Advanced Defensive Engineering in the Enterprise training
Overview:
This training offers a comprehensive, modern approach to defensive engineering for an enterprise, shifting from our previous attack-class-focused curriculum to a broader defensive skillset: detection strategy, telemetry management, analytics, and automation. You will learn to prioritize detections by combining risk, likelihood, and detectability with a deep understanding of your operational environment. The training then guides you through the entire detection lifecycle: development, tuning, maintenance, and eventual deprecation. The training is very hands-on and based on our experience supporting many detection and response teams in large multinationals.
We dive into log ingestion decision-making (what to collect, how to process it, and how to track data completeness), the internals of EDR telemetry (how the EDR gathers its data, including Event Tracing for Windows), and how to address telemetry gaps.
The advanced detection engineering topic is a substantial part of the curriculum, covering the research and design of realistic and current attacks in an enterprise. You will execute several attacks and research the generated telemetry to build detections based on your findings. Additionally, we will cover implementation and differentiate between scheduled, near-real-time, and threat hunt-based approaches, including baseline development best practices.
Participants gain practical guidance on crafting performant KQL queries, leveraging graphs (including OpenCypher) for enrichment, attack path visualization, and incident correlation, as well as developing alert enrichments (attack paths, local context, identity data) and risk-based scoring.
Automation is addressed through playbooks and AI-based agentic workflows, while dashboarding and reporting modules cover cost management, detection and data health monitoring, performance metrics, and tuning suggestions. This training equips you with the tools and frameworks needed to build, maintain, and evolve a proactive security program.
The training is very hands-on, with about 50% of the time spent in labs.
Key takeaways:
- Building solid detections that catch threat actors who evade out-of-the-box detections.
- Deep understanding of full lifecycle management for detections and other detection components.
- The ability to automate incident handling and enrichment.
Who should take this training:
- Detection Engineers
- SOC Engineers
- Red Team professionals
Requirements:
- KQL experience is a prerequisite; knowledge of other query languages is equally useful.
- Inquisitive mindset.
- Students should bring their own laptop. To connect to our student lab environment, students should be able to use Microsoft RDP (Remote Desktop Protocol) via the internet on port 3389 TCP.
Training date:
This training is facilitated in 4 full-day sessions on:
- Monday September 28
- Tuesday September 29
- Wednesday September 30
- Thursday October 1
Each day from 9:00 to 17:00. The training will be facilitated in English.
The training will be facilitated at the following location:
- Aristo Meeting Center Utrecht, the Netherlands
- https://aristo.nl/vergaderlocatie-utrecht-centraal-station
Lunch:
Lunch will be provided at the training venue.
Signing up and payment:
Interested in this training? Sign up on this page!
The following pricing is applicable to this training:
- General ticket: EUR 4.235 (incl. applicable VAT).
Note: all prices listed are including applicable VAT. Latest ticket sales date is September 14, 2026 at 17:00.
- Payments can be done by iDeal or credit card, right on our TicketTailor event page.
Overview of training contents:
Detection Engineering
- Research
- Development
- Deciding on the implementation type
  - Scheduled detection
  - Near real-time detection
  - Threat hunting
Detection coverage/prioritization
- How to choose which detection(s) to build first.
- Risk × Likelihood × Detectability
- Knowing your environment
Detection lifecycle management
- Performance Optimization and Tuning
- Maintenance
- Deprecation
Log ingestion
- Deciding which logs to ingest, where to store them, and how long to retain them
- How they should be processed
- Data completeness (ingestion gaps, latency, parsing errors)
EDR Internals
- How the EDR collects its data
- Event Tracing for Windows
- Telemetry gap mitigation
Baseline development
- Baseline design
- Caveats
- Implementation options
KQL best practices and Graphs in detection and response
- Performance recommendations
- Query design principles
- KQL graph and OpenCypher
- Graphs for enrichment
- Attack path management
- Incident correlation
- Visualize attack paths in queries
Alert enrichments
- Enrichment strategies
- Entity enrichment
  - Attack paths
  - Local contextual information (CMDB/IPAM)
  - Entra ID / Active Directory
- Correlation strategies, making use of enrichments
- Risk-based scoring
Automation
- Investigation and response playbooks
- Agentic (AI) workflows
Dashboarding / Reporting
- Cost management
- Detection and data health overviews
- Performance metrics
- Tuning suggestions