
Threat Detection Engineering Track

A 12-week role-based path for analysts moving from triage into building and tuning detections.

Duration
12 weeks
Format
Instructor-led + lab
Skill level
Intermediate
Certification
GIAC GCDA
Tuition
₩3,200,000
Next intake
7 April 2026

About this program

This track focuses on detection content as a craft. Learners write Sigma rules, KQL queries, and Splunk searches against replayed adversary behaviour, then take their detections through a full review-and-tuning loop. Mentor feedback is the load-bearing element — every detection submitted gets reviewed by a working detection engineer. The track closes with a "false-positive negotiation" exercise where you defend tuning decisions to a simulated SOC manager.

What is included

  • Detection-as-code workflow with Git-tracked rule reviews
  • Sigma, KQL, and SPL coverage with side-by-side translations
  • Replayed APT and commodity malware traffic for tuning practice
  • Coverage-gap analysis using ATT&CK navigator
  • Detection lifecycle: research, draft, deploy, monitor, retire
  • Final defence: explain false-positive trade-offs to a mock SOC lead

By the end of the program

  1. Write a Sigma or KQL rule that survives a peer review
  2. Run a coverage-gap analysis without hand-waving
  3. Decide when to tune a detection vs. retire it

Frequently asked questions

About 6 months of analyst work or completion of our SOC Foundations Bootcamp. We will reject self-taught applicants who cannot read a Windows Event Log without a cheat sheet — that is a hard limitation, not a sales gate.

From past cohorts

I came in expecting a rule-writing course and got a thinking-about-rules course. The week-9 false-positive defence exercise was uncomfortable in a useful way.
Detection engineer, mid-career (Google reviews)
The detection-as-code loop felt close to how my team actually works. Good signal-to-noise.
Eun-Ji K. · SOC Tier-2 · enterprise SaaS team
The replay engine is the secret weapon. Wish there was more time on tuning ML-driven detections, but that is a niche and they were honest about it.
Min-Soo H.

Ready to talk through fit?

We do a 30-minute scenario walkthrough with admissions before any paid intermediate or advanced track. We will tell you honestly if a different program — or no program — would serve you better right now.