Detection. Triage. Containment. Validation. Ready to Deploy.

Because a GitHub repo with KQL isn't a detection program.

You Know This Week

Another threat report hits your inbox. New persistence technique. Your coverage: zero.

So you start the cycle again:

Research.

Scattered blog posts. Outdated threat intel. That one Microsoft doc from 2022 that's mostly still accurate.

Build.

Writing KQL from scratch. No template. No validation. No blueprint. Just you and a blinking cursor.

Test.

In production. Because there's no lab. Because there's never a lab.

Tune.

False positives flood the queue. Your analysts are drowning. You're back in the code.

Document.

If there's time. There's never time.

15 to 30 hours. Per detection.

And while you're still researching, the attacker is already inside.

The Math That Keeps You Up at Night

Your coverage sits at 40%. You know this. Leadership knows this. The auditors definitely know this.

But here's what really hurts:

When something slips through (and something always slips through), your name is on the incident report.

Not the vendor's. Not the blogger's whose half-finished KQL you adapted. Yours.

What If the Detection Was Already Built?

Not a blog post with pseudocode. Not a conference talk with "left as an exercise for the reader."

A complete detection playbook:

Ready to deploy in hours.

Get a Complete Detection Playbook — $49

Service Principal Credential Addition Detection:
The persistence technique most teams miss.

What's inside:

  • Detection rule with secondary credential filtering (excludes legitimate new SPs)
  • 60-second triage decision tree (Identity Protection vs. manual baseline methods)
  • True positive / false positive indicators for fast decisions
  • 6-step investigation procedure with copy-paste KQL
  • Baseline comparison queries for dormant SP activation
  • Escalation criteria by severity (Critical / High / Medium)
  • 15-minute containment sequence with evidence preservation
  • PowerShell commands for credential removal
  • Validation mechanism to trigger the rule in your tenant
  • Incident documentation template

Building this yourself: 15-30 hours

Hiring a contractor: $3,000+

This playbook: $49

Get the Playbook — $49

Stop Building Alone

A new detection playbook every month, built around the threats that matter most in Azure environments. Founding members get priority input on the roadmap.

$150/month
9 spots left at this price

What founding members get:

  • New detection playbook delivered the 1st of every month
  • You shape the roadmap
    Founding members tell me what they're seeing. February's playbook? You decide.
  • Access to everything
    All current and future playbooks, immediately.
  • Azure lab environment
    Test before you deploy. No more production experiments.
  • Community calls
    Monthly calls with Azure SecOps professionals facing the same threats you are.
  • This price. Forever.
    After founding spots fill, it's $200/month. You keep $150.

This isn't a content subscription. It's your detection gap closing every month.

Become a Founding Member — $150/month

Already Delivered

November 2025: Service Principal Credential Addition Detection

December 2025: Malicious App Registration Detection

January 2026: Illicit OAuth Consent Grant Detection

Shipping Next

February 2026: [Shaped by founding members]

March 2026: [Shaped by founding members]

April 2026: [Shaped by founding members]

Why This Exists

Charles Garrett

SecOps Engineer. Author. I got tired of detections that looked great in a demo and useless in production.

I wrote the Cloud Threat Hunting Field Manual: Azure and the Azure Cloud Defense Field Manual—350+ pages of detection engineering, incident response, and MITRE ATT&CK mappings.

I've validated, tuned, and fixed hundreds of detections in financial services environments. I know what survives production, what drowns teams in false positives, and what actually catches threats.

No theory. No blog post speculation.

Just detections that work, documented so you can deploy them today.

What People Are Saying

"An awesome lab environment to level up threat detection and incident response skills."

— IT Infrastructure & Security Executive

"What Charles is putting together is the 'rubber meets the road' part of security that is very important (and often overlooked)."

— Security Architect

FAQ

What format are the playbooks?

Markdown. Easy to reference, easy to adapt, easy to drop into your documentation.

What if I need a specific detection?

Founding members shape what gets built. If you're seeing a threat, tell me. I'll build the detection.

Is $150/month worth it?

One playbook from a contractor: $3,000+

One playbook built yourself: 15-30 hours

This: $150/month. New playbook on the 1st.

When do I get charged?

Day you join, then every 30 days. You get immediate access to the full playbook library.

What happens after 10 founding members?

Price goes to $200/month. You can still request coverage, but founding members get priority.

Need something custom for your environment?

Let's talk →

Ready to Stop Rebuilding From Scratch?

Start here: Get a playbook for $49 and see what production-ready looks like.

Already convinced? Lock in founding member pricing before spots fill.