
0.1 Mission, Course Structure, and Who This Is For

45 minutes · Module 0 · Free
Operational Objective
This subsection explains the mission of the course, how the modules fit together, and who the course is for. Every later concept is demonstrated through scenarios from the Northgate Engineering (NE) environment, so this is also where that environment is introduced.
Deliverable: a clear picture of what you will have built by the end of the course and which modules matter most for your role.
Estimated completion: 25 minutes
Figure 0.1 — Operational workflow from input through documented output (Input → Process → Analyse → Decide → Output).


The problem this platform solves

The cybersecurity training industry optimizes for the wrong metric. Certification vendors optimize for exam pass rates. Video platforms optimize for watch time. Neither optimizes for the metric that matters: how quickly you can deploy a verified, production-ready security operations capability and reduce your organization's mean time to resolve when an incident occurs.

Microsoft Learn teaches you what buttons to click. Vendor certification courses teach you to pass an exam. Neither teaches you what to do when an alert fires at 2am, your CISO wants a report by 8am, and the attacker is still in the environment.


There are three specific failures in how the industry trains security operators:

The first failure is passive consumption. Video courses create an illusion of competence. You watch someone configure a conditional access policy and feel like you understand it. Then you sit down at your own tenant and cannot remember which blade it is in, what the blast radius of the policy is, or what breaks when you enable it. Watching is not doing.

The second failure is synthetic environments. Ephemeral web-based labs where you click predefined buttons in a preconfigured sandbox and the environment is destroyed when you log out. You retain nothing. You cannot deploy what you practiced into your employer's environment because nothing you built persists.

The third failure is greenfield assumptions. Every training environment starts clean — no legacy applications, no service accounts with basic authentication dependencies, no conditional access policies that conflict with each other, no budget constraints on data ingestion. The real world has all of these. An expert knows how to enable a feature. An operator knows what will break when they do, and how much it will cost.

This platform solves all three.

What Ridgeline is

Ridgeline is an operational readiness simulator for Microsoft 365 security operations. The output of this course is not a certificate of completion. It is a repository of production-ready assets — KQL detection queries, PowerShell deployment scripts, investigation playbooks, IR report templates, and hardening checklists — that you built, tested, and verified in your own M365 tenant.

Every module follows the BYOT (Bring Your Own Tenant) model. You deploy configurations into your own environment. You run KQL queries against your own data. You build detection rules that fire against your own log sources. When you complete this course, your tenant is more secure than it was when you started — and you have the artifacts to prove it.

This course aligns with the SC-200 certification because the exam tests the same operational skills. You will be able to pass the exam. But the exam is a side effect of operational competence, not the objective. The objective is: you can investigate an incident, contain the attacker, write the report, build the detection rule that catches it next time, and justify every configuration to a GRC auditor by citing the specific NIST, ISO, or SOC 2 control it satisfies.

What you will leave with

By the time you complete all modules, you will possess:

A production-ready detection library. KQL analytics rules you wrote, tested against your own data, and deployed in your own Sentinel workspace. Not theoretical queries from a textbook — rules that are actively detecting threats in your environment. Each rule includes: the detection logic, entity mappings, alert grouping configuration, MITRE ATT&CK mapping, and the compliance framework control it satisfies.

A library of investigation playbooks. Step-by-step decision trees for the most common M365 incident types: AiTM credential phishing, business email compromise, OAuth consent phishing, token replay, insider threat, and ransomware pre-encryption indicators. Each playbook is a binary decision tree — "if A, do B; if not A, do C" — not a narrative description. You will use these during real incidents.

Operational KQL fluency. Not copy-paste competence — the ability to construct queries for scenarios you have never seen before, debug them when they return unexpected results, and optimize them when they run too slowly against production datasets. Module 6 builds this from first principles. Every subsequent module reinforces it with progressively complex real-world queries.

End-to-end investigation capability. From first alert through scoping, containment, eradication, evidence collection, and executive reporting. You will correlate data across email, identity, endpoint, and cloud application tables to construct a complete attack narrative. The investigation scenarios in Modules 12-16 are based on real incidents investigated in a production SOC — sanitized names, real methodology.

The ability to justify every configuration to a GRC auditor. Every security control you deploy maps to its corresponding NIST CSF 2.0, ISO 27001:2022, and SOC 2 control. You do not just configure conditional access — you can state that the policy satisfies NIST CSF 2.0 PR.AA-03 (users, services, and hardware are authenticated; the CSF 1.1 equivalent was PR.AC-7), ISO 27001:2022 A.8.5 (secure authentication), and SOC 2 CC6.1 (logical access controls), and explain why the specific configuration parameters meet the control requirements. This transforms you from a technician who configures controls into an engineer who directly supports organizational compliance.

The SC-200 certification. Every module maps to specific SC-200 exam objectives (January 2026 update). The course covers all four exam domains. But you earn the certification because you have the operational competence it is designed to validate — not because you memorised exam answers.

Who this course is for

Primary audience: career-changers and early-career SOC analysts. You have some IT experience — maybe you have administered an M365 tenant, worked a help desk, managed endpoints with Intune, or completed a foundational certification like CompTIA Security+ or SC-900. You understand what Active Directory is, you know the difference between authentication and authorization, and you can navigate a web portal without a tutorial. You have not yet worked in a Security Operations Center, or you have worked in one for less than a year and want to build deep competence fast.

This course takes you from "I know what security tools exist" to "I can investigate an incident, contain the attacker, write the report, and build the detection rule that catches it next time." The progression is deliberate: Module 0 sets up your lab, Module 6 teaches you the query language, Module 1 teaches you the investigation platform, and every subsequent module builds deeper skills in a specific area. By Module 12, you are investigating a real AiTM phishing campaign with the confidence and methodology of a senior analyst.

Secondary audience: experienced IT professionals expanding into security. You manage an M365 environment and have been told you are now responsible for security too. You know how to create users, assign licenses, configure Intune compliance policies, and manage Exchange Online. You do not know how to investigate a phishing incident, write a detection rule, or explain to your CISO what happened during a security event. This course bridges that gap — it meets you where your M365 administration knowledge ends and builds the security investigation skills on top.

You will find that your existing M365 administration knowledge is a significant advantage. When Module 7 covers Sentinel workspace configuration, you already understand Azure resource groups and RBAC. When Module 8 covers data connectors, you already understand the M365 services that produce the data. When Module 1 covers the Defender XDR portal, you already know what Exchange Online and Entra ID are. The course does not waste time teaching you M365 fundamentals you already know — it teaches you the security operations layer that sits on top.

Tertiary audience: MSP technicians responsible for client security. You manage security across multiple M365 tenants for your clients. You need to understand how to configure protections efficiently across tenants, investigate incidents for clients who expect professional-grade response, and produce reports that justify the security services you sell. The operational efficiency taught in Module 1 subsection 7 (SOC Workflow) and the reporting skills in Module 15 are directly applicable to MSP service delivery.

This course is not the right fit if you have never used a computer in a professional context. The course assumes you can navigate a web browser, use a command line at a basic level, and understand concepts like IP addresses, DNS, user accounts, and file systems. If these concepts are unfamiliar, start with CompTIA IT Fundamentals or Microsoft SC-900 and return here once you have that foundation. The course also assumes basic English reading proficiency — technical content at this depth cannot be skimmed.

Prerequisite knowledge inventory

Before starting Module 1, you should be comfortable with the following. If more than two items on this list are unfamiliar, invest time in the prerequisite resources before continuing.

Networking fundamentals. You understand what an IP address is (both IPv4 and IPv6), what DNS does (translates domain names to IP addresses), what ports are (TCP 443 for HTTPS, TCP 25 for SMTP), and what a VPN does (encrypts traffic to the VPN endpoint, so the remote service sees the VPN's IP address rather than yours). You do not need to be a network engineer — you need to understand enough that when the course says "the attacker signed in from IP 203.0.113.47 on port 443," you know what that means.

Identity fundamentals. You understand what authentication is (proving who you are) versus authorization (what you are allowed to do). You know what multi-factor authentication is and why it matters. You have heard of Active Directory and understand that it stores user accounts, groups, and computer objects. You know what a password hash is at a conceptual level (a one-way transformation of the password that can be verified but not reversed).

M365 fundamentals. You know that Microsoft 365 is a cloud platform that includes Exchange Online (email), SharePoint Online (files), Teams (collaboration), and Entra ID (identity). You have used at least one of these services as an administrator or end user. You understand that M365 has an admin center (admin.microsoft.com) where you manage users and licenses.

Operating system fundamentals. You can navigate a Windows file system, understand what a process is (a running program), and know the difference between a user-mode application and a system service. You have seen a command prompt or PowerShell window, even if you have not written scripts.

Security fundamentals (helpful but not required). Understanding of phishing (tricking users into revealing credentials or executing malware), malware (software designed to harm or exploit), encryption (scrambling data so only authorized parties can read it), and the principle of least privilege (giving users only the access they need). If you completed CompTIA Security+ or SC-900, you have this. If not, the course introduces these concepts as they become relevant.

Course structure

The course has 17 modules organized into three tiers:

Modules 0-11: Core SC-200 content. These 12 modules mirror the official Microsoft learning paths for the SC-200 certification. They cover every exam objective at teaching depth — not the surface-level walkthroughs you find on Microsoft Learn, but deep, worked-example, scenario-based instruction that builds real competence. Each module maps to a specific SC-200 learning path, and each subsection tells you which exam skills it covers.

Module 0 is this introduction — lab setup, study strategy, and learning approach. Module 1 teaches the Defender XDR platform and investigation methodology. Module 2 covers Defender for Endpoint deployment, configuration, and advanced investigation. Module 3 covers Microsoft Purview for audit, DLP, insider risk, and eDiscovery. Module 4 covers Defender for Cloud for Azure and hybrid workload protection. Module 5 covers Microsoft Security Copilot for AI-assisted investigation. Module 6 teaches KQL from first principles — this is the foundation every subsequent module depends on. Module 7 covers Sentinel workspace design, configuration, and the unified portal experience. Module 8 covers data connectors, ingestion strategy, and Data Collection Rules. Module 10 covers analytics rules, automation rules, playbooks, and the full detection-to-response pipeline. Module 11 covers proactive threat hunting with MITRE ATT&CK, bookmarks, search jobs, and archived data.

Modules 12-16: Real-world investigation skills. These five modules are what makes this course different from every other SC-200 resource on the internet. They are based on real incidents, teach the professional skills that no exam tests, and build the operational judgment that separates a certified analyst from a competent one.

Module 12 (AiTM Credential Phishing) walks through a real five-wave AiTM phishing campaign — from the first alert through containment, eradication, campaign tracking across multiple waves, CISO reporting, hardening recommendations, and detection engineering. Every KQL query, every investigation decision, every containment action is based on what actually happened in a production SOC. Names and domains are sanitized; the methodology is real.

Module 13 (BEC and Financial Fraud) covers business email compromise investigation — the attack type that causes more financial damage than any other, and the one most likely to involve law enforcement and legal teams.

Module 14 (Token Replay and Session Hijacking) covers the persistence technique where attackers steal session cookies or refresh tokens that a password reset alone does not invalidate — the attacker keeps access until those sessions are explicitly revoked, which is what makes AiTM attacks so dangerous.

Module 15 (Incident Response Reporting) teaches the writing and communication skills that no technical course covers — how to write incident reports that executives understand, how to present technical findings to non-technical audiences, and how to structure recommendations so they get funded.

Module 16 (Detection Engineering) teaches you to close the loop — converting investigation findings into production analytics rules, testing them against historical data, tuning them to minimize false positives, and documenting them so they survive analyst turnover.

Every module ends with two mandatory sections:

Module Summary provides key takeaways, a skill checklist ("I can now..."), SC-200 objectives covered, and a bridge to the next module that explains how the current module's skills will be applied.

Check My Knowledge contains 15-20 scenario-based questions that test whether you can apply what you learned, not whether you can recall a definition. The questions present realistic situations and ask what you would do — the same format as the SC-200 exam.

How modules connect

This is not a collection of independent topics. Each module builds on the ones before it, and the build order matters.

Module 0 (this module) sets up your lab environment and learning approach. Module 6 (KQL) is the foundation skill — every module after it uses KQL for investigation, detection, and hunting. Module 1 (Defender XDR) teaches the investigation platform where you spend most of your operational time. Modules 7 and 8 (Sentinel workspace and data connectors) build the SIEM infrastructure that Modules 9 through 16 depend on. Module 10 (detections and investigations) teaches you to build the analytics rules that generate the alerts you triage in Module 1. Module 11 (threat hunting) teaches proactive investigation that goes beyond waiting for alerts. Modules 12-16 apply everything from the previous modules to real-world investigation scenarios.

If you skip Module 6 (KQL) and jump to Module 10 (Detections), you will not understand the analytics rules because they are written in KQL. If you skip Module 1 (Defender XDR) and jump to Module 12 (AiTM Investigation), you will not understand the investigation portal, the incident queue, or the response actions. Follow the recommended build order: M0 → M6 → M1 → M7 → M8 → M9 → M4 → M10 → M2 → M3 → M5 → M11 → M12-16. The course is designed as a progression, not a reference library.

What makes this platform different

There are hundreds of SC-200 preparation resources available — Microsoft Learn (free), Pluralsight, Udemy, Coursera, practice exam sites, and dozens of blog post series. Here is why Ridgeline is a different product category.

You build in your own tenant, not a sandbox. Every configuration, every query, every detection rule is executed in your own M365 environment. When you finish a module, the configurations persist. The detection rules are running. The hunting queries are saved. Your tenant is measurably more secure than it was before you started. No other training platform produces this outcome — they give you a temporary sandbox that disappears when you log out.

Every action includes its blast radius. Other platforms teach you how to enable a conditional access policy. This platform tells you that the policy affects every user authenticating to Exchange Online including service accounts; that legacy (basic) authentication clients cannot satisfy an MFA requirement and will break (in Exchange Online that now mostly means SMTP AUTH, since Microsoft retired Basic Authentication for the other protocols in 2022-2023); how to identify those clients from sign-in logs before enabling the policy; how much the change costs in ingestion volume; and how to roll back in 60 seconds if something fails. An expert knows how to turn a feature on. An operator knows what will break when they do, and what it costs.
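A worked example of the "identify those clients before enabling" step, added here and not part of the course's own material: a KQL inventory of successful legacy-authentication sign-ins, grouped so you can see which accounts, apps and source IPs a conditional access policy requiring MFA would break. To run without tenant data it uses a constructed `datatable` of fictional NE sign-ins; the user names, IP addresses and the domain `northgate.example` are invented. On a real tenant replace `SampleSignins` with `SigninLogs` (and `union` in `AADNonInteractiveUserSignInLogs`, which is where most service-account traffic lands).

```kql
// Added example (not from the course page): inventory legacy-auth clients
// before a Conditional Access change that would block them.
// Values of ClientAppUsed that cannot perform modern auth / MFA.
let LegacyAuthClients = dynamic([
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
    "Exchange Web Services", "Exchange Online PowerShell",
    "Outlook Anywhere (RPC over HTTP)", "MAPI Over HTTP", "AutoDiscover",
    "Offline Address Book", "Reporting Web Services", "Other clients"
]);
// Constructed sample rows standing in for SigninLogs (fictional users, IPs, domain).
let SampleSignins = datatable(
    TimeGenerated:datetime, UserPrincipalName:string, AppDisplayName:string,
    ClientAppUsed:string, IPAddress:string, ResultType:string)
[
    datetime(2026-01-12T03:14:00Z), "svc-scanner@northgate.example", "Office 365 Exchange Online", "Authenticated SMTP",   "198.51.100.20", "0",
    datetime(2026-01-12T08:02:00Z), "jane.doe@northgate.example",    "Office 365 Exchange Online", "Browser",              "203.0.113.47",  "0",
    datetime(2026-01-12T08:05:00Z), "jane.doe@northgate.example",    "Microsoft Office",          "Mobile Apps and Desktop clients", "203.0.113.47", "0",
    datetime(2026-01-12T09:30:00Z), "svc-scanner@northgate.example", "Office 365 Exchange Online", "Authenticated SMTP",   "198.51.100.20", "0",
    datetime(2026-01-12T11:45:00Z), "legacy-mfp@northgate.example",  "Office 365 Exchange Online", "IMAP4",                "198.51.100.21", "50126",
    datetime(2026-01-13T07:10:00Z), "bob.smith@northgate.example",   "Office 365 Exchange Online", "Exchange ActiveSync",  "203.0.113.88",  "0",
];
SampleSignins
// In production, scope to the lookback you care about, e.g. | where TimeGenerated > ago(30d)
| where ClientAppUsed in (LegacyAuthClients)
// Successful sign-ins only: these are the clients that will stop working.
// Failures (e.g. 50126, bad password) are noise for this inventory.
| where ResultType == "0"
| summarize SignInCount = count(),
            FirstSeen   = min(TimeGenerated),
            LastSeen    = max(TimeGenerated),
            SourceIPs   = make_set(IPAddress, 10)
    by UserPrincipalName, AppDisplayName, ClientAppUsed
// Naming convention is an assumption about the fictional tenant; adjust to yours.
| extend LikelyServiceAccount = UserPrincipalName startswith "svc-" or UserPrincipalName startswith "legacy-"
| order by SignInCount desc
```

On the sample rows the query returns two rows: the `svc-scanner` SMTP AUTH sign-ins (count 2, flagged as a likely service account) and one Exchange ActiveSync sign-in for `bob.smith`. The browser and desktop-client sign-ins are excluded by the client-app filter and the failed IMAP4 attempt by the `ResultType` filter. Each returned row is a client that needs migrating, exempting, or consciously breaking before the policy goes live.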

Every control maps to a compliance framework. When you deploy a conditional access policy, you know it satisfies NIST CSF 2.0 PR.AA-03, ISO 27001:2022 A.8.5, and SOC 2 CC6.1. When you configure a Sentinel analytics rule, you know it satisfies NIST CSF 2.0 DE.AE-02 and ISO 27001:2022 A.8.16. This mapping is inline at the point of implementation — not in a separate appendix you never read. You leave the course able to justify every technical decision to a GRC auditor.

Real incident investigation, not synthetic exercises. Modules 12-16 are based on real incidents investigated in a production SOC. Module 12 walks through a five-wave AiTM credential phishing campaign — from the first phishing email through containment, CISO reporting, and detection engineering. Every KQL query, every investigation decision, every containment action is drawn from operational experience. No other SC-200 resource provides this.

Written by a practising SOC analyst. The author operates as a CSOC analyst in a Microsoft 365 environment with Defender for Office 365 Plan 2, Sentinel, Entra ID, and a managed SOC partner. The investigation scenarios are based on real incidents. The detection rules are based on rules running in production. This is operationally validated, not theoretical.

Text-based for operational fidelity. Security operators read documentation during deployments and incidents. They do not watch videos. This format matches the job. Every KQL query is copy-pasteable. Every configuration step includes a verification command. Every investigation step is documented in a format you can follow during a real incident at 2am.

Interactive lab: experience a real attack chain

Walk through CHAIN-HARVEST — an AiTM credential phishing attack that escalates from phishing email through token theft, persistence, and BEC wire fraud. This is the attack scenario you will learn to investigate across Modules 12-16.

How the hands-on experience works

Every KQL example in this course shows the query AND the expected results. You read the query, study the output, and understand what the data reveals — without needing a separate lab environment.

The interactive labs embedded throughout the course provide the practice layer. Parameter sandboxes let you tune detection thresholds and see the impact in real time. Alert simulators present realistic triage queues. Investigation engines walk you through multi-step investigations with branching decisions. All of this runs in your browser — no setup required.


If you want to run queries yourself (optional):

If you have access to a Microsoft Sentinel workspace or Defender XDR Advanced Hunting in your day job, every query in this course runs there directly. Adapt the NE examples to your environment — replace the fictional user names and IPs with your own. This is the fastest path to production value: learning the pattern here, deploying it in your environment the same day.

If you do not have access to a production environment, a Microsoft 365 developer tenant (developer.microsoft.com) gives you an E5 tenant with sample users and mailboxes. Two caveats: since 2024 Microsoft limits the Developer Program sandbox to Visual Studio Enterprise subscribers and qualifying partners, so check eligibility first; and the developer tenant does not include Sentinel — a Sentinel workspace needs an Azure subscription and a Log Analytics workspace (the Sentinel trial covers up to 10 GB/day of ingestion free for the first 31 days). Setup takes 30-45 minutes. This is optional — the course is fully completable without it.

Compliance Myth: "The Secure Score tells you how secure you are"

The myth: The Secure Score tells you how secure you are

The reality: Secure Score measures configuration compliance against Microsoft's recommended settings. It does not measure: whether your detection rules catch real attacks, whether your SOC can investigate an incident, whether your users recognize phishing, or whether your IR plan works under pressure. A tenant with a 95% Secure Score and no SOC is less secure than a tenant with a 70% Secure Score and a trained, practiced incident response team. Score is hygiene. Capability is security.

Knowledge check: A colleague who passed the SC-200 exam 2 years ago says: "I already know M365 security — I don't need this course." They have never investigated a real incident in Sentinel or Defender XDR. Is their confidence justified?

  • Yes — the SC-200 covers all the skills needed for M365 security operations.
  • No (correct answer). The SC-200 exam tests knowledge of features and configurations. This course builds investigation skills — the ability to triage alerts, trace attacker activity across data sources, make containment decisions under time pressure, and produce actionable findings. Passing an exam and operating in production are different competencies. Additionally, the M365 security stack changes significantly every 12-18 months — features tested 2 years ago may have been replaced or substantially modified.
  • Partially — they should just review the investigation modules and skip the configuration modules.
  • Yes — but they should retake the exam to refresh their certification.
Decision point

You manage NE's M365 security stack. Microsoft releases a new Defender feature in preview. The feature promises to reduce AiTM risk by 80%. Do you enable it immediately?

Not in production. Enable in a test tenant or for a pilot group first. Preview features may change behavior before GA, have undocumented interactions with existing CA policies, or produce unexpected results in specific tenant configurations. The deployment sequence: (1) enable in a test tenant and validate against NE's CA policy set, (2) enable for a pilot group of 10 users for 2 weeks, (3) monitor for false positives and operational impact, (4) roll out to all users after a successful pilot. Microsoft's "80% reduction" claim is based on its telemetry across all tenants — NE's specific configuration may produce different results.

Try it: Map your learning path

Review the module list for this course. Identify the 3 modules most relevant to your current role and write down: (1) the module title, (2) why it is relevant to your work, and (3) one specific outcome you want to achieve from that module. This exercise takes 5 minutes and ensures you approach the course with intentional goals rather than sequential consumption.

Beyond Module 0 (developer tenant configured with sample data) and Module 1 (the Defender XDR unified incident queue across endpoint, email, identity, and cloud apps), the full course contains:

  • 15 investigation and configuration modules — Defender for Endpoint, Purview, Defender for Cloud, Security Copilot, Sentinel workspace design, log ingestion, analytics rules, and threat hunting
  • 5 named attack investigations — AiTM credential phishing, BEC and financial fraud, consent phishing and OAuth grant abuse, token replay and session hijacking, insider threat
  • KQL from fundamentals through advanced hunting — dedicated modules on query language, cross-table joins, statistical analysis, and threat hunting queries
  • SC-200 exam objectives fully covered — every module maps to the January 2026 SC-200 update. The certification is the side effect of operational competence, not the goal
  • Production artefacts per module — detection rules, investigation playbooks, and hardening checklists you deploy to your own tenant