"Very realistic and reflects quite well what we actually do in an MSSP environment." Those are the words of an NCC Group SOC analyst.
Most defensive certifications don't evaluate the skills the job actually requires. That's why we built Security Analyst Level 2 (SAL2), TryHackMe's most advanced defensive security certification to date: a credential that proves you can do the job.
If you've been working in a SOC and wondering what comes next, this is it. SAL2 is built for analysts who are ready to prove they operate at an elite level, in the kind of high-pressure, multi-layered investigations that define modern defensive security.
Why We Built SAL2
The cyber security industry has a problem that isn't going away quietly. There are thousands of unfilled security positions worldwide, and demand for skilled SOC analysts is projected to grow by 33%. Yet the gap between what employers need and what candidates can actually demonstrate keeps widening.
Most certifications focus on a single domain, a single tool, or a single scenario type (Windows IR, for example), leaving large blind spots in a candidate's profile. And almost none of them test the non-technical skills that senior analysts depend on every day: decision-making under pressure, incident communication, prioritisation, and report writing.
Employers are hiring analysts and finding that the credentials on their CV don't reflect what they can actually do in a live environment. Analysts are sitting exams that don't reflect the work they're actually performing. The whole system is misaligned, and it costs organisations dearly when a mid-level hire takes months to ramp up, or worse, mishandles an incident because their training never prepared them for the real thing.
SAL2 was designed to close that gap. It certifies that you can think, act, and lead during an incident.
"SAL2 is a solid and well-designed exam. It's very realistic and reflects quite well what we actually do in an MSSP environment. I think it's a strong and practical certification."
The Problem With How SOC Skills Are Tested Today
Let's be direct about something: the existing certification landscape for defensive security is broken in a very specific way.
Most SOC-focused certifications treat the role as a purely technical one. Pass a written exam, demonstrate some Windows forensics knowledge, add it to your LinkedIn. But a real SOC Level 2 analyst isn't just a technician. They're an investigator, a decision-maker, and a communicator all at once, often under time pressure, with incomplete information and competing priorities.
Today's threats bypass traditional defences as a matter of course. Adversaries move laterally across cloud environments, Active Directory, endpoints, and networks in a single attack chain. A skilled analyst needs to follow that chain wherever it leads: not just through Windows event logs, but across AWS, Entra ID, SIEM alerts, network PCAPs, and endpoint telemetry at the same time.
And when the investigation is done? They need to be able to write a clear, actionable incident report. Communicate it to stakeholders. Map the attack to MITRE ATT&CK. Make the right escalation call. These are skills that are almost entirely absent from the certifications that currently exist in the market.
That's the gap SAL2 fills, and it's a significant one.
"The certification serves its primary purpose well: validating and reinforcing incident analysis skills. It is particularly useful for developing a structured approach to investigations and as a practical trainer before real-world work in a SOC."
What Makes SAL2 Different
SAL2 is the only certification on the market that evaluates all aspects of SOC Level 2 operations across every major domain: Cloud, Active Directory, Network, Web, and OS platforms. Here's what that looks like in practice:
12 Multi-Stage, Hands-On Scenarios
Forget reading about incident response. In SAL2, you're living it. Across three simulated shifts, you'll work through 12 scenarios spanning low-noise anomalies to high-severity incidents, the kind that land in a real analyst's queue on any given day. A phishing campaign that's already reached a mailbox. Suspicious lateral movement in an Active Directory environment. Anomalous cloud API calls suggesting credential compromise. Malware behaviour buried in endpoint logs. But it's not just about finding the threat.
You'll have to triage and prioritise across competing alerts, manage your workload against SLA pressure, and decide what escalates and what doesn't: exactly the judgement calls a senior analyst makes every shift.
Each scenario is built to mirror what analysts face in production environments. You're not working with sanitised, made-for-training data. You're working with realistic, multi-layered evidence that requires genuine investigative thinking to untangle.
The Tools You Actually Use
You'll work across the same stack you'd encounter on the job: SIEM platforms, custom EDR and Threat Intelligence applications, analyst VMs loaded with curated artifacts, and access to compromised machines. The exam environment isn't a simulation of a SOC; it's as close to the real thing as a certification can get.
"I like that we use the SIEM practically to answer questions as it makes it more interactive. I also liked the report writing as I really had to think about what to write... it felt 'real'."
Two-Part Evaluation: Technical Depth and Analytical Maturity
Every scenario in SAL2 is evaluated across two dimensions, and both matter equally.
The technical component consists of 7 targeted questions per scenario that probe the full attack chain. These aren't surface-level questions. They require you to trace adversary behaviour from initial access through to impact, identify specific indicators of compromise, and demonstrate genuine investigative depth.
The non-technical component is where SAL2 truly separates itself from every other cert on the market. Each scenario also requires either a decision-making exercise, where you demonstrate the judgement calls you'd make in real time, or an AI-graded incident summary report, in which you articulate what happened, why it matters, and what should happen next.
Because in a real SOC, finding the threat is only half the job. Communicating it clearly and responding with authority is the other half. SAL2 tests both.
Every Domain. Every Skill Set.
SAL2 covers the full breadth of what modern SOCs demand across both technical and non-technical dimensions.
Technical skills assessed include: Windows log analysis, Active Directory investigation, Entra ID and AWS log investigation, email analysis and phishing investigation, Linux attacks and log analysis, web attacks, basic network analysis (PCAP and IDS), basic malware analysis, threat intelligence and data enrichment, detection engineering with Sigma, and triage across host, EDR, and SIEM.
Non-technical skills assessed include: internal and external report writing, alert and incident summarisation, MITRE ATT&CK and kill chain mapping, SOC routine and prioritisation, incident communication and coordination, decision-making and immediate response, post-incident actions and planning, and SLA management.
No other certification in this space comes close to this breadth.
"This is a very good exam. It felt engaging, practical, and genuinely challenged me in ways I wasn't expecting. I appreciated having to make decisions based on the scenario and justify them... it made me feel like I was working as a SOC Level 2 analyst."
Exam Format at a Glance
- Non-proctored: Work through the scenarios at your own pace within the time window
- 72 hours total
- 12 unique scenarios: Averaging between 45 minutes and 2 hours each
- One free retake included
- Instant results: No waiting around after you submit
- 3-year validity: With QR-verifiable certification
Who SAL2 Is For
SAL2 is built specifically for SOC Level 1 and Level 2 Analysts who are ready to step into greater responsibility. If you're a Level 1 analyst who's been performing above your grade and want the credential to prove it, SAL2 is your next move. If you're already operating as a Level 2 and want to validate that formally to yourself, your employer, and the market, this is it.
It's also a natural fit for threat hunters who dive deep into anomaly detection, and for incident responders who handle multiple incidents with diverse resolution approaches, who want to sharpen and validate their defensive depth across the full SOC operations picture.
If you hold SAL1, SAL2 is your next challenge.
For everyone else: you should be comfortable with alert handling, log analysis, and basic investigation workflows before attempting SAL2. If you're still building that foundation, our SOC Level 2 learning path is the place to start.
We want SAL2 to be the kind of achievement you can be proud of, that commands respect in an interview, and that genuinely signals to any hiring manager that the person holding it is operating at an elite level.
Why This Matters for Your Career Right Now
The market for skilled defensive security professionals has never been more competitive, or more full of opportunity for analysts who can demonstrate real capability.
Organisations across every sector are urgently hiring mid-level SOC talent. They need analysts who can step into complex environments and perform without lengthy ramp-up time. The challenge is that most certifications don't give hiring managers the signal they need to make confident decisions. A cert that tests theory doesn't tell you whether someone can run a real investigation.
SAL2 does. It's built to be the most credible signal a SOC analyst can carry: proof that you've been tested against realistic scenarios, complex environments, and the full range of skills the job actually demands.
Whether you're targeting a promotion, positioning yourself for a new role, or simply want the credential that reflects the analyst you've already become, SAL2 is the one that does it.
"The certification left a positive impression, especially in terms of its practical focus and proximity to real SOC/DFIR tasks. The exercises are not centered on theoretical knowledge, but on the ability to work with logs, find attack artifacts, and build investigation logic, which closely reflects the real work of an analyst."
A New Standard for SOC Performance
We've spent a long time thinking about what it means to genuinely validate SOC expertise: not just measure it against an exam that was designed for convenience, but actually assess whether someone can perform at the level that modern security operations demand.
SAL2 is the answer we've built. It's rigorous by design, realistic by necessity, and built around the belief that the best analysts deserve a credential that reflects their actual capability.
The industry doesn't need more paper certifications. It needs analysts who can investigate a real incident, make the right call, and communicate it clearly under pressure, with incomplete information, across every domain a modern SOC demands. SAL2 is how you prove you're one of them.
"The platform pushes you to move from indicators of compromise to the full picture of the incident, which is valuable even for those who already have experience in SOC or threat hunting. The variety of data sources is also worth highlighting: you'll work with web logs, Windows events, network activity, and cloud artifacts."
Carah Els