BLOG • 6 min read

Complete SOC Analyst Learning Path: From Beginner to Job Ready in 2026

Cyber crime is now a $20 trillion economy. The average data breach costs $4.88 million. Attack windows have collapsed from weeks to hours. Organisations need defenders who can monitor, detect, and respond to threats in real time, and they need more of them than currently exist.

The SOC analyst is the front line of that defence. It is also the most accessible entry point into cyber security for people starting from scratch. No degree required. No prior security experience required. What you need is a clear roadmap, hands-on practice, and the discipline to follow through.

This is that roadmap.


What Does a SOC Analyst Actually Do?

Before you start building toward this role, know what it involves day to day. Not the job description version. The real version.

A Tier 1 SOC analyst monitors an alert queue, triages incoming detections, and makes rapid decisions about what requires investigation versus what is a false positive. You are reading Windows event logs, querying SIEM dashboards, cross-referencing threat intelligence feeds, and documenting your findings in a ticketing system. Every shift, you are the first line of defence between an attacker and the organisation you protect.

At Tier 2, the work deepens. You investigate the incidents Tier 1 flags, conduct deeper forensic analysis, hunt for threats that automated detections miss, and build the runbooks that make Tier 1 faster. This is where SIEM proficiency gives way to genuine investigative skill.

At Tier 3 and beyond, you are a threat hunter, a detection engineer, or a security architect. The SOC analyst career ladder is one of the clearest in cyber security. Every level builds directly on the one before it.

The role is communication-heavy as well as technical. Hiring managers screen for clear written communication as hard as they screen for tool experience. You will write reports, escalate to engineers, and explain incidents to non-technical stakeholders. Build this skill alongside the technical ones from day one.


Phase 1: What Do You Need to Learn First? (Months 1 to 3)

Every SOC skill sits on the same base. Skip it and you will feel the gap when it matters most.

Networking fundamentals. TCP/IP, DNS, HTTP/S, common ports and protocols, how firewalls and proxies work, how traffic flows between systems. You cannot investigate a suspicious network connection without understanding what a normal one looks like.

Operating systems. Windows event logs are the primary data source for most Tier 1 investigations. Know the key event IDs: 4624 and 4625 for logon events, 4688 for process creation, 4698 for scheduled task creation, 7045 for new service installation. Linux command-line proficiency is increasingly expected as cloud infrastructure becomes standard in enterprise environments.

Security concepts. The CIA triad, common attack types (phishing, malware, brute force, credential theft), and the MITRE ATT&CK framework as the reference library for understanding how adversaries operate and what evidence they leave behind.

TryHackMe's Pre Security path and Cyber Security 101 path cover this entire layer in structured, hands-on rooms. Work through them in sequence. Do not skip ahead.


Phase 2: Which SOC Skills Do You Need to Build? (Months 3 to 6)

With foundations in place, the SOC-specific layer goes on top. This is where the role starts to feel real.

SIEM proficiency. The SIEM is the central tool of SOC operations. Splunk (SPL query language) and Microsoft Sentinel (KQL) are the two platforms that matter most for employment. You need to write basic and intermediate searches, understand how correlation rules generate alerts, and be able to reconstruct the timeline of an event from raw log data.

Log analysis. Given a set of log entries, can you identify what happened, in what sequence, and what it means? This is the core investigative skill that technical interviews test directly. Practice it until it feels instinctive, not effortful.

Threat intelligence enrichment. Know how to look up a suspicious hash in VirusTotal, how to evaluate a domain's reputation, and how to use OSINT to add context to an alert. Enrichment is what separates a well-investigated ticket from a surface-level one.

Incident response process. Understand the NIST incident response lifecycle: Preparation, Detection and Analysis, Containment, Eradication, Recovery, Post-Incident Activity. Know what escalation means in a SOC context and what criteria determine when to escalate from Tier 1 to Tier 2.
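As an added illustration (not code from the post or from TryHackMe), the log-analysis steps described above run over a handful of constructed Windows events keyed on the event IDs listed in Phase 1: reconstruct the timeline, spot a run of 4625 failures followed by a 4624 success, spot a 4698 or 7045 created right after that logon, and apply one plausible Tier 1 escalation rule. The threshold, time window, hosts, accounts and addresses are all assumptions.

```python
from datetime import datetime, timedelta

# Event IDs named in the post and what each one tells an analyst.
MEANING = {4624: "logon success", 4625: "logon failure", 4688: "process created",
           4698: "scheduled task created", 7045: "service installed"}

# Constructed sample events (not real telemetry), normalised the way a SIEM
# would present them: timestamp, event ID, host, account, source IP.
SAMPLE_EVENTS = [
    {"ts": "2026-05-15T08:00:01", "id": 4625, "host": "FS01", "user": "svc_backup", "src": "10.0.0.7"},
    {"ts": "2026-05-15T08:00:04", "id": 4625, "host": "FS01", "user": "svc_backup", "src": "10.0.0.7"},
    {"ts": "2026-05-15T08:00:09", "id": 4625, "host": "FS01", "user": "svc_backup", "src": "10.0.0.7"},
    {"ts": "2026-05-15T08:00:15", "id": 4625, "host": "FS01", "user": "svc_backup", "src": "10.0.0.7"},
    {"ts": "2026-05-15T08:00:21", "id": 4625, "host": "FS01", "user": "svc_backup", "src": "10.0.0.7"},
    {"ts": "2026-05-15T08:00:30", "id": 4624, "host": "FS01", "user": "svc_backup", "src": "10.0.0.7"},
    {"ts": "2026-05-15T08:01:02", "id": 4688, "host": "FS01", "user": "svc_backup", "src": ""},
    {"ts": "2026-05-15T08:02:40", "id": 4698, "host": "FS01", "user": "svc_backup", "src": ""},
    {"ts": "2026-05-15T09:15:00", "id": 4624, "host": "WS14", "user": "alice", "src": "10.0.0.21"},
]

def parse(events):
    """Sort by time, attaching a datetime so gaps between events can be measured."""
    return sorted((dict(e, when=datetime.fromisoformat(e["ts"])) for e in events), key=lambda e: e["when"])

def timeline(events):
    """Reconstruction step: one readable line per event, in chronological order."""
    return [f'{e["ts"]} {e["host"]} {e["id"]} {MEANING.get(e["id"], "other")} {e["user"]}'
            for e in parse(events)]

def triage(events, threshold=5, window=timedelta(minutes=5)):
    """One pass over the timeline for two patterns: threshold+ failures (4625) for one
    account from one source then a success (4624) inside the window, and a task (4698)
    or service (7045) created by an account on the host it just logged on to."""
    failures, logons, findings = {}, {}, []
    for e in parse(events):
        src_key, host_key = (e["src"], e["user"]), (e["host"], e["user"])
        if e["id"] == 4625:
            failures.setdefault(src_key, []).append(e["when"])
        elif e["id"] == 4624:
            logons[host_key] = e["when"]
            recent = [t for t in failures.get(src_key, []) if e["when"] - t <= window]
            if len(recent) >= threshold:
                findings.append({"type": "brute_force_success", "user": e["user"],
                                 "src": e["src"], "failures": len(recent), "at": e["ts"]})
        elif e["id"] in (4698, 7045) and host_key in logons and e["when"] - logons[host_key] <= window:
            findings.append({"type": "persistence_after_logon", "user": e["user"],
                             "host": e["host"], "event_id": e["id"], "at": e["ts"]})
    # Assumed Tier 1 rule: both signals on the same account go to Tier 2; one alone is noted.
    users = lambda kind: {f["user"] for f in findings if f["type"] == kind}
    return {"findings": findings,
            "escalate": sorted(users("brute_force_success") & users("persistence_after_logon"))}
```

Running `triage(SAMPLE_EVENTS)` flags svc_backup for escalation while alice's single clean logon produces nothing, which is the false-positive discipline the Tier 1 queue demands.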

TryHackMe's SOC Level 1 path covers every one of these domains in a guided, hands-on environment with real log data and real tooling. It is the most direct structured route to Tier 1 readiness available on any platform. Work through it alongside the Phase 1 content, and your public TryHackMe profile will build evidence of both at the same time.


Phase 3: Which Certifications Should You Get? (Months 4 to 7)

Credentials matter in SOC analyst hiring. But they only earn their keep if they answer the question hiring managers are actually asking: can you do the work?

TryHackMe Pre-Security Certificate is the right first credential. It validates that you have built the foundational layer before moving into SOC-specific content. Something concrete to show employers early in your preparation.

TryHackMe SAL1 (Security Analyst Level 1) is the credential that answers the "can you actually do the work" question directly. Rather than a multiple-choice exam, SAL1 puts you inside a live SOC simulator where you triage alerts, investigate incidents using real tooling, and write graded incident reports under realistic conditions. Backed by Accenture and Salesforce, it is the most practically validated entry-level SOC credential available. Premium subscribers receive a 15% discount.

According to Coding Temple's analysis of hiring manager priorities, a career changer with hands-on lab experience and one solid credential beats someone with three certs and no practical portfolio in the majority of hiring decisions. Quality over quantity. SAL1 and a strong TryHackMe profile are that combination.

For those targeting mid-level roles after their first position, SAL2 validates the Tier 2 skill set through advanced investigation scenarios. It is endorsed by NCC Group, with Pablo Menendez Cores describing it as reflecting "quite well what we actually do in an MSSP environment." That is practitioner validation that carries real weight with technical hiring managers. Premium subscribers receive a 15% discount.


Phase 4: How Do You Build a Portfolio That Gets You Noticed? (Ongoing)

Credentials open doors. A portfolio closes the deal.

Every TryHackMe room you complete is a potential writeup. Every SIEM investigation you practise is an opportunity to document your methodology in a professional format. Publish your writeups on GitHub or a personal blog. Link everything from your LinkedIn profile. Make your work visible.

The candidates who get hired are not always the most technically advanced. They are the ones who can speak specifically about investigations they have actually conducted. "Walk me through the last alert you investigated" is a question every SOC interview contains. Your lab work gives you the specific answer that generic study does not.


Phase 5: When Should You Start Applying? (Months 6 to 9+)

The timeline is more predictable than most guides acknowledge. Without an IT background, expect 9 to 18 months to become job-ready. With IT experience in help desk, system administration, or networking, that compresses to 6 to 12 months. The difference is foundational knowledge that IT experience provides for free.

Do not wait until you feel completely ready. If you have completed the SOC Level 1 path, earned SAL1, and have a visible portfolio of documented lab work, you have enough to apply. Apply when you meet approximately 70% of stated requirements. Interviews provide feedback that no amount of additional studying replicates.

Target MSSP postings with "Tier 1" or "junior" in the title. These are the most realistic first roles for career changers and they are the most common. Tailor every application to highlight your lab work specifically, your TryHackMe profile, your documented investigations, and your SAL1 credential. Generic applications get filtered out before a human reads them.


Where Do You Go After Tier 1?

The SOC analyst career path is one of the clearest in the industry. Tier 1 for six to twelve months builds the operational foundation. Tier 2 deepens into forensics, threat hunting, and independent investigation. From there, the paths diverge: security engineering, threat intelligence, DFIR, detection engineering, or management.

SAL2 is the natural credential for the Tier 1 to Tier 2 transition, validating advanced investigation capability and the Tier 2 skill set through realistic, multi-stage scenarios. TryHackMe's Threat Hunting module extends your skill set into the proactive hunting capability that distinguishes Tier 2 from Tier 1.

Every level you reach opens the next one. That is what makes this career path worth committing to.


Your First Move

Start today. Not next week when you have more time. Today.

Create your free TryHackMe account. Open the Pre Security path. Complete one room before you close this tab. That single action creates the momentum that compounds over the next six to twelve months into a career.

The next level is always just within reach.

Author: Nick O'Grady
May 15, 2026
