Hands-On Detection engineering: Blueprint
RCCE students will learn how to build, test, and maintain high-fidelity detection rules across SIEM, EDR, and cloud security platforms. RCCE students will learn to translate threat intelligence and MITRE ATT&CK techniques into detection logic, write detection rules using query languages (SPL, KQL, Sigma), reduce false positive rates through rule tuning, implement detection-as-code workflows, version control detection content, measure detection coverage gaps, and build automated testing pipelines that validate detection rules against simulated attack data before production deployment. This practice-intensive course emphasizes applied skills through lab exercises, real-world scenarios, and production-realistic workflows. Starting from foundational concepts, RCCE students will learn by doing, building muscle memory and practical confidence through repeated hands-on engagement. Students complete exercises that mirror actual workplace tasks, ensuring skills transfer directly to their professional roles.
- SOC Analysts and Incident Responders
- Detection Engineers and SIEM Content Authors
- Threat Hunters improving adversary coverage
- Security Operations Team Leads
- Professionals implementing Hands-On Detection engineering: Blueprint
- Build detections and response workflows for privilege escalation
- Explain Course Overview fundamentals
- Execute hands-on tasks for what you will learn
- Build detections and response workflows for privilege escalation, including Translate threat intel to, and Write rules in SPL, KQL,.
- Execute hands-on tasks for applied engineering — covering Reduce false positives.
- Execute hands-on tasks for operational maturity — covering detection coverage.
- Execute hands-on tasks for course approach — covering Practice-intensive with lab exercises and real-world scenarios, Skills transfer directly to professional SOC roles.
- Execute hands-on tasks for why it matters
- Execute hands-on tasks for key outcomes — covering Systematic creation of, Reduces mean time to detect.
| Module 01 | Hands-On Detection Engineering |
| Module 02 | Build, Test, and Maintain High-Fidelity Detection Rules |
| Module 03 | Course Overview |
| Module 04 | What You Will Learn |
| Module 05 | Detection Fundamentals |
| Module 06 | Applied Engineering |
| Module 07 | Operational Maturity |
| Module 08 | Course Approach |
| Module 09 | What Is Detection Engineering? |
| Module 10 | Why It Matters |
| Module 11 | Key Outcomes |
| Module 12 | Detection Engineering Lifecycle |
| Module 13 | Plan & Research |
| Module 14 | Build & Test |
All hands-on labs run on Rocheston Rose X OS. Students practice hands-on detection engineering: blueprint by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Build detections and response workflows for privilege escalation
- Lab 2: Build detections and response workflows for privilege escalation
- Lab 3: Explain Course Overview fundamentals
- Lab 4: Execute hands-on tasks for what you will learn
- Lab 5: Build detections and response workflows for privilege escalation
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Hands-On Detection engineering: Blueprint, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI