From c7eb9532343e92248fd23128358edd1d9470450a Mon Sep 17 00:00:00 2001 From: Carter Perez Date: Sun, 5 Jul 2026 15:45:50 -0400 Subject: [PATCH] Update SOC-ANALYST.md --- ROADMAPS/SOC-ANALYST.md | 99 ++++++++++++++++++++--------------------- 1 file changed, 49 insertions(+), 50 deletions(-) diff --git a/ROADMAPS/SOC-ANALYST.md b/ROADMAPS/SOC-ANALYST.md index 3ad27e45..fcd76086 100644 --- a/ROADMAPS/SOC-ANALYST.md +++ b/ROADMAPS/SOC-ANALYST.md @@ -1,10 +1,10 @@ # SOC Analyst Certification Roadmap -A structured path to becoming a Security Operations Center Analyst, from entry-level to senior/management positions. +A structured path to becoming a Security Operations Center Analyst, from zero to landing your first SOC role. Five certifications, in order, each building on the last. ## Career Path Overview -SOC Analysts monitor, detect, investigate, and respond to cybersecurity threats. This roadmap progresses from foundational knowledge through incident handling and intrusion analysis. +SOC Analysts monitor, detect, investigate, and respond to cybersecurity threats. This roadmap progresses from foundational knowledge through hands-on defense and SIEM tooling, in the order that actually gets you hired: foundation first, tool skills last. --- @@ -14,21 +14,22 @@ SOC Analysts monitor, detect, investigate, and respond to cybersecurity threats. ## Certification Path -| Level | Certification | Organization | Link | -|-------|--------------|--------------|------| -| **Entry** | **Security+** | CompTIA | [Website](https://www.comptia.org/certifications/security) | -| **Core** | **CySA+** | CompTIA | [Website](https://www.comptia.org/certifications/cybersecurity-analyst) | -| **Intermediate** | **GCIH** (Certified Incident Handler) | GIAC | [Website](https://www.giac.org/certifications/certified-incident-handler-gcih/) | -| **Intermediate** | **CEH** (Certified Ethical Hacker) | EC-Council | [Website](https://www.eccouncil.org/train-certify/certified-ethical-hacker-ceh/) | -| **Advanced** | **GCIA** (Certified Intrusion Analyst) | GIAC | [Website](https://www.giac.org/certifications/certified-intrusion-analyst-gcia/) | -| **Senior/Management** | **CISSP** | (ISC)² | [Website](https://www.isc2.org/Certifications/CISSP) | +| Step | Certification | Organization | Approx. Cost | Link | +|------|--------------|--------------|--------------|------| +| **01 - Foundation** | **Security+** | CompTIA | ~$404 | [Website](https://www.comptia.org/certifications/security) | +| **02 - Analyst** | **CySA+** | CompTIA | ~$404 | [Website](https://www.comptia.org/certifications/cybersecurity-analyst) | +| **03 - Hands-On** | **Blue Team Level 1** | Security Blue Team | ~$399 | [Website](https://securityblue.team/certifications/blue-team-level-1) | +| **04 - SIEM Tool** | **Splunk Core Certified User** | Splunk | ~$130 | [Website](https://www.splunk.com/en_us/training/certification-track/splunk-core-certified-user.html) | +| **05 - Cloud SOC** | **Microsoft SC-200** | Microsoft | ~$165 | [Website](https://learn.microsoft.com/en-us/credentials/certifications/security-operations-analyst/) | + +*Costs are approximate USD exam-voucher prices and change over time. Check each vendor for current pricing. Splunk and Microsoft both offer free official training.* --- ## Recommended Learning Path ### Phase 1: Foundation (3-6 months) -**Target:** Security+ +**Target:** Security+ (~$404, CompTIA) Build fundamental knowledge in: - Network security concepts @@ -42,8 +43,8 @@ Build fundamental knowledge in: - Practice labs and simulations - Security fundamentals courses -### Phase 2: Core SOC Skills (4-8 months) -**Target:** CySA+ +### Phase 2: Analyst Skills (4-8 months) +**Target:** CySA+ (~$404, CompTIA) Develop analyst capabilities: - Security operations and monitoring @@ -57,50 +58,48 @@ Develop analyst capabilities: - SOC analyst training platforms - Hands-on lab environments (TryHackMe, HackTheBox) -### Phase 3: Incident Handling (6-12 months) -**Target:** GCIH and/or CEH +### Phase 3: Hands-On Defense (3-6 months) +**Target:** Blue Team Level 1 (~$399, Security Blue Team) -Master incident response: -- Incident detection and analysis -- Malware analysis basics -- Forensic investigation -- Ethical hacking techniques -- Attack methodologies +Prove you can do the work in a live, graded investigation: +- Practical SIEM and log analysis +- Phishing analysis +- Threat intelligence +- Digital forensics fundamentals +- End-to-end incident response **Resources:** -- SANS incident handling courses -- EC-Council CEH training -- Incident response simulations +- Security Blue Team labs (included with the certification) +- Hands-on ranges (TryHackMe, HackTheBox) +- Real investigation practice -### Phase 4: Advanced Analysis (12+ months experience) -**Target:** GCIA +### Phase 4: SIEM Tooling (2-4 months) +**Target:** Splunk Core Certified User (~$130, Splunk) -Specialize in intrusion analysis: -- Advanced network traffic analysis -- Threat hunting techniques -- Deep packet inspection -- Attack pattern recognition -- Advanced persistent threat (APT) detection +Get fluent in the SIEM most SOCs run all day: +- Splunk Search Processing Language (SPL) +- Building and reading dashboards +- Field extraction and reporting +- Alerts and scheduled searches **Resources:** -- GIAC training materials -- Advanced threat hunting platforms -- Real-world SOC experience +- Splunk free official training (Intro to Splunk, Search Fundamentals) +- Splunk Search Tutorial and sample data +- Hands-on practice in a free Splunk instance -### Phase 5: Leadership (3-5 years experience) -**Target:** CISSP +### Phase 5: Cloud SOC (2-4 months) +**Target:** Microsoft SC-200 (~$165, Microsoft) -Transition to strategic roles: -- Security program management -- Risk assessment frameworks -- Security architecture design -- Policy and governance -- Team leadership +Cover the cloud SIEM side SOCs increasingly hire for: +- Microsoft Sentinel +- Microsoft Defender XDR +- Kusto Query Language (KQL) +- Cloud detection and incident response **Resources:** -- CISSP study materials -- Management and leadership training -- Industry frameworks (NIST, ISO 27001) +- Microsoft Learn (free SC-200 study path) +- Hands-on Azure and Sentinel labs +- KQL practice environments --- @@ -125,11 +124,11 @@ Transition to strategic roles: ## Estimated Timeline -- **Entry to Core:** 6-12 months -- **Core to Advanced:** 1-2 years -- **Advanced to Senior:** 2-3 years +- **Foundation to Analyst (Security+ to CySA+):** 6-12 months +- **Analyst to Hands-On (CySA+ to BTL1):** 3-6 months +- **Tooling (Splunk + SC-200):** 4-8 months -Total time to senior-level: **4-6 years** with continuous learning and hands-on experience. +Total time to job-ready: **~12-24 months** with consistent study and hands-on practice. ---