LIFETIME ACCESS

Practical Threat Hunting and Detection Engineering

Become the analyst who catches what others miss. Hands-on hunting. Real detections. Production-ready skills. Pre-Sale Now Open — Save 40%.

Practical Threat Hunting & Detection Engineering

Learn how modern hunters find, analyze, and detect adversary behaviors - step by step.
Learn to Detect Threats Using TTP-Based and Behavioral Techniques

Pre-Sale Now Open — Save €200.

Coming Soon

Advanced Threat Hunting & Detection Engineering in the Enterprise

Learn how to build high-order behavioral detections for Windows and Entra ID attack activity that remain resilient to evasion and can be adapted across tools, clouds, and enterprise environments.

Coming Soon

  • Around 20 advanced behavioral detections
  • Realistic labs with false positives and full attack chains
  • Vendor-agnostic logic transferable across platforms

The course is currently in beta with a few users and will be released in May/June 2026.

Launch Price: €1199

Join the waitlist for launch updates and early access.


A Course Built for Serious Defenders

This course is designed for security professionals who want to move beyond conventional detections and develop a deeper, more durable approach to detection engineering. You will learn how to build high-order behavioral detections that identify meaningful adversary activity across Windows and Entra ID environments, while also gaining insight into how modern attackers operate in real enterprise scenarios.

What You’ll Gain

  • Learn to develop around 20 advanced behavioral detections covering a wide range of attack techniques.
  • Understand the detection logic step by step, not just the final query or rule.
  • Gain exposure to how adversaries operate through command-and-control infrastructure using C2 implants and beacons.
  • Learn how attackers steal Entra ID tokens from compromised machines and abuse them for malicious activity.
  • Build a foundation you can apply across tools, products, and environments.

What Makes This Course Exceptional

  • Focused on resilient detections designed to withstand common evasion techniques.
  • Built around vendor-agnostic principles that can be transferred to other platforms.
  • Includes a single behavioral detection approach that can help cover both stolen token abuse and adversary-in-the-middle attacks.
  • Shares a sample design showing how this detection logic can be implemented across cloud environments, regardless of SIEM or XDR platform.
  • Structured to teach enduring detection logic rather than product-specific shortcuts.

Designed for Real Enterprise Conditions

  • Hands-on labs use Microsoft Defender, Entra ID, and Windows telemetry as the primary learning environment.
  • Full attack chains and adversary behaviors are emulated in realistic scenarios using C2 frameworks.
  • Labs include real false positives you are likely to encounter in production, along with guidance for interpreting and handling them.
  • Scenarios are designed to help you understand not only what can be detected, but where visibility gaps exist.

Beyond Detection Content Alone

This course goes beyond writing detections. Throughout the training, you will also learn where important detection gaps can emerge and how to address them with compensating detections. A dedicated module on identifying and closing these gaps is planned for release after the course launches.

Beyond a Single Ecosystem

The detection methods taught in this course are designed to extend beyond Microsoft environments. With the right telemetry, the same principles can be adapted to Linux, macOS, Azure, AWS, and GCP.

What You Will Learn

By the end of this course, you will:
  • Understand the foundational concepts of databases and logging.
  • Be proficient in crafting and optimizing KQL queries for security data analysis.
  • Be able to understand hundreds of publicly shared KQL queries and easily customize them to implement in your environment.
  • Gain expertise in manipulating and combining datasets for comprehensive analysis.
  • Learn how to use threat intelligence feeds efficiently.
  • Master various investigation techniques to find what you want easily and quickly. For instance:
    • Time series visualization for quick triage and spotting anomalies.
    • Geospatial visualization for quick triage and spotting anomalies, which is extremely useful for AiTM and other identity-focused attacks.
  • Learn rapid triage and investigation techniques.
  • Learn fundamental anomaly detection methods used in threat hunting and detection engineering.
  • Master time series anomaly detection for threat hunting and detection engineering.
  • Learn a novel method to detect attack flows and infection chains.
  • Learn how to use KQL graph semantics for threat hunting and detection engineering.
  • Test your knowledge with a final capstone that covers a full-chain attack.

Hands-On Examples

Exercises


Course Lessons (WIP)

Frequently asked questions

Who should take the course?

This course is ideal for:
  • SOC analysts and incident responders who want to improve their investigation skills.
  • Cybersecurity professionals seeking to deepen their data analysis skills.
  • IT professionals and analysts interested in specializing in security data analysis using KQL.
  • Beginners who are keen to learn KQL in the context of cybersecurity.

Are there any prerequisites?

A basic understanding of databases and a keen interest in cybersecurity data analysis are recommended, but the course begins with foundational concepts, making it accessible to all enthusiastic learners.

Does the course contain video content?

No. While the course is text-based, the content is supported by screenshots with explanations. This approach makes it easy to follow and understand the content. You may check the free "Introduction to KQL for Security Analysis" course to see how it looks.

Are there any lab requirements?

No additional software or hardware is required. You will access the lab environment via a web browser. The lab environment is an Azure Data Explorer instance where you will analyze the logs of a simulated organization.

Can I get a certificate of completion?

Yes, you will receive a certificate of completion.

What is Lemon Squeezy?

Lemon Squeezy is a Merchant of Record that processes payments and handles taxes. You may see its name on your card statements.

Created by

Mehmet Ergene

Mehmet brings over 15 years of experience in cybersecurity and a unique blend of expertise in KQL, threat hunting, detection engineering, and data science to his courses, helping others advance their skills. Recognized four times as a Microsoft Security MVP, he is known for adapting the RITA beacon analyzer to KQL and for his insightful presentations at key conferences such as the SANS DFIR Summit.