You know the stuff.
You just can't prove it.

Every detection engineering interview ends the same way. "Show me something you've built." Not a cert. Not a course completion. A detection. The logic, the testing, the reasoning behind it.

Most people freeze. Not because they can't do it. Because they've never had the environment to do it in.

This is that environment.

11 hands-on labs. 11 portfolio-ready detections. Real techniques from APT29, Scattered Spider, LAPSUS$, and Silk Typhoon. Every one mapped to MITRE ATT&CK. Every one built on production-grade infrastructure.

Here's what nobody tells you about breaking into detection engineering.

You can study for months. Read every blog. Watch every conference talk. Get your certs. And you'll still walk into an interview with nothing to show.

Nobody gives you an environment to build in. Not your SOC. Not your employer. Not any course you've taken. So you sit there while the interviewer asks you to walk through a detection you built.

And you have nothing.

Not because you couldn't do it. Because you never had the chance.

Meanwhile, people with half your knowledge are landing roles. They can point to something real. A detection. A write-up. A portfolio that says "I built this. Here's how it works. Here's why it fires."

That's the gap this closes.
Charles Garrett

Built by someone who does this every day.

I'm Charles Garrett. I build and test detections in production at financial services companies. Not the kind that look good in a blog post and fire 500 false positives a day. The kind that actually survive tuning and catch things.

I wrote the Cloud Threat Hunting Field Manual and the Azure Cloud Defense Field Manual. Every week I publish a breakdown of what's happening in Azure and M365 security, along with detection content for the threats that matter.

I built the open-source Adversary Lab so anyone could stand up a detection environment. The Pro course is what I wish existed when I was coming up. Real reps. Real threat actors. Real detections you walk away with.

Here's everything inside Adversary Lab Pro.

Real Breach Stories That Drive Every Module

Each module starts with the real attack. APT29 inside Microsoft for months using OAuth apps. LAPSUS$ social engineering their way to Global Admin. Silk Typhoon pivoting from on-prem Exchange into Azure Key Vaults. You learn how the breach happened before you build the detection for it. Context first. KQL second.

Threat Research Foundations

Before you build anything, you learn how detection engineers actually think. You'll navigate MITRE ATT&CK, cross-reference techniques with Microsoft's Azure Threat Research Matrix, and map a full attack chain from initial access to data exfiltration. This is the framework behind every detection you'll write.

KQL From Scratch

You don't need to know KQL before you start. Module 2 takes you from your first query to parsing nested JSON in Azure logs. Four patterns cover every log source you'll touch in the course. By the end of the module, you're writing detection queries on your own.

Security bootcamps charge $2,000 to $5,000 for less hands-on work than this.

11 Guided Detection Labs

Each lab walks you through a real-world threat technique. You execute the attack in your own Azure environment using Stratus Red Team. You find the evidence in the logs. You write the detection query. You tune it for production with allowlists and false positive management. These aren't walkthroughs you watch. You build them yourself.

Interview coaching runs $150 to $300 an hour. One session won't build you a portfolio. This will.

Portfolio Template With a Completed Example

Every lab produces a finished portfolio entry. The threat actor. The MITRE ATT&CK mapping. The KQL. The tuning rationale. The evidence screenshots. You get the exact template and a fully completed example so you know what good looks like. This is what you hand to an interviewer.

Production-Grade Lab Environment

The open-source Adversary Lab gives you a full Azure environment. Microsoft Sentinel. Sysmon. Data collection rules. Stratus Red Team integration. Attack trigger scripts for every lab. This is the same tooling used in real SOCs. You're not learning on toy infrastructure.

SANS courses are $8,780 for just the course.

Community Access

You're inside a private community of detection engineers building alongside you. Ask questions. Share detections. Get feedback. This isn't a Discord server with 10,000 lurkers. It's a small group of people doing the work.

Weekly Azure and M365 Security Breakdowns

Every week I break down what's happening in the Azure and M365 threat landscape. What changed. What's being exploited. What you should actually care about. Plus detection breakdowns you can learn from.

Monthly Content Updates

This isn't a static course you finish and forget. Every month there's new content. A new detection. A new threat technique. A new write-up. The lab keeps growing, and so does your portfolio.

Here's what the first lab actually looks like.

January 2024. APT29 inside Microsoft's corporate environment for months. Not through a zero-day. Through OAuth applications.

That's how every lab starts. The real breach. Then you map the technique to MITRE ATT&CK, execute it in your own Azure environment, and build the detection from scratch. The KQL. The tuning. The write-up.

When you're done, you have a finished portfolio entry you can hand to an interviewer and walk them through every decision you made. That's one lab.

You've seen what everything else costs.

Adversary Lab Pro is $150 a month.

An entire lab environment, 11 guided detection builds, portfolio-ready write-ups, community access, weekly threat breakdowns, and new content every month. If you land a detection engineering role, where the average salary is over $130,000, you make back your entire investment in less than a day on the job.

This is founding member pricing. It won't stay at $150 a month. Only 10 founding member spots exist. 3 are already taken. Once the remaining spots fill, the price increases. If you're in now, you lock in the founding rate for as long as you're a member.

Complete 3 labs in your first 60 days. Build 3 real detections. If you don't feel more prepared walking into a detection engineering interview, I'll refund you. Full amount. No questions.

You already know what the interview looks like.

They're going to ask you to show something you built. Not talk about it. Not explain a concept. Show the detection. Walk through the logic. Explain why it fires and what it catches.

You can keep studying and waiting for someone to give you a chance to build detections on the job. That might work. Eventually.

Or you can start building them now. So when that interview comes, you open your portfolio and say "here's eleven."

Either way, the interview is coming. The only question is what you'll have ready when it does.

Start Building Your Portfolio