BLOG • 5 min read

Introducing the Revamped SOC Level 1 Learning Path

Train like a real SOC Analyst. Build job-ready defensive skills.

Security Operations Centers (SOCs) are the frontline of cyber security. They monitor threats, investigate suspicious activity, and protect businesses from attacks. But breaking into this world has always been a challenge: scattered learning, outdated content, and unrealistic expectations of beginners.

So, we rebuilt our SOC Level 1 (SOC L1) learning path from the ground up.
Now, it’s more practical, structured, and relevant to real job requirements than ever before.

Why We Revamped the SOC L1 Path

1. Forensics Out, Real SOC Work In

While digital forensics is valuable, it’s not part of an entry-level SOC analyst’s role. SOC L1s focus on alert monitoring, triage, escalation, and working with SIEM, SOAR, and EDR tools.

That’s why we replaced most of the forensics content with modules like:

  • Core SOC Solutions
  • SIEM Triage for SOC
  • SOC Team Internals

These are the skills hiring managers actually look for.

2. Added a Proper Introduction to Blue Teaming

The previous path dropped students straight into tools and technical rooms — without explaining why SOC exists, how teams operate, and how defenders think.

The new learning path introduces:

  • The role and mission of SOC teams
  • Why modern businesses need blue teamers
  • Overview of SOC structures, processes, and daily operations

This foundation is now covered in Module 1: Blue Team Introduction.

3. Structured Learning. No More Disconnected Rooms

Previously, the path felt like a list of unrelated topics. Now, it’s been redesigned into compact modules that flow logically, from beginner-friendly concepts to advanced investigations.

You learn in the same order a real analyst would grow on the job, from understanding SOC fundamentals to handling full-scale incidents.

4. Filled Technical Gaps (Linux, Web, LoTL & More)

The old path focused heavily on Windows and networks. But modern analysts also need to understand:

  • Linux-based attacks
  • Web application threats
  • Cloud and modern infrastructure
  • Living-off-the-Land (LoTL) techniques
  • Threat intelligence workflows

The revamped path now covers all of these to shape a versatile, future-ready SOC analyst.

What You’ll Learn & Path Overview

By completing this path, you’ll:

  • Learn SOC tools and workflows (SIEM, SOAR, EDR)
  • Detect and analyse network and web attacks
  • Monitor Windows, Linux, and endpoints for threats
  • Triage security alerts and handle incidents confidently
  • Complete real-world capstone challenges, end-to-end

Module Breakdown: What’s Inside?

Module 1: Blue Team Introduction

This module immerses you in the work of a Security Operations Centre, where you’ll learn how both humans and systems become attack vectors, and how analysts detect and respond in real time. Through hands-on scenarios, you’ll gain practical insight into defending organisations from cyber attacks and explore SOC roles, tools, and skills needed to begin your journey as a Junior Security Analyst.

Module 2: Cyber Defence Frameworks

Here you will cover attack stages and adversary techniques using industry frameworks. You’ll follow real incident workflows, map telemetry to frameworks, create triage notes, and apply these models to improve detection and response.

Module 3: Phishing Analysis

Analyze various phishing attacks hands-on. From examining an email's source properties to reviewing malicious phishing attachments, you will investigate real-world examples of attacks in the industry. You will also discover how adversaries launch phishing campaigns and learn how you can defend your organization against them.

Module 4: Network Traffic Analysis

This module explores the fundamentals of Network Traffic Analysis: what it is, why it’s needed, how to capture traffic, and how to analyse it. You’ll learn the basics of Wireshark to inspect packet behaviour and detect common attacks like ARP poisoning, Nmap scans, ICMP tunnelling, and more.

Module 5: Network Security Monitoring

This module covers various aspects of network security, focusing on monitoring network perimeters for signs of attack. Through hands-on exercises, you’ll analyse network traffic and logs to investigate whether the attacker is actively probing the network endpoints, performing man-in-the-middle attacks, or attempting to exfiltrate the data through various network channels.

Module 6: Web Security Monitoring

In this module, you’ll learn how the web works and how modern web threats impact both users and application owners. Using network captures, raw logs, and SIEM, you’ll analyse how web attacks unfold and how to detect them in a SOC. You’ll also explore how to stop these threats using tools like WAF and CDN.

Module 7: Windows Security Monitoring

This module explores Windows attacks and defenses directly on the host, without SIEM. You’ll use Event Viewer, the command line, and file system navigation to detect real malware and learn the corresponding MITRE techniques. This hands-on experience will sharpen your Windows skills and prepare you for real-world SOC work.

Module 8: Linux Security Monitoring

This module explores Linux attacks and defences directly on the host, without SIEM. Through hands-on labs, you’ll detect malware uploads, reverse shells, and cryptomining activity, then trace each step through system and process logs, building practical Linux skills for real SOC work.

Module 9: Malware Concepts for SOC

In this module, you’ll learn to identify and classify malware in SOC operations. You’ll understand malware goals, risks, and behaviours, attribute files to malware types, and discover why attackers increasingly use living-off-the-land techniques and how to detect them.

Module 10: Core SOC Solutions

This module begins with building knowledge on Endpoint Detection and Response (EDR), covering how it detects advanced threats and enables response actions. You’ll then learn the foundations of SIEM through practical work in Splunk and Elastic Stack. Finally, you’ll explore how SOCs use SOAR to automate tasks and streamline incident handling.

Module 11: Threat Analysis Tools

This module explores the foundations of threat intelligence, covering data sources, enrichment, and analysis. You’ll work with files, hashes, IPs, domains, and intel feeds to identify threats, track adversaries, and map findings to MITRE ATT&CK. By the end, you’ll know how to operationalise threat intelligence in investigations and reporting.

Module 12: SIEM Triage for SOC

Explore how SIEM solutions help detect early signs of attacks, investigate SOC alerts, and correlate logs from multiple sources to build an incident timeline. These skills will be vital for you to identify and respond to real-world threats as a SOC analyst.

Module 13: SOC Team Internals

This module focuses on the core of every SOC: security alerts. You’ll learn to triage and classify alerts, document findings, write reports, and follow escalation and communication procedures. These skills will prepare you for the TryHackMe SOC-SIM and your first months in a real SOC team.

Module 14: Capstone Challenges

Here you’ll investigate real-world incidents across different TTPs, from initial access to data exfiltration. You’ll work with artefacts like memory dumps, emails, packet captures, and event logs, and learn how to navigate SIEM data sources to correlate findings and complete the investigation.

Who Is This Path For?

  • Beginners looking to start a blue team career
  • Aspiring SOC Analysts or Cybersecurity Analysts
  • IT professionals transitioning into security
  • Existing SOC beginners looking to structure their knowledge

Ready to Start Your SOC Journey?

The Revamped SOC L1 path gives you everything you need:

  • Real tools
  • Real incidents
  • Real skills that get you hired

Become the defender every organisation needs.

Author: Carah Els
Nov 4, 2025
