Feature
NEWSROOM • 5 min read

Creating SAL1 with employers and experts

We built the world's most credible entry-level defensive certification - the closest thing to real-world experience. Here’s how we partnered with employers and experts to make it happen.

In December 2023, we shadowed Accenture’s SOC team for a day, gaining firsthand insight into their operations. After speaking at length with the SOC manager and senior security analysts, we discovered that hiring was a major challenge - for both employers and candidates trying to land their first job in cybersecurity. Despite CVs often showcasing a high level of competency, Accenture found that most candidates lacked a solid understanding of computing fundamentals, didn’t have an analyst mindset, and had no practical experience. This was especially difficult for fresh graduates or those transitioning from non-technical roles. We also spoke to aspiring security analysts who were training hard and earning certifications, yet still struggling to secure their first role in cyber.

That’s why we collaborated with Accenture, Salesforce, JustEat, and industry experts to create Security Analyst Level 1 (SAL1) - a certification that proves job readiness through a revolutionary virtual, SOC environment. Employers can trust that candidates with SAL1 are prepared for the role, helping them stand out from thousands of others. At the same time, SAL1 certified aspiring security analysts can feel confident that they have the skills needed to succeed in the job.

SAL1 was built over 13 months - no compromises were made. We spoke to hundreds of hiring managers, security analysts, industry experts, fortune 500 companies, ran workshops and mentorship programs, organised beta tests with JustEat’s SOC team, and were led by our 30-person in-house content engineering team.

We didn’t jump straight into creating the certification. First, we had to build a SOC simulator that replicates the exact environment a security analyst works in - handling real-time alerts, conducting investigations, writing reports, and escalating incidents. It’s the closest experience to actually working in a SOC. TryHackMe developed this over nine months, collaborating with our existing defensive cyber clients, including Salesforce, and working closely with senior security analysts. We shared early prototypes, gathered feedback, and ran beta tests to ensure the simulator accurately reflected real-world SOC operations.

Below is a demo of the SOC Simulator - this mirrors tasks security analysts would legitimately undertake, requiring candidates to analyse and prioritise alerts in real-time, conduct an investigation in Splunk, close the alert (marking true or false positive), write a report (that is assessed and graded), and choose whether to escalate for further inspection.

A few months after launching the SOC Simulator - and incorporating it into the assessment process for SAL1 - we hosted an in-person workshop with the Accenture team at their Cheltenham office. Their real-world insights helped refine and strengthen the certification.

"SAL1 is an excellent starting point for anyone looking to show their competency in SOC fundamentals. The hands-on training simulations validate learners not only understand core SOC concepts but can also apply them in practice. This certification helps to demonstrate someone has the baseline skills and competency that are required to be successful in a SOC environment, and helping them to progress their cybersecurity career."


Haroon Mahmood
Detection & Response at Salesforce

At TryHackMe, we’re relentless and on a mission to make SAL1 the most credible entry-level certification on the market - if a candidate has it, they’re high calibre, and when employers see SAL1, they can be confident the person is truly job-ready. That’s why, six months before launch (October 2024), we ran another beta with JustEat and security analysts from Sixworks, IBM, and other organizations to further refine the certification.

Built by Industry Experts

Our in-house content engineering team, made up of experienced professionals with over 100 years of collective industry experience, build all of the assessment (and training) material. This expertise ensures that every question and practical challenge in SAL1 is relevant, rigorous, and reflects real-world expectations.

It’s important to note that we’re not new to this. TryHackMe is the world’s largest cyber security training platform. Over the past six years, we’ve trained more than four million users, from complete beginners to seasoned professionals.

We’ve developed thousands of training labs, for governments, the largest security teams in the world, schools, students and everything in between. This deep experience in cyber security education means that designing the best assessment process was a natural step - we know exactly what skills are needed at each level, and we have the training to support every step of the journey.

"The content engineers leading the project all have years of industry experience - they’ve applied to SOC roles, worked as analysts, and managed SOC teams. TryHackMe’s fully remote work culture allowed us to bring together the best analysts and industry experts and incorporate experiences from a wide range of organizations. This unique blend ensured that the assessment we created truly reflects the realities of an L1 role, from landing your first job to excelling in it."

Marta Strzelec
Head of Content Engineering

How We Designed SAL1

For a certification to be valuable, it needs to reflect how a real SOC operates. Most cyber security exams test knowledge in a way that doesn’t reflect a roles actual responsibilities. But being a security analyst isn’t just about knowing facts - it’s about thinking critically, recognising threats, and making quick, informed decisions. Hiring managers need candidates who can assess security alerts, understand attack patterns, and take action. That’s why we built SAL1 to test both knowledge and the practical analyst mindset needed for real security work.

The test were rigorous. Hiring managers needed proof of knowledge, and candidates had to demonstrate real skills. We designed two core parts of the assessment process

  1. Multiple-choice questions (MCQs) to test computing fundamentals. If candidates don’t understand core computing concepts, they won’t be successful in any cyber role. Accenture told us a common reason candidates were rejected during interviews, is because they lacked the computing basics (all topics covered in our pre-security learning path)
  2. A hands-on practical assessment (SOC Simulator) where candidates triage real security alerts in a virtual SOC environment - because a security analyst’s job is to react, investigate, and contain threats.

We designed the exam to reflect the pace and pressure of a real SOC environment; you can’t get closer to the real thing than this. Security analysts don’t have unlimited time to troubleshoot; they need to make decisions quickly and accurately. The hands-on component ensures candidates aren’t just knowledgeable but can perform under real-world conditions.

Making it Accessible and Affordable

We made SAL1 affordable and accessible. Cyber security education shouldn’t be locked behind prohibitively expensive paywalls. Unlike other certifications on the market, SAL1 is priced significantly lower while having the highest standards of quality.

We want to remove barriers for aspiring analysts, not create more of them. Whether you’re just starting out or looking to level up your skills, we have the training, the support, and now the certification to prove you have what it takes to succeed in a security operations environment role.

SAL1 is the Gold Standard

SAL1 isn’t just another certification - it’s the gold standard for proving you’re ready to be employed as a security analyst.

Article written by Ben Spring (Co-Founder) and James Goforth (SAL1 Product Manager)

authorBen Spring
Feb 24, 2025

Join over 640 organisations upskilling their
workforce with TryHackMe

We use cookies to ensure you get the best user experience. For more information contact us.

Read more