Blue Team & SOC Operations

Detection engineering and incident response, the modern way.

A four-day track that turns analysts into detection engineers - Sigma, Elastic, Wazuh, MITRE ATT&CK, threat hunting and live incident-response drills against a realistic adversary playbook.

  • Duration: 4 days
  • Cohort size: ≤ 15
  • Level: Intermediate
  • Certificate: Verifiable

What you'll walk away with

  • Author Sigma + Elastic detections mapped to MITRE ATT&CK
  • Run a structured threat hunt with a hypothesis you can defend
  • Triage and escalate alerts under realistic pressure
  • Execute an IR runbook from detection through post-mortem
  • Tune your SIEM to lower false positives without losing signal
  • Write incident reports that engineering will actually act on

Who this is for

Designed for the prerequisites below - but motivated learners outside the profile are welcome with a short pre-call.

  • Familiarity with SIEM concepts (Splunk / Elastic / Wazuh)
  • Networking + TCP/IP fundamentals
  • Basic Linux shell + Windows event-log literacy
  • Some exposure to common attacker techniques

Curriculum

Day-by-day breakdown

Day 1

Foundations & telemetry

  • The detection engineer mindset
  • Windows + Linux + cloud log sources
  • Pipeline: agent → ingest → search
  • Setting up Wazuh + Elastic stack

Day 2

Detection engineering

  • Sigma rule structure + translation
  • MITRE ATT&CK mapping in practice
  • Writing high-fidelity rules
  • Reducing false positives without losing coverage

Day 3

Threat hunting

  • Hypothesis-driven hunting
  • Hunt cycles + lessons-learned loops
  • Pyramid-of-pain thinking
  • Hunting credential abuse + lateral movement

Day 4

Incident response live

  • Triage + severity + escalation
  • Containment + eradication + recovery
  • Writing the post-mortem
  • Live IR exercise with the red-team scenario

Hands-on labs

Realistic, isolated environments - you break things safely and rebuild them harder.

  • Pre-built SOC stack tenant per learner
  • Replayable attack scenarios (red-team telemetry)
  • MITRE ATT&CK coverage dashboard
  • Sigma → Elastic detection authoring sprints
  • Live IR exercise on Day 4

Tools you'll use

No proprietary kit - everything is industry-standard.

  • Wazuh
  • Elastic / Kibana
  • Sigma + sigmac
  • MISP
  • TheHive + Cortex
  • Sysmon
  • OSQuery
  • Velociraptor
  • Suricata

Your instructor

Senior SOC Lead / Detection Engineer

Detection engineer with experience running 24×7 SOCs across SaaS and finance. Writes rules, ships them, and watches them fire in production - then teaches what worked and what didn't.

  • Practitioner first
  • Lab-driven
  • Office hours after class

Reserve your seat

Cohorts are small on purpose. Email us to confirm dates, request a corporate cohort, or ask anything about the curriculum.

Next cohort: On request - quarterly cohorts