IT-Security Expert

SOC Analyst | IT-Security Expert course

Training & Exam

What will you learn?

  • How a SOC operates, technologies and services offered and how they interconnect. What it takes to work within a SOC and how to continuously improve security operations based upon the SOC Implementation Model and SOC Maturity Model
  • How to set up and execute data collection strategies, based on attacker techniques and identified critical and key systems / assets of the organization
  • Solid understanding of threat detection and threat intelligence and the capabilities, technology and people supporting the threat intelligence process
  • How to manage and create use cases for security monitoring purposes
  • Hands on experience in threat detection, analysis, reporting and delivering board level presentations
  • Solid understanding on incident response planning and in-class experience how to manage an incident from preparation to post-incident analysis


  • 5 days of training
  • 24 hours of self study
  • Exam voucher included

About this Course


The SOC Analyst course was developed by a group of SOC- Managers and the creator of the SOC Maturity Model (SOC-CMM). It offers a comprehensive 5- day training that immerses you into the processes, data flows, models and capabilities of a Security Operations Center with hands on, real-world tasks of a SOC- Analyst: You will work on business cases where you’re assigned to support in the deployment of a new SOC and set up, select and execute business-driven and threat-driven data collection strategies based on Attacker Techniques, Key Systems and Company Critical Assets. You will deliver a board level presentation based on your threat analysis of a dataset, and you’ll work on an assignment where you’ll be managing an incident from preparation to post-incident analysis. The course delivers a simulated SOC environment including a SIEM with large datasets for the exercises and ends with a Capture the Flag, a 1- day experience in a virtual SOC.


Who should attend?

  • Those that are pursuing a career and certification as a SOC Analyst.
  • SOC Teams that want to set a baseline requirement for their Tier1,2 Analysts. Cyber Defense teams that are building their SOC operations / insourcing a SIEM solution and that want to have their security team trained. Security Vendors and Managed Service Providers that want to get their experts certified in a cost-effective and efficient way.
  • Security managers keen to learn how to build and manage efficient SOC Operations based on a more practical understanding of its working
  • Security experts from other domains that want to get a fundamental understanding of how the SOC operates and their blue team activities
  • Universities that want to have their students ‘job- ready’, with industry subjects which lead to industry certifications


Course Materials & Laptop Requirements

You’ll receive the official course material from SECO-Institute through our student portal. For this course you’ll need a suitable laptop to participate in the exercises:

  • CPU: 64-bit Intel i5 / i7 2.0+ GHz processor
  • BIOS: Enabled “Intel-VT”
  • RAM: 16 GB RAM (8 GB min)
  • Hard Drive: 150 GB free space
  • Wifi
  • Windows 10 operating system
  • Virtualbox or VMware (a .vmdk file must be started)
  • Firefox or Chrome browser


What’s included?

  • 5 days of training from a group of highly skilled security operations champions
  • Official SECO- Institute course materials
  • Pre- course preparation kit
  • Hands on exam: Capture the Flag on day 5
  • Theory exam: Online remote via a certified proctor
  • Digital Acclaim certification badge when you pass the exam

Course modules

Module 1 – Organisation and Implementation Strategies

This module covers the ways in which a SOC can be organised and the actions that need to be taken to run and continuously improve an effective SOC based upon the SOC Implementation Model and SOC Maturity Model. Throughout the module, students will work on a business case, where they are assigned to deploy a SOC. They will be asked to identify the SOC’s business drivers, describe the SOC’s mission, determine roles and responsibilities, relevant metrics and technology tools and services the SOC should offer.

Topics covered:
• SOC models, SOC types and organisational positioning
• SOC implementation, growth and continuous improvement
• SOC Maturity Model and SOC-CMM tool
• Business drivers, Customers, Charter, Governance, Privacy
• Roles and hierarchy, People-, team- and knowledge management, training
• SOC management, Operations and facilities, Reporting, Use case management
• SOC- Core Technologies: SIEM, IDPS, Analytics and SOAR
• SOC- Services: Security Monitoring, Incident Response, Security Analysis, Threat Intelligence, Threat Hunting, Vulnerability Management, Log Management

Frameworks, best practices, references for this module:
SOC Implementation Model, SOC Maturity Model, The Library of Cyber Resilience Metrics, NIST NICE

Module 2 – Log Collection and Monitoring

This module delivers the theory behind log monitoring and security monitoring systems along with hands-on exercises in security logging and analysing log collections. The module offers an introduction to attacker techniques, critical and key systems and assets identification, and how to set up, select and execute business- driven and threat- driven data collection strategies.

Topics covered:
• Introduction to Attacker techniques and processes
• Data Collection Strategies: Log content, use cases & SIEM rules, Threat-based & business requirement-based logging, log retention
• Logs and Log Collection: Mechanisms, Syslog, SNMP, Agents, File- based logging, Log formats, Indexing and log normalization, log parsing, Regular expressions, Anchors, Repetitions
• Key IT Systems and Their Logs (exercise)
• SIEM (hands on)
• Alerting (hands on)
• Reporting and Dashboarding (hands on)
• Event Analysis, correlation (hands on)

Frameworks, best practices for this module:
Pyramid of Pain and TTP’s, Cyber Kill Chain versus MITRE ATT&CK Framework, OODA loop, Diamond model of intrusion analysis

Module 3 – Threat Detection, Threat Intelligence and Use Case Management for Threat Monitoring

Module 3 starts with threat intelligence, how it is applied to obtain situational awareness, and the capabilities, technology and personnel supporting the threat intelligence process. It then dives deeper into the Pyramid of Pain and MITRE ATT&CK framework, how use cases are applied to monitor the use of attack techniques in the infrastructure and how to apply a use case framework for structured security monitoring. During the hands-on practice, students get to analyse a dataset in order to find indications of threats. The hands-on section prepares students for a complex homework assignment they will complete after this module.

Topics covered:
• Threat Intelligence types, protocols & standards, feeds, platforms
• ISACs and other communities, Chatham House Rule
• CTI process, CTI infrastructure management
• CTI skills: NIST NICE – CTI Analyst
• Attack Techniques
• Security Monitoring Use Cases, MaGMa, MaGMa UCF
• Hands-On Exercise

Frameworks, best practices, references for this module:
CSAN Threat Actors, Threat intelligence protocols and standards. Pyramid of Pain and TTP’s, Cyber Kill Chain versus MITRE ATT&CK and PRE-ATT&CK Frameworks, OODA loop, Diamond model of intrusion analysis. Chatham House Rule. MaGMa, MaGMa UCF Tool, NIST NICE.

Module 4 – Threat Hunting, Analysis and Reporting

During this module, students will present the findings of their homework assignments. It will evaluate if students are able to correlate events and determine their context, identify and quantify vulnerabilities and hunt for threats. Finally, after an in- depth analysis, translate technical findings to a management summary and deliver a board level presentation.

Module 5 – Incident Response

Module 5 starts with an introduction on Incident Response and the NIST Computer Security Incident Handling Guide. It then evaluates the policies that govern incident response, incident response plans, the procedures you should have in place and CERT models and services. From thereon the incident handling process and activities are evaluated, including detection, analysis and reporting, with 2 exercises where students will manage an incident from preparation to post-incident evaluation.

Topics covered:
• Introduction to Incident Response
• Incident Response Policy, Plan, and Procedure Creation
• Incident Handling
• Information Sharing and Reporting

Frameworks, best practices, references for this module:
NIST Computer Security Incident Handling Guide

Module 6 – A one day experience in a virtual SOC

The training ends with a Capture the Flag, a 1- day experience in a virtual SOC. Throughout the day, you’ll be asked to perform impact analysis about possible threats, classify and respond to different incidents and create and present a report. The Capture the Flag is part of your exam.

About the exam

To obtain your certification, you must pass both the hands on exam and the theory exam:

  1. Hands on exam
    • Language: English
    • Delivered: Day 5 of Training – Capture the Flag. Instructor available for questions
    • Time: 5 hours
  2. Theory exam
    • Language: English
    • Delivered: Online via a certified proctor
    • Questions: 40 multiple choice
    • Time: 60 minutes:

Why SECO-Institute?

This training was developed by a group of SOC Managers and the creator of the SOC Maturity Model that is used globally by Enterprise SOC Teams and consultants for improving Security Operations. The training is based on the requirements that they have set for their own teams, so you can feel comfortable that it offers practical, relevant and job-ready content. Lastly and most important: Our instructors! SECO- Institute trainers work within the world’s most challenging environments. They have been involved in building, managing and maturing SOC/CSIRT Teams, have worked on large-scale international cyber investigations, and participated in responding to attacks from renowned campaigns and cyber criminals. Each instructor has gone through a rigorous accreditation process. They are strong communicators, passionate about the domain and eager to share their knowledge and skills.

Training Schedule, Information and Registration

Find a training partner

  • Find a SECO-Institute accredited training partner in your country

Partner with us

  • Benefit from our global network, comprehensive content and certifications to increase engagement with your students

Become a trainer

  • Join the global community of SECO- Institute accredited Trainers