SecOps Training (Intermediate)

SecOps Training — Security Operations, Detection Engineering & Incident Response

Master SecOps: SIEM, SOAR, detection engineering, threat hunting, vulnerability management, incident response automation. SOC design and operations by security practitioners.

Who Should Attend

This program is for SOC analysts, security engineers, and IT operations professionals building or maturing security operations capabilities. If your team is overwhelmed by alert volume, incident response is manual and inconsistent, or you’re building a SOC from scratch — this course teaches SecOps: automated detection, orchestrated response, and continuous improvement.

Learning Outcomes

  • Deploy and configure a SIEM (Splunk, Elastic, Sentinel) with detection rules mapped to MITRE ATT&CK
  • Build SOAR playbooks for automated alert enrichment, containment, and response
  • Implement detection-as-code — version-controlled Sigma rules deployed through CI/CD
  • Conduct threat hunting using hypothesis-driven methodology
  • Automate vulnerability management — scanning, prioritization, ticket creation, patch verification
  • Design a SOC operating model — tier structure, shift design, metrics, and reporting

Course Modules

  1. SecOps Fundamentals — SOC functions. Detection, response, threat intel, hunting. SecOps vs. DevSecOps. MITRE ATT&CK.
  2. SIEM Architecture — Log ingestion. Parsing. Normalization. Storage. Detection rules. Dashboards.
  3. Splunk Deep Dive — SPL. Data models. CIM. Enterprise Security. Detection engineering in Splunk.
  4. Elastic Security — Elasticsearch, Kibana, Beats. Detection rules. Alerts. Machine learning jobs.
  5. Detection-as-Code — Sigma rules. Version control. CI/CD for detection content. Automated testing. Coverage mapping.
  6. SOAR Automation — Playbook design. Alert enrichment. Automated containment. Case management. Cortex XSOAR / Tines.
  7. Incident Response — IR lifecycle. IR roles. Evidence collection. Chain of custody. Post-incident review.
  8. Threat Hunting — Hypothesis-driven hunting. Threat intelligence integration (MISP). Hunting methodologies. Documentation.
  9. Vulnerability Management — Scanning (Qualys, Tenable). Risk-based prioritization. SLAs. Patch verification. Reporting.
  10. SOC Design — Tier 1/2/3 structure. Shift design. Metrics (MTTD, MTTR, false positive rate). Leadership reporting.
  11. Cloud Security Operations — Cloud-native detection (GuardDuty, Azure Defender). Cloud SIEM. Container security monitoring.
  12. Capstone: SOC Build — Deploy SIEM, configure detection rules, build SOAR playbooks, conduct a threat hunt.

Hands-on Labs (20 total)

Labs include: “Deploy Elastic Security and ingest Windows event logs with detection rules for common attack techniques,” “Write a Sigma rule for credential dumping, test it, and deploy via CI/CD,” “Build a SOAR playbook that enriches a phishing alert with threat intelligence and auto-contains the affected host.”

Frequently Asked Questions

How does this differ from the DevSecOps course? DevSecOps focuses on shifting security left — integrating security into development pipelines (SAST, DAST, secrets, image signing). SecOps focuses on detecting and responding to threats in production (SIEM, SOAR, threat hunting, IR). They are complementary — most organizations need both capabilities.

Do I need a security background? Basic security concepts (CIA triad, common attack types, networking) are prerequisites. The course builds from there. If you’re completely new to security, start with CompTIA Security+ fundamentals before enrolling.

Tools Covered

  • Splunk
  • Elastic Security
  • Microsoft Sentinel
  • Cortex XSOAR
  • Wazuh
  • MISP
  • Sigma
  • Qualys

Prerequisites

  • Basic security concepts
  • Linux command-line proficiency
  • Understanding of networking (TCP/IP, DNS, HTTP)


Delivery formats: Online · Classroom · Corporate · Self-paced · Certification-aligned