90-Day Program

90 days to detection engineer.

Build 11 production-grade Microsoft Sentinel detections mapped to real threat actors. Real KQL, real logs, real triggers. A GitHub portfolio that proves you can do the job.

Rules analyzed: 312
Initial Access: 82% · Privilege Escalation: 74% · Lateral Movement: 41% · Defense Evasion: 29%
About Charles
Charles Garrett
Principal Detection Engineer · Founder, Purple Shell Security

I know what bad detections look like from the inside. I spent years on the defensive side of financial services, validating controls, reviewing detection logic, and tuning rules in AWS and GCP production environments. Azure is where I went deeper on my own. Adversary Lab is how I built it in public.

Adversary Lab is the detection content arm of Purple Shell Security. Need it deployed? Purple Shell builds detection programs for teams →

What You'll Build
Everything you need to build your first detection.
Free Lab Setup Course
Before week one starts you get a free course that deploys your Azure lab and verifies your logs are flowing. When week one begins your environment is ready and you can focus on the actual work.
FREE
11 Sentinel Detections
APT29, Scattered Spider, Silk Typhoon, Lace Tempest, and Octo Tempest. Real tradecraft from public incident reporting translated into KQL you deploy in your own Sentinel workspace.
INCLUDED
GitHub Portfolio
Every detection documented and deployed. A polished GitHub portfolio you own when the program ends. Proof you can do the job before you walk into an interview.
INCLUDED
The Program
What 90 days actually looks like.

One lesson per week. Every week builds on the last. 5 to 7 hours of hands-on work per week. Ship something every single week or you're falling behind.

01
Phase 1 — Foundations (Weeks 0-3)
Deploy the lab, verify logs are flowing, and build your KQL foundation. Week 3 is threat research and actor tracking — understanding how APT29, Scattered Spider, and others actually operate before you try to detect them.
02
Phase 2 — Build the Detections (Weeks 4-9)
Six weeks of detection building. Identity labs, privilege escalation, RBAC and lateral movement, defense evasion, runbooks, Key Vault. 11 production-grade Sentinel detections mapped to real threat actor techniques. Week 9 is the critical one.
03
Week 10 — Red Team Your Detections
You try to break the 11 detections you just built. Run evasions in your lab, document what fires and what doesn't, improve what failed. Most candidates show detections they built. Almost none show detections they tried to bypass. That's where the interview invitations live.
04
Weeks 11-12 — Build the Portfolio
Week 11 you personalize the pre-built scaffold: 11 detection folders, MITRE mappings, KQL, trigger scripts, screenshots. Week 12 you write a full investigation walkthrough. Most candidates skip this. The ones who don't skip it are the ones who get senior offers.
05
Week 13 — Ship It
Public repo. LinkedIn updated. Targeting companies. You started with zero detections in a live environment. You're ending with 11 production Sentinel detections, a red team document, and an investigation walkthrough that most senior candidates don't have.
This Is For You
Built for practitioners ready to do the work.
SOC Analyst
Escape the alert queue
Done triaging alerts someone else wrote. In 90 days you go from analyst to detection engineer with 11 production detections and a GitHub portfolio to prove it.
Security Consultant
Build detections. Don't just recommend them.
Detection engineering separates consultants who advise from those who deliver. The Accelerator gives you the hands-on skills to build detections yourself. Need a custom engagement for a client? Let's talk.

Book a scoping call →
Security Engineer
Add detection engineering depth
Detection engineering is the highest-leverage skill in security right now. The Accelerator gives you 11 production Sentinel detections mapped to real threat actors. Hands-on depth you can point to in any conversation.
Detection Engineer Accelerator
Start with the free lab. Enroll when you're ready.

Deploy your Azure detection lab for free and see exactly what the program looks like before you pay anything. When you're ready to build the detections, $497 gets you the full 13-week program.

11 production-grade Sentinel detections
5 real threat actors — APT29, Scattered Spider, Silk Typhoon, Lace Tempest, Octo Tempest
GitHub portfolio ready for interviews
Certificate of completion
30-min 1:1 with Charles — founding members only, first 15 seats
Self-paced. Start anytime.
$497
founding price
15 seats · 1:1 included
Deploy the Free Lab →
Free to start. Enroll inside.
Teams & Organizations
Need it done for you?

Purple Shell Security designs and deploys detection engineering programs for organizations that need production-ready detections without the full-time headcount. Threat-informed, environment-specific, and built to last.

Book a Call →