What do I think of the Detection Engineering for Beginners course from TCM Security with Anthony Isherwood?

I recently finished the Detection Engineering for Beginners course by TCM Security, taught by Anthony Isherwood. As always, I’ll keep this post short and focused just like the course claimed to be “for beginners”… more on that below.

My Thoughts

Let’s start with this: not every course is for everybody and that’s perfectly fine. The first part of this course really worked for me. It covered detection fundamentals, SIEMs, MITRE ATT&CK, and the detection engineering workflow. It was clear, structured, and easy to grasp even if you’re not already deep into detection engineering.

But the second half? Not really for me. That doesn’t mean it was bad, far from it. It just focused on tooling and workflows (Elastic Stack, TOML, GitHub automation, etc.) that don’t play a big role in my current work. That part is definitely for people already working in detection engineering, or who are planning to.

That leads me to a key point: the course is called “for beginners”, but I’d argue it’s more “beginner-friendly for people on the detection engineering path”. If you’re brand new to cybersecurity or mostly doing SOC analyst work, expect to hit a steep learning curve after the fundamentals.

That said, Anthony Isherwood is next level when it comes to explaining complex detection engineering concepts. He clearly knows what he’s doing and how to teach it. If you want to build a strong foundation in this area, his guidance is gold.

Also, set aside a few extra days for the labs. This isn’t the kind of course you can just watch passively. To actually get good at this, you need to get hands-on. The labs are technical, practical, and time-consuming in a good way.

If you’re thinking about taking Security Operations – SOC 101 as well, I’d say this course goes hand in hand with it.

Highlights

Here’s what stood out to me:

  • Solid theory section: The early modules on SIEMs, workflows, detection quality, and MITRE ATT&CK were spot-on and approachable.
  • Hands-on lab work: Expect to invest time. This isn’t click-through content; it’s real work. But it’s worth it.
  • Attack simulation and detection creation: Full attack chains and the process of writing and confirming alerts made this feel real.
  • TOML and GitHub automation: Great content if you’re already on a team building structured detections at scale.
  • Metrics and dashboards: This was a nice bonus, showing how to track and visualize detection quality in a real-world way.

Final Verdict

The Detection Engineering for Beginners course is a strong offering. But don’t let the title mislead you: this isn’t for complete security newbies. It’s best suited for people transitioning into, or already working in, detection-focused roles. (My thoughts)

Would I recommend it? Absolutely, if you’re working toward becoming a detection engineer.

Just be ready to get your hands dirty in the lab, and give yourself enough time to actually practice. Theory alone won’t cut it in this field.

And if you’re also planning to take SOC 101, these two courses complement each other really well.

Course Curriculum

Here’s the full list of topics included in the course. Note that just watching the videos isn’t enough; budget extra days for the labs if you want to truly grasp and apply everything. I think it is about 11 hours of video.

Introduction

  • Welcome! (7:00)

Theory

  • Security Operations (11:38)
  • Role Variety (4:54)
  • Security Incident and Event Management (7:27)
  • The Detection Engineering Workflow (14:05)
  • What Makes a Good Detection (4:18)
  • Technology Stack for Detection Engineering (17:05)
  • MITRE ATT&CK Framework (4:33)
  • Navigating the MITRE ATT&CK Matrix (8:08)

Lab Setup

  • Lab Overview (3:13)
  • File Downloads (2:31)
  • Importing ParrotOS, Windows 11, and Ubuntu into VirtualBox (~12 min total)
  • Creating VM Snapshots and Configurations (~5 min)
  • Installing Zeek (5:42)

Elastic Setup

  • Elastic Overview and Setup (~30 min total)
  • Zeek and Sysmon Logging Verification (~30 min)
  • Improving PowerShell Visibility (4:14)

Attack Scenarios

  • Scenario 1: Setup to Detections (~40 min)
  • Scenario 2: Multi-step Attack and Alerts (~50 min)
  • Scenario 3: Full Chain Execution and Detection (~1 hour)

Atomic Red Team

  • Introduction and Running Atomics (~25 min)

TOML

  • From Basics to Advanced Validation and Templates (~2+ hours total)

Elastic API

  • API Key Usage and Rule Management (~1.5 hours)

GitHub & Automation

  • GitHub Actions, Validation, and Elastic Sync (~1.5+ hours)

Metrics

  • Generating CSV, MD, ATT&CK Navigator JSON, and Badges (~1.5 hours)
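The TOML, validation and metrics topics above (and the "TOML and GitHub automation" and "Metrics and dashboards" highlights earlier) describe one pipeline: rules live as TOML files, a validation step rejects malformed ones, and the survivors are rolled up into CSV, Markdown and an ATT&CK Navigator layer. The script below is an added example of that pipeline, written for this post; it is not course material or Elastic's detection-rules code. The rule schema (`[rule]` with `name`, `severity`, `risk_score`, `tactic`, `techniques`, `query`) is a simplified stand-in of my own, the three rule files are constructed samples, and the Navigator layer version numbers are assumed.

```python
"""Added example, not the course's code: validate TOML detection rules, then
roll the valid ones up into CSV, Markdown and an ATT&CK Navigator layer."""
import csv, io, json, re

try:
    import tomllib                       # stdlib on Python 3.11+
except ImportError:                      # older interpreters: subset parser below
    tomllib = None

# Constructed sample rule files (simplified schema, not Elastic's exact format).
RULE_FILES = {
    "powershell_encoded.toml": """
[metadata]
creation_date = "2024-01-10"
[rule]
name = "Encoded PowerShell Command"
severity = "high"
risk_score = 73
tactic = "execution"
techniques = ["T1059.001"]
query = 'process.name : "powershell.exe" and process.args : "-enc*"'
""",
    "lsass_access.toml": """
[metadata]
creation_date = "2024-02-03"
[rule]
name = "Suspicious LSASS Handle"
severity = "critical"
risk_score = 99
tactic = "credential-access"
techniques = ["T1003.001"]
query = 'event.code : "10" and winlog.event_data.TargetImage : "*lsass.exe"'
""",
    "broken.toml": """
[rule]
name = "Half-finished rule"
severity = "urgent"
risk_score = 150
tactic = "execution"
techniques = ["1059"]
query = ""
""",
}

REQUIRED = ("name", "severity", "risk_score", "tactic", "techniques", "query")
SEVERITIES = {"low", "medium", "high", "critical"}
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")   # T1234 or T1234.001

def _parse_subset(text):
    """Fallback for the flat TOML subset used here (tables, strings, ints, string arrays)."""
    doc, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            table = doc.setdefault(line[1:-1], {})
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if value.startswith("["):
            parsed = [v.strip().strip("\"'") for v in value[1:-1].split(",") if v.strip()]
        elif value[:1] in "\"'":
            parsed = value[1:-1]
        else:
            parsed = int(value)
        (table if table is not None else doc)[key.strip()] = parsed
    return doc

def load_rule(text):
    return tomllib.loads(text) if tomllib else _parse_subset(text)

def validate_rule(doc):
    """Return a list of problems; an empty list means the rule passes."""
    rule = doc.get("rule", {})
    problems = [f"missing field: {k}" for k in REQUIRED if k not in rule]
    if problems:
        return problems
    if rule["severity"] not in SEVERITIES:
        problems.append(f"unknown severity: {rule['severity']}")
    if not (isinstance(rule["risk_score"], int) and 0 <= rule["risk_score"] <= 100):
        problems.append(f"risk_score out of range: {rule['risk_score']}")
    bad = [t for t in rule["techniques"] if not TECHNIQUE_RE.match(t)]
    if bad:
        problems.append(f"malformed technique ids: {bad}")
    if not rule["query"].strip():
        problems.append("empty query")
    return problems

def collect(rule_files):
    """Validate every file; return (valid rule tables, {filename: problems})."""
    valid, rejected = [], {}
    for fname, text in rule_files.items():
        doc = load_rule(text)
        problems = validate_rule(doc)
        if problems:
            rejected[fname] = problems
        else:
            valid.append(doc["rule"])
    return valid, rejected

def technique_counts(rules):
    counts = {}
    for r in rules:
        for t in r["techniques"]:
            counts[t] = counts.get(t, 0) + 1
    return counts

def to_csv(rules):
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["name", "severity", "risk_score", "tactic", "techniques"])
    for r in rules:
        w.writerow([r["name"], r["severity"], r["risk_score"], r["tactic"], ";".join(r["techniques"])])
    return buf.getvalue()

def to_markdown(rules):
    lines = ["| Rule | Severity | Tactic | Techniques |", "|---|---|---|---|"]
    lines += [f"| {r['name']} | {r['severity']} | {r['tactic']} | {', '.join(r['techniques'])} |" for r in rules]
    return "\n".join(lines)

def to_navigator_layer(rules, name="Detection coverage"):
    """ATT&CK Navigator layer: one entry per technique, score = number of rules covering it."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"layer": "4.5", "navigator": "4.9"},   # assumed, adjust to your Navigator
        "techniques": [{"techniqueID": t, "score": n} for t, n in sorted(technique_counts(rules).items())],
    }

if __name__ == "__main__":
    rules, rejected = collect(RULE_FILES)
    for fname, problems in rejected.items():
        print(f"REJECTED {fname}: {'; '.join(problems)}")
    print(to_csv(rules))
    print(to_markdown(rules))
    print(json.dumps(to_navigator_layer(rules), indent=2))
```

In a repository this is the shape of check a GitHub Action would run on every pull request: a rule with an unknown severity, an out-of-range score, a malformed technique ID or an empty query is rejected before it ever reaches the SIEM, and the generated CSV, Markdown table and Navigator layer are the artifacts a dashboard or README can consume.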

Conclusion

  • Farewell (4:00)

The End

Keep Hacking!

//Roger
