The most comprehensive, step-by-step roadmap for breaking into defensive cybersecurity.
From absolute zero to your first Blue Team role, every skill, tool, certification, and resource you need.
- Why This Roadmap Exists
- Who Is This For?
- The 10-Phase Overview
- Phase 1: Networking Fundamentals
- Phase 2: Windows Essentials
- Phase 3: Linux Command Line
- Phase 4: Scripting & Automation
- Phase 5: Security Fundamentals
- Phase 6: Blue Team Tools
- Phase 7: Certifications
- Phase 8: Hands-On Practice
- Phase 9: Build Your Portfolio
- Phase 10: Get Hired
- Defensive Security Career Paths
- 2026 Industry Trends
- Free Resources Directory
- Contributing
The cybersecurity industry has 4.8 million unfilled positions worldwide (ISC2, 2025). Defensive security (Blue Team) is the backbone of every organization's security posture, yet most learning resources are scattered, outdated, or focused on offensive security.
This roadmap changes that. It provides a complete, structured, step-by-step learning path from absolute zero to landing your first Blue Team role, with every resource linked, every tool explained, and every step actionable.
What makes this different from other lists:
- π Structured as a learning path, not just a random list of tools
- π’ Ordered by learning sequence, each phase builds on the previous one
- π Prioritizes free resources, you can follow this entire roadmap without spending a dollar on courses
- π― Focused on getting hired, includes resume tips, interview prep, and job search strategy
- π Regularly updated, maintained with the latest tools, certs, and industry trends
- π’ Complete beginners with zero IT or security experience
- π Career switchers coming from other fields
- π Students studying cybersecurity or related fields
- πΌ IT professionals wanting to transition into security
- π΅ Junior SOC analysts looking to level up their skills
You do NOT need:
- A computer science degree
- Previous IT experience
- Expensive training courses
- Any special hardware (a laptop with 8GB+ RAM is enough to start)
| Phase | Topic | Timeline | Prerequisites |
|---|---|---|---|
| 01 | Networking Fundamentals | Weeks 1-4 | None |
| 02 | Windows Essentials | Weeks 3-6 | Basic networking |
| 03 | Linux Command Line | Weeks 4-7 | None |
| 04 | Scripting & Automation | Weeks 5-8 | Basic OS knowledge |
| 05 | Security Fundamentals | Weeks 6-10 | Phases 1-4 |
| 06 | Blue Team Tools | Weeks 8-14 | Phase 5 |
| 07 | Certifications | Months 3-6 | Phases 1-6 |
| 08 | Hands-On Practice | Months 4-8 | Phase 6 |
| 09 | Build Your Portfolio | Months 5-9 | Phase 8 |
| 10 | Get Hired | Months 8-12 | All phases |
β±οΈ Total estimated timeline: 6-12 months with 2-3 hours of daily study. Phases overlap. You don't need to finish one completely before starting the next. Consistency is more important than speed.
Timeline: Weeks 1-4 Β· Effort: 2-3 hours/day
Every security alert involves network traffic. You cannot investigate threats, write detection rules, or analyze incidents without understanding how data moves across networks.
- The 7-layer OSI model and how it maps to the 4-layer TCP/IP model
- What happens at each layer (Physical, Data Link, Network, Transport, Session, Presentation, Application)
- How encapsulation works (data β segment β packet β frame β bits)
- Why this matters for security: understanding which layer an attack targets helps you choose the right detection method
- IPv4 address structure (32-bit, dotted decimal notation)
- Private vs public IP ranges (10.x.x.x, 172.16-31.x.x, 192.168.x.x)
- CIDR notation (/24, /16, /8 and what they mean)
- Subnet masks and how to calculate network/host portions
- NAT (Network Address Translation) and why it exists
- IPv6 basics (128-bit, hexadecimal notation)
You need to memorize these. They appear in every SOC investigation:
| Protocol | Port | What It Does | Security Relevance |
|---|---|---|---|
| DNS | 53 | Resolves domain names to IPs | DNS tunneling, domain hijacking, DGA detection |
| HTTP | 80 | Unencrypted web traffic | Credential theft, malware delivery |
| HTTPS | 443 | Encrypted web traffic | C2 communication hiding in TLS |
| SSH | 22 | Secure remote access | Brute force attacks, unauthorized access |
| RDP | 3389 | Windows remote desktop | #1 ransomware entry vector |
| SMTP | 25 | Email sending | Phishing, spam, spoofing |
| FTP | 20/21 | File transfer | Credential sniffing, data exfiltration |
| DHCP | 67/68 | Automatic IP assignment | Rogue DHCP servers, MITM |
| SMB | 445 | Windows file sharing | EternalBlue, lateral movement |
| LDAP | 389/636 | Directory services | Active Directory attacks |
| Kerberos | 88 | Authentication | Kerberoasting, Golden Ticket |
| Syslog | 514 | Log forwarding | Log analysis, SIEM ingestion |
| SNMP | 161/162 | Network management | Information disclosure |
- Routers: Forward traffic between networks, operate at Layer 3
- Switches: Forward traffic within networks, operate at Layer 2
- Firewalls: Filter traffic based on rules (stateful vs stateless)
- Proxies: Intermediate between clients and servers (forward vs reverse)
- Load Balancers: Distribute traffic across servers
- IDS/IPS: Detect (IDS) or prevent (IPS) malicious traffic
- VLANs: Logically segment networks
- VPNs: Encrypted tunnels across public networks
- DMZ: Demilitarized zone for public-facing services
- Packet capture fundamentals
- Display filters vs capture filters
- Following TCP streams
- Identifying common protocols visually
- Recognizing anomalous traffic patterns
| Resource | Type | Link |
|---|---|---|
| Professor Messer, Network+ N10-009 | Video (87 episodes) | YouTube |
| TryHackMe, Pre-Security Path | Interactive Labs | tryhackme.com |
| Cisco Networking Academy, Intro to Networks | Course | netacad.com |
| Practical Networking | YouTube Channel | YouTube |
| Subnetting Practice | Drill Site | subnettingpractice.com |
| Sunny Classroom, Networking Tutorials | YouTube | YouTube |
| Jeremy's IT Lab, CCNA Course | YouTube (Free) | YouTube |
- Can explain the OSI model and TCP/IP stack
- Can subnet an IP address and calculate ranges
- Memorized critical protocols and their port numbers
- Understand the role of routers, switches, firewalls, and proxies
- Can capture and read basic traffic in Wireshark
- Completed TryHackMe Pre-Security networking rooms
Timeline: Weeks 3-6 Β· Effort: 2-3 hours/day
Over 90% of enterprise environments run Windows with Active Directory. As a SOC analyst, Windows Event Logs will be your primary data source. Understanding how Windows works internally is not optional, it is the foundation of your daily work.
- Domains, forests, and trusts: hierarchical structure of AD
- Users, groups, and OUs: how access is organized
- Group Policy Objects (GPO): how administrators enforce settings across machines
- Kerberos authentication: TGT, TGS, service tickets, and why attackers love it
- NTLM authentication: legacy protocol, pass-the-hash attacks
- Domain Controllers: the most critical servers in any enterprise
This is the #1 skill for SOC analysts. You must be able to read, filter, and correlate Windows events.
Event IDs You Must Memorize:
| Event ID | Log | What It Means | Why It Matters |
|---|---|---|---|
| 4624 | Security | Successful logon | Track who accessed what |
| 4625 | Security | Failed logon | Brute force detection (multiple = attack) |
| 4634 | Security | Logoff | Session tracking |
| 4648 | Security | Explicit credential logon | Lateral movement indicator |
| 4672 | Security | Special privileges assigned | Admin access granted |
| 4688 | Security | New process created | Malware execution detection |
| 4689 | Security | Process exited | Process lifecycle tracking |
| 4720 | Security | User account created | Persistence technique |
| 4724 | Security | Password reset attempt | Privilege escalation |
| 4728 | Security | Member added to security group | Privilege escalation |
| 4732 | Security | Member added to local group | Local admin escalation |
| 1102 | Security | Audit log cleared | Almost always malicious |
| 7045 | System | New service installed | Malware persistence |
| 4104 | PowerShell | Script block logging | Malicious PowerShell detection |
| 1 | Sysmon | Process creation | Detailed process tracking |
| 3 | Sysmon | Network connection | C2 communication detection |
| 11 | Sysmon | File creation | Dropped files, malware delivery |
| 22 | Sysmon | DNS query | DNS-based C2, DGA detection |
How to read Event Log sequences (attack stories):
- Multiple 4625 β single 4624 = successful brute force
- 4720 + 4728 (Domain Admins) = account creation + privilege escalation
- 4688 with suspicious process names (powershell.exe, cmd.exe, certutil.exe) = potential malware execution
- 1102 = someone cleared logs to cover tracks
Essential commands every SOC analyst uses:
# View recent security events
Get-EventLog -LogName Security -Newest 100
# Find failed logons
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | Select-Object TimeCreated, Message
# List running processes with details
Get-Process | Sort-Object CPU -Descending | Select-Object -First 20
# Check network connections
Get-NetTCPConnection | Where-Object {$_.State -eq "Established"}
# Find recently modified files
Get-ChildItem -Path C:\ -Recurse -File | Where-Object {$_.LastWriteTime -gt (Get-Date).AddHours(-24)}
# Check scheduled tasks (persistence mechanism)
Get-ScheduledTask | Where-Object {$_.State -ne "Disabled"}
# Check startup programs
Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, LocationSysmon is a Windows system service that provides detailed telemetry on process creation, network connections, file creation, and more. It is essential for any SOC.
- Install with SwiftOnSecurity's Sysmon config for a well-tuned baseline
- Alternative: Olaf Hartong's Sysmon Modular config
- Learn the key Sysmon Event IDs (1, 3, 7, 8, 10, 11, 13, 22)
- Registry run keys (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run), common persistence location
- Services (services.msc), malware often installs as a service
- Scheduled Tasks, another persistence mechanism
- WMI subscriptions, advanced persistence technique
| Resource | Type | Link |
|---|---|---|
| TryHackMe, Windows Fundamentals 1, 2, 3 | Interactive Labs | tryhackme.com |
| TryHackMe, Active Directory Basics | Lab | tryhackme.com |
| TryHackMe, Windows Event Logs | Lab | tryhackme.com |
| TryHackMe, Sysmon | Lab | tryhackme.com |
| Microsoft Learn, Windows Server | Free Course | learn.microsoft.com |
| 13Cubed, Windows Forensics | YouTube | YouTube |
| SANS Windows Forensic Analysis Poster | Cheat Sheet (Free) | sans.org |
- Understand Active Directory structure (domains, users, groups, GPO)
- Can explain Kerberos authentication flow
- Memorized critical Windows Event IDs
- Can read Event Log sequences and identify attack patterns
- Know basic PowerShell investigation commands
- Understand what Sysmon does and its key Event IDs
- Know common persistence locations (registry, services, scheduled tasks)
- Completed TryHackMe Windows rooms
Timeline: Weeks 4-7 Β· Effort: 2 hours/day
Most security tools, servers, and appliances run Linux. You need terminal fluency, the ability to navigate, search, process text, and automate tasks from the command line.
Navigation & File System:
pwd # Print current directory
ls -la # List all files with details
cd /var/log # Change directory
find / -name "*.log" # Find files by name
locate suspicious.exe # Fast file search (uses database)
tree -L 2 # Directory tree structureFile Operations:
cat file.txt # Display file contents
head -n 20 file.txt # First 20 lines
tail -f /var/log/syslog # Follow log file in real-time (critical for monitoring)
less large_file.log # Page through large files
cp file.txt backup/ # Copy files
mv file.txt newname.txt # Move/rename files
chmod 755 script.sh # Change permissions
chown user:group file # Change ownershipText Processing (used daily in log analysis):
grep "error" logfile.txt # Search for pattern
grep -i "failed" auth.log # Case-insensitive search
grep -r "password" /etc/ # Recursive search
grep -c "404" access.log # Count matches
awk '{print $1, $4}' access.log # Extract specific fields
sed 's/old/new/g' file.txt # Find and replace
sort access.log | uniq -c | sort -rn # Count unique lines, sort by frequency
wc -l logfile.txt # Count lines
cut -d',' -f1,3 data.csv # Extract CSV fieldsSystem Information:
ps aux # List all running processes
ps aux | grep suspicious # Find specific process
top / htop # Real-time process monitoring
netstat -tulnp # Show listening ports and connections
ss -tulnp # Modern replacement for netstat
ifconfig / ip addr # Network interface information
who / w # Who is logged in
last # Login history
df -h # Disk usage
free -h # Memory usage
uname -a # System informationPiping & Chaining (combine commands):
# Count failed SSH login attempts
cat /var/log/auth.log | grep "Failed" | wc -l
# Find top 10 IP addresses in access log
cat access.log | awk '{print $1}' | sort | uniq -c | sort -rn | head -10
# Find large files (potential data staging)
find / -type f -size +100M 2>/dev/null
# Monitor specific log entries in real-time
tail -f /var/log/syslog | grep --color "error\|warning\|critical"/var/log/ β System and application logs
/var/log/auth.log β Authentication logs (SSH, sudo)
/var/log/syslog β General system messages
/var/log/kern.log β Kernel messages
/etc/ β System configuration files
/etc/passwd β User accounts
/etc/shadow β Password hashes
/etc/crontab β Scheduled tasks
/tmp/ β Temporary files (malware often lands here)
/home/ β User home directories
/proc/ β Virtual filesystem with process info
/opt/ β Optional/third-party software
- Ubuntu, Start here. Most beginner-friendly, great documentation
- Kali Linux, Pre-loaded with security tools (pentesting focus)
- Kali Purple, Specifically designed for Blue Team operations
- REMnux, Specialized for malware analysis
- SIFT Workstation, SANS forensics toolkit
- Security Onion, Network security monitoring (Zeek + Suricata + ELK)
| Resource | Type | Link |
|---|---|---|
| OverTheWire, Bandit | Wargame (34 levels) | overthewire.org |
| TryHackMe, Linux Fundamentals (1, 2, 3) | Interactive Labs | tryhackme.com |
| LetsDefend, Linux for Blue Team | Course (CISA recognized) | letsdefend.io |
| Linux Journey | Interactive Tutorial | linuxjourney.com |
| Explainshell | Command Explainer | explainshell.com |
| The Linux Command Line (Book) | Free PDF | linuxcommand.org |
- Can navigate the Linux filesystem comfortably
- Can use grep, awk, sed for text processing
- Understand file permissions (rwx, chmod, chown)
- Can chain commands with pipes (|)
- Know where to find important log files
- Can monitor processes and network connections
- Completed OverTheWire Bandit (at least levels 0-15)
- Completed TryHackMe Linux Fundamentals rooms
Timeline: Weeks 5-8 Β· Effort: 2-3 hours/day
You don't need to become a software engineer. You need functional scripting, the ability to parse logs, call APIs, automate repetitive tasks, and build small tools.
Core Concepts:
- Variables, data types, operators
- Control flow (if/else, for loops, while loops)
- Functions and modules
- File I/O (reading/writing text files, CSV, JSON)
- Error handling (try/except)
- Lists, dictionaries, sets
Security-Relevant Libraries:
# File handling β read and parse log files
with open('auth.log', 'r') as f:
for line in f:
if 'Failed' in line:
print(line.strip())
# Regex β pattern matching in logs
import re
ip_pattern = r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
ips = re.findall(ip_pattern, log_content)
# Requests β API calls (VirusTotal, AbuseIPDB, Shodan)
import requests
response = requests.get(f'https://www.virustotal.com/api/v3/ip_addresses/{ip}',
headers={'x-apikey': 'YOUR_API_KEY'})
# JSON β parse structured data
import json
data = json.loads(response.text)
# CSV β parse tabular data
import csv
with open('alerts.csv') as f:
reader = csv.DictReader(f)
for row in reader:
print(row['severity'], row['source_ip'])
# Hashlib β hash files for IOC checking
import hashlib
with open('suspicious.exe', 'rb') as f:
md5_hash = hashlib.md5(f.read()).hexdigest()
print(f"MD5: {md5_hash}")Beginner Projects to Build:
- Log Parser, Read a log file, extract and count unique IP addresses
- IP Reputation Checker, Query AbuseIPDB/VirusTotal API for IP reputation
- Hash Lookup Tool, Calculate file hash and check against VirusTotal
- Phishing URL Analyzer, Extract URLs from emails and check with URLScan.io
- Simple Port Scanner, Connect to common ports to check if they're open
#!/bin/bash
# Example: Monitor failed SSH logins and alert
LOG="/var/log/auth.log"
THRESHOLD=10
count=$(grep "Failed password" $LOG | wc -l)
if [ $count -gt $THRESHOLD ]; then
echo "ALERT: $count failed SSH login attempts detected!"
grep "Failed password" $LOG | awk '{print $11}' | sort | uniq -c | sort -rn | head -5
fi# Example: Find and report suspicious processes
$suspiciousNames = @('mimikatz', 'psexec', 'bloodhound', 'sharphound', 'lazagne')
Get-Process | Where-Object {
$proc = $_.Name.ToLower()
$suspiciousNames | Where-Object { $proc -like "*$_*" }
} | Select-Object Name, Id, Path, StartTimeMany SIEM query languages are SQL-like. Learn:
SELECT source_ip, COUNT(*) as attempts
FROM security_logs
WHERE event_id = 4625
AND timestamp > NOW() - INTERVAL 1 HOUR
GROUP BY source_ip
HAVING attempts > 50
ORDER BY attempts DESC;Used constantly in detection rules, log analysis, and SIEM queries.
| Pattern | Matches | Use Case |
|---|---|---|
\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} |
IP addresses | Extract IPs from logs |
[a-fA-F0-9]{32} |
MD5 hashes | Identify file hashes |
[a-fA-F0-9]{64} |
SHA256 hashes | IOC extraction |
https?://[^\s]+ |
URLs | Extract links from emails |
[\w.-]+@[\w.-]+\.\w+ |
Email addresses | Phishing analysis |
[A-Z0-9]{2}(:[A-Z0-9]{2}){5} |
MAC addresses | Network device tracking |
Practice at: regex101.com, paste a log sample and build patterns.
| Resource | Type | Link |
|---|---|---|
| Automate the Boring Stuff with Python | Free Book | automatetheboringstuff.com |
| TryHackMe, Python Basics | Lab | tryhackme.com |
| Codecademy, Learn Python 3 | Interactive Course | codecademy.com |
| Python for Cybersecurity Specialization | Coursera (Audit free) | coursera.org |
| Regex101 | Practice Tool | regex101.com |
| SQLBolt | Interactive SQL Tutorial | sqlbolt.com |
| Bash Scripting Tutorial | Guide | linuxconfig.org |
- Can write Python scripts to parse log files
- Can use the requests library to call APIs
- Comfortable with regex pattern matching
- Can write basic Bash scripts for automation
- Know essential PowerShell investigation commands
- Understand basic SQL (SELECT, WHERE, GROUP BY, JOIN)
- Built at least 2 small security-related Python tools
- Can use regex101.com to build and test patterns
Timeline: Weeks 6-10 Β· Effort: 2-3 hours/day
This phase covers the core security concepts that underpin everything a Blue Team professional does. These concepts appear in every certification exam, every job interview, and every day on the SOC floor.
The CIA Triad:
| Principle | Definition | Protection Method | Attack Example |
|---|---|---|---|
| Confidentiality | Only authorized users can access data | Encryption, access controls, DLP | Data breach, unauthorized access |
| Integrity | Data hasn't been tampered with | Hashing, digital signatures, checksums | Man-in-the-middle, data modification |
| Availability | Systems are accessible when needed | Redundancy, backups, DDoS protection | DoS/DDoS attacks, ransomware |
Additional Principles:
- Authentication (AuthN): Proving who you are (passwords, MFA, biometrics)
- Authorization (AuthZ): What you're allowed to do (RBAC, ACLs)
- Accounting: Logging what you did (audit trails, SIEM)
- Non-repudiation: Cannot deny an action (digital signatures)
- Least Privilege: Minimum access needed for each role
- Defense in Depth: Multiple layers of security controls
- Zero Trust: Never trust, always verify, regardless of network location
Every SOC analyst must understand these attack categories:
| Attack | How It Works | Detection Method |
|---|---|---|
| Phishing | Fraudulent emails trick users into clicking links or downloading files | Email gateway logs, user reports, header analysis |
| Brute Force | Automated password guessing | Multiple 4625 events, account lockouts |
| Credential Stuffing | Using leaked credentials from other breaches | Multiple 4625 from many accounts, single source |
| Malware | Malicious software (virus, trojan, worm, RAT) | EDR alerts, unusual process behavior, network anomalies |
| Ransomware | Encrypts files, demands payment | Mass file modifications, suspicious process execution |
| SQL Injection | Injecting SQL commands into web forms | WAF alerts, unusual database queries |
| Cross-Site Scripting (XSS) | Injecting scripts into web pages | WAF alerts, unusual JavaScript in requests |
| Man-in-the-Middle | Intercepting communications | Certificate warnings, ARP anomalies |
| Lateral Movement | Moving between systems after initial access | Unusual logon patterns, PsExec artifacts, remote services |
| Privilege Escalation | Gaining higher-level access | 4672 on unexpected accounts, 4728 to admin groups |
| Data Exfiltration | Stealing data from the network | Unusual outbound traffic, large transfers, DNS tunneling |
| Supply Chain Attack | Compromising trusted software/vendors | Unusual update behavior, unexpected network connections |
Cyber Kill Chain (Lockheed Martin):
Reconnaissance β Weaponization β Delivery β Exploitation β Installation β Command & Control β Actions on Objectives
MITRE ATT&CK Framework: The industry standard for categorizing adversary behavior. Contains 14 tactics with 200+ techniques.
| Tactic | What the Attacker Does |
|---|---|
| Reconnaissance | Gathering information about the target |
| Resource Development | Building infrastructure for the attack |
| Initial Access | Getting into the network (phishing, exploits) |
| Execution | Running malicious code |
| Persistence | Maintaining access after reboot |
| Privilege Escalation | Getting higher permissions |
| Defense Evasion | Avoiding detection |
| Credential Access | Stealing passwords and tokens |
| Discovery | Learning about the environment |
| Lateral Movement | Moving to other systems |
| Collection | Gathering target data |
| Command and Control | Communicating with implants |
| Exfiltration | Stealing data out |
| Impact | Destroying or manipulating systems |
Start exploring: attack.mitre.org
| Framework | Purpose | Key Points | Link |
|---|---|---|---|
| NIST CSF 2.0 | Big-picture security strategy | 5 functions: Identify, Protect, Detect, Respond, Recover | nist.gov |
| NIST SP 800-61 | Incident Response | 4 phases: Preparation, Detection & Analysis, Containment/Eradication/Recovery, Post-Incident Activity | nist.gov |
| CIS Controls v8.1 | Prioritized security actions | 18 controls ordered by priority, organized into 3 implementation groups | cisecurity.org |
| ISO 27001 | Information Security Management System | International standard for security programs, important for GRC roles | iso.org |
| NIST SP 800-53 | Security & Privacy Controls | Comprehensive catalog of security controls for federal systems | nist.gov |
βββββββββββββββ ββββββββββββββββββββ ββββββββββββββββββββββββββββββββ βββββββββββββββββββ
β Preparation β βββΊ β Detection & β βββΊ β Containment, Eradication β βββΊ β Post-Incident β
β β β Analysis β β & Recovery β β Activity β
βββββββββββββββ ββββββββββββββββββββ ββββββββββββββββββββββββββββββββ βββββββββββββββββββ
β² β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
(Continuous Improvement Loop)
Phase 1, Preparation: Build IR plans, deploy tools, train the team, establish communication channels, document escalation procedures.
Phase 2, Detection & Analysis: Monitor SIEM alerts, validate incidents (true positive vs false positive), classify severity, determine scope, collect initial evidence.
Phase 3, Containment, Eradication & Recovery:
- Containment: Isolate affected systems to prevent spread
- Eradication: Remove the threat completely (malware, backdoors, compromised accounts)
- Recovery: Restore systems from clean backups, verify integrity, monitor for reinfection
Phase 4, Post-Incident Activity: Write incident report, conduct lessons-learned meeting, update detection rules, improve procedures.
| Resource | Type | Link |
|---|---|---|
| TryHackMe, SOC Level 1 Path | Learning Path | tryhackme.com |
| Professor Messer, Security+ SY0-701 | Video (177 episodes) | YouTube |
| MITRE ATT&CK | Framework | attack.mitre.org |
| NIST Cybersecurity Framework | Framework | nist.gov |
| CIS Controls | Framework | cisecurity.org |
| Cybrary, SOC Analyst Path | Free Course | cybrary.it |
- Can explain CIA Triad with real-world examples
- Understand common attack types and their detection methods
- Know the Cyber Kill Chain stages
- Can navigate MITRE ATT&CK and map techniques to detections
- Understand the NIST IR framework phases
- Know the NIST CSF 2.0 five functions
- Familiar with CIS Controls and their prioritization
- Completed TryHackMe SOC Level 1 Path (at least 50%)
Timeline: Weeks 8-14 Β· Effort: 2-3 hours/day
These are the tools you'll use every day in a SOC role. Focus on SIEM first, then expand to EDR, network detection, and forensics.
SIEM is your primary workspace as a SOC analyst. It collects logs from every system, correlates events, and generates alerts.
| SIEM | Market Position | Query Language | Free Option | Learn At |
|---|---|---|---|---|
| Splunk | Market leader, 78% of job postings | SPL | Free tier (500MB/day) | splunk.com |
| Microsoft Sentinel | Fastest growing, best AI integration | KQL | Free for M365 data | Microsoft Learn |
| Elastic SIEM (ELK) | Open source, highly flexible | Lucene / KQL | 100% free | elastic.co |
| Wazuh | Open source, unlimited | Own syntax | 100% free | wazuh.com |
| IBM QRadar CE | Enterprise, regulated industries | AQL | Community Edition | ibm.com |
Start with Splunk, it's in the most job postings. Then learn KQL for Sentinel.
Splunk SPL Examples:
# Find failed logins in the last 24 hours
index=windows EventCode=4625 earliest=-24h
| stats count by src_ip, user
| where count > 10
| sort -count
# Detect potential brute force
index=windows EventCode=4625
| bin _time span=5m
| stats count by _time, src_ip
| where count > 20
# Hunt for PowerShell execution
index=windows EventCode=4688 New_Process_Name="*powershell*"
| table _time, Computer, Account_Name, Process_Command_Line
KQL (Microsoft Sentinel) Examples:
// Find failed sign-ins
SigninLogs
| where ResultType != 0
| summarize FailedAttempts = count() by UserPrincipalName, IPAddress
| where FailedAttempts > 10
| order by FailedAttempts desc
// Detect suspicious process creation
DeviceProcessEvents
| where FileName in ("mimikatz.exe", "psexec.exe", "procdump.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine| Tool | Key Features | Market Position |
|---|---|---|
| CrowdStrike Falcon | Cloud-native, threat intelligence, 1T+ daily events | Market leader (#1 Gartner MQ) |
| Microsoft Defender for Endpoint | Deep M365 integration, converging with Sentinel | Most deployed (Windows ecosystem) |
| SentinelOne | AI-driven autonomous response, Storyline visual narratives | Fastest-growing |
| Carbon Black (VMware) | Behavioral analysis, application control | Enterprise-focused |
| Cortex XDR (Palo Alto) | Network + endpoint correlation | Best for Palo Alto shops |
| Tool | Purpose | Type | Link |
|---|---|---|---|
| Wireshark | Packet capture and deep protocol analysis | Packet Analyzer | wireshark.org |
| Suricata | High-performance IDS/IPS, multi-threaded | IDS/IPS | suricata.io |
| Snort | Signature-based IDS/IPS (Cisco) | IDS/IPS | snort.org |
| Zeek (Bro) | Network metadata extraction, rich logs | Network Monitor | zeek.org |
| NetworkMiner | Network forensic analysis, PCAP parser | NFAT | netresec.com |
| tcpdump | Command-line packet capture | CLI Tool | Built into Linux |
| Arkime (Moloch) | Large scale PCAP capture and search | PCAP Search | arkime.com |
| Tool | Purpose | Link |
|---|---|---|
| Volatility 3 | Memory forensics (RAM analysis) | github.com/volatilityfoundation |
| Autopsy | Disk forensics (open-source) | autopsy.com |
| FTK Imager | Disk imaging and evidence collection | exterro.com |
| KAPE | Rapid evidence collection | kroll.com |
| Velociraptor | Endpoint investigation at scale | github.com/Velocidex |
| Eric Zimmerman's Tools | Windows artifact parsing (MFT, ShellBags, etc.) | ericzimmerman.github.io |
| Chainsaw | Windows event log hunting | github.com/WithSecureLabs |
| Tool/Standard | Purpose | Link |
|---|---|---|
| SIGMA Rules | Vendor-agnostic detection rules (3,000+) | github.com/SigmaHQ |
| YARA Rules | Malware pattern matching | github.com/VirusTotal/yara |
| TheHive | Open-source incident case management | thehive-project.org |
| Cortex | Observable analysis automation | thehive-project.org |
| MISP | Threat intelligence sharing platform | misp-project.org |
| OpenCTI | Cyber threat intelligence platform | opencti.io |
| VirusTotal | File/URL/IP analysis | virustotal.com |
| AbuseIPDB | IP reputation database | abuseipdb.com |
| URLScan.io | URL analysis and scanning | urlscan.io |
| ANY.RUN | Interactive malware sandbox | any.run |
| Hybrid Analysis | Free malware analysis | hybrid-analysis.com |
| Tool | Type | Link |
|---|---|---|
| Splunk SOAR | Enterprise SOAR | splunk.com |
| Microsoft Sentinel Logic Apps | Cloud-native automation | azure.microsoft.com |
| Shuffle | Open-source SOAR | github.com/Shuffle |
| Tines | No-code SOAR | tines.com |
| n8n | Open-source workflow automation | n8n.io |
- Can write basic Splunk SPL queries
- Understand what KQL is and can write basic queries
- Can use Wireshark to analyze packet captures
- Understand IDS/IPS concepts (Suricata/Snort)
- Know what EDR does and the major players
- Can explain what SIGMA and YARA rules do
- Familiar with forensic tools (Volatility, Autopsy)
- Know common threat intelligence platforms (VT, AbuseIPDB)
- Installed Splunk Free or Wazuh in a VM
Timeline: Months 3-6
Certifications serve two purposes: passing HR filters and proving technical competence. The optimal path addresses both.
ββββββββββββββββ ββββββββββββββββ ββββββββββββββββ
β Security+ β βββΊ β BTL1 β βββΊ β SC-200 β
β (HR Filter) β β (Hands-On) β β (Sentinel) β
ββββββββββββββββ ββββββββββββββββ ββββββββββββββββ
β
βΌ
ββββββββββββββββββββββββββ
β CySA+ / CDSA / CCD β
β (Mid-Level Validation) β
ββββββββββββββββββββββββββ
β
βΌ
ββββββββββββββββββββββββββ
β BTL2 / OSDA / GIAC β
β (Advanced / Senior) β
ββββββββββββββββββββββββββ
| Cert | Cost | Format | Study Time | Why Get It | Free Study Resources |
|---|---|---|---|---|---|
| CompTIA Security+ (SY0-701) | $425 | 90 MCQ + PBQ, 750/900 pass | 4-8 weeks | In nearly every job posting. Globally recognized. Required for U.S. DoD roles. | Professor Messer (177 free videos) |
| BTL1 (Blue Team Level 1) | ~$495 | 24-hour hands-on lab exam | 8-12 weeks | Proves practical ability. Called "the OSCP of Blue Team." Training + exam included. | Security Blue Team BTJA (free pathway) |
| Microsoft SC-200 | $165 | MCQ + case studies | 4-6 weeks | Validates Sentinel/KQL skills. Free training. Free annual renewal. Best value cert. | Microsoft Learn (100% free) |
| Cert | Cost | Format | When to Get | Details |
|---|---|---|---|---|
| CompTIA CySA+ (CS0-003) | $404 | MCQ + PBQ | After Security+ | Globally recognized. Covers security ops, vuln management, IR. DoD 8140 approved. |
| HTB CDSA | $210-490 | 7-day practical | After 6+ months learning | Investigate 2 incidents, submit professional IR reports. HTB Academy: $8/mo with .edu email. |
| CCD (Certified CyberDefender) | ~$800 | 48-hour practical | After 6+ months learning | Network + disk + memory forensics + threat hunting. Deeply respected in DFIR community. |
| Cert | Cost | Format | Notes |
|---|---|---|---|
| BTL2 | ~$2,500 | 72-hour practical | Senior Blue Team validation. Very challenging. |
| OSDA (OffSec Defense Analyst) | $999+ | Practical exam | OffSec brand recognition (same company as OSCP). |
| GIAC GCIH | $8,000-$9,000 | MCQ + practical | Gold standard. Incident handling. Avg holder salary: $132K. |
| GIAC GCIA | $8,000-$9,000 | MCQ + practical | Intrusion analysis. Network forensics focused. |
| GIAC GCFA | $8,000-$9,000 | MCQ + practical | Forensic analyst. Disk and memory forensics. |
| GIAC GCFE | $8,000-$9,000 | MCQ + practical | Forensic examiner. Windows forensics focused. |
π‘ Tip: GIAC certifications are extremely valuable but expensive. Get your employer to sponsor them after landing your first role.
- Passed CompTIA Security+ (or equivalent)
- Enrolled in BTL1 training
- Started Microsoft Learn SC-200 path
- Created a certification study schedule
- Joined study groups (Discord, Reddit)
Timeline: Months 4-8 Β· Effort: Ongoing practice
Reading about security is not the same as doing it. These platforms provide simulated environments where theory becomes muscle memory.
| # | Platform | What It Offers | Cost | Best For | Link |
|---|---|---|---|---|---|
| 1 | TryHackMe | Browser-based labs, SOC L1/L2 paths, 40+ defensive rooms | Free + $14/mo | Absolute beginners | tryhackme.com |
| 2 | Blue Team Labs Online | 254+ investigations, free BTJA pathway (6-7 hrs) | Free tier | Quick Blue Team intro | blueteamlabs.online |
| 3 | LetsDefend | Simulated SOC dashboard, alert queue, Elastic SIEM, 3000+ logs | Free tier | SOC workflow practice | letsdefend.io |
| 4 | CyberDefenders | Blue Team CTF challenges, 15+ categories, weekly new labs | Free tier | Intermediate challenges | cyberdefenders.org |
| 5 | Hack The Box | 100+ Sherlock defensive labs, Academy SOC path | $8/mo student | Advanced practice, CDSA path | hackthebox.com |
Step 1: TryHackMe Pre-Security Path ββββββββββββββββ (Free, foundational)
β
Step 2: BTLO Free BTJA Pathway βββββββββββββββββββββ (Free, 6-7 hours)
β
Step 3: TryHackMe SOC Level 1 Path ββββββββββββββββ (50-80 hours, core training)
β
Step 4: LetsDefend SOC Analyst Path βββββββββββββββ (Real alert triage practice)
β
Step 5: CyberDefenders + HTB Sherlocks ββββββββββββ (Intermediate challenges)
β
Step 6: TryHackMe SOC Level 2 Path ββββββββββββββββ (Advanced investigation)
| Resource | What It Is | Link |
|---|---|---|
| Splunk BOTS | Free Boss of the SOC CTF for SPL practice | splunk.com |
| KC7 | Free game-based KQL training | kc7.dev |
| OpenSOC | Free Blue Team competitions at DEF CON/BSides | opensoc.io |
| Malware Traffic Analysis | PCAP exercises with real malware traffic | malware-traffic-analysis.net |
| SANS Holiday Hack Challenge | Annual free security challenge | holidayhackchallenge.com |
| RangeForce | Enterprise security simulations | rangeforce.com |
- Completed TryHackMe Pre-Security and SOC Level 1 paths
- Completed BTLO BTJA free pathway
- Practiced alert triage on LetsDefend
- Completed 5+ CyberDefenders challenges
- Completed 5+ HTB Sherlocks
- Practiced Splunk SPL on BOTS CTF
- Written detailed writeups for completed challenges
Timeline: Months 5-9
Certifications prove knowledge. Projects prove you can do the work. Hiring managers consistently rank demonstrated practical skills above certification counts.
Build a home lab that mirrors real enterprise environments:
| Component | Recommended | Cost | Purpose |
|---|---|---|---|
| Hardware | 16GB+ RAM, SSD (32GB ideal) | Your existing PC | Run virtual machines |
| Hypervisor | Proxmox or VirtualBox | Free | Virtualization platform |
| Firewall | pfSense | Free | Network segmentation with VLANs |
| Domain | Windows Server 2022 + AD | Free trial / edu license | Active Directory environment |
| Workstations | Windows 10/11 VMs joined to domain | Free trial | Endpoints to monitor |
| SIEM | Wazuh (unlimited) or Splunk Free (500MB/day) | Free | Log collection and alerting |
| Network Monitor | Security Onion (includes Zeek + Suricata) | Free | Network security monitoring |
| Logging | Sysmon on all Windows VMs | Free | Enhanced endpoint visibility |
| Malware Lab | FlareVM or REMnux (isolated network) | Free | Safe malware analysis |
| Threat Emulation | Atomic Red Team | Free | Simulate attacks for detection testing |
Architecture Diagram:
βββββββββββββββ
β pfSense β
β (Firewall) β
ββββββββ¬βββββββ
β
ββββββββββββββΌβββββββββββββ
β β β
βββββββ΄ββββββ ββββββ΄ββββ ββββββββ΄ββββ
β VLAN 10 β β VLAN 20β β VLAN 30 β
β Corporate β β SOC β β Malware β
βββββββββββββ€ ββββββββββ€ β Lab β
β Win Serverβ β Wazuh/ β ββββββββββββ€
β (DC + AD) β β Splunk β β FlareVM β
β Win 10 x2 β β SecOn β β REMnux β
β Ubuntu β β TheHiveβ β(Isolated)β
βββββββββββββ ββββββββββ ββββββββββββ
-
SIEM Deployment + Custom Dashboards
- Deploy Wazuh or Splunk, ingest Windows event logs and Sysmon
- Build dashboards showing failed logins, suspicious processes, network anomalies
- Document the entire setup with architecture diagrams
-
Adversary Emulation with Atomic Red Team
- Install Atomic Red Team on a test machine
- Execute techniques mapped to MITRE ATT&CK (e.g., T1003.001 credential dumping)
- Verify whether your SIEM detects each attack
- Write custom detection rules to close gaps
- Document: technique tested β expected alert β actual result β rule created
-
Phishing Analysis Pipeline
- Build a workflow: receive phishing email β analyze headers β decode URLs β sandbox attachments β extract IOCs
- Tools: PhishTool, URLScan.io, ANY.RUN
- Write Python scripts to automate IOC extraction
-
Incident Response Reports from CTF Challenges
- Complete HTB Sherlocks or CyberDefenders challenges
- Write professional IR reports with: executive summary, timeline, IOC table, ATT&CK mapping, remediation recommendations
- Publish on GitHub or Medium
-
Threat Intelligence Brief on an APT Group
- Choose an APT group (e.g., APT29, Lazarus Group, FIN7)
- Research using MITRE ATT&CK, threat reports, OSINT
- Produce a brief with: group overview, TTPs, IOCs, detection recommendations
- Map their techniques to your SIEM rules
-
Open-Source Detection Rule Contributions
- Write SIGMA rules for specific attack techniques
- Contribute to SigmaHQ/sigma
- Write YARA rules for malware detection
- Even 1 accepted PR demonstrates real skill
| Platform | Audience | Why |
|---|---|---|
| GitHub | Technical recruiters, hiring managers | Shows code, projects, and contributions |
| Medium | Broad cybersecurity community | CTF writeups drive interview callbacks |
| LinkedIn Articles | Recruiters, network connections | Direct recruiter visibility |
| Personal Blog (Hugo/Jekyll on GitHub Pages) | Everyone | Most professional, demonstrates technical skill |
π‘ Blog about everything you build. Multiple sources confirm that Medium writeups of TryHackMe rooms and CTF challenges have directly led to interview callbacks for beginners.
- Home lab built and documented
- SIEM deployed with log ingestion from multiple sources
- At least 3 portfolio projects completed
- Projects documented with screenshots and architecture diagrams
- Blog posts published (at least 5)
- GitHub profile updated with projects
- SIGMA or YARA rule contributed to open-source (bonus)
Timeline: Months 8-12
The cybersecurity talent gap is real, 4.8 million positions unfilled globally. But competition for entry-level roles is fierce because many applicants lack practical demonstration of skills. Here's how to stand out.
Format: One page, ATS-optimized (no fancy formatting, standard sections).
Structure:
Professional Summary (3 lines)
Technical Skills (keywords from job postings)
Certifications (most relevant first)
Experience (quantify everything)
Projects / Home Lab
Education
Key Tips:
- Mirror exact keywords from job postings (SIEM, Splunk, incident response, threat detection, MITRE ATT&CK)
- Quantify everything: "Monitored 500+ daily alerts, reducing false positives by 30%"
- Include a Projects section, home lab details, CTF achievements, platform completions
- Bold your most important qualifications
- Hiring managers spend ~30 seconds per resume
- Headline:
SOC Analyst | SIEM | Incident Response | Threat Detection | Security+ - About section: Key skills, career goals, link to GitHub/blog
- Post regularly: CTF writeups, lab build guides, breach analysis, tool tips
- Engage: Comment on posts by security leaders, join groups
- Complete profiles receive 40% more recruiter outreach
| Source | What It Offers | Link |
|---|---|---|
| Largest job board, recruiter messaging | linkedin.com/jobs | |
| Indeed | Broad job aggregator | indeed.com |
| CyberSeek | Maps cybersecurity positions worldwide | cyberseek.org |
| Hack The Box Jobs | Built for cybersecurity candidates | hackthebox.com/jobs |
| SANS CyberTalent | Hiring events and apprenticeships | sans.org/cybertalent |
| Company career pages | Apply directly at MSSPs | Secureworks, Rapid7, CrowdStrike, Arctic Wolf |
Entry Strategies:
- MSSPs (Managed Security Service Providers): Lower entry barrier, rapid experience gain, excellent training ground
- SOC Apprenticeships: Programs like Level Effect, SANS CyberTalent
- Large enterprises: Formal SOC training programs (banks, healthcare, tech)
- Apply broadly: Successful hires often apply 300-500 times
SOC analyst interviews typically have three parts: behavioral/cultural fit, foundational concepts, and scenario-based investigations. Scenario questions carry the most weight because they reveal how you actually think and work under pressure. Lab and CTF experiences absolutely count as real experience.
These test whether you understand the basics. Expect them early in the interview.
| Question | What They're Testing |
|---|---|
| "Explain the CIA Triad with examples" | Can you connect theory to real-world security |
| "What is the difference between IDS and IPS?" | IDS monitors and alerts, IPS monitors and blocks |
| "Describe the TCP three-way handshake" | SYN, SYN-ACK, ACK and why it matters for detection |
| "What is the difference between encryption and hashing?" | Encryption is reversible (AES, RSA), hashing is one-way (SHA256, MD5) |
| "Explain authentication vs authorization" | AuthN = who you are, AuthZ = what you can access |
| "What is the difference between a vulnerability, a threat, and a risk?" | Weakness vs potential danger vs likelihood x impact |
| "What does the Zero Trust model mean?" | Never trust, always verify, regardless of network location |
| "Name 5 common ports and their services" | Tests memorization: 22/SSH, 53/DNS, 80/HTTP, 443/HTTPS, 3389/RDP |
| "What is DNS and how does resolution work?" | Recursive query, root servers, TLD, authoritative, caching |
| "What is the difference between TCP and UDP?" | Connection-oriented vs connectionless, reliability vs speed |
| "Explain what a VLAN is and why it matters for security" | Logical network segmentation, reduces attack surface |
| "What is NAT and why is it used?" | Translates private IPs to public, hides internal network structure |
These test your understanding of how security operations are structured.
| Question | What They're Testing |
|---|---|
| "Walk me through the NIST Incident Response phases" | Preparation, Detection & Analysis, Containment/Eradication/Recovery, Post-Incident |
| "How do you use MITRE ATT&CK in your daily work?" | Map alerts to techniques, identify detection gaps, guide threat hunting |
| "What is the Cyber Kill Chain and how would you use it?" | Understanding attack progression, detecting at each stage |
| "Explain the difference between NIST CSF and CIS Controls" | CSF = strategic framework (5 functions), CIS = tactical controls (18 prioritized actions) |
| "What is the difference between a true positive, false positive, true negative, and false negative?" | Critical for alert triage: TP = real alert, FP = false alarm, FN = missed attack (most dangerous) |
| "How would you reduce false positives in a SIEM?" | Tune rules, add context/whitelists, correlate with threat intel, adjust thresholds |
| "What are IOCs and how do you use them?" | Indicators of Compromise: IPs, domains, hashes, file names used to detect known threats |
| "What is the difference between IOCs and TTPs?" | IOCs are specific artifacts (change often), TTPs are behavioral patterns (harder to change) |
These test your hands-on skills with the tools you will use daily.
| Question | What They're Testing |
|---|---|
| "Have you used any SIEM tools? Write a basic query" | Practical Splunk SPL or KQL ability |
| "What is Sysmon and which Event IDs are most useful?" | Event ID 1 (process creation), 3 (network), 11 (file create), 22 (DNS) |
| "Explain what SIGMA rules are and why they matter" | Vendor-agnostic detection rules, convertible to any SIEM query format |
| "What Windows Event ID indicates a successful logon? A failed one?" | 4624 = success, 4625 = failed |
| "How would you detect someone clearing Windows Event Logs?" | Event ID 1102 in Security log |
| "What tools would you use for memory forensics?" | Volatility (standard), also Rekall |
| "What is the purpose of Wireshark display filters vs capture filters?" | Display filters = filter what you see, capture filters = filter what is collected |
| "You see Event ID 7045 in a Windows system log. What does it mean?" | New service installed, potential persistence mechanism |
| "What is the difference between EDR and antivirus?" | AV = signature-based file scanning, EDR = behavioral monitoring, detection, and response |
| "How does Kerberos authentication work?" | TGT from KDC, TGS for services, why attackers target it (Kerberoasting, Golden Ticket) |
These carry the most weight. Interviewers want to see your thought process, not a perfect answer.
Scenario 1: Phishing Investigation
"A user reports a suspicious email. Walk me through your investigation."
1. Collect the email (full headers, not just forwarded body)
2. Analyze headers: check sender address vs display name, Return-Path, SPF/DKIM/DMARC results
3. Examine URLs: extract without clicking, check with URLScan.io, look for typosquatting
4. Sandbox attachments: submit to ANY.RUN or Hybrid Analysis
5. Query SIEM: find all recipients of the same email (Subject, sender, attachment hash)
6. Check if anyone clicked: proxy logs, DNS logs for the malicious domain
7. Check for credential submission: authentication logs for impossible travel or new locations
8. Extract IOCs: sender IP, domain, URLs, file hashes
9. If confirmed malicious: block sender/domain, quarantine from all mailboxes, reset credentials if needed
10. Document: create ticket, write findings, update block lists and detection rules
Scenario 2: Brute Force Detection
"You see 500 failed login attempts from a single IP in 10 minutes followed by a successful login. What do you do?"
1. Verify the alert: check Event IDs 4625 (failed) and 4624 (success) in SIEM
2. Identify the target account and source IP
3. Check IP reputation: AbuseIPDB, VirusTotal, geo-location
4. Assess the successful login: is it legitimate or did the attacker succeed?
5. If compromised: disable account, force password reset, check for lateral movement
6. Check for post-login activity: any new processes (4688), services (7045), group changes (4728)
7. Block the source IP at firewall level
8. Search for same IP targeting other accounts
9. Notify the account owner through a verified channel (not email, in case email is compromised)
10. Document and recommend: MFA enforcement, account lockout policies, geo-blocking
Scenario 3: Suspicious Process Execution
"Your EDR alerts on powershell.exe spawning from winword.exe. What does this mean and what do you do?"
1. This is a classic malicious macro behavior: Word document opens, runs PowerShell
2. Check the user: who opened the document? Was it from email?
3. Examine the PowerShell command line (Event ID 4688 or Sysmon Event 1):
- Is it encoded/obfuscated? (Base64 encoded commands are suspicious)
- Does it reach out to external IPs? (C2 communication)
- Does it download additional payloads? (certutil, wget, Invoke-WebRequest)
4. Check network connections from that endpoint (Sysmon Event 3)
5. Isolate the endpoint via EDR if confirmed malicious
6. Trace back to the source: find the original email and document
7. Check for other endpoints with the same document hash
8. Collect forensic artifacts: memory dump, prefetch files, recent file activity
9. Map to MITRE ATT&CK: Initial Access (T1566.001 Spearphishing Attachment), Execution (T1059.001 PowerShell)
10. Escalate to Tier 2/IR team with all findings
Scenario 4: Lateral Movement Detection
"You notice a service account authenticating to 15 different servers within 3 minutes. Is this normal?"
1. Check baseline: does this service account normally authenticate to many servers? (some do for backups, monitoring)
2. If abnormal: check the authentication type (Kerberos, NTLM, RDP, PsExec)
3. Look for Event ID 4648 (explicit credentials) which indicates pass-the-hash or credential reuse
4. Check if PsExec or remote service artifacts exist (Event ID 7045 on target machines)
5. Review the source machine: was it recently compromised?
6. Check for data access patterns: did the account access file shares or databases?
7. If confirmed suspicious: disable the service account, isolate the source machine
8. Reset the service account credentials and any other accounts that used the same password
9. Check all 15 servers for signs of compromise (new services, scheduled tasks, new accounts)
10. Map to ATT&CK: Lateral Movement (T1021 Remote Services), Credential Access (T1003 Credential Dumping)
Scenario 5: Ransomware Response
"Multiple users report they cannot open their files and see a ransom note on their desktops. What are your first steps?"
1. DO NOT shut down affected machines (you may lose volatile memory evidence)
2. Isolate affected systems from the network immediately (disconnect, not power off)
3. Identify patient zero: which system was first affected? (check file modification timestamps)
4. Determine the ransomware strain: ransom note text, file extension, check ID Ransomware (id-ransomware.malwarehunterteam.com)
5. Assess scope: how many systems affected? Check SIEM for the ransomware file hash across all endpoints
6. Preserve evidence: memory dump of affected systems, copy of ransom note, sample of encrypted files
7. Check backup integrity: are backups clean and available for recovery?
8. Identify entry vector: phishing email, exposed RDP, vulnerable VPN, supply chain
9. Engage incident response team, management, and potentially legal/law enforcement
10. Begin containment: block C2 domains/IPs, patch the exploited vulnerability, reset all credentials
Scenario 6: Insider Threat
"DLP alerts show a user downloading 2GB of customer data to a USB drive at 11 PM. How do you handle this?"
1. Verify the alert: confirm the DLP event in logs, check what data was accessed
2. Check the user's normal behavior: do they usually access this data? Do they work late?
3. Review recent HR activity: is the user on a PIP, submitted resignation, or under investigation?
4. Check for other suspicious activity: personal email forwards, cloud storage uploads, print jobs
5. Do NOT alert the user yet, coordinate with HR and legal first
6. Preserve evidence: DLP logs, file access logs, badge entry/exit times, CCTV if applicable
7. Assess the sensitivity of the data: PII, financial records, intellectual property?
8. Follow your organization's insider threat policy for escalation
9. If data contains PII: assess data breach notification requirements (GDPR, CCPA, etc.)
10. Document everything with timestamps for potential legal proceedings
Scenario 7: SIEM Down During an Incident
"Your SIEM goes down while you're investigating an active incident. What do you do?"
1. Don't panic: switch to alternative data sources
2. Use EDR console directly for endpoint telemetry
3. Check firewall and proxy logs through their native interfaces
4. Use PowerShell/CLI to query Windows Event Logs directly on affected systems
5. Check network monitoring tools (Zeek, Suricata) for network-level visibility
6. Document everything manually with timestamps
7. Coordinate with the SIEM/IT team for restoration while continuing investigation
8. Once SIEM is back, backfill your investigation with log data from the downtime period
Don't underestimate these. They assess culture fit and how you handle real-world SOC pressures.
| Question | What They Want to Hear |
|---|---|
| "How do you stay current with cybersecurity news?" | Specific sources: DFIR Report, Krebs, Darknet Diaries, Twitter/X infosec community, RSS feeds |
| "Describe a time you had to learn something quickly" | Show adaptability, mention a specific tool or concept from labs/CTFs |
| "How do you handle working rotating shifts?" | Honest answer about work-life balance, show you understand SOC reality |
| "What do you do when you disagree with a senior analyst's assessment?" | Respectful pushback with evidence, escalation path, willingness to learn |
| "How do you prioritize when multiple alerts fire at once?" | Severity-based triage, critical assets first, follow the playbook, communicate with team |
| "Tell me about a mistake you made and what you learned" | Shows self-awareness, growth mindset, process improvement |
| "Why Blue Team instead of Red Team?" | Genuine answer about defending, protecting people, the challenge of detection |
| "What's a recent security breach you found interesting?" | Demonstrates you follow the industry, can analyze from a defender's perspective |
DNS Tunneling Detection:
1. Monitor for high volume of DNS queries to a single domain
2. Look for unusually long subdomain names (data encoded in subdomain)
3. Check for TXT record queries (often used for data exfiltration)
4. Identify DNS traffic to non-standard ports
5. Compare against baseline DNS patterns for the organization
Malicious Binary Analysis (Basic):
1. NEVER execute the file on a production machine
2. Calculate file hash (MD5, SHA256) and check VirusTotal
3. Check file properties: size, compile date, digital signature
4. Run strings analysis: look for URLs, IPs, suspicious function calls
5. Submit to a sandbox (ANY.RUN, Hybrid Analysis) for dynamic analysis
6. Check for known malware family matches
7. Extract IOCs and update detection rules
Compromised Account Investigation:
1. Review authentication logs: impossible travel, new device, unusual hours
2. Check MFA status: was MFA bypassed or not configured?
3. Review email activity: forwarding rules, sent items, deleted items
4. Check for inbox rules created to hide attacker emails
5. Review file access: SharePoint, OneDrive, internal file servers
6. Check for OAuth app consents (common persistence in cloud environments)
7. Reset credentials, revoke sessions, review and remove suspicious OAuth apps
| Resource | Link |
|---|---|
| LetsDefend, SOC Interview Questions | letsdefend.io |
| GitHub, SOC-Interview-Questions | github.com/LetsDefend |
| TryHackMe, SOC Analyst Interview Prep | tryhackme.com |
| Cybersecurity Interview Bible (YouTube) | Search "SOC analyst interview questions" |
- Resume written, ATS-optimized, one page
- LinkedIn profile complete and active
- Applying to 5-10 positions per week
- Practiced the phishing investigation methodology
- Can answer all common interview questions
- Have 2-3 incident stories from labs/CTFs ready
- Networking through Discord, Reddit, LinkedIn
- Attending BSides or other security events
| Role | Salary Range | What You Do | Entry Point |
|---|---|---|---|
| SOC Analyst (Tier 1) | $50Kβ$80K | Monitor alerts, triage, escalate | This roadmap |
| SOC Analyst (Tier 2) | $70Kβ$110K | Deep investigation, correlation, root cause | 1-2 years as T1 |
| SOC Analyst (Tier 3) | $100Kβ$140K+ | Threat hunting, detection development | 2-4 years |
| Incident Responder | $85Kβ$135K | Containment, forensics, recovery | 2-3 years |
| Threat Hunter | $90Kβ$152K | Proactive search for hidden threats | 3-5 years |
| Detection Engineer | $119Kβ$215K | Write detection rules, SIGMA, automation | 2-4 years |
| Security Engineer | $110Kβ$170K+ | Build and maintain security infrastructure | 3-5 years |
| Digital Forensics Analyst | $65Kβ$132K | Evidence preservation, disk/memory analysis | 2-3 years |
| Malware Analyst | $77Kβ$141K | Reverse engineer malicious code | 3-5 years |
| GRC Analyst | $70Kβ$155K | Compliance, risk assessment, policy | Accessible from non-technical backgrounds |
Typical Career Progression:
IT Support β SOC Analyst T1 β T2 β T3/Threat Hunter β Senior Lead β Security Engineer β Architect β CISO
Stay ahead by understanding where the industry is heading:
- π€ AI in the SOC: 55% of security teams deploy AI copilots. Investigations complete 45-61% faster. Learn to work WITH AI, not against it.
- βοΈ Cloud Security: 88% of organizations run hybrid/multi-cloud. Learn AWS CloudTrail, Azure Sentinel, GCP Security Command Center.
- π Zero Trust: U.S. DoD allocated $977M for zero trust. NIST released SP 1800-35. 63% of organizations implementing.
- π Detection Engineering: Hottest Blue Team specialty ($119K-$215K). Detection-as-code, SIGMA rules, CI/CD pipelines.
- π€ SOAR & Automation: 50+ agentic SOC vendors. AI handling 60% of SOC workloads within 3 years.
- π Identity Security: ITDR (Identity Threat Detection and Response) is the fastest-growing security category.
| Channel | Focus | Link |
|---|---|---|
| Professor Messer | Security+ & Network+ full courses | YouTube |
| John Hammond | CTFs, DFIR, malware analysis | YouTube |
| 13Cubed | Windows forensics, memory analysis | YouTube |
| Simply Cyber | Daily news and career guidance | YouTube |
| Day Cyberwox | Cloud security and home labs | YouTube |
| NetworkChuck | Fun networking fundamentals | YouTube |
| The Cyber Mentor | Ethical hacking and security career | YouTube |
| SANS Institute | Conference talks and training previews | YouTube |
| David Bombal | Networking, Python, expert interviews | YouTube |
| LiveOverflow | Binary exploitation, CTF deep dives | YouTube |
| IppSec | Hack The Box walkthroughs, methodology | YouTube |
| Hak5 | Security tools, hardware hacking | YouTube |
| Black Hills InfoSec | Threat hunting, SOC webcasts, free training | YouTube |
| Active Countermeasures | Threat hunting techniques and tools | YouTube |
| Malware Analysis for Hedgehogs | Reverse engineering, malware deep dives | YouTube |
| PC Security Channel | Malware testing, antivirus comparisons | YouTube |
| Cyberspatial | Certification study guides (CySA+, CASP+) | YouTube |
| Infosec Institute | Enterprise security, GRC, awareness training | YouTube |
| Security Onion | Network security monitoring tutorials | YouTube |
| Gerald Auger | SOC career strategy, resume reviews | YouTube |
| Blog | Focus | Link |
|---|---|---|
| The DFIR Report | Real intrusion analyses with ATT&CK | thedfirreport.com |
| Red Canary Blog | Threat detection report, detection engineering | redcanary.com/blog |
| SANS Internet Storm Center | Daily security diaries | isc.sans.edu |
| Krebs on Security | Investigative cybersecurity journalism | krebsonsecurity.com |
| Elastic Security Labs | Threat research and detection rules | elastic.co/security-labs |
| Podcast | Focus | Link |
|---|---|---|
| Darknet Diaries | True cybercrime stories | darknetdiaries.com |
| SANS Blueprint | SOC operations and Blue Team leadership | sans.org |
| CyberWire Daily | Concise 15-min daily news | thecyberwire.com |
| Defensive Security Podcast | Weekly breach reviews with defensive lessons | defensivesecurity.org |
| Microsoft Threat Intelligence | APT insights from Microsoft researchers | Microsoft |
| Repo | Description | Link |
|---|---|---|
| SigmaHQ/sigma | 3,000+ vendor-agnostic detection rules | github.com |
| sbousseaden/EVTX-ATTACK-SAMPLES | Windows event log samples mapped to ATT&CK | github.com |
| fabacab/awesome-cybersecurity-blueteam | Curated Blue Team tool list | github.com |
| InQuest/awesome-yara | YARA rules collection | github.com |
| aboutsecurity/blueteam_homelabs | Home lab build resources | github.com |
| A-poc/BlueTeam-Tools | 65+ Blue Team tools list | github.com |
| SwiftOnSecurity/sysmon-config | Sysmon configuration template | github.com |
| redcanaryco/atomic-red-team | Adversary emulation for detection testing | github.com |
| LetsDefend/SOC-Interview-Questions | Interview preparation | github.com |
| Community | Platform | Link |
|---|---|---|
| Blue Team Village | Discord | blueteamvillage.org |
| Security Blue Team | Discord (21K+ members) | discord.gg/securityblueteam |
| Black Hills InfoSec | Discord | discord.gg/bhis |
| r/blueteamsec | reddit.com/r/blueteamsec | |
| r/cybersecurity | reddit.com/r/cybersecurity | |
| r/netsec | reddit.com/r/netsec | |
| r/SecurityCareerAdvice | reddit.com/r/SecurityCareerAdvice |
Contributions are welcome! If you have suggestions for resources, tools, or improvements:
- Fork this repository
- Create a feature branch (
git checkout -b add-new-resource) - Commit your changes (
git commit -m 'Add: new DFIR tool') - Push to the branch (
git push origin add-new-resource) - Open a Pull Request
Contribution Guidelines:
- Resources must be free or have a free tier
- Include a brief description of why the resource is valuable
- Follow the existing format
- Verify all links are working
- No promotional content
Made by Kerem
If this roadmap helped you, give it a β and share it with someone who needs it!
