Module 0: The Detection Gap — Why Your SOC Needs Detection Engineering
Your SOC has analytics rules. They fire alerts. Analysts triage them. Incidents get investigated. The workflow looks functional.
But ask the question that matters: what percentage of the MITRE ATT&CK techniques relevant to your threat landscape can your current rules actually detect?
Most organizations cannot answer that question. The ones that can answer it rarely like the number. A typical Microsoft Sentinel deployment with 20-30 analytics rules — many of them Microsoft-provided templates enabled as-is — covers somewhere between 5% and 15% of the ATT&CK enterprise matrix. The other 85-95% is invisible. An attacker operating in that blind spot generates no alerts, triggers no incidents, and moves through your environment undetected until the damage is done.
Detection engineering is the discipline that closes that gap. Not by enabling more templates, not by buying more products, and not by hoping the vendor’s machine learning catches what you missed. Detection engineering builds detection rules from first principles: threat modeling identifies which techniques matter for your organization, KQL translates those techniques into queries against your specific data, testing validates the rules against historical telemetry, and operations maintains them as the environment evolves.
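The coverage question posed above, worked as an added illustration that is not part of the course material: a threat model lists the techniques judged relevant, each rule carries its ATT&CK technique tags (the `techniques` field is modelled loosely on the metadata Sentinel analytics rules carry), and the calculation reports the percentage covered plus the explicit gaps. The rule set and threat model are constructed samples, not any real deployment.

```python
"""Coverage-gap calculation: which threat-model techniques have at least one
enabled analytics rule tagged with them. Constructed sample data throughout."""
from collections import defaultdict

# Constructed sample rules; the shape mirrors Sentinel rule metadata, the rules
# themselves are invented for this illustration.
RULES = [
    {"name": "Sign-in from anonymous IP", "enabled": True,  "techniques": ["T1078", "T1090.003"]},
    {"name": "Inbox rule forwards mail",   "enabled": True,  "techniques": ["T1114.003", "T1564.008"]},
    {"name": "Mass file deletion",         "enabled": False, "techniques": ["T1485"]},
    {"name": "Suspicious PowerShell",      "enabled": True,  "techniques": ["T1059.001"]},
]

# Constructed threat model: techniques judged relevant to this organization.
THREAT_MODEL = ["T1078", "T1566", "T1114", "T1059", "T1486", "T1021.001", "T1090"]


def parent(technique: str) -> str:
    """T1566.002 -> T1566; a top-level technique id is returned unchanged."""
    return technique.split(".")[0]


def coverage(rules, threat_model):
    """Return (percent_covered, covered_map, gaps).

    A threat-model entry counts as covered when an *enabled* rule is tagged with
    it exactly, with one of its sub-techniques, or with its parent technique.
    Disabled rules are skipped on purpose: a template that exists but is turned
    off detects nothing, so it must not inflate the coverage number.
    """
    covered = defaultdict(list)
    for rule in rules:
        if not rule["enabled"]:
            continue
        for tag in rule["techniques"]:
            for wanted in threat_model:
                if tag == wanted or parent(tag) == wanted or parent(wanted) == tag:
                    covered[wanted].append(rule["name"])
    gaps = [t for t in threat_model if t not in covered]
    pct = round(100 * len(covered) / len(threat_model), 1)
    return pct, dict(covered), gaps


if __name__ == "__main__":
    pct, covered, gaps = coverage(RULES, THREAT_MODEL)
    print(f"{pct}% of threat-model techniques have an enabled rule")  # 57.1%
    for technique in gaps:
        print("GAP:", technique)
```

The gap list, not the percentage, is the actionable output: each entry is a technique the threat model says matters and no enabled rule claims to detect.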
This module makes the case. You will see the gap in concrete terms — a realistic organization with 23 analytics rules, walked through a multi-phase attack that exposes every blind spot. You will understand what detection engineering is, how the Microsoft security stack provides a uniquely powerful detection surface, what metrics justify the investment, and what you will build across the 12 modules of this course.
Module structure
- DE0.1 The Detection Coverage Illusion
- DE0.2 CHAIN-HARVEST: AiTM to BEC
- DE0.3 CHAIN-MESH: Ransomware Across the SD-WAN
- DE0.4 The Detection Engineering Discipline
- DE0.5 Why Vendor Detection Is Not Enough
- DE0.6 The Microsoft Detection Surface
- DE0.7 The Data You Already Have
- DE0.8 Measuring What Matters
- DE0.9 Northgate Engineering — Organization and Infrastructure
- DE0.10 The Six Attack Chains
- DE0.11 What This Course Builds
- DE0.12 Your Detection Engineering Lab
- Summary: Module recap and artifact inventory
- Check My Knowledge: Scenario-based assessment