Learning path
Threat Detection and Incident Response
Skill Level
Intermediate
Duration
12 hours 30 minutes
Updated May 20, 2025
About this learning path
It was a quiet Friday night when the alerts hit—rogue Kerberos tickets spiking from a Pass-the-Hash attack. With 14 years in the SOC trenches, I, Shoaib Mohammed Shahapuri, saw my Tier 1 analyst, Morgan, catch the first anomaly, but it was Riley, our red teamer, who nearly owned the domain—stopped just in time. That close call inspired this Intermediate Threat Detection & Incident Response Learning Path—a 13-hour journey designed to elevate your career from Tier 1 to Tier 2/3. You'll master early-stage detection with Falcon XDR and Security Onion to catch initial access like hash captures; escalate alerts with Morgan and Alex using SOAR; track APT29-style campaigns with Alex and Taylor through Falcon Intelligence; defend Active Directory from Kerberoasting with Falcon ITDR; and fine-tune noisy detections from fileless malware using XDR and network-based tools. Each hands-on lab simulates Riley's full attack chain—credential theft, privilege escalation, lateral movement—so you can build the skills that lead to promotions and high-paying roles. Ready to outsmart Riley and level up your SOC career? Let's dive in.
Your instructors
Shoaib Mohammed Shahapuri, World Wide Technology, Technical Solutions Architect
Kendall Ahern, World Wide Technology, Solutions Development Intern
Prerequisites
- ✅ We recommend completing our Foundation Learning Path on Threat Detection and Incident Response Essentials for a strong starting point
- ✅ General awareness of MITRE ATT&CK, including basic attack tactics and techniques
- ✅ Basic knowledge of working with Windows and Linux systems, including simple navigation
What you'll learn
- 🧨 Simulate real-world attacks using tools like Responder, Mimikatz, and obfuscated PowerShell to understand adversary behavior from the inside out
- 🧠 Detect and investigate threats using Falcon XDR and Security Onion by correlating behavioral, identity, and network telemetry
- ⚙️ Respond and contain incidents with Falcon SOAR through host isolation, credential resets, and automated playbooks
- 📉 Fine-tune detection rules and document incidents to reduce false positives and improve SOC response effectiveness