · Investigation · Detection · Documentation · Automation · Governance
What you'll deployAI-assisted security workflows with Claude for investigations and documentation
CE · Free Course
Start Course →See What You'll Deploy →
12 Focused Skills
One Capability. Production-Ready.
Not every capability needs a 15-module course. Ridgeline Skills give you the same depth standard in a focused 4–8 hour format — one tool, one technique, one deployable outcome. Included with your subscription.
Same quality as full courses
4–8 hours to completion
Deploy what you build immediately
DFIR & Investigation
Skill
KAPE and EZ Tools Mastery
KAPE · MFTECmd · PECmd · AmcacheParser · Timeline Explorer
What you'll deployKAPE collection profiles + EZ Tools parsing pipeline for endpoint triage
DFIR Tools
Start Skill →See What You'll Deploy →
Skill
Velociraptor for Endpoint Investigation
Velociraptor · VQL · Notebooks · Artifact Exchange
What you'll deployVelociraptor deployment + hunt workflows for endpoint investigation
DFIR Tools
Start Skill →See What You'll Deploy →
Skill
Malware Triage
PEStudio · strings · VirusTotal · ANY.RUN · YARA · STIX
What you'll deployMalware triage workflow from initial sample through behavioural analysis
DFIR Tools
Start Skill →See What You'll Deploy →
Skill
YARA Rule Writing for DFIR
YARA · THOR Lite · Velociraptor · yarGen · PE headers
What you'll deployCustom YARA rules for malware detection and threat hunting
DFIR Tools
Start Skill →See What You'll Deploy →
Skill
Wireshark for Security Analysts
Wireshark · tshark · tcpdump · BPF · Display Filters
What you'll deployWireshark filters and analysis techniques for security investigations
Network Analysis
Start Skill →See What You'll Deploy →
Detection & Hunting
Skill
Sigma Rules for Detection Engineers
Sigma · sigma-cli · KQL · SPL · Elastic · ATT&CK
What you'll deploySigma detection rules convertible to KQL, SPL, and Elastic
Detection Engineering
Start Skill →See What You'll Deploy →
Skill
Sysmon Configuration and Tuning
Sysmon · XML Config · SwiftOnSecurity · GPO · Intune
What you'll deployProduction Sysmon configuration with detection-optimised event filtering
Detection Engineering
Start Skill →See What You'll Deploy →
Skill
Log Analysis with Regex
grep · sed · awk · PowerShell · regex101
What you'll deployRegex patterns for parsing security logs across Windows, Linux, and network devices
Log Analysis
Start Skill →See What You'll Deploy →
Security Engineering
Skill
Conditional Access Design
Entra ID · Conditional Access · Named Locations · Device Compliance
What you'll deployConditional Access policy designs covering the common attack paths
Identity Security
Start Skill →See What You'll Deploy →
Skill
Email Authentication Masterclass
SPF · DKIM · DMARC · DNS · M365 · Google Workspace
What you'll deploySPF, DKIM, and DMARC configuration for your email domains
Email Security
Start Skill →See What You'll Deploy →
Skill
PowerShell for Security Operations
PowerShell · WinRM · Get-WinEvent · Microsoft Graph
What you'll deploySecurity-focused PowerShell scripts for M365 administration and forensics
Security Operations
Start Skill →See What You'll Deploy →
Skill
Git for Security Teams
Git · GitHub · VS Code · CI/CD · Sigma
What you'll deployGit workflows for detection-as-code and security team collaboration
Security Operations
Start Skill →See What You'll Deploy →
Read the free modules. Then decide.
Every paid course opens with free foundation modules — no account, no email, no gate. Read the content, run the queries, and see for yourself whether this is the depth that closes the gap between where you are and where you need to be.