0.1 Mission, Course Structure, and Who This Is For
This course exists because the gap between Microsoft Learn and production SOC work is enormous. Microsoft Learn teaches you what buttons to click. This course teaches you what to do when an alert fires at 2am, your CISO wants a report by 8am, and the attacker is still in the environment.
What this course will make you
By the time you complete all 16 modules (Module 0 through Module 15), you will be able to:
- Write KQL from scratch — not copy-paste queries from documentation, but construct queries for scenarios you have never seen before, debug them when they return unexpected results, and optimize them when they run slowly
- Investigate any M365 security incident — from the first alert through containment, eradication, evidence collection, and executive reporting, using Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Purview
- Configure the complete protection stack — Defender for Endpoint, Defender for Office 365, Defender for Cloud Apps, Defender for Identity, Defender for Cloud, and Microsoft Sentinel analytics rules, with the operational judgment to know which settings matter and why
- Hunt for threats proactively — design hypotheses from threat intelligence, execute hunts using KQL and MITRE ATT&CK, and document findings that improve your organization’s detection posture
- Pass the SC-200 exam — every module maps to specific SC-200 exam objectives (January 2026 update), and every subsection tells you which exam skills it covers
- Operate as a SOC analyst on day one — the unique investigation modules (11-15) teach skills that no certification exam tests but every SOC requires: real incident investigation, CISO reporting, evidence handling, and detection engineering
Who this course is for
Primary audience: career-changers and early-career SOC analysts. You have some IT experience — maybe you have administered an M365 tenant, worked a help desk, or completed a foundational certification like CompTIA Security+ or SC-900. You understand basic networking and know what Active Directory is. You have not yet worked in a Security Operations Center, or you have worked in one for less than a year and want to build deep competence.
Secondary audience: experienced IT professionals expanding into security. You manage an M365 environment and have been told you are now responsible for security. You know how to create users and assign licenses. You do not know how to investigate a phishing incident or write a detection rule. This course takes you from “I manage the tenant” to “I defend the tenant.”
Not the right fit if: You have never used a computer in a professional context. This course assumes you can navigate a web browser, use a command line at a basic level, and understand concepts like IP addresses, DNS, and user accounts. If you need to build that foundation first, start with CompTIA IT Fundamentals or Microsoft SC-900 before returning here.
Course structure
The course has 16 modules organized into three tiers:
Modules 0-10: Core SC-200 content. These 11 modules mirror the official Microsoft learning paths for the SC-200 certification. They cover every exam objective at teaching depth — not the surface-level walkthroughs you find on Microsoft Learn, but the deep, worked-example, scenario-based instruction that builds real competence. If your goal is to pass the SC-200 exam and operate effectively in a SOC, these modules are sufficient.
Modules 11-15: Real-world investigation skills. These 5 modules are what makes this course different from every other SC-200 resource. They are based on real incidents, teach the professional skills that no exam tests, and build the operational judgment that separates a certified analyst from a competent one. Module 11 (AiTM Credential Phishing) walks through a real 5-wave phishing campaign from first alert to final CISO report. Module 14 (IR Reporting) teaches you to write incident reports that executives actually read. Module 15 (Detection Engineering) teaches you to convert investigation findings into permanent defenses.
Every module ends with two mandatory sections:
- Module Summary — key takeaways, skill checklist (“I can now…”), SC-200 objectives covered, and a bridge to the next module
- Check My Knowledge — 15-20 scenario-based questions that test whether you can apply what you learned, not whether you can recall a definition
How modules connect
This is not a collection of independent topics. Each module builds on the ones before it in the build order below, which is deliberately not the numeric module order:
- Module 0 (this module) sets up your lab and learning approach
- Module 6 (KQL) is the foundation — every module that follows it in this build order uses KQL
- Modules 1, 7, 8 teach you the Defender XDR and Sentinel platforms
- Modules 4, 5, 9 teach you to configure protections and detections
- Module 10 teaches proactive threat hunting
- Modules 2, 3 cover Security Copilot and Purview
- Modules 11-15 apply everything to real-world investigation
If you skip Module 6 (KQL) and jump to Module 9 (Detections), you will not understand the analytics rules. If you skip Module 1 (Defender XDR) and jump to Module 11 (AiTM), you will not understand the investigation portal. Follow the build order above rather than the module numbers. The course is designed as a progression, not a reference library.