Close One Capability Gap This Week.

Full courses build complete disciplines. Short courses close the specific gap that's been holding you back — the forensic collection you've been faking with screenshots, the detection rule format you copy-paste without understanding, the authentication configuration you've been meaning to fix for six months. Four to eight hours of focused depth. You finish with a capability you own.

One capability to professional ownership · Built in your environment, against your data · Included with Premium & Specialist

You own this capability now

You don't finish with notes about a tool. You finish having done the work — collected the evidence, written the rule, fixed the configuration. The next time it needs doing, you're the one who does it.

Your environment, your proof

Every worked example runs against your systems, your data, your tenant. The output is yours. The configuration is yours. You can show your manager what you built because it's running in production.

The complete workflow, not just steps

Each course ends with you running the full process end-to-end against a realistic scenario. You don't just know the commands — you know when to use them, what the output means, and what to do when it doesn't look right.

DFIR & Investigation

The Analyst Who Can Collect, Parse, and Report

After these courses, you're the person who collects forensic evidence without second-guessing the collection profile. You investigate endpoints across a fleet and know what the output means. You triage a binary and give your team a confident answer. You write YARA rules that find what the AV missed. You read a PCAP and tell the IR lead exactly what left the network.

Short Course
KAPE and EZ Tools Mastery
KAPE · MFTECmd · PECmd · AmcacheParser · Timeline Explorer
DFIR Tools
What you'll deploy: Production KAPE collection profile, parsed MFT timeline, endpoint triage report
  • 6 sections · 1 free section
  • 6 hours · 8 CPE
Short Course
Velociraptor for Endpoint Investigation
Velociraptor · VQL · Notebooks · Artifact Exchange
DFIR Tools
What you'll deploy: Velociraptor deployment, VQL hunt queries, fleet-wide artifact collection
  • 9 sections · 1 free section
  • 8 hours · 10 CPE
Short Course
Malware Triage
PEStudio · strings · VirusTotal · ANY.RUN · YARA · STIX
DFIR Tools
What you'll deploy: Triage workflow with PEStudio, YARA rules, and automated sandbox analysis
  • 5 sections · 1 free section
  • 4 hours · 6 CPE
Short Course
YARA Rule Writing for DFIR
YARA · THOR Lite · Velociraptor · yarGen · PE headers
DFIR Tools
What you'll deploy: Custom YARA rules deployed via Velociraptor and THOR for malware detection
  • 6 sections · 1 free section
  • 6 hours · 8 CPE
Short Course
Wireshark for Security Analysis
Wireshark · tshark · Display Filters · Protocol Dissectors
Network Analysis
What you'll deploy: Wireshark display filters, protocol analysis workflow, capture configuration
  • 5 sections · 1 free section
  • 4 hours · 6 CPE
Short Course
Log Analysis with Regex
grep · sed · awk · PowerShell · regex101
Log Analysis
What you'll deploy: Regex patterns for log parsing across grep, PowerShell, and Python
  • 5 sections · 1 free section
  • 4 hours · 6 CPE
Security Engineering

The Engineer Who Designs, Automates, and Defends

After these courses, your Conditional Access policies are an architecture you can explain and defend. Your email authentication passes DMARC enforcement because you understand every record. Your PowerShell scripts automate the investigation steps that used to take your team hours. Your detection rules are version-controlled with CI that validates before deploy. You're the engineer who builds the infrastructure, not the admin who follows the guide.

Short Course
Conditional Access Design
Entra ID · Conditional Access · Named Locations · Device Compliance
Identity Security
What you'll deploy: Conditional Access policy architecture with named locations and device compliance
  • 6 sections · 1 free section
  • 6 hours · 8 CPE
Short Course
Email Authentication Masterclass
SPF · DKIM · DMARC · DNS · M365 · Google Workspace
Email Security
What you'll deploy: SPF, DKIM, and DMARC deployed and passing enforcement across your domain
  • 5 sections · 1 free section
  • 5 hours · 6 CPE
Short Course
PowerShell for Security Operations
PowerShell · WinRM · Get-WinEvent · Microsoft Graph
Security Operations
What you'll deploy: PowerShell investigation scripts, Graph API automation, WinRM remote collection
  • 7 sections · 1 free section
  • 6 hours · 8 CPE
Short Course
Sigma Rule Writing
Sigma · sigmac · pySigma · YAML · ATT&CK
Detection Engineering
What you'll deploy: Sigma detection rules with pySigma conversion to KQL, SPL, and XDR queries
  • 6 sections · 1 free section
  • 6 hours · 8 CPE
Short Course
Sysmon Configuration & Deployment
Sysmon · XML Config · SwiftOnSecurity · GPO · Intune · Sigma
Detection Engineering
What you'll deploy: Production Sysmon configuration with detection-optimized event filtering
  • 6 sections · 1 free section
  • 4 hours · 6 CPE
Short Course
Git for Security Teams
Git · GitHub · VS Code · CI/CD · Sigma
Security Operations
What you'll deploy: Git repository with CI pipeline for detection rule version control
  • 5 sections · 1 free section
  • 4 hours · 6 CPE

You're one day away from owning a capability you don't have today.

Pick the gap that's been bothering you. Finish the course. Walk into work tomorrow as the person who can do this. Every short course is included with your Premium or Specialist subscription.