Interactive Labs | Ridgeline Cyber Defence

Every lab is embedded in the relevant course subsection — complete them as you work through the modules. Your scores persist between sessions.

Detection Engineering (10 labs)

DE0.10 — CHAIN-HARVEST preview (free)

DE3.12 — CHAIN-HARVEST walkthrough

DE4.5 — AiTM tuning + investigation

DE7.3 — SharePoint bulk download

DE8.8 — Ransomware detection

DE8.11 — CHAIN-MESH

DE3.11 — Initial access triage (6 alerts)

DE4.12 — Credential attack triage (6 alerts)

DE9.4 — Threshold tuning

DE11.5 — Capstone triage (12 alerts)

Practical Incident Response (9 labs)

IR0.4 — Incident preview (free)

IR5.9 — Event log triage (6 items)

IR7.8 — Lateral movement tracing

IR8.8 — Identity compromise investigation

IR9.8 — Email forensics scope

IR13.10 — Ransomware kill chain

IR14.9 — BEC investigation

IR15.9 — Insider threat scope

IR19.9 — Capstone evidence (6 items)

M365 Security Operations (8 labs)

M365 0.1 — CHAIN-HARVEST preview (free)

M365 1.8 — XDR cross-product triage (free)

M365 6.5 — KQL filter precision

M365 6.8 — KQL aggregation

M365 12 — AiTM investigation

M365 12 — Scenario routing (6 alerts)

M365 14 — Token replay tuning

M365 16 — Insider threat tuning

Practical Threat Hunting (8 labs)

TH0.15 — Detection gap demo (free)

TH2.16 — KQL anti-patterns

TH4.13 — Hunt → investigation pivot

TH4.15 — Rare sign-in location

TH8.11 — Exfiltration velocity

TH9.12 — Endpoint threat hunt

TH12.11 — Pre-ransomware hunt

TH13.12 — Insider threat patterns

SOC Operations (7 labs)

S00.1 — CHAIN-HARVEST preview (free)

S02.1 — Detection lifecycle

S03.8 — Identity alert triage (6 alerts)

S05.8 — Endpoint alert triage (6 alerts)

S07.4 — AiTM playbook execution

S07.6 — Ransomware kill chain

S07.8 — Playbook selection (6 alerts)

Mastering KQL (6 labs)

K2.1 — Where filter precision

K3.1 — Aggregation functions

K4.1 — Cross-table investigation

K7.1 — Time-series anomaly

K9.1 — Query performance

K13.2 — Capstone walkthrough

Practical Linux IR (11 terminal labs)

LX0.5 — First Linux investigation (free)

LX4.8 — SSH brute force investigation

LX5.7 — Web application compromise

LX6.8 — Privilege escalation

LX7.10 — Persistence mechanisms (8 types)

LX8.9 — Cryptomining investigation

LX9.7 — Container compromise

LX10.5 — Cloud VM compromise

LX11.7 — Lateral movement

LX12.4 — Memory forensics (Volatility 3)

LX13.5 — Malware analysis

Lab environment setup

All interactive labs run in your browser — no separate platform needed. For hands-on tool exercises, KQL queries against real data, and forensic artifact analysis, set up the full lab environment using the comprehensive Lab Setup Guide — VMware, Windows 11, Ubuntu, M365 E5, Sentinel, and the complete forensic toolchain. For KQL-only exercises, the ADX free cluster with the NE synthetic dataset is sufficient. Download the data generator →