Your Environment. Your Artifacts. Nothing Expires.
Every lab runs in an environment you own — your M365 tenant, your Linux VMs, your forensic workstation. The detection rules, playbooks, and configurations you build are production artifacts, not sandbox exercises that vanish when the timer runs out.
The lab you build is the lab you keep.
Pre-built labs give you a sanitized environment that disappears when the course ends. You learn the buttons but not the deployment. Ridgeline courses use a Build Your Own Tenant model — you set up the environment, deploy the configurations, and keep everything permanently. The gap between "I did it in a lab" and "I can do it at work" doesn't exist.
Nothing expires
Pre-built labs expire after 4–8 hours. Your developer tenant renews every 90 days with active use. Your forensic VMs persist until you delete them. Detection rules you deploy keep running.
Real telemetry, real results
Sample data packs generate realistic sign-in patterns, email flow, and endpoint activity. Your KQL queries return real results from real tables — not pre-staged screenshots or synthetic data.
Portable to production
You learn in the same portals, the same PowerShell cmdlets, the same KQL tables as your production environment. Copy your detection rules, playbooks, and configurations directly to work.
Your security starter kit
By the end of a course, your environment contains deployed detection rules, hunting queries, protection policies, investigation playbooks, and hardening configurations. They're yours permanently.
Each course type has its own lab setup — all free or near-free.
Every course includes a lab setup module that walks you through the environment step by step. Most environments cost nothing. The ones that cost money are clearly documented with budget estimates.
M365 Tenant + Sentinel
M365 E5 developer tenant (25 licences), Azure Log Analytics + Sentinel, Defender XDR connectors. Used by: MSA, M365 Security Ops, Detection Engineering, Threat Hunting, SOC Ops, Entra ID Security.
$0 for the developer tenant. Sentinel and its Log Analytics workspace need an Azure subscription: ingestion is free for the Sentinel trial period and billed per GB afterwards, so budget for a small charge if you keep the workspace running.
See setup guide →
Forensic Workstation
Windows VM with KAPE, EZ Tools, Volatility 3, Timeline Explorer. Used by: Practical IR (Windows), Triage, Windows Forensic Analysis, Applied Memory Forensics.
$0 — runs on your hardware
See setup guide →
Linux Investigation VMs
Ubuntu/RHEL VMs for filesystem forensics, memory analysis, log examination, container investigation. Used by: Linux IR.
$0 — runs on your hardware
See setup guide →
Endpoint Lab
Windows client + Intune + MDE + Sysmon. ASR rules, compliance policies, configuration baselines. Used by: Endpoint Security Engineering.
$0 — included with E5 developer tenant
See setup guide →
Attack + Detect Lab
Attacker VM + Defender environment for executing techniques and validating detections. Used by: Purple Teaming, Offensive Operations.
$0 — runs on your hardware
See setup guide →
Memory Forensics Lab
Attack VM + target VM for learner-captured memory images. Volatility 3, MemProcFS, WinDbg, YARA. Used by: Applied Memory Forensics.
$0 — runs on your hardware
See setup guide →
Not just labs. Four different ways to prove you can do the work.
Labs are one practice layer. Every course also includes interactive simulations, scenario challenges, and verification scripts — so you're tested on judgment, not just procedure.
Interactive Simulations
Alert triage simulators, investigation engines, terminal emulators, and architecture exercises built into the course content. 6 simulation engines across 59 exercises. Practice decision-making without leaving the module.
Hands-On Labs
Deploy in your own environment. Every command is copy-paste-ready with expected output shown. You run the query, see the result, compare against the expected output, and verify with a script. Your artifacts stay deployed.
Scenario Challenges
Investigation scenarios with incident briefs. You investigate independently, then compare your findings against a detailed walkthrough. Tests methodology and judgment, not just tool knowledge.
Verification Scripts
After you build something, a verification script confirms it's correct — analytics rule deployed, query syntax validated, test data matched, false positives flagged. Pass/fail confirmation before you move on.
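The checks listed above, as an added example of what such a verification script looks like for a Sentinel scheduled analytics rule. This is illustrative code, not Ridgeline's own verification script; the resource group, workspace, rule name and test account are placeholders, and it assumes the Az.SecurityInsights and Az.OperationalInsights modules are installed and you are signed in with Connect-AzAccount.

```powershell
# Added example, not part of the course material. Verifies that a scheduled
# analytics rule is deployed and enabled, that its KQL parses, and that it
# matches seeded test data. All defaults below are placeholder assumptions.
param(
    [string]$ResourceGroupName = 'rg-sentinel-lab',                  # assumption
    [string]$WorkspaceName     = 'law-sentinel-lab',                 # assumption
    [string]$RuleDisplayName   = 'Lab - Suspicious sign-in burst',   # assumption
    [string]$TestAccount       = 'labtest@contoso.onmicrosoft.com',  # assumption
    [int]$LookbackHours        = 24
)

$ErrorActionPreference = 'Stop'
Import-Module Az.SecurityInsights, Az.OperationalInsights

$failures = [System.Collections.Generic.List[string]]::new()

# 1. Analytics rule deployed and enabled
$rule = Get-AzSentinelAlertRule -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName |
    Where-Object { $_.DisplayName -eq $RuleDisplayName }
if (-not $rule)                      { $failures.Add("rule '$RuleDisplayName' not found in workspace") }
elseif ($rule.Kind -ne 'Scheduled')  { $failures.Add("rule is kind '$($rule.Kind)', expected Scheduled") }
elseif (-not $rule.Enabled)          { $failures.Add("rule exists but is disabled") }

if ($failures.Count -eq 0) {
    $workspaceId = (Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName `
                                                        -Name $WorkspaceName).CustomerId

    # 2. Query syntax validated: run the rule's KQL with '| take 0' so the engine
    #    parses and executes it without returning rows; a syntax error throws.
    try {
        Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId `
            -Query "$($rule.Query)`n| take 0" | Out-Null
    } catch {
        $failures.Add("query failed to parse/execute: $($_.Exception.Message)")
    }
}

if ($failures.Count -eq 0) {
    # 3. Test data matched: over the lookback window the rule query must return
    #    at least one row that references the seeded test account.
    $resp = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $rule.Query `
                -Timespan (New-TimeSpan -Hours $LookbackHours)
    $rows = @($resp.Results)
    $hits = @($rows | Where-Object {
        ($_ | ConvertTo-Json -Compress) -match [regex]::Escape($TestAccount)
    })
    if ($hits.Count -eq 0) {
        $failures.Add("query returned $($rows.Count) row(s) in the last $LookbackHours h, none for $TestAccount")
    }

    # 4. False positives flagged: rows that hit something other than the test
    #    account are not failures, but they need a look before production use.
    $other = $rows.Count - $hits.Count
    if ($other -gt 0) {
        Write-Warning "$other row(s) matched accounts other than $TestAccount; review before promoting the rule"
    }
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Host "FAIL: $_" -ForegroundColor Red }
    exit 1
}
Write-Host "PASS: '$RuleDisplayName' is deployed, enabled, parses, and matches test data" -ForegroundColor Green
exit 0
```

The `| take 0` trick is the cheapest way to get the query engine to validate KQL without paying for a full result set; the lookback run is the expensive step, so it only happens once the rule and its syntax have passed. The exit code makes the script usable as a gate in a pipeline as well as at the console.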
Scenario-Based Exams
Triage (20 pts) → Investigation (50 pts) → Response (30 pts): timed simulations that test operational judgment under pressure. Passing score is 70 out of 100. Passing earns CPE credits and a verifiable credential.
Lab Packs & Downloads
Detection rule packs, KQL query libraries, investigation templates, and cheatsheets. Download and deploy directly — or use them as references alongside the course.
Every course works in production environments too.
If you work in an M365 environment and hold the Security Reader role, you can follow the investigation modules against your production telemetry. Configuration modules clearly identify the required roles, blast radius, rollback procedures, and verification steps, because we assume some learners are deploying to production rather than a sandbox. The developer tenant is recommended for configuration practice; production is fine for investigation and analysis.
Build something real this week.
Pick a course. Set up the lab. Deploy your first detection rule, investigate your first incident, or document your first architecture decision. Every course starts with free modules.