Detection Engineering for Windows training

Online Specialist Training

Detection engineering is a method to build and improve your detection capabilities. The Detection Engineering for Windows training brings you up-to-speed in 4 half-day sessions.

Trainers: Olaf Hartong and Gijs Hollestelle

Training description:

Building good analytics and automated detection capabilities requires detailed understanding of attackers and their modus operandi. By understanding the different tools and techniques used by attackers and what indicators can be extracted, better detection capabilities can be developed. This process is called Detection Engineering and it is a crucial aspect to be truly effective at discovering attackers in your network.

This instructor-led training focuses on the entire detection engineering cycle. Guiding participants in defining analytics, researching the relevant techniques, building the detection logic, investigating which logs can be utilized, and validating resilience against bypassing.

We have included several hands-on exercises for the students to get used to the detection engineering methodology and to start implementing this in their organizations. These hands-on exercises can be performed using either Splunk or Azure Sentinel.

To allow maximum flexibility with your busy schedules, we planned the training in 4 consecutive half-day sessions!

The training qualifies for 16 hours of CPE credit hours.


The training takes place online from 9-12 November 2020 in four 4-hour training blocks. We will schedule these where possible in accordance to the timezones of the participants; currently we are aiming for a start at 14.00 CET (Amsterdam), ending at 18.00 CET each day.


Students should be familiar with Windows and have basic PowerShell experience. Experience with Splunk or Azure Sentinel is not mandatory. Students should be able to use Microsoft RDP (Remote Desktop Protocol) to connect to lab systems via the Internet on port 3389 TCP. Last but not least: the training will be facilitated via Discord.

Signing up:

The cost for this training is EUR 1500, excl. VAT. If you register using this form before October 1, 2020, you will be eligible for the Early Bird Special, a discounted price of EUR 1300 excl. VAT. Payment can be done via various methods including European bank transfer or credit card.

To sign up use this form and we will contact you shortly.

Do you have any questions or inquiries? Please contact us at

Overview of training contents:

  • Introduction
  • MITRE Caveats
  • Detection engineering principles & theory
  • Information resources and using threat information
  • Understanding your data
  • Developing hypothesis
  • Researching technology and techniques
  • Detection techniques
  • Creating analytics
  • (Open source) tooling
  • Resilient detections
  • Detection improvement and validation

Tools used:

  • Loads of Windows applications
  • PowerShell scripts
  • Splunk / Sentinel
  • Windows 10 Virtual Machine
  • Sysmon