
Explore the security operations center structure, outlining the people, processes, technology, and governance framework (TGC) and the tiered roles from triage analysts to threat hunters, plus benefits of 24/7 monitoring.
Master core SOC tools like SIM, SOAR, threat intelligence platforms, and NTA to aggregate logs, detect threats, and automate responses.
Explore core and advanced SOC tools including EDR for endpoint protection, vulnerability assessment tools, ticketing systems, sandboxing, UEBA, and deception tools such as honeypots and honey tokens.
Analyze mean time to detect, respond, and contain along with alert metrics like false and true positive rates, escalation rate, patch rate, compliance adherence rate, and cost per incident.
Practice level one SoC alert triage in a TryHackMe lab with a simulated siem dashboard, distinguishing true positives from false positives and escalating data exfiltration alerts to level two.
Explore the OSI seven-layer model and the four-layer TCP/IP framework, with practical layer mappings, key protocols, and common SOC attack indicators across application, transport, network, and access layers.
Explore data packets, packet inspection, and how Wireshark analyzes headers, payloads, and DNS/HTTP traffic. Learn to identify threats, beaconing, and DNS tunneling using packet sniffers for SOC incident triage.
Explore dns tunneling and dns beaconing: how encoded subdomains transfer data to an attacker-controlled dns server to bypass filters, exfiltrate information, and how malware check-ins maintain persistence.
Understand attack paths from infiltration to data exfiltration, identify common attack vectors and lateral movement, and learn to detect indicators of compromise for SOC analysts.
Understand Windows core processes such as sms.exe, lsass.exe, svchost.exe, csrss.exe, dllhost.exe, and explorer.exe, their boot sequence, roles in authentication and authorization, and how malware masquerades as them.
Learn to read Windows registries and logs to detect threats, using Sysinternals tools (AutoRun, Process Monitor, Process Explorer, Sysmon) and key event IDs to hunt persistence and brute force.
Explore linux logs and auditing for SoC analysts, differentiating kernel and user logs while reviewing auth, wtmp, and btmp activity, and applying auditd and auditctl for integrity.
Learn to use common linux commands—ps, top, htop, btop, lsof, ss, netstat, find, stat, md5sum, sha256sum, and ls—to monitor processes, analyze network connections, inspect permissions, and detect indicators of compromise.
Master common Linux commands for SoC analysts, including who, last, cat, grep, tcpdump, ifconfig, dig, nslookup, and journalctl for authentication, network monitoring, and log analysis to detect intrusions.
Learn tactics, techniques, and procedures (TTPs) and the cyber kill chain to detect, map, and respond to attacks in a SOC, aligning alerts with tactics and phases.
Explore the Mitre attack framework, its enterprise matrix of adversarial tactics, techniques and common knowledge, and how SOC analysts map indicators of compromise to detection, threat hunting, and incident response.
Map suspicious alerts to the mitre attack matrix to identify tactics and techniques. Build detection logic using log sources and threat intelligence platforms.
Explore what siem is, how security information and event management forms the brain of the soc, enabling correlation, normalization, enrichment, and proactive threat detection.
Explore the types of logs in a siem environment, from authentication and system to cloud and audit logs, and learn data ingestion, detection, correlation, alerting, and incident response.
Master sigma rules, a yaml-based language for portable detection logic across siem platforms, and learn to write, convert, and map rules to MITRE for cohesive detection.
Master Splunk's simple spl queries by learning core concepts—indexes, source types, events, and fields—and using core commands like search, stats, table, and eval to analyze logs.
Learn how alerts are generated from logs using field matching, time-based logic, and thresholds, then distinguish static and behavioral alerts, tune rules, and reduce false positives.
Link multiple low-fidelity alerts into high-confidence incidents through alert correlation in CIM platforms. Learn rule-based, temporal, statistical, entity-based, and threat intelligence approaches, plus drift and evasion challenges.
Explore command and control (C2) as attackers' remote management of infected systems, outlining the C2 life cycle, beaconing, indicators of compromise, and SOC workflow to detect, isolate, and block C2.
Learn root cause analysis by defining the problem, collecting telemetry, constructing a timeline, and mapping findings to the MITRE framework; includes a Cobalt Strike case study.
Investigate a hacked Windows machine using hands-on forensics with PowerShell commands, host file and registry checks, and event logs to reveal infection, persistence, and the use of Mimikatz for credential dumping.
Uncover the soft ticket lifecycle from alert to ticket, with triage, escalation, and documentation. Learn best practices for managing SOC tickets, including structure, status, and evidence.
Master how to write clear, actionable soc investigation reports with timelines, kpis, and executive summaries, using a brute-force ssh incident to train incident response and decision making.
Learn how to escalate incidents, communicate with stakeholders from level 1 to 3, document with tickets using the five Ws, and perform post-incident reporting and legal coordination.
Simulate a tier one to tier two escalation for a DNS exfiltration, correlate DNS logs and a high-severity SIM alert, and prepare a structured ticket with five W's.
Explore how open-source intelligence, covering passive and active approaches, enriches security operations center alerts, speeds triage, and traces attacker infrastructure using VirusTotal, Shodan, URLhaus, whois, and GitHub.
Learn how SOC playbooks and runbooks drive SLA-driven, repeatable incident response with tiered analyst roles. The module covers threat intelligence, triage, enrichment, containment, escalation, and automation challenges.
AI augmented triage accelerates SOC alert handling by automating triage and enriching alerts with threat intelligence and user behavior, while humans retain final judgment.
Explore how artificial intelligence enhances threat intelligence through data ingestion and normalization, pattern recognition, anomaly detection, and risk scoring, with use cases like phishing detection and IOC enrichment.
Explore detection engineering as the structured process of building rules and alerts to detect threats in real time while minimizing false positives and aligning with SIEM, EDR, and threat intelligence.
Develop and tune rules for MITRE techniques like PowerShell, observe obfuscated commands, and version rules with change logs to ensure auditability, reproducibility, and effective detection.
Validate detections using simulated attacks and unit testing to reduce false positives and false negatives, tune rules, and adopt a detection validation pyramid with CI/CD integration.
Explore deception technology and honeypots to empower level two soc analysts with high fidelity alerts, detection rule validation, and insights for threat hunting and rule development.
Explore detection failure engineering by examining telemetry gaps, parsing issues, and logic gaps in SOCs. Study Cobalt Strike obfuscated PowerShell to learn base64 decoding, log enrichment, and broader rule logic.
The SOC Analyst Level 1 & 2 Masterclass is your complete, hands-on training program to launch a successful career in cybersecurity. This course takes you inside the day-to-day operations of a real Security Operations Centre (SOC) and equips you with the skills to detect, investigate, and respond to real-world cyber threats.
Through 12 comprehensive modules and practical, scenario-based training, you will master SOC fundamentals, network traffic analysis, operating system internals, SIEM usage, threat intelligence, detection engineering, and full-scale incident response. Every topic is reinforced with hands-on labs, simulations, and real attack investigations to make you job-ready.
Here’s what you’ll learn in each module:
Module 1: SOC structure, workflows, tools, KPIs, and the role of L1 & L2 analysts.
Module 2: Networking essentials for SOC, including OSI/TCP-IP, protocols, packet inspection, and detecting network-based threats.
Module 3: Windows & Linux internals, log sources, and investigative commands for uncovering malicious activity.
Module 4: Understanding the threat landscape, mapping attacks to MITRE ATT&CK, and analyzing malware & phishing campaigns.
Module 5: SIEM fundamentals, log lifecycle, Splunk queries, Sigma rules, and dashboard creation.
Module 6: L1 alert monitoring, triage processes, enrichment with OSINT, and correlation techniques.
Module 7: Investigating brute force, phishing, malware, data exfiltration, and command & control (C2) attacks.
Module 8: SOC documentation, ticket lifecycle, escalation notes, and effective communication with stakeholders.
Module 9: Threat intelligence tools, OSINT investigations, threat actor profiling, playbooks, and AI-assisted triage.
Module 10: L2 detection engineering, writing & validating rules, log correlation, and deception techniques.
Module 11: Incident response lifecycle – containment, eradication, recovery, and lessons learned.
Module 12: Capstone project simulating a full SOC investigation with multiple threat scenarios.
By the end of this course, you will be able to:
Operate confidently in a SOC environment handling both L1 & L2 tasks.
Monitor, triage, and investigate security alerts using industry tools like Splunk, Wazuh, Elastic Stack, and Wireshark.
Apply MITRE ATT&CK to strengthen detection capabilities.
Create and tune detection rules, correlate logs, and escalate incidents effectively.
Build a professional SOC portfolio with reports, dashboards, and detection rules to showcase to employers.
Whether you are an aspiring SOC Analyst, Blue Team member, or IT professional transitioning into security, this course will give you the knowledge, practical skills, and confidence to succeed in one of the fastest-growing areas of cybersecurity.