Detection Engineering & Threat Hunting

AWS Certified Security — Specialty (SCS-C02)

Deep AWS security: IAM, data protection, detection, incident response within AWS primitives.

Microsoft Certified: Azure Security Engineer Associate

Azure-native security engineering: Entra ID, network controls, Defender, Sentinel.

Security Blue Team Level 1

The BTL1 is one of the most practical entry-level certifications in the defensive area of cybersecurity. The exam is a complete 24-hour incident response scenario in a real lab environment – not a multiple-choice test. For career changers and entry-level professionals, it is a credible proof of competency that offers employers more meaningful value than many purely knowledge-based certificates. The course covers phishing analysis, SIEM, digital forensics, threat intelligence, and incident response. The certificate never expires, making it attractive long-term.

Security Blue Team Level 2

Security Blue Team Level 2

Certified CyberDefender

Certified CyberDefender

Certified Cybersecurity Operations Analyst

ISACA certification for SOC analysts with hybrid exam of multiple choice and performance-based questions. Focus on incident detection, response, and threat analysis. New since 2024.

Cisco Certified CyberOps Professional

Cisco Certified CyberOps Professional

Certified Information Systems Security Professional

Breadth across security engineering, architecture, operations, and governance at senior-IC / manager level. The default senior-generalist signal.

CrowdStrike Certified Falcon Administrator

Day-to-day administration of the market-leading EDR platform — sensor deployment, policy authoring, and detection triage in Falcon.

EC Council Certified SOC Analyst

EC Council Certified SOC Analyst

ISACA Cybersecurity Practitioner

ISACA Cybersecurity Practitioner

EC Council Certified Threat intelligence Analyst

EC Council Certified Threat Intelligence Analyst

CompTIA Cybersecurity Analyst+

SOC analyst skills: triage, log analysis, vulnerability management basics.

Elastic Certified Engineer

Stands up and operates Elastic Stack clusters — search, observability, and security-analytics workloads on a real cluster.

Fortinet Certified Professional - Security Operations

Fortinet Certified Professional - Security Operations

Fortinet Certified Solution Specialist - Security Operations

Fortinet Certified Solution Specialist - Security Operations

GIAC Certified Detection Analyst

GIAC Certified Detection Analyst

GIAC Certified Enterprise Defender

GIAC Certified Enterprise Defender

GIAC Certified Intrusion Analyst

Packet and log analysis, detection engineering fundamentals.

GIAC Cloud Threat Detection

GIAC Cloud Threat Detection

GIAC Cyber Threat Intelligence

Structured threat intel production, ATT&CK, analytic tradecraft.

GIAC Defending Advanced Threats

GIAC Defending Advanced Threats

GIAC Continuous Monitoring

GIAC Continuous Monitoring

GIAC Network Forensic Analyst

GIAC Network Forensic Analyst

GIAC Reverse Engineering Malware

Static + dynamic malware analysis, unpacking, custom RE tooling.

GIAC Security Expert

The GIAC Security Expert (GSE) is the highest distinction in the GIAC certification system and was fundamentally reformed in 2023/2024: Instead of a single exam, it is now awarded as a portfolio certification. Those who demonstrate six Practitioner and four Applied Knowledge certifications (hands-on, proctored lab exams) automatically receive GSE status. The model enforces genuine breadth and depth – which increases credibility compared to earlier pure knowledge tests. However, the effort (cost, time, multiple exams) is considerable; the GSE is therefore clearly aimed at experienced experts pursuing SANS/GIAC as a career path. In Europe, awareness outside the SANS community is still limited.

GIAC Security Operations Certified

SOC operations, alert triage, metrics, SOAR.

Hack the Box Certified Defensive Security Analyst

Hack the Box Certified Defensive Security Analyst

MITRE ATT&CK Defender — ATT&CK Fundamentals

Introductory course to the MITRE ATT&CK framework. Mandatory prerequisite for all advanced MAD20 tracks. 18 lectures, 1 hands-on lab, 1 range scenario. Covers fundamentals of ATT&CK: tactics, techniques, groups, software and mitigations. Badge upon completion (2 CPE hours).

MITRE ATT&CK Defender — Purple Teaming

MAD20 track for Purple Teaming with ATT&CK methodology. 32 lectures, planning and execution walkthroughs. Covers coordination between red and blue teams using the ATT&CK framework. Badge upon completion (13 CPE hours).

MITRE ATT&CK Defender — SOC Assessment

MAD20 track for assessing SOC capabilities using the ATT&CK framework. 17 lectures, heatmap and defensive recommendation walkthroughs. Teaches methodology for systematic assessment of detection coverage. Not a traditional certificate, but a badge upon course completion (9 CPE hours).

MITRE ATT&CK Defender — Threat Hunting and Detection Engineering

MAD20 track for Threat Hunting and Detection Engineering with ATT&CK. 28 lectures, complete analytics walkthroughs, 60+ range scenarios. Covers systematic development of detection rules and hunting hypotheses based on ATT&CK techniques. Badge upon completion (9 CPE hours).

Offensive Security Defense Analyst

Offensive Security Defense Analyst

Palo Alto Networks Certified Detection and Remediation Analyst

Palo Alto Networks Certified Detection and Remediation Analyst

Microsoft Certified: Security Operations Analyst Associate

The SC-200 is Microsoft's role-based certification for Security Operations – with clear focus on its own product ecosystem (Microsoft Sentinel, Defender XDR, Security Copilot). It is not a vendor-neutral SOC certificate, but specifically validates the ability to detect and respond to threats in Azure and M365 environments. For teams already heavily invested in Microsoft technologies, it is very practical and relevant to the job market. Outside this stack, it loses significant weight. The exam will be updated on April 16, 2026 – candidates should review the current Study Guide.

Splunk Core Certified User

Foundational SPL fluency — search, filter, and report on Splunk data without breaking it.

Splunk Enterprise Security Certified Admin

Operates and tunes Splunk Enterprise Security — content, correlation searches, notable events, and risk-based alerting.