For Blue Team Practitioners Validating Detection Coverage Across Microsoft and Open-Source SIEMs
Purple Teaming for Blue Teams
Run the attack. Watch the detection. Fix what is broken. Prove it works.
Validate your detection coverage by walking 61 ATT&CK techniques end-to-end across Windows, Active Directory, Microsoft 365, and Linux. Execute real attack commands in your own lab, observe the telemetry, write or tune the Sigma rule that catches each technique, and document the result across three SIEMs.
The attack-then-detect rhythm
Every technique section follows the same pattern. You execute the attack in your lab, observe the raw telemetry it produces, write the Sigma rule that catches it, convert that rule to KQL and to your secondary SIEM's query language, tune it for false positives, and document the result. Same rhythm, every technique, across all four environments.
By the third or fourth technique the structure becomes invisible — you stop reading the headings and start reading the content. That is the point. The rhythm builds the habit. The habit becomes the programme.
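To make that loop concrete, here is a small added illustration in Python; it is not course material and not Ridgeline's code. It holds the parsed form of a constructed Sigma process_creation rule, evaluates it against constructed Sysmon Event ID 1 records (an attack event, a benign sibling, and a tuned-out service-account case), and renders the same logic as KQL for two Microsoft schemas. The SecurityEvent and DeviceProcessEvents column names are real; the field mapping, the rule, the sample events and the service-account tuning filter are this example's assumptions, and `User` is treated as a bare username for simplicity.

```python
import re

# Parsed form of a minimal Sigma rule (constructed for this example). In the
# course loop this is what you write after observing the Sysmon Event ID 1
# telemetry produced by the technique you just executed in the lab.
RULE = {
    "title": "Office application spawning an enumeration binary (constructed)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe"],
            "Image|endswith": ["\\whoami.exe", "\\net.exe"],
        },
        # Tuning filter (assumed): inventory service accounts that do this legitimately.
        "filter_service_accounts": {"User|startswith": "svc_"},
        "condition": "selection and not filter_service_accounts",
    },
}

# Sigma field -> column for two Microsoft schemas. Column names are real; the
# mapping itself is this example's assumption, and 'User' is a bare username.
FIELD_MAPS = {
    "sentinel_securityevent": {
        "table": "SecurityEvent | where EventID == 4688",
        "Image": "NewProcessName", "ParentImage": "ParentProcessName", "User": "SubjectUserName",
    },
    "defender_deviceprocessevents": {
        "table": "DeviceProcessEvents",
        "Image": "FolderPath", "ParentImage": "InitiatingProcessFolderPath", "User": "AccountName",
    },
}

# Sigma value modifiers supported here; Sigma string matching is case-insensitive.
_OPS = {
    "endswith": lambda v, p: v.lower().endswith(p.lower()),
    "startswith": lambda v, p: v.lower().startswith(p.lower()),
    "contains": lambda v, p: p.lower() in v.lower(),
    "equals": lambda v, p: v.lower() == p.lower(),
}
# Only '<selection>' or '<selection> and not <filter>' conditions are handled.
_COND = re.compile(r"(\w+)(?: and not (\w+))?")

def _split(key):
    field, _, modifier = key.partition("|")
    return field, modifier or "equals"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _parse_condition(condition):
    match = _COND.fullmatch(condition)
    if not match:
        raise ValueError(f"unsupported condition shape: {condition}")
    return match.group(1), match.group(2)

def block_matches(block, event):
    """Fields inside one Sigma block are AND-ed; a list of values is OR-ed."""
    for key, patterns in block.items():
        field, modifier = _split(key)
        value = event.get(field, "")
        if not any(_OPS[modifier](value, p) for p in _as_list(patterns)):
            return False
    return True

def rule_fires(rule, event):
    """Evaluate the rule against one flattened telemetry event."""
    detection = rule["detection"]
    selection, filt = _parse_condition(detection["condition"])
    hit = block_matches(detection[selection], event)
    if hit and filt:
        hit = not block_matches(detection[filt], event)
    return hit

def _kql_block(block, fmap):
    clauses = []
    for key, patterns in block.items():
        field, modifier = _split(key)
        op = "=~" if modifier == "equals" else modifier  # KQL endswith/startswith/contains are case-insensitive
        alternatives = " or ".join(f'{fmap[field]} {op} @"{p}"' for p in _as_list(patterns))
        clauses.append(f"({alternatives})")
    return " and ".join(clauses)

def to_kql(rule, target):
    """Render the same rule for one FIELD_MAPS target: different schema, same logic."""
    fmap = FIELD_MAPS[target]
    detection = rule["detection"]
    selection, filt = _parse_condition(detection["condition"])
    query = f"{fmap['table']}\n| where {_kql_block(detection[selection], fmap)}"
    if filt:
        query += f"\n| where not ({_kql_block(detection[filt], fmap)})"
    return query

# Constructed Sysmon Event ID 1 records, flattened to the fields the rule reads.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
ATTACK_EVENT = {"ParentImage": WINWORD, "Image": r"C:\Windows\System32\whoami.exe", "User": "jsmith"}
BENIGN_EVENT = {"ParentImage": WINWORD, "Image": r"C:\Windows\splwow64.exe", "User": "jsmith"}
TUNED_OUT_EVENT = {"ParentImage": WINWORD, "Image": r"C:\Windows\System32\net.exe", "User": "svc_inventory"}

def validation_results():
    """The 'prove it works' step: fire on the attack, stay quiet on the rest."""
    return {
        "attack": rule_fires(RULE, ATTACK_EVENT),
        "benign": rule_fires(RULE, BENIGN_EVENT),
        "tuned_out": rule_fires(RULE, TUNED_OUT_EVENT),
    }

if __name__ == "__main__":
    print(validation_results())
    for target in FIELD_MAPS:
        print(f"\n-- {target} --\n{to_kql(RULE, target)}")
```

The point of keeping the rule in one place and rendering per schema is that the Sentinel and Defender XDR queries stay provably the same detection; the validation step then runs the recorded attack telemetry and the known benign cases through it before anything ships, which is the evidence the course asks you to keep per technique.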
Who this course is for
Blue-team practitioners with detection responsibilities who suspect their detections have gaps but cannot quantify them.
Detection engineers who author rules and ship them to production but do not always know if they fire against the actual technique.
SOC leads building a continuous purple-team rhythm — weekly, monthly, and quarterly cadence that keeps coverage current.
IR practitioners who want to understand attacker telemetry from the source, not backwards from the breach report.
Threat hunters extending into proactive validation — hunting finds the unknown, purple teaming proves the known is actually working.
Anyone with a genuine interest in detection validation. Whatever your background — whether you are transitioning from another domain, early in your career, or exploring a new direction — if the subject interests you and you are willing to put in the work, this course is for you. Backgrounds vary. Motivation is what matters.
What you will be able to do
1. Execute 61 ATT&CK techniques end-to-end across Windows, Active Directory, Microsoft 365, and Linux in a controlled lab environment — from initial access through impact.
2. Validate detection rules by firing the attack and verifying the alert. Every rule is tested against the actual technique before it goes to production.
3. Write and tune Sigma rules from observed attack telemetry. Full YAML with KQL conversions for Sentinel, Defender XDR Advanced Hunting, and your choice of Splunk SPL or Elastic.
4. Read raw telemetry at the source. Sysmon events, M365 Unified Audit Log entries, auditd records — with the relevant fields highlighted and annotated.
5. Tune detections systematically. Identify false-positive sources, build concrete tuning strategies, and set baseline FP rate expectations for every rule.
6. Run a continuous purple-team programme with measurable coverage metrics — MTTD per technique, FP rates, detection quality scores, and the board report that demonstrates progress.
7. Produce a complete purple-team report. The capstone CHAIN-HARVEST exercise produces a real-world deliverable — multi-stage attack chain validated end-to-end with coverage gaps, tuning recommendations, and prioritised remediation.
Course at a glance
Modules: 15 (PT0–PT14) — foundations, 12 ATT&CK tactics, capstone
Techniques: 61 ATT&CK techniques walked end-to-end
Environments: Windows, Active Directory, Microsoft 365, Linux
SIEMs: Sentinel, Defender XDR Advanced Hunting, Splunk or Elastic
Format: Written content — attack commands, annotated telemetry, Sigma rules, detection tuning, knowledge checks
Free content: PT0–PT1 (2 modules) — no account required
Paid content: PT2–PT14 (13 modules) — Specialist or Team subscription
Built by Ridgeline Cyber
Ridgeline Cyber Defence builds security operations training grounded in practical and operational experience. The team behind this course runs cybersecurity operations across cloud and on-prem security stacks, and manages and executes incident response engagements across a wide range of cyber investigations. You are in good hands.
The techniques, detection rules, and tuning strategies in this course are drawn from that operational work — adapted for training but grounded in production detection engineering.
Lab environment
Windows endpoint VM: Windows 10/11 with Sysmon (SwiftOnSecurity config). The primary attack target for endpoint techniques.
Active Directory domain controller: Windows Server with AD DS. Target for credential access, persistence, and privilege escalation techniques.
Linux VM: Ubuntu with auditd and Neo23x0 ruleset. Target for Linux-specific techniques.
Microsoft 365 developer tenant (free): E5 licensing for cloud attack scenarios — phishing, OAuth abuse, mailbox persistence, cloud discovery.
SIEM stack: Sentinel (Azure subscription), Defender XDR Advanced Hunting, and your choice of Splunk Free or Elastic as a secondary.
Attack tooling: Atomic Red Team, Caldera, VECTR, ATT&CK Navigator. All free.
The lab is built from scratch in Module 1. No prior lab required.
Course Syllabus
15 modules. PT0–PT1 are free — no account required. Modules 2–13 align to the 12 ATT&CK enterprise tactics. Module 14 is the capstone.
Phase 1 — Foundations and Lab Build (PT0–PT1, free)
Phase 2 — Walking the ATT&CK Kill Chain (PT2 onwards)
What you get that you will not find elsewhere
This is not a vendor demo. You execute the attack yourself. You observe the telemetry yourself. You write the rule yourself. Every detection in this course is validated in your own lab against the actual technique — not a screenshot from someone else's environment.
Three SIEMs in every detection. Sigma rule in full YAML, plus KQL for Sentinel, KQL for Defender XDR Advanced Hunting (different schema), and SPL or Elastic for your secondary. You leave with rules you can deploy regardless of your SIEM stack.
61 techniques is not a number — it is a coverage map. Each technique is walked, detected, tuned, and documented. By Module 14 you have evidence-backed detection coverage across the full ATT&CK kill chain, logged in VECTR and reflected in your ATT&CK Navigator heatmap.
A working lab you keep. The four-environment, three-SIEM lab you build in Module 1 is yours permanently — use it for ongoing programme work, team training, or validating new detections as your environment evolves.
Where this course fits
Detection Engineering teaches you to write rules. Threat Hunting teaches you to search proactively. Purple Teaming for Blue Teams teaches you to prove the rules work — and have the evidence to back it up.
Offensive Security for Defenders operates at the campaign level, connecting the techniques this course validates. PT detects the individual event. OD detects the campaign.
Recommended learning path: DE → PT → OD → TH. This is a recommended path, not a dependency chain. A learner can start at any course.
The outcome
You start with rules you hope work. You finish with evidence they do.
61 evidence-backed detections — every one tested in your own lab against the actual technique.
A working three-SIEM, four-environment lab — yours to keep and use for ongoing programme work.
An ATT&CK Navigator coverage heatmap — populated continuously, not retrofitted.
A complete programme template — coverage matrix, MTTD, FP rates, detection quality score, programme cadence.
A capstone purple-team report — the deliverable you present internally, take into an interview, or use as a template for your team's first engagement.
Support and community
Questions about course content: training@ridgelinecyber.com
Billing and account management: Self-service via your account page or training@ridgelinecyber.com
LinkedIn: Follow Ridgeline Cyber for operational security content and course updates
Usage rights and disclaimer
Course materials: Licensed for individual professional development. You may deploy Sigma rules, KQL queries, and detection configurations from this course in your production environment. You may not redistribute course content, share account credentials, or republish course materials.
Attack techniques: All attack execution is performed in your own isolated lab environment. Do not execute attack techniques against systems you do not own or have explicit written authorization to test.
Fictional environment: All scenarios use the fictional Northgate Engineering environment. Any resemblance to real organizations, incidents, or individuals is coincidental.
Version and changelog
Current version: 1.0 | Last updated: April 2026
April 2026 — v1.0: Course complete. 15 modules (PT0–PT14). 61 ATT&CK techniques across 12 tactics. Full kill chain from initial access through impact. Capstone CHAIN-HARVEST exercise. Three-SIEM detection track throughout.
This course is actively maintained. Techniques and detections are updated as the ATT&CK framework evolves and new attack patterns emerge.
End of Course Exam
Complete the course, then prove your skills under time pressure. Pass mark: 70. Distinction: 90. Earn your certificate with CPE credits.
Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.