Most people targeting a SOC analyst role make one of two mistakes. They apply before they are genuinely ready, get filtered out at the technical screen, and assume the market is just too competitive. Or they spend months adding more certifications and completing more rooms, waiting for a feeling of readiness that never quite arrives.
This checklist is designed to give you a more accurate answer than either of those approaches. It maps the specific skills that hiring managers and technical interviewers actually test for at Tier 1 SOC analyst level, lets you self-assess honestly against each one, and tells you what to do depending on where you sit.
Working through it should take about twenty minutes. If you find yourself uncertain whether you can confidently tick an item, that uncertainty is itself useful information.
How to Use This Checklist
Each skill domain has a set of specific, testable items. For each one, ask yourself whether you could demonstrate it in an interview, not whether you have studied it. There is a meaningful difference between recognising a term when you see it and being able to apply the underlying concept under questioning.
Use this rating for each domain:
Green: You could answer technical questions on this confidently and describe specific examples of applying it in a lab or real environment.
Amber: You understand the concepts and have some hands-on exposure, but you would not feel confident if pressed for detail in an interview.
Red: You have limited or no practical experience with this area and would struggle to answer beyond surface-level definitions.
A single red domain is not disqualifying. Multiple reds, or amber across most domains, suggests you are not yet ready to apply.
Domain 1: Networking Fundamentals
The TCP/IP stack is the foundation of almost every SOC investigation. Alert triage involves understanding why a connection behaved abnormally, which requires knowing what normal looks like.
- I can explain the OSI model and identify which layer a given protocol operates at
- I can describe the TCP three-way handshake and explain what SYN, SYN-ACK, and ACK packets represent
- I understand how DNS works and can identify suspicious DNS behaviour (unusually long subdomains, high query volumes, rare domains)
- I can read a basic network capture and identify source, destination, ports, and protocol
- I know the difference between TCP and UDP and can explain when each is typically used
- I can explain what common ports are used for (80, 443, 22, 445, 3389, 53) and why unexpected traffic on these ports warrants investigation
- I understand what a firewall does and can describe the difference between stateful and stateless inspection
If amber or red: TryHackMe's Pre Security path covers networking fundamentals in a hands-on environment. The Network Fundamentals and How The Web Works modules are particularly relevant.
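The three DNS heuristics named above (unusually long subdomains, high query volume, rare domains) are easy to state and worth being able to apply. The following is an added example, not code from the original post or from TryHackMe: it runs those checks over a constructed query log. The log format, the label-length and volume thresholds, and the domain names are all assumptions.

```python
from collections import Counter
# Constructed sample DNS query log (timestamp, client IP, queried name); not real traffic.
SAMPLE_DNS_LOG = """\
2024-03-01T09:00:01Z 10.0.0.5 www.corp.example
2024-03-01T09:00:02Z 10.0.0.5 mail.corp.example
2024-03-01T09:00:03Z 10.0.0.7 www.corp.example
2024-03-01T09:00:04Z 10.0.0.9 4d5a90000300000004000000ffff0000b800000000000000.tunnel.example
2024-03-01T09:00:05Z 10.0.0.9 a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718.tunnel.example
2024-03-01T09:00:06Z 10.0.0.9 0011223344556677889900aabbccddeeff00112233445566.tunnel.example
2024-03-01T09:00:07Z 10.0.0.7 updates.corp.example
2024-03-01T09:00:08Z 10.0.0.11 once-seen.rare-host.example
"""

LONG_LABEL = 40  # assumed threshold: a single DNS label longer than this is unusual

def parse_dns_log(text):
    """Split each line into a record of timestamp, client and normalised query name."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        records.append({"ts": ts, "client": client, "qname": qname.lower().rstrip(".")})
    return records

def registered_domain(qname):
    """Naive registrable domain: the last two labels (ignores public-suffix cases like co.uk)."""
    return ".".join(qname.split(".")[-2:])

def find_long_labels(records, max_label=LONG_LABEL):
    """Unusually long subdomain labels, as seen when data is encoded into query names."""
    return [r for r in records if any(len(lbl) > max_label for lbl in r["qname"].split("."))]

def find_high_volume_clients(records, threshold):
    """Clients that issued at least `threshold` queries in the captured window."""
    counts = Counter(r["client"] for r in records)
    return {client: n for client, n in counts.items() if n >= threshold}

def find_rare_domains(records):
    """Registrable domains queried exactly once across the whole dataset."""
    counts = Counter(registered_domain(r["qname"]) for r in records)
    return {domain for domain, n in counts.items() if n == 1}

def triage_dns(text, volume_threshold=3):
    records = parse_dns_log(text)
    return {
        "long_labels": [r["qname"] for r in find_long_labels(records)],
        "high_volume": find_high_volume_clients(records, volume_threshold),
        "rare_domains": find_rare_domains(records),
    }
```

Calling `triage_dns(SAMPLE_DNS_LOG)` returns the three tunnel-style names, the one client responsible for all of them, and the single domain nobody else queried; in a real SIEM the volume window and rarity baseline would be tuned to the environment rather than fixed.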
Domain 2: Operating Systems
SOC analysts work primarily in Windows environments with Linux increasingly present in cloud and server infrastructure. Basic OS familiarity is assumed at Tier 1 level.
- I can navigate the Linux command line confidently, including reading files, searching logs, and managing processes
- I understand the Windows Event Log structure and know the key event IDs relevant to security monitoring (4624, 4625, 4688, 4698, 4720, 7045)
- I can explain what the Windows Registry is and why certain registry keys are significant for persistence detection
- I understand what Active Directory is and can describe the difference between a domain user, local user, and domain admin
- I know what Prefetch files are and why they are relevant to forensic investigation
- I can explain the difference between a process and a service in Windows and describe why unexpected services can indicate compromise
If amber or red: TryHackMe's Windows Fundamentals module series and the Linux Fundamentals rooms cover both areas at the right depth for Tier 1 roles. Both are included in the Cyber Security 101 path.
Domain 3: Security Concepts and Frameworks
Interviewers expect entry-level analysts to speak fluently about the conceptual framework of security operations, not just tools.
- I can explain the CIA triad and give a concrete example of a breach of each principle
- I understand what an Indicator of Compromise (IoC) is and can give examples across different types (file hash, IP, domain, behaviour)
- I can explain the difference between an IoC and an Indicator of Attack (IoA)
- I know what the MITRE ATT&CK framework is and can explain how it categorises adversary behaviour into tactics and techniques
- I can describe the Pyramid of Pain and explain why indicators near the top of the pyramid, such as TTPs, are more valuable to defenders than those near the bottom, such as IP addresses
- I can explain the difference between a vulnerability, a threat, and a risk
If amber or red: The SOC Level 1 path on TryHackMe covers MITRE ATT&CK, the Pyramid of Pain, and IoC concepts through guided rooms with hands-on exercises.
Domain 4: SIEM and Log Analysis
This is the most directly tested skill domain in SOC analyst interviews. Virtually every technical screen includes some form of log analysis or SIEM scenario.
- I have used Splunk or a similar SIEM platform and can write basic search queries
- I can describe what a SIEM does and why it is central to SOC operations
- I understand how logs from different sources (firewall, endpoint, authentication) are aggregated and correlated
- Given a set of log entries, I can identify the sequence of events and articulate what appears to have happened
- I understand what alert fatigue is and can explain how analysts distinguish signal from noise at scale
- I know what a baseline is in the context of behaviour analytics and why deviations from it matter
- I can explain what SPL (Splunk Processing Language) is and write a basic query to filter events by time, source, or keyword
If amber or red: This is the single highest-value domain to develop before applying. TryHackMe's SOC Level 1 path includes dedicated Splunk rooms with real log data, and the SAL1 exam puts you inside a live SOC simulator working through alert queues in exactly the conditions a real Tier 1 role requires.
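The event IDs listed under Domain 2 and the sequence-of-events skill in this domain come together in exactly the kind of exercise a technical screen uses. The following is an added example, not code from the original post or from TryHackMe: it parses a constructed, simplified set of Windows-style event lines and flags a logon that succeeds after repeated failures from the same source, followed by persistence-related events (4720, 4698, 7045) by the same account. The line format, host names, account names and the failure threshold are assumptions.

```python
from collections import defaultdict

# Constructed, simplified event lines ("timestamp key=value ..."); not real Windows logs.
SAMPLE_EVENTS = """\
2024-03-01T09:10:00Z host=WS01 id=4625 user=jsmith src=203.0.113.9
2024-03-01T09:10:02Z host=WS01 id=4625 user=jsmith src=203.0.113.9
2024-03-01T09:10:04Z host=WS01 id=4625 user=jsmith src=203.0.113.9
2024-03-01T09:10:06Z host=WS01 id=4624 user=jsmith src=203.0.113.9
2024-03-01T09:11:30Z host=WS01 id=4720 user=jsmith target=svc_backup
2024-03-01T09:12:00Z host=WS01 id=7045 user=jsmith service=UpdaterSvc
2024-03-01T09:12:30Z host=WS02 id=4624 user=akhan src=10.0.0.20
"""

EVENT_NAMES = {4624: "successful logon", 4625: "failed logon", 4688: "process created",
               4698: "scheduled task created", 4720: "user account created", 7045: "service installed"}
PERSISTENCE_IDS = {4698, 4720, 7045}

def parse_events(text):
    """Parse lines into dicts; ISO-8601 timestamps sort correctly as strings."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        fields["ts"], fields["id"] = ts, int(fields["id"])
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, fail_threshold=3):
    """Return (ts, id, description) findings worth escalating, in time order."""
    fails = defaultdict(int)   # (host, src, user) -> failed logon count
    suspect = set()            # (host, user) pairs to watch after a suspicious success
    findings = []
    for e in events:
        key = (e["host"], e.get("src"), e["user"])
        name = EVENT_NAMES.get(e["id"], f"event {e['id']}")
        if e["id"] == 4625:
            fails[key] += 1
        elif e["id"] == 4624 and fails[key] >= fail_threshold:
            suspect.add((e["host"], e["user"]))
            findings.append((e["ts"], e["id"],
                             f"{name} for {e['user']} on {e['host']} from {e['src']} after {fails[key]} failures"))
        elif e["id"] in PERSISTENCE_IDS and (e["host"], e["user"]) in suspect:
            findings.append((e["ts"], e["id"], f"{name} by {e['user']} on {e['host']} after suspicious logon"))
    return findings

if __name__ == "__main__":
    for ts, event_id, text in correlate(parse_events(SAMPLE_EVENTS)):
        print(ts, event_id, text)
```

The three findings it returns are the timeline an interviewer wants narrated: failures, a success, a new account, a new service; the unrelated WS02 logon correctly produces nothing.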
Domain 5: Threat Intelligence
Tier 1 analysts are expected to enrich alerts with threat intelligence context, not just triage them in isolation.
- I can explain what threat intelligence is and describe the difference between strategic, tactical, and operational intelligence
- I know what VirusTotal is and can walk through how an analyst uses it to evaluate a suspicious file hash or domain
- I understand what OSINT is and can describe common OSINT techniques used in alert enrichment
- I can explain what a threat intelligence platform does and how it integrates with a SIEM
- I know what MISP is at a conceptual level
- I understand the difference between a false positive and a true positive in the context of alert triage
If amber or red: The threat intelligence module within TryHackMe's SOC Level 1 path covers enrichment workflows, VirusTotal, and MISP in a guided format.
Domain 6: Incident Response Process
Interviewers commonly present a scenario and ask candidates to walk through how they would respond. Knowing the process matters as much as knowing the tools.
- I can describe the NIST incident response lifecycle (Preparation, Detection and Analysis, Containment, Eradication, Recovery, Post-Incident Activity)
- I understand what containment means in practice and can describe the difference between short-term and long-term containment
- I can explain what escalation means in a SOC context and describe the criteria for escalating from Tier 1 to Tier 2
- I know what a playbook is and can explain how Tier 1 analysts use them during triage
- I can explain what chain of custody means and why it matters for evidence handling
- I understand what a post-incident review is and what it is designed to produce
If amber or red: The incident response module in the SOC Level 1 path covers all of this, and the SAL1 exam requires you to apply the triage and escalation process in a realistic scenario.
Domain 7: Communication and Reporting
A Tier 1 analyst who cannot communicate findings clearly is a liability, not an asset. This domain is underestimated by most candidates.
- I can write a concise, accurate incident report that covers who, what, when, where, and recommended next steps
- I can explain a technical finding to a non-technical stakeholder without losing accuracy
- I understand what information should and should not be included in an escalation
- I have written up at least one lab exercise or CTF challenge in a professional format and can discuss it in an interview
If amber or red: The fastest way to build this is to start treating every lab you complete as a documentation exercise. Write up what you found, what tools you used, and what the significance was. The SAL1 exam scores your incident reports as part of the assessment, making report quality a genuine exam criterion rather than an afterthought.
Reading Your Results
| Your result | What it means | What to do next |
|---|---|---|
| Mostly green, one or two ambers | You are ready to apply. The ambers are gaps to address in parallel with your job search, not blockers. | Start applying to Tier 1 SOC roles now. Tighten the amber areas and prepare specific examples for each domain for interviews. |
| Mixed green and amber, no reds | You are close. Four to eight weeks of focused work on the amber domains would put you in a strong position. | Prioritise SIEM and log analysis if that is amber — it is the most commonly tested domain. Consider sitting SAL1 to validate readiness with a practical exam. |
| Several ambers and one or more reds | You need structured preparation before applying. This is not a criticism - it is an honest gap assessment. | Work through the SOC Level 1 path systematically. Each domain above maps directly to a module. Return to this checklist after completing the path. |
| Mostly red | You are at the beginning of the journey. That is fine - everyone starts here. | Start with the Pre Security or Cyber Security 101 path to build foundations before tackling SOC-specific content. |
One Thing Most Candidates Miss
The checklist above covers the technical domains. What it cannot capture is whether you can talk about your experience specifically.
The question that most determines whether a technical interviewer makes an offer is not "do you know what Splunk is." It is "walk me through the last time you investigated a suspicious alert." The candidates who answer with a concrete story, naming the tools they used, the decisions they made, and what they concluded, are the ones who get offers.
That specificity only comes from having done it. Not from having studied it. Every TryHackMe room you complete is a potential answer to that question, provided you treated it as an investigation rather than a task to complete and move past.
Build the Skills the Checklist Tests
TryHackMe's SOC Level 1 path maps directly to every domain in this checklist. It is the most structured way to move systematically from gaps to green across all seven areas, and the SAL1 certification gives you a practical exam that tests your readiness under realistic SOC conditions before you sit in front of a hiring manager.
Nick O'Grady