Purple Team Detection Engineering
Back to courses
Security

Purple Team Detection Engineering

Attack. Detect. Prove It.

56 lessons
16 hours
10 modules
$149

One-time purchase

This course includes:

  • 56 lessons
  • 16 hours of content
  • Full lifetime access

About This Course

Stop guessing whether your detections work. Build the lab, run the attack, and prove it.

This course teaches you the full adversary emulation to verified detection pipeline — not as a concept, but as a repeatable engineering practice you build with your own hands. You will architect an isolated Active Directory lab, deploy Elastic SIEM with Sysmon telemetry, run structured attack campaigns with Caldera and Atomic Red Team, and write production-grade Sigma rules that you know fire — because you triggered them yourself.

  • 10 modules covering the full purple team lifecycle — from lab build to capstone attack

  • Hands-on challenges, quizzes and assignments to validate your understanding

  • Credential access, AD attacks, LOLBins, lateral movement, and web app exploitation

  • Capstone: deploy DVWA, attack it from Kali, write the detection, and build proof that it works

Course Content

10 modules • 56 lessons

Module 1: Welcome

Meet your instructor, learn how the platform works, and get oriented before diving into Purple Team Detection Engineering.

Module 2: The Purple Team Mindset

Why purple teaming changes everything. The philosophy behind treating detections as code and adversary behavior as test cases.
1
Purple Team Detection Engineering
12 min
2
Red vs Blue vs Purple
8 min
3
Knowledge Check: Purple Team Fundamentals
5 min
4
Discussion: What Does Your Current Detection Coverage Look Like?
0 min

Module 3: Building Your Detection Lab

Architect and deploy a fully isolated purple team lab with Active Directory, SIEM, and full telemetry.
1
Lab Architecture
18 min
2
Setting Up VMware Workstation Pro & Building Your Virtual Machines
45 min
3
Troubleshooting Your Lab: Common Issues & Fixes
15 min
4
Deploying pfSense & Network Setup
30 min
5
SIEM — Architecture Overview
15 min
6
SIEM Script Walkthrough
20 min
7
Deploying Sysmon
22 min
8
Populating Active Directory with BadBlood
10 min
9
Navigating Elastic SIEM & Kibana: Your Command Center
10 min
10
pfSense at a Glance: Firewall Logs and Network Visibility
9 min
11
Reading Sysmon Like a Book: Event IDs That Matter
10 min
12
Active Directory Orientation: What BadBlood Built and Why It Matters
0 min
13
Your Lab Checklist: Confirming Everything Works Together
0 min
14
Assignment: Deploy and Document Your Lab
0 min

Module 4: Emulation Frameworks & Tooling

Master MITRE Caldera, Atomic Red Team, and Sliver C2 for structured adversary emulation.
1
MITRE Caldera: Building Adversary Profiles
35 min
2
Atomic Red Team: Unit Testing for Detections
30 min
3
Sliver C2: Realistic Command and Control
35 min
4
Knowledge Check: Emulation Frameworks
5 min
5
Discussion: Choosing the Right Tool for the Job
10 min

Module 5: The Detection Engineering Pipeline

From technique selection to Sigma rule deployment — build a repeatable, version-controlled detection workflow.
1
Step 1: Technique Selection & Threat Modeling
15 min
2
Step 2: Emulate and Verify Telemetry
18 min
3
Step 3: Writing Sigma Detection Rules
28 min
4
Step 4: Test, Validate, Iterate
10 min
5
Knowledge Check: Detection Engineering Pipeline
5 min

Module 6: Credential Access & Identity Attacks

Emulate and detect credential dumping, token theft, OAuth abuse, and identity-first attack chains.
1
LSASS Credential Dumping: Three Methods, One Detection
30 min
2
Identity-First Attacks: OAuth Abuse & Token Theft
28 min
3
Knowledge Check: Credential Access & Identity
5 min

Module 7: Living-off-the-Land & Persistence

Detect LOLBin abuse, scheduled task persistence, registry run keys, and service manipulation.
1
LOLBin Detection: certutil, mshta, rundll32, and Beyond
32 min
2
Scheduled Task Persistence: A Complete Purple Team Exercise
35 min
3
Assignment: Build a LOLBin Detection Pack
0 min
4
Knowledge Check: LOLBins & Persistence
5 min

Module 8: Active Directory & Lateral Movement

Detect Golden Ticket, DCSync, Kerberoasting, pass-the-hash, and lateral movement techniques.
1
Kerberoasting & AS-REP Roasting Detection
38 min
2
Golden Ticket, DCSync, and Domain Persistence
38 min
3
Lateral Movement: Pass-the-Hash & SMB Abuse
40 min
4
Knowledge Check: AD Attacks & Lateral Movement
5 min

Module 9: Operationalizing Purple Team Programs

Track coverage with VECTR, build CI/CD for detection rules, measure MTTD, and report to leadership.
1
Tracking Coverage with VECTR
40 min
2
CI/CD for Detection Rules
40 min
3
Measuring What Matters: MTTD, Coverage, and False Positive Rates
40 min
4
Building the Culture: Blameless Retrospectives & Continuous Practice
40 min
5
Final Assignment: Your 30-Day Purple Team Roadmap
0 min
6
Final Knowledge Check: Purple Team Operations
8 min

Module 10: Capstone: Web Application Attack & Detection

Deploy a vulnerable web application, attack it from Kali, collect the evidence, and prove you can detect it. This is where everything you have built gets tested.
1
The Capstone: What You Are About to Prove
8 min
2
Deploying DVWA: Your Vulnerable Target
20 min
3
The Log Layers of a Web Application
15 min
4
The Attack: Manual Exploitation from Kali
25 min
5
Collecting and Forwarding the Evidence
18 min
6
Capstone Assignment: Detect the Intrusion
0 min
Purple Team Detection Engineering | Malvik Security