Cybersecurity, learned like a practitioner.
24 learning paths · 398 modules live · every lesson written by someone who has shipped the control or run the engagement. Free to start.
Blue Team / SOC Operations · modules
How defenders actually work. SOC structure, SIEM, detection engineering, EDR, and malware triage.
Module 19 · SOC Metrics That Actually Drive Improvement
The bad metrics
Total alerts processed — measures volume, not value. Encourages keeping noisy rules.
Alerts per analyst per shift — encourages superficial triage.
Closed-without-investigation rate — encourages closure, not analysis.
Mean-time-to-acknowledge alone — encourages clicking without thinking.
The good metrics
For analysts: Mean Time To Detect (MTTD) — from compromise to detection. Hard to measure […]
Module 20 · Purple Team — Operationalising Adversary Emulation
Red vs purple — what differs
Red team: adversary emulation, blue blind. Purple team: adversary emulation, blue collaborating.
Red team goal: demonstrate impact. Purple team goal: improve detection.
Red team output: detailed report; blue may not see techniques used. Purple team output: detection rules + visibility-gap remediation.
Red team cadence: annual or quarterly engagement. Purple team cadence: continuous or monthly.
The purple-team operating model
Red team executes a […]
Module 17 · Threat Hunting Operationalised — Hypotheses, Pivots, Dashboards
What threat hunting is
Proactive search for adversary presence based on hypothesis, not alert. The defender assumes a sophisticated attacker may already be present and searches for traces that current detection rules would miss.
The hunt cycle
Hypothesis: state what you’re looking for. “Adversaries may be using WMI for lateral movement.”
Data sources: identify what […]
Module 18 · Detection Engineering — Sigma, ATT&CK Coverage, Validation
What detection engineering is
Design rules that fire on adversary behaviour, not noise. Test rules against historical data and red-team data. Tune to acceptable signal-to-noise. Deploy with documentation. Maintain — update when adversary techniques evolve.
The detection-engineering lifecycle
Source: hunt finding, TI report, red-team exercise, ATT&CK coverage gap.
Hypothesis: state what the rule should catch. […]
Module 16 · SOAR — Security Orchestration, Automation, Response
What SOAR does
Orchestration: connect security tools via API; trigger actions across them.
Automation: execute repeatable workflows without human intervention.
Case management: structured incident workflow with audit trail.
Playbook execution: pre-defined response runbooks triggered by alert type.
The platforms
Splunk SOAR (formerly Phantom), Palo Alto XSOAR (Demisto), IBM QRadar SOAR, Microsoft Sentinel SOAR, Tines, Torq. […]
Module 12 · DNS-Based Detection Strategy
Why this module exists. Almost every internet attack starts with a DNS query — beaconing to C2, exfiltration via DNS tunneling, phishing-link resolution, malware updating itself. DNS logs are the highest-signal-per-byte log source in your environment, and most SOCs underuse them.
What DNS logs reveal
Beaconing — same source contacting same destination at fixed intervals […]
Module 13 · SOC Metrics & MTTR Reduction
Why this module exists. “Is our SOC effective?” CISOs need a measurable answer. Common metrics — alert volume, ticket count — measure activity, not effectiveness. The metrics that matter are MTTD (mean time to detect), MTTR (mean time to respond), false-positive rate, and ATT&CK technique coverage. Each has a target; each has specific operational levers. […]
Module 14 · Threat Intelligence Operations
Why this module exists. Threat intelligence is one of the most-purchased and least-utilised security investments. Companies subscribe to feeds that nobody reads, vendor reports that nobody actions. Done well, TI shapes detection, prioritisation, and strategy. Done badly, it’s expensive noise.
The three altitudes of TI (type, audience, outputs, cadence)
Strategic: audience executives and board; outputs threat landscape, risk-driven […]
Module 15 · Purple Teaming Methodology
Why this module exists. Red teams find what defenders missed. Blue teams build detections. Purple teams put both in the same room — making a single exercise simultaneously a test, a learning event, and a detection-engineering session. The output: detections that work for the techniques attackers actually use.
What purple team isn’t
Not “let’s all […]
Module 8 · Log Management at Scale — Patterns and Pitfalls
Why this module exists. Logs are the SOC’s primary data. Bad log architecture means missed detections, slow investigations, and impossible audit response. Good architecture means hunts complete in seconds and forensic timelines reconstruct in hours. The difference is mostly upfront planning.
The log-management problem in 2026 numbers
A medium Indian enterprise (5,000 endpoints, 200 servers, […]
Practitioners who've shipped the controls.
Every module is written by someone who has built the defence or run the engagement. No repackaged tutorials, no generic theory.
Why learn here
Practitioner-written.
Each lesson is authored by someone who has shipped the control or run the engagement in production.
Quiz after every module.
20+ questions with explanations. 70%+ to mark complete. Unlimited retries.
Progress tracked.
Completions, scores and streaks saved automatically. Resume exactly where you left off.
India-priced.
Start free. ₹499/mo for intermediate. ₹4,999/yr for advanced. No hidden fees, ever.