Roadmap

SOC Analyst — Tier 1

The frontline defender of a Security Operations Center. Monitors alerts, triages threats, and escalates incidents before they become breaches.

OPTIMISTIC 6 monthsREALISTIC 12–18 months

Stage 00

Computer & IT Fundamentals

Start here regardless of background. Every security concept assumes this knowledge exists. Skipping this stage means hitting a wall in Stage 2.

Computer Hardware

CPU — cores, threads, clock speed, role in processing
RAM — volatile storage, why it matters for forensics and memory analysis
Storage types — HDD vs SSD vs NVMe, how data persists
NIC — network interface, MAC address origin
Motherboard — bus architecture, how components communicate
Physical vs virtual machines — hardware abstraction

Number Systems

Binary (base-2) — reading and converting, why computers use it
Hexadecimal (base-16) — reading memory addresses, file hashes, color codes
Decimal to binary to hex conversions
Bit vs byte vs kilobyte vs megabyte — data size literacy

How Operating Systems Work

What an OS does — abstraction layer between hardware and software
Kernel vs user space — privilege separation
Processes and threads — what they are, how the OS manages them
Memory management — virtual memory, paging, RAM allocation
File systems — NTFS (Windows), ext4 (Linux), FAT32
System calls — how programs communicate with the OS
Boot process — BIOS/UEFI → bootloader → kernel → init/systemd

Software Basics

How programs compile and execute
Static vs dynamic libraries
Environment variables and PATH
What a service/daemon is vs an application

Virtualization

Type 1 hypervisor (bare metal) vs Type 2 (hosted)
VMware, VirtualBox, Proxmox, Hyper-V
Virtual machines vs containers — key distinctions
Snapshots — why they matter for lab work and forensics

Resources

CS50 Introduction to Computer Science (Harvard, free)
Professor Messer CompTIA A+ (free YouTube)
TryHackMe Pre-Security path (free)

Stage 01

Operating Systems in Depth

SOC analysts investigate Windows machines 80% of the time. Linux runs most security tools and servers. You need both before any security tooling makes sense.

Windows

Directory structure — C:\Windows, C:\Users, C:\Program Files, C:\ProgramData, C:\Temp
Registry — hives (HKLM, HKCU, HKCR, HKU), keys, values — what lives where and why attackers abuse it
Windows services — start types, service accounts, SCM (services.msc)
Task Scheduler — structure, how attackers use it for persistence
User account types — local, domain, administrator, SYSTEM, service accounts
Windows permissions — NTFS ACLs, inheritance, effective permissions
Windows Firewall — profiles (domain/private/public), inbound/outbound rules, netsh
Group Policy basics — what it enforces, where settings live (SYSVOL, Local vs Domain GPO)
WMI (Windows Management Instrumentation) — what it does, why attackers love it for persistence and lateral movement
PowerShell — execution policy, command history, logging, common cmdlets (Get-Process, Get-Service, Get-EventLog, Invoke-Expression)
Windows Event Log — structure, log types (Security, System, Application, Sysmon, PowerShell)
4624 — Successful logon
4625 — Failed logon
4634 — Logoff
4648 — Logon with explicit credentials
4688 — Process creation
4698 — Scheduled task created
4720 — User account created
4732 — Member added to security-enabled local group
4776 — Domain controller credential validation
7045 — New service installed
Prefetch, Shimcache, Amcache — forensic artifacts, what they record
Windows Defender — logs, detections, exclusion abuse

Linux

Filesystem hierarchy — /etc, /var, /tmp, /home, /proc, /sys, /bin, /usr/bin, /sbin
Terminal navigation — cd, ls, cat, grep, find, less, head, tail, chmod, chown, mv, cp, rm
File permissions — rwx, octal notation (755, 644), setuid/setgid/sticky bit
Users and groups — /etc/passwd, /etc/shadow, /etc/group structure
Process management — ps aux, top, htop, kill, nice, pgrep
Package management — apt (Debian/Ubuntu), yum/dnf (RHEL/CentOS)
Systemd — units, services, journalctl -u, systemctl status/start/stop/enable
Cron jobs — crontab syntax, /etc/cron.d, /etc/crontab, attacker persistence via cron
Log locations — /var/log/auth.log, /var/log/syslog, /var/log/kern.log, /var/log/apache2/
Bash basics — pipes (|), redirection (>, >>), variables, loops, scripts
SSH — key-based auth, ~/.ssh/config, known_hosts, authorized_keys, how attackers abuse it
sudo — /etc/sudoers, NOPASSWD entries, privilege abuse patterns

Resources

TryHackMe Windows Fundamentals 1/2/3 (free)
TryHackMe Linux Fundamentals 1/2/3 (free)
OverTheWire Bandit (free Linux terminal practice)
SS64 command reference (free)

Stage 02

Networking Fundamentals

Network traffic is your primary evidence source in a SOC. Every alert references IPs, ports, and protocols. Interviewers report 60% of SOC technical questions come from networking. Nothing in Stage 3 onward makes full sense without this.

OSI Model

Layer 1 Physical — cables, fiber, signals, hubs, bit transmission
Layer 2 Data Link — MAC addresses, switches, ARP, frames, VLANs, 802.1Q
Layer 3 Network — IP addresses, routers, routing tables, ICMP, packets
Layer 4 Transport — TCP vs UDP, ports, segments, flow control
Layer 5 Session — session establishment and teardown, NetBIOS
Layer 6 Presentation — encoding, encryption, compression (where TLS context lives)
Layer 7 Application — HTTP, DNS, SMTP, FTP, RDP, SMB
Where attacks happen at each layer — ARP poisoning (L2), IP spoofing (L3), SYN flood (L4), DNS poisoning (L7)

TCP/IP

TCP 3-way handshake — SYN, SYN-ACK, ACK (what each means)
TCP 4-way teardown — FIN, FIN-ACK, ACK
TCP flags — SYN, ACK, FIN, RST, PSH, URG and what each signals in traffic analysis
Half-open connections and SYN flood attacks
UDP — connectionless, no handshake, used for DNS/DHCP/NTP/VoIP/streaming
ICMP — ping, traceroute, unreachable messages, ICMP tunneling as a C2 technique

IP Addressing

IPv4 — octets, address classes (A/B/C), why classes matter less now
Subnetting — CIDR notation, subnet masks, network vs host portions, calculating ranges
Private ranges — 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 (instant recognition)
Loopback — 127.0.0.1 / ::1
APIPA — 169.254.x.x (what it means when you see it)
IPv6 basics — address format, link-local (fe80::), global unicast, why you see it in logs now
NAT — source NAT, PAT, impact on log source attribution

Protocols — Deep Knowledge Required

DNS — A, AAAA, MX, CNAME, TXT, PTR, NS record types; recursive vs iterative resolution; zone transfers; DNS over HTTPS; why DNS is a top exfiltration and C2 channel
DHCP — DORA process (Discover, Offer, Request, Acknowledge); DHCP starvation attack
HTTP — methods (GET, POST, PUT, DELETE, OPTIONS, HEAD), headers (Host, User-Agent, Cookie, Authorization, Content-Type), status codes (200, 301, 302, 400, 401, 403, 404, 500, 503), request/response structure
HTTPS/TLS — handshake process, certificates, SNI field (visible in cleartext), cipher suites, TLS 1.2 vs 1.3
SMB — ports 139/445, file sharing, authentication, NTLM relay, why it is a primary lateral movement protocol
RDP — port 3389, NLA vs non-NLA, session hijacking, brute force exposure
SSH — port 22, key exchange, tunneling, SOCKS proxy via SSH
FTP/SFTP — ports 20/21/22, active vs passive mode, cleartext credential risk
SMTP/IMAP/POP3 — email flow, ports 25/465/587/143/993/110/995, header analysis
SNMP — ports 161/162, community strings, v1/v2c vs v3 security differences
NTP — port 123, time synchronization, why accurate timestamps are critical for log correlation
Kerberos — port 88, TGT and service ticket flow, AS-REQ/AS-REP, how Kerberoasting and AS-REP Roasting work at a conceptual level
LDAP/LDAPS — ports 389/636, directory queries, enumeration risk
WinRM — port 5985/5986, remote management, lateral movement vehicle

Common Ports — Full Reference

20/21 FTP | 22 SSH/SFTP | 23 Telnet | 25 SMTP | 53 DNS | 67/68 DHCP | 80 HTTP | 88 Kerberos | 110 POP3 | 143 IMAP | 389 LDAP | 443 HTTPS | 445 SMB | 465/587 SMTP TLS | 636 LDAPS | 993 IMAPS | 995 POP3S | 1433 MSSQL | 3306 MySQL | 3389 RDP | 5432 PostgreSQL | 5985/5986 WinRM | 6379 Redis | 8080/8443 alt HTTP/HTTPS | 27017 MongoDB

Network Infrastructure

Switches — MAC address tables, port mirroring/SPAN (critical for passive traffic capture)
Routers — routing tables, static vs dynamic routing, default gateway
Firewalls — stateful vs stateless, ACL rule order, zones (LAN/WAN/DMZ), implicit deny
Next-Gen Firewalls (NGFW) — application awareness, integrated IPS, SSL inspection, user-ID
IDS vs IPS — signature-based vs anomaly-based, inline vs passive/tap mode
VPN — IPsec (tunnel vs transport mode), SSL/TLS VPN, split tunneling, always-on VPN
Proxies — forward proxy (outbound filtering), reverse proxy (inbound protection), transparent vs explicit
DMZ — what lives there (public-facing servers), why it is segmented, traffic flow rules
VLANs — logical segmentation, inter-VLAN routing, trunk vs access ports, VLAN hopping attacks
Load balancers — Layer 4 vs Layer 7, relevance to web app traffic analysis

Wireless

WEP (broken), WPA, WPA2 (CCMP/AES), WPA3 — weaknesses and attack relevance
Evil twin attacks, deauthentication attacks, rogue access points
802.1X — enterprise wireless authentication, RADIUS

Network Troubleshooting Tools

ping — ICMP reachability testing
tracert/traceroute — path analysis, hop-by-hop latency
nslookup/dig — DNS query testing, record lookup
netstat/ss — active connections, listening ports, process association
arp — ARP cache inspection, detecting ARP poisoning
ipconfig/ip addr — interface configuration, IP/MAC enumeration
nmap — port scanning, service detection, OS fingerprinting (basic usage at this stage)
Wireshark — introduced here, deep dive in Stage 4

Resources

Professor Messer Network+ (free YouTube)
TryHackMe Pre-Security networking modules (free)
Cisco Packet Tracer (free simulation)
subnettingpractice.com (free)
Professor Messer practice exams ($15)

Stage 03

Security Fundamentals

The language of the entire field. Security+ is your target cert here and the single most required credential in T1 postings. Nothing in Stages 4–9 makes full sense without this foundation.

Core Concepts

CIA Triad — Confidentiality, Integrity, Availability (how every attack maps to one or more)
AAA — Authentication, Authorization, Accounting (distinctions matter)
Non-repudiation — definition, forensic importance
Threat vs vulnerability vs risk vs exposure — precise definitions, not interchangeable
Attack surface — definition, reduction strategies, enumeration
Defense in depth — layered controls, why single controls always fail
Least privilege — principle, implementation, common violations
Zero trust — never trust always verify, microsegmentation, identity-centric
Separation of duties — why it exists, where it applies
Security through obscurity — why it is not a control

Authentication & Identity

Something you know / have / are — MFA factor categories
Password hashing — MD5, SHA-1, SHA-256, bcrypt (why salting matters)
Pass-the-Hash — what it is, why NTLM credential storage is dangerous
Token-based auth — JWT structure, OAuth 2.0 flow, SAML assertions
SSO — how it works, why it is a high-value target for attackers
Certificate-based authentication — PKI, X.509, CA chains, certificate validation
Kerberoasting and AS-REP Roasting — conceptual understanding at this stage

Cryptography Fundamentals

Symmetric encryption — AES (128/256), DES/3DES, key management challenges
Asymmetric encryption — RSA, ECC, public/private key pairs, use cases
Hashing — MD5, SHA-1 (both deprecated), SHA-256, SHA-3 (collision resistance)
Digital signatures — signing process, verification, non-repudiation
PKI — Certificate Authorities, root vs intermediate CAs, certificate lifecycle, revocation (CRL, OCSP)
TLS — handshake steps, forward secrecy (ECDHE), deprecated versions (SSL, TLS 1.0, TLS 1.1)
Encryption at rest vs in transit vs in use

Malware Types & Behavior

Virus — requires host file, self-replicating
Worm — self-propagating, no host needed, spreads via network
Trojan — disguised as legitimate software, no self-replication
Ransomware — encryption mechanism, C2 for key storage, double extortion model, RaaS
Spyware / adware — data collection, persistence methods
Rootkit — kernel-level, hides presence and other malware, detection evasion
Keylogger — input capture, exfiltration methods
Botnet / RAT — C2 infrastructure, command channels, lateral movement capability
Fileless malware — lives in memory only, PowerShell/WMI abuse, no disk artifact
Dropper / loader / stager — malware delivery chain stages, how they relate
Backdoor — persistent remote access mechanism

Attack Types

Phishing, spear phishing, whaling, vishing, smishing — distinctions
Social engineering — pretexting, impersonation, baiting, quid pro quo
Brute force vs credential stuffing vs password spraying — critical differences, detection signatures differ
DDoS — volumetric, protocol (SYN flood), application layer (HTTP flood) variants
Man-in-the-Middle — ARP poisoning, SSL stripping, LLMNR/NBT-NS poisoning
SQL injection — in-band, inferential/blind, out-of-band
Cross-Site Scripting (XSS) — reflected, stored, DOM-based
Cross-Site Request Forgery (CSRF)
Buffer overflow — stack vs heap
Directory traversal / path traversal
Command injection
DNS poisoning / DNS spoofing
VLAN hopping — switch spoofing, double tagging
Pass-the-Hash, Pass-the-Ticket
Kerberoasting
Living off the Land (LotL) — LOLBAS, using built-in OS tools maliciously

Defensive Controls

Antivirus vs EDR vs XDR — evolution of endpoint protection
SIEM — log aggregation, correlation, alerting (deep dive Stage 6)
SOAR — automation, orchestration, playbook execution
DLP — data loss prevention, content inspection, policy types
IDS/IPS — placement, tuning, signature vs anomaly
Honeypots and honeynets — deception technology, attacker attribution
Network segmentation — VLANs, DMZ, microsegmentation
Patch management — CVE format, CVSS v3 scoring (base/temporal/environmental), patch priority logic
Vulnerability scanning vs penetration testing — fundamental differences
Security hardening — CIS Benchmarks, DISA STIGs
Backup and recovery — 3-2-1 rule, RTO vs RPO

Frameworks & Standards

NIST Cybersecurity Framework (CSF) 2.0 — Govern, Identify, Protect, Detect, Respond, Recover
MITRE ATT&CK — overview at this stage, deep dive Stage 8
Cyber Kill Chain — Lockheed Martin 7 phases, overview at this stage
CIS Controls v8 — top 18, implementation groups
ISO 27001 — ISMS standard, overview
NIST SP 800-53 — control catalog, overview
SOC 2 — trust service criteria, what it means for an organization you are protecting
PCI-DSS — cardholder data environment, why it triggers specific SOC alerting requirements
HIPAA — PHI protection, why healthcare SOCs have strict alert thresholds
DoD 8570/8140 — IAM categories, why Security+ is a hard requirement for federal and defense SOC roles

Incident Response Overview

NIST IR lifecycle — Preparation, Detection & Analysis, Containment/Eradication/Recovery, Post-Incident
SANS PICERL — Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
True positive vs false positive vs true negative vs false negative — definitions and triage implications

Resources

Professor Messer Security+ SY0-701 (free YouTube)
Jason Dion Security+ (Udemy, ~$15 on sale)
TryHackMe Jr. Security Analyst path (free tier)
SANS Cyber Aces (free)
OWASP Top 10 (owasp.org, free)

Stage 04

Traffic Analysis & Packet Inspection

Stages 0–3 are now complete. The security-specific work starts here. Before you operate a SIEM, you need to understand what traffic looks like at the packet level. The SIEM shows abstractions; Wireshark shows you the truth.

Wireshark

Capture interfaces — choosing the correct interface
Promiscuous mode vs monitor mode — distinction and when each applies
Capture filters (BPF syntax) vs display filters — critical operational distinction
ip.addr == x.x.x.x / ip.src / ip.dst
tcp.port == 443 / udp.port == 53
http / dns / smb / ftp
tcp.flags.syn == 1 / tcp.flags.reset == 1
!(arp or dns or icmp) — noise reduction
frame contains "password" — string search in payload
Following TCP streams — reassembling full sessions from packets
Following UDP streams — DNS, DHCP reconstruction
Exporting objects — extracting files transferred over HTTP, SMB, FTP from a capture
IO graphs — visualizing traffic volume and spikes over time
Protocol hierarchy — quick composition view of what is in a capture
Statistics → Conversations and Endpoints — identifying top talkers
Expert Information panel — automated anomaly flagging

What to Identify in PCAPs

Normal TCP handshake and teardown vs abnormal (RST, incomplete handshakes)
TCP RST storms — what causes them, what they indicate
Port scans in Wireshark — SYN scan pattern (SYN only, no ACK back), NULL scan (no flags), XMAS scan (FIN/PSH/URG), UDP scan patterns
ARP anomalies — gratuitous ARP, ARP poisoning (duplicate IPs in ARP responses)
DNS anomalies — high NX domain volume (DGA malware), unusually long subdomain names, high-frequency TXT queries (exfiltration), PTR lookup storms
HTTP cleartext credentials — Basic auth header decoding, form POST data in plaintext
HTTPS traffic — what you can see (SNI, certificate, size/timing), what you cannot (payload)
ICMP tunneling — payload size larger than normal ping, data in ICMP echo fields
C2 beaconing — regular interval connections to external IP, consistent byte sizes, jitter patterns
Data exfiltration patterns — large sustained outbound transfers, unusual destination, off-hours timing
Lateral movement — internal-to-internal SMB auth attempts, RDP connections between workstations, WMI/WinRM traffic
Cleartext protocol exposure — FTP credentials, Telnet sessions, unencrypted SMTP

Supporting Tools

tcpdump — command-line packet capture, writing to .pcap, reading .pcap, BPF filter syntax
NetworkMiner — passive network forensics, automatic file/credential/host extraction from PCAP
Zeek (formerly Bro) — network analysis framework producing structured logs: conn.log, dns.log, http.log, ssl.log, files.log, weird.log
Suricata — IDS/IPS/NSM, rule syntax (action, protocol, src, dst, msg, sid), alert.log, eve.json
Snort — original IDS, rule format similar to Suricata, still common in enterprise
nmap — port scanning (-sS SYN scan, -sV service version, -O OS detection, -A aggressive, -p port range, --script NSE)
netstat / ss — active connections, listening ports, process-to-port mapping

Resources

TryHackMe Wireshark rooms (free)
Malware-Traffic-Analysis.net (free real-world PCAP exercises)
Chris Greer Wireshark YouTube channel (free)
TryHackMe Snort room (free)
TryHackMe Zeek room (free)

Stage 05

Log Analysis

Log analysis is the core daily work of Tier 1. Master reading logs manually before touching a SIEM. Analysts who understand raw logs are significantly more effective at triage and far harder to fool by false positives.

Log Fundamentals

What a log is — structured record of an event: who, what, when, where, result
Log formats — syslog (RFC 5424), JSON, CEF (Common Event Format), LEEF, W3C
Syslog severity levels — 0 Emergency, 1 Alert, 2 Critical, 3 Error, 4 Warning, 5 Notice, 6 Informational, 7 Debug
Timestamps — UTC vs local time, epoch/Unix time, ISO 8601 format. Log correlation requires normalized time across all sources.
Log forwarding — syslog forwarding, Winlogbeat, Splunk Universal Forwarder, NXLog, Filebeat
Log rotation and retention policies — why logs disappear, how to set retention
Log integrity — why logs can be tampered with and how to detect it (forward logging, WORM storage)

Windows Event Logs — Deep Dive

Event Log structure — EventID, Source, Level, TimeCreated, Computer, UserID, Message body
Security log — authentication, privilege use, object access, account management, policy change
System log — service start/stop, driver failures, unexpected shutdowns
Application log — application-specific errors and info
EID 1 — Process creation with full command line, parent process, hash
EID 3 — Network connection with process name, src/dst IP and port
EID 7 — Image (DLL) loaded — DLL hijacking detection
EID 8 — CreateRemoteThread — process injection indicator
EID 10 — ProcessAccess — credential dumping detection (LSASS access)
EID 11 — FileCreate — new file written to disk
EID 13 — Registry value set — persistence detection
EID 22 — DNS query with queried domain name
EID 25 — Process tampering — hollowing/herpaderping detection
PowerShell logging — Script Block Logging (EID 4104 captures deobfuscated script content), Module Logging (EID 4103), Transcription logs
WMI event subscription logs — attacker persistence via WMI consumer/filter/binding

Linux Logs — Deep Dive

/var/log/auth.log — SSH logins, sudo usage, PAM events, failed auth
/var/log/syslog — general system messages, cron execution, daemon messages
/var/log/kern.log — kernel messages, hardware errors, module loads
/var/log/secure — RHEL/CentOS equivalent of auth.log
/var/log/apache2/access.log — fields: client IP, ident, auth, timestamp, request line, status, bytes, referrer, user-agent
/var/log/apache2/error.log — PHP errors, permission denials, module errors
/var/log/nginx/access.log — similar to Apache, slightly different format
journalctl — systemd journal querying: -u (unit), -p (priority), --since, --until, -f (follow), -n (lines)
/var/log/wtmp and /var/log/btmp — login history (last) and failed logins (lastb)
/var/log/cron — cron job execution history
Auditd — Linux audit daemon, audit.log, ausearch, aureport — process/file/syscall auditing

Firewall Logs

Standard fields — timestamp, action (allow/deny/drop), protocol, source IP, source port, destination IP, destination port, interface in/out, rule/policy matched, bytes
Reading pfSense/OPNsense logs
Reading Palo Alto traffic logs — session end reason, application identification, threat logs
Reading Windows Firewall logs — C:\Windows\System32\LogFiles\Firewall\pfirewall.log
Identifying port scans — sequential port hits from single source IP in short timeframe
Identifying C2 callbacks — repeated outbound connections to same external IP/domain on unusual ports
Identifying lateral movement — internal-to-internal RDP/SMB/WMI traffic between workstations
Firewall deny storms — what causes them, recon vs misconfiguration

Web Server / Proxy Logs

HTTP access log field-by-field breakdown
Status code patterns — 401/403 spikes (auth bypass attempts), 404 spikes (enumeration), 500 spikes (injection/crash attempts)
SQLi patterns in URI — %27 (apostrophe), UNION+SELECT, OR+1%3D1, SLEEP(), BENCHMARK()
XSS patterns in URI — %3Cscript%3E, alert(), javascript:, onerror=
Directory traversal patterns — /../, %2F..%2F, ..%5C, /etc/passwd, /windows/system32
Command injection patterns — ;id, |whoami, &&cat /etc/shadow, $(command)
User-agent analysis — curl/, python-requests/, nikto, sqlmap, dirbuster, empty user-agent
Scanning behavior — high 404 volume from single IP, sequential path enumeration
Web shell indicators — POST requests to unusual PHP/ASPX files, short URI with large POST body

DNS Logs

Query record fields — client IP, query name, query type, response code (NOERROR, NXDOMAIN, SERVFAIL, REFUSED), answer, TTL
NXDOMAIN storms — DGA malware generating high volumes of random domain lookups
High-frequency queries to single domain — C2 polling or DNS tunneling
Long subdomain names — data encoding in DNS labels for exfiltration
Unusual record type queries — TXT (exfiltration), NULL, ANY (reconnaissance)
DNS tunneling tools — iodine, dnscat2 — traffic signatures
PTR lookup patterns — reverse DNS recon

Resources

TryHackMe Log Analysis rooms (free)
LetsDefend SOC analyst path log modules (free tier)
CyberDefenders blue team labs (free)
Blue Team Labs Online (free tier)
SANS Reading Room log analysis papers (free)
SwiftOnSecurity Sysmon config (GitHub, free)

Stage 06

SIEM Operations

SIEM proficiency appears in 78% of SOC analyst job postings. Splunk leads at 37% of all postings. This is where Stages 0–5 converge into your daily operational workflow.

SIEM Fundamentals

What a SIEM does — collection, normalization, indexing, correlation, alerting, reporting, retention
Log ingestion pipeline — agent-based vs agentless, syslog forwarding, API ingest, S3/blob ingestion
Normalization — Common Information Model (CIM), field mapping, parsing (why it matters for cross-source queries)
Correlation rules — logic combining multiple events into a single alert
Alert fatigue — why it happens, cost of poor tuning, false positive rate management
Use cases — compliance reporting, threat detection, forensic investigation, user behavior analytics
Hot/warm/cold data tiers — search performance vs storage cost tradeoffs

Splunk

Architecture — indexers, search heads, forwarders (universal vs heavy), deployment server
Basic search — keywords, field=value, wildcards, NOT, OR, AND
Time modifiers — earliest=-24h, latest=now, relative vs absolute
Pipes — chaining commands left to right
stats — count, dc (distinct count), sum, avg, min, max, by field
table — select fields to display
sort — asc/desc by field
dedup — remove duplicate field values
eval — calculated fields, if/case logic, string functions
rex — regex field extraction
rename — field aliasing for readability
transaction — grouping events by shared field with time window
lookup — enriching events with external CSV or KV store data
where vs search — where operates on computed fields, search operates on raw events
timechart — time-bucketed statistics for visualizations
Indexes, sourcetypes, hosts — the three core search dimensions
Saved searches — scheduling, alert thresholds, throttling
Dashboards — panels, time range tokens, drilldowns, dynamic inputs
Splunk Common Information Model (CIM) — normalized field names (src, dest, user, action) for cross-sourcetype queries
Splunk Apps — Enterprise Security (ES), BOTS dataset for practice
Failed logon threshold by source IP (brute force)
Successful logon after multiple failures (credential stuffing success)
PowerShell encoded command execution (EID 4688 + -enc flag)
Scheduled task creation (EID 4698)
New service installation (EID 7045)
Lateral movement — internal-to-internal RDP spike
Large outbound data transfer (data exfiltration indicator)
LSASS access by non-system process (credential dumping)

Microsoft Sentinel

Architecture — Log Analytics Workspace, data connectors, analytics rules, playbooks
search, where, project, extend, summarize, order by
bin() — time bucketing for trend analysis
join — inner, leftouter, on field
let statements — variable assignment and reuse
parse — field extraction from strings
render — barchart, timechart, piechart
ago() — relative time (ago(1d), ago(7d))
datetime and between() — time range filtering
Data connectors — Microsoft 365 Defender, Azure AD, Syslog/CEF, Windows Security Events
Analytic rules — scheduled queries, Microsoft Security (from Defender alerts), ML Behavioral Analytics
Incidents vs alerts — how Sentinel groups related alerts into incidents
Playbooks — Logic Apps integration, automated enrichment and response
Workbooks — custom visualization dashboards
UEBA — User Entity Behavior Analytics, anomaly scoring
Watchlists — custom lookup tables for IOC enrichment
Threat Intelligence blade — IOC import, TI matching rules

IBM QRadar

AQL (Ariel Query Language) basics — SELECT, FROM, WHERE, GROUP BY syntax
Offenses vs events vs flows — the three fundamental data types
Rules and building blocks — rule chaining, response limiters
Reference sets — IOC enrichment lists
QRadar relevance — dominant in financial services, healthcare, federal government

Elastic SIEM / Security Onion

ELK stack — Elasticsearch (storage/search), Logstash (ingest/parse), Kibana (visualization)
Security Onion — free full SOC stack: Zeek, Suricata, Kibana, Elasticsearch, Wazuh
KQL in Kibana — same query language as Sentinel, directly transferable
Detection rules — Sigma rule format, import into Elastic
Alerts and cases in Elastic Security

Alert Triage Workflow

Alert queue management — priority order, aging SLA, assignment
What triggered the alert — rule logic, threshold, source
What is the source — asset, user, process, IP
Is this normal for this source — baselining, context
IOC enrichment — VirusTotal, AbuseIPDB, Shodan, URLScan, WHOIS
Related events — pivot from alert to broader timeline
Verdict — true positive, false positive, or requires escalation
Escalation criteria — what goes to T2 vs what gets closed with documentation
Ticket documentation — every note should include: timestamp, observable, action taken, verdict, analyst name
Shift handoff — open incidents, notable observations, any ongoing threats

Case Management Tools

ServiceNow — ticket creation, category, subcategory, state, SLA management (most common in enterprise)
Jira — issue tracking, sprint boards, labels (common in tech-forward orgs)
TheHive — open-source security case management, observables, tasks, MISP integration
Incident correlation — linking related tickets, parent/child incident relationships

Resources

Splunk free training at splunk.com
TryHackMe Splunk rooms (free/paid)
Boss of the SOC (BOTS) Splunk CTF dataset (free)
Microsoft Learn KQL fundamentals (free)
Security Onion documentation (free)
LetsDefend SIEM labs
TryHackMe Microsoft Sentinel room

Stage 07

Endpoint Detection & Response

After SIEM, EDR is your most-used daily tool. Every endpoint alert lands here. You need to understand what you are reading before you can investigate it.

EDR Fundamentals

EDR vs traditional AV — behavioral/heuristic detection vs signature matching, why AV alone is insufficient
EDR vs XDR — endpoint-only visibility vs cross-domain (network + identity + cloud + email)
How EDR agents work — kernel-level hooks, process monitoring, network telemetry collection
EDR telemetry types — process events, file events, network events, registry events, memory events, authentication events
Detection logic types — IOC-based (hash/IP/domain), behavioral rules, ML anomaly scoring
Response capabilities — host isolation, process termination, file quarantine, live forensics shell

CrowdStrike Falcon

Console layout — Activity dashboard, Detections queue, Hosts inventory, Investigate
Detection alert structure — severity level, tactic, technique, triggering process, tree view
Process tree analysis — parent process, child process, command line arguments, file paths
Host isolation — network containment while maintaining Falcon connectivity for investigation
Real Time Response (RTR) — live remote shell, available commands (netstat, ps, ls, get file, put file, run script)
Threat Graph — visual lateral movement and relationship mapping
Custom IOC management — file hashes, IPs, domains, policies (block vs detect)
Falcon Insight EDR search — raw telemetry queries across the environment

Microsoft Defender for Endpoint

Device inventory — onboarding status, risk level, exposure score
Alert queue — severity, category, detection source, assigned analyst
Device timeline — chronological view of all events on a specific host
DeviceProcessEvents — process creation, command lines
DeviceNetworkEvents — connections, DNS lookups
DeviceFileEvents — file creation, modification, deletion
DeviceRegistryEvents — registry read/write/delete
DeviceLogonEvents — interactive and remote logons
DeviceAlertEvents — alert metadata
Live Response — remote shell with file upload/download, script execution
Automated Investigation and Remediation (AIR) — automated triage findings, approval workflow
Defender XDR integration — correlating endpoint + identity (Entra ID) + email (Defender for Office) + cloud (Defender for Cloud Apps)

SentinelOne

Storyline — AI-generated attack narrative linking related events into a single view
Threat Center — active threats, suspicious activity, resolved items
Deep Visibility — telemetry search similar to Advanced Hunting
Network quarantine — isolation granularity options
Rollback capability — reversing file system changes made by ransomware

General EDR Investigation Process

Identify triggering process — what ran, from where, with what arguments
Parent process analysis — what spawned it, was it expected
Child process review — what did the process subsequently launch
Network connections — outbound connections made during/after execution
File operations — files created, modified, or deleted by the process
Registry operations — run keys, services, scheduled tasks written
Hash lookup — VirusTotal, MalwareBazaar for known-malicious identification
User context — which account ran the process, was it a service account or interactive user
Timeline correlation — cross-reference with SIEM logs for broader context

Resources

CrowdStrike free training portal (free)
Microsoft Learn MDE modules (free)
TryHackMe EDR rooms
LetsDefend endpoint investigation labs
HTB Academy Incident Handling with Splunk module

Stage 08

Threat Intelligence & Attack Frameworks

Raw alerts have no context. These frameworks and tools tell you what the attacker is doing, what they will likely do next, and whether this is a known threat actor or commodity malware.

MITRE ATT&CK

Matrix structure — Tactics (the why/goal) vs Techniques (the how) vs Sub-techniques (specific implementation)
14 Enterprise Tactics — Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
T1059 — Command and Scripting Interpreter (PowerShell .001, cmd .003, Bash .004)
T1078 — Valid Accounts (default accounts, domain accounts, cloud accounts)
T1027 — Obfuscated Files or Information (encoded PowerShell, packed executables)
T1055 — Process Injection (DLL injection, process hollowing, thread hijacking)
T1036 — Masquerading (renamed system binaries, fake extensions)
T1003 — OS Credential Dumping (LSASS memory .001, SAM .002, DCSync .006)
T1021 — Remote Services (RDP .001, SMB/Windows Admin Shares .002, WinRM .006)
T1053 — Scheduled Task/Job (Windows scheduled task .005, cron .003)
T1082 — System Information Discovery
T1083 — File and Directory Discovery
T1071 — Application Layer Protocol (Web protocols .001, DNS .004 for C2)
T1486 — Data Encrypted for Impact (ransomware)
T1566 — Phishing (spearphishing attachment .001, link .002)
T1190 — Exploit Public-Facing Application
T1133 — External Remote Services (VPN, RDP internet-exposed)
ATT&CK Navigator — building coverage heatmaps, threat group TTP overlays
Threat group profiles — APT28 (Fancy Bear/Russia), APT29 (Cozy Bear/Russia), Lazarus Group (North Korea), FIN7 (financially motivated), APT41 (China)
Using ATT&CK to contextualize an alert — mapping alert → technique → expected next steps

Cyber Kill Chain

7 phases — Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objectives
Mapping alerts to Kill Chain phase — understanding attacker stage
Where detection is most effective — early (Delivery/Exploitation) vs late (C2/Actions)
Defensive controls mapped to each phase

Diamond Model of Intrusion Analysis

4 vertices — Adversary, Infrastructure, Capability, Victim
How it complements ATT&CK for attribution and campaign tracking

IOC Enrichment Tools

VirusTotal — file hashes (MD5/SHA1/SHA256), URLs, domains, IPs; detection ratios across 70+ engines; behavioral sandbox reports; relationship graph
AbuseIPDB — IP reputation, abuse category, confidence score, report history
Shodan — internet-facing device enumeration, open ports, service banners, CVEs per host, ASN data
URLScan.io — webpage screenshot and DOM analysis, network requests made during page load, embedded domains/IPs
MalwareBazaar (abuse.ch) — malware hash database, file type, tags, YARA rule matches
URLhaus (abuse.ch) — malicious URL database, associated malware family, status
ThreatFox (abuse.ch) — IOC database with malware family attribution, C2 indicators
AlienVault OTX — community threat intelligence pulses, IOC feeds, ATT&CK mapping
WHOIS / RDAP — domain registration data, registrar, creation/expiry dates, nameservers
Passive DNS (SecurityTrails, DNSDB) — historical DNS resolutions for pivoting
IPinfo.io / ipwhois — ASN, geolocation, organization, hosted domains
GreyNoise — distinguishes internet background noise from targeted attacks
Any.run — interactive malware sandbox, live process tree, network connections, file drops
Joe Sandbox — automated deep behavioral analysis, full report with IOCs and ATT&CK mapping

Threat Intelligence Platforms

MISP (Malware Information Sharing Platform) — open-source TIP, events, attributes, IOC sharing between organizations
OpenCTI — open-source, relationship-based intelligence modeling
Recorded Future — commercial predictive intelligence (awareness level)
Anomali ThreatStream — commercial TIP (awareness level)

Resources

MITRE ATT&CK website (attack.mitre.org, free)
ATT&CK Navigator (free web app)
AttackIQ Academy (free ATT&CK training)
TryHackMe MITRE room (free)
TryHackMe Cyber Threat Intelligence room
abuse.ch platforms (all free)

Stage 09

Incident Response

When Tier 1 confirms a true positive, IR begins. Know exactly what to do, and critically what not to do, in the first minutes of a confirmed incident.

IR Frameworks

NIST SP 800-61 Rev 2 — Preparation → Detection & Analysis → Containment/Eradication/Recovery → Post-Incident Activity
SANS PICERL — Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
Differences between frameworks — NIST is more formal/documentation-heavy, SANS is more operationally focused
Playbooks — pre-written step-by-step response procedures for specific alert types
Runbooks — technical procedures for specific tasks within a playbook

Preparation

Asset inventory and criticality classification — knowing what is normal before detecting abnormal
Network baseline — normal traffic volumes, communication patterns, user behavior windows
Communication and escalation plan — who gets notified, at what severity, in what order
Escalation matrix — T1 → T2 → T3 → IR Lead → Legal → CISO → Management
Incident classification schema — severity levels (P1/P2/P3/P4), categories (malware/phishing/DDoS/insider)
Out-of-band communication — why you do not use potentially compromised email during active IR

Detection & Analysis

Alert validation — confirming an alert is not a false positive before escalating
Scope determination — how many systems are involved, is this isolated or widespread
Initial impact assessment — data accessed, exfiltration occurred, lateral movement detected
Timeline reconstruction — ordering events chronologically across multiple log sources
Evidence collection — screenshots, log exports, file hashes, raw log preservation
Indicator extraction — IPs, domains, hashes, file paths, user accounts, registry keys, email addresses from the incident
Attacker attribution — is this commodity malware or targeted intrusion

Containment

Short-term containment — immediate actions to stop spread: network isolation, account disable, firewall block
Long-term containment — sustainable fixes: patching, policy change, segmentation
Host isolation via EDR — CrowdStrike network containment, MDE device isolation, SentinelOne quarantine
Network-level blocking — firewall rules for malicious IPs/domains, DNS sinkholing
Account actions — disable compromised accounts, force password reset, revoke active sessions/tokens, invalidate API keys
Evidence preservation during containment — do not reboot, do not delete logs, do not wipe before imaging

Eradication

Malware removal — EDR automated remediation, manual removal procedures
Persistence mechanism removal — scheduled tasks, registry run keys, services, cron jobs, WMI subscriptions, startup folder entries
Backdoor removal — webshells, RAT implants, rogue local accounts, SSH authorized_keys additions
Root cause identification — actual initial access vector, why existing controls did not catch it

Recovery

System reimaging vs in-place remediation — when each is appropriate (reimaging preferred for confirmed malware)
Restoration from clean backup — verification of backup integrity before restore
Validation — confirming attacker access is fully removed before returning to production
Monitoring uplift — increased detection sensitivity post-incident, watch for reinfection
Credential rotation — all accounts with potential exposure, service accounts, API keys

Post-Incident

Incident report structure — executive summary, timeline, affected systems, root cause, attacker actions, defender actions, recommendations
Lessons learned session — what detection missed, detection rule gaps, response process gaps
Detection improvement — new SIEM rules, EDR policies, or firewall blocks based on incident IOCs
MTTD (Mean Time to Detect) and MTTR (Mean Time to Respond) — measuring and improving SOC performance

Common T1 Incident Types — Investigation Checklist Per Type

Phishing email — analyze headers (Received, X-Originating-IP, SPF/DKIM/DMARC results), extract links for URLScan, hash attachments for VirusTotal, check if clicked or executed, identify all recipients
Malware alert from EDR — process tree review, parent/child chain, command line arguments, network connections made, file drops, persistence mechanisms written, scope to additional hosts
Suspicious logon — impossible travel (geography vs timestamp), off-hours access, unfamiliar device, unfamiliar source IP enrichment, check for MFA bypass or token theft
Brute force — source IP volume, targeted accounts, success/failure ratio, lockout status, check for eventual successful auth
Data exfiltration alert — destination IP/domain enrichment, data volume, protocol, which user/process, what data classification
Ransomware — isolate immediately via EDR, do not reboot, preserve memory if possible, scope encrypted files, identify patient zero, notify IR lead immediately

Resources

NIST SP 800-61 Rev 2 (free, official NIST publication)
SANS IR materials (free whitepapers at sans.org/white-papers)
TryHackMe Incident Response and Forensics rooms
LetsDefend SOC alert scenarios (real incident simulations)
CyberDefenders incident response challenge labs
HTB Academy Incident Handling with Splunk

Stage 10

Hands-On Practice & Portfolio

Hiring managers want proof of work. A LabList profile showing documented investigation methodology, lab builds, and cert progression tells a clearer story than a resume full of bullet points.

Practice Platforms

TryHackMe — SOC Level 1 path (complete fully, document every room with methodology notes)
LetsDefend — SOC Analyst path, real SIEM alert simulations, malware analysis labs
CyberDefenders — blue team CTF challenges, full incident investigation scenarios
Blue Team Labs Online — defensive challenges, log analysis, memory forensics
HackTheBox Academy — SOC Analyst Prerequisites path, Defensive Security track, Incident Handling with Splunk
Boss of the SOC (BOTS) v1/v2/v3 — Splunk CTF dataset using real attacker data

Home Lab Build

Hypervisor — Proxmox (free, bare metal) or VirtualBox (free, hosted) on a spare PC or repurposed hardware
SIEM option 1 — Security Onion (free, full stack: Zeek, Suricata, Elastic/Kibana, integrated dashboards)
SIEM option 2 — Wazuh + ELK (free, lighter weight, single-host friendly)
SIEM option 3 — Splunk Free (500MB/day ingest limit, enough for a lab)
Windows target VM — Windows 10 or 11, deploy Sysmon with SwiftOnSecurity config
Windows Server VM — Active Directory domain, DNS, DHCP
Linux target VM — Ubuntu Server or Debian
Attack VM — Kali Linux for generating realistic traffic and attack telemetry
Log forwarding — Winlogbeat or Splunk Universal Forwarder from Windows VMs to SIEM
Attack simulation — Atomic Red Team tests on Windows target, triage resulting alerts in SIEM
PCAP practice — download from Malware-Traffic-Analysis.net, analyze in Wireshark

What to Document on LabList

Every cert earned — writeup on why you pursued it and what you learned
TryHackMe SOC Level 1 path completion — investigation methodology per room
CyberDefenders challenge writeups — show your process from alert to conclusion
Home lab build — architecture diagram, tools deployed, detections you built and tuned
Mock incident report — end-to-end from raw alert to formal written report
Platform badges — TryHackMe, HTB Academy, LetsDefend progression

FAQ

Common questions

How long does it take to become a SOC Analyst — Tier 1?

6 months is possible if you can commit 20–25 hours per week and treat it like a second job. Realistically, most people working part-time take 12–18 months. The first 2 months go entirely to fundamentals (computer hardware, OS, networking) before you touch any security concepts. Security+ is the target around month 3, with Splunk certification and active labs filling months 4–6. People who skip ahead to security tools without fundamentals hit walls and stall.

Which certifications matter for SOC T1 roles?

Security+ is the canonical entry-level cert and listed in the majority of postings. Splunk Core Certified User for SIEM-specific signal — Splunk appears in 37% of SOC postings, SIEM proficiency in 78%. CySA+ as a follow-up signal. Microsoft SC-200 for organizations using Microsoft Sentinel. The entry-level cert market is dominated by Security+; everything else is supportive.

Do I need a degree to start in a SOC?

No. SOC T1 is one of the most accessible cybersecurity entry points — 4.8M global workforce gap (ISC2 2025) means employers hire candidates without degrees who demonstrate Security+ knowledge and basic lab work. What you do need: ticketing discipline, comfort with shift work, ability to follow runbooks, and clear escalation communication. Career-changers from help desk, military, and IT support backgrounds transition routinely.

What separates a hired SOC Analyst — Tier 1?

Demonstrated home lab work. Set up a Splunk free instance, ingest logs, build dashboards. Walk through a CyberDefenders or LetsDefend SOC challenge. Generic Security+ candidates lose to candidates with hands-on SIEM exposure. Other differentiators: TryHackMe SOC Level 1 path, structured ticket-handling examples, and basic detection rule writing. 29% job growth projected through 2034 (BLS).

SOC Analyst — Tier 1

Common questions

Related roles