Cyber Defense Track:

Threat Analyst Training

What will you learn?

More than just a senior level SOC Training, this course is structured to prepare for a new SOC paradigm and shift students towards a more pro-active defense role. It offers the hands-on practice to work with the modern MDR technology stack and dives deep into activities like network and asset modeling, security automation, blind spot detection assessments, Advanced Persistent Threats Analysis, threat hunting, threat intelligence and incident response

What will you get?

  • 5 days training
  • Course Materials
  • Access to our Virtual Next Generation MDR- SOC
  • Hands on Labs
  • Access to our student portal
  • Practice exam
  • Capture the Flag
  • Exam Voucher

About this Course


The Threat Analyst course was designed for SOC Analysts that are aiming to progress into a more senior role. More than just that, it is structured in a realistic way that will prepare students for a new SOC paradigm by developing dynamic learning, deploying top-notch automation and implementing ITIL-based SOC services. This course offers them the hands-on practice to work with the modern MDR technology stack and evolved processes, and structure their mind the right way to conduct deep investigations on escalated events and incidents and conduct Advanced Persistent Threats Analysis. It also aims to shift students towards a more pro-active defense role in the SOC: They will exercise Network and Asset Modeling as a basis for both risk-based log ingestion strategies and investigation prioritization. They’ll improve threat detection and security monitoring capabilities using MAGMA and SIGMA Rules, conduct blind spot detection assessments, structure full Threat Hunting campaigns to detect threats that will inevitably slip through defenses and respond rapidly and accordingly. The course will close the loop by using the knowledge of attacker techniques and discovered IOCs from students’ investigations to create alerts and rules to proactively detect both in the future, and work with a real Threat Intelligence platform and use it for situational awareness.

Heavily hands- on driven:

This course is very hands- on driven and exercises are conducted in a Capture the Flag format. The Virtual MDR – SOC offers a fully integrated toolset set up to work with each other to re-create your workplace environment as closely as possible:

  • ITSM and CMDB
  • Network and Asset Modelling
  • A SOC Ticketing System
  • SIEM (Splunk and Elastic)
  • A Threat Intelligence platform
  • Packet capture and analysis
  • Automation tools
  • An Incident Response tool
  • XDR


Who should attend?

This training is designed for SOC Analysts that are aiming to progress into a more senior role and SOC Teams that want to set a baseline requirement for their Threat Analysts. The course offers a unique combination of the mindset, knowledge and skills required from a Threat Analyst, immediately applied in a realistic work environment. To join this class, we recommend you have a minimum of 1- 1,5 years of experience as SOC Analyst. If you don’t have this experience, we recommend you taking the SOC Associate Analyst training


What’s included?

  • Training from some of the worlds’ most passionate leaders in cyber defense
  • Virtual SOC with modern MDR Technology Stack fully integrated and set up to work together
  • Hands on labs
  • Official SECO-Institute course materials
  • Pre- course preparation kit
  • Access to SECO’s student portal with exam syllabus, practice exam questions and useful resources
  • Exam voucher
  • Digital Certification Badge when you pass the exam

Course modules

This module offers students a strategic vision of a current SOC (Known as Next Generation SOC and lately, MDR), the different ways it can be structured and the actions to run and continuously improve a scalable and effective SOC. Students will get the mindset to work on a MDR SOC considering technology, processes, roles, tasks, services and will work on a business case, where they’re assigned to process tasks within a virtual SOC via ITSM in a “Capture the Flag” format. They’ll be asked to identify the SOC’s business drivers and customers, roles and responsibilities, utilize MDR components and technologies in order to accomplish the SOC’s mission and create relevant SOC metrics.

1.1. SOC Services evolution to MDR and the impact on the Threat Analyst role

  • Cloud SOC
  • On-prem SOC
  • Strategic SOC

1.2. MDR Service Operations

  • ITIL Service Management
  • Threat Modelling
  • Threat Analysis
  • Threat Hunting
  • Threat Intelligence
  • Create and improve security monitoring and threat detection use cases
  • Conduct blind spot detection assessments
  • Automate SOC processes
  • Respond rapidly to Incidents

1.3. Business

  • New Drivers
  • Customers
  • New governance
  • New privacy regulation
  • SOC Metrics

1.4. People

  • New roles and hierarchy
  • Training
  • Knowledge Management
  • SOC Career progression
  • Assessing the SOC team

Frameworks, best practices for this module (Hands-on):

SOC Maturity Model, SOC Implementation Model, The Library of Cyber Resilience Metrics, NIST NICE

This module introduces students hands on to the Virtual SOC that they will be working in throughout the course, and how the various tools and technologies deployed are working together. Throughout the module, students will work on a business case, where they are assigned to process some tasks.

2.1. ITSM and CMDB (Hands on)

2.2. SOC Ticketing System (Hands on)

2.3. SIEM (Hands on)

2.4. Threat Intelligence platform (Hands on)

2.5. Packet capture and analysis

2.6. Automation tools

2.7. Incident Response tool

2.8. Security Automation tool and scripts

This module starts with an exercise in Network and Asset Modelling and Risk Analysis. Students will model the network that they’re assigned to monitor and protect on our Virtual SOC; label, classify and document the assets using the CMDB module on their ITSM, and conduct risk analysis on those assets. They’ll create log ingestion strategies to set up the best visibility to detect cyberattacks, and conduct detection assessments to help find detection blind spots. Students will ingest several types of logs into the SIEM instances to enable quick searches and investigation of events and configure ITSM modules to define SOC services.

3.1. Network Modelling, Asset Modelling, Risk Analysis (Hands- on)

3.2. Logging, Log sources, Log ingestion (Hands- on)

3.3. Blind Spot Detection Assessment (Hands- on)

3.4. ITSM and defining SOC Services conform ITIL (Hands-on)

While junior and medior SOC Analysts are expected to have a thorough understanding of Attacker Techniques, the Threat Analyst must master them! This module dives deep into MITRE ATTACK&CK Framework by understanding the different environments, its navigators, their associated tactics and techniques and how to work with them at the same time as the Cyber Kill Chain. Students will integrate and apply this knowledge during the course of the training.

4.1. MITRE ATTACK&CK Framework (Hands-on)

4.2. MITRE ATTACK&CK Navigator (Hands-on)

4.3. Cyber Kill Chain (Hands-on)

Modules 3 and 4 have set the stage for deep investigations on escalated threats and incidents. This is where we start confusing students a bit, pushing their boundaries to activate their analytical brain, trigger their curiosity and use their creativity during investigations. The module is delivered in a Capture the Flag format replicating the real workplace as much as possible: Students will work on both Splunk and Elastic SIEM environments for investigation, correlation, alerting, escalation and reporting purposes; get assignments on a virtual ITSM system as in a real SOC, and interact with their SOC mates on the investigation, escalation and hand-over activities. The hands on sections prepare for a complex homework assignment that they’ll receive on day 3.

5.1. Splunk and Elastic SIEM (Hands – on)

5.2. Threat Analysis , correlation and Attack Techniques (Hands – on)

5.3. Alerting, Reporting, Dashboarding and Escalating (Hands – on)

Students will create security monitoring and threat detection use cases in both Splunk and Elastic environments and will use MaGMA UCF to measure, maintain, improve, scale and manage the SOC use case library. They will analyse SIGMA Rules’ structure and create, maintain, scale and improve their own rules. They will dive into the Threat Intelligence process and use it in a real case scenario for situational awareness and threat investigation and detection using a real Threat Intelligence Platform (MISP). These investigations are extended to the fascinating world of the Dark Web for Threat Intelligence purposes. During the hands-on practice, students will discover, share, store and correlate Indicators of Compromise of targeted attacks, financial fraud information, vulnerability information and threat actors. The hands-on section prepares students for a complex homework assignment they will complete after this module.

6.1. MITRE ATTACK&CK applied to monitoring, detection and threat intelligence

6.2. Security Monitoring and Threat Detection Use Cases (Hands-on)

  • Security Monitoring
  • Threat Detection
  • Use Case Development

6.3. SIGMA Rules (Hands-on)

6.4. Threat Intelligence (Hands-on)

  • Types
  • Protocols
  • Standards
  • Feeds
  • Platforms

6.5. Threat Intelligence on the Dark Web (Hands-on)

Frameworks, best practices for this module (Hands-on):

  • CSAN Threat Actors
  • Threat intelligence protocols and standards
  • Pyramid of Pain and TTP’s
  • Cyber Kill Chain versus MITRE ATT&CK
  • OODA loop Diamond model of intrusion analysis
  • Chatham House Rule.
  • MaGMa and MaGMa UCF Tool
  • MISP

Module 4 starts with TTP’s and MITRE ATT&CK Framework in in depth. Students will collect IoC’s and structure a full Threat hunting campaign, where they will create their own hypothesis and will either confirm or discard after being able to cross correlate events and determine their context, and identify and quantify vulnerabilities based on Splunk, Elastic and MISP. Students will track and document the entire process through their ITSM tool, just as next generation SOCs do. Once the threats are hunted, students will create their own rules to be shared and report the findings of their assignments. Finally, after an in- depth analysis, they will translate their technical findings to a management summary and deliver a board level presentation.

7.1. Pyramid of Pain (Hands-on)

7.2. TTPs (Hands-on)

7.3. Threat Hunting Methodologies (Hands-on)

  • Cyber Threat Hunting Framework
  • TaHiTI
  • The Hunting Loop

7.4. The Hunt Matrix (Hands-on)

7.5. The Defense Chain

7.6. Detection Feedback

7.7. Advanced Persistence Defense

7.8. Snort/Zeek Rules (Hands-on)

Frameworks, best practices, references for this module:

  • Threat intelligence protocols and standards
  • Pyramid of Pain and The Hunt Loop
  • Cyber Kill Chain versus MITRE ATT&CK Framework
  • The Defense Chain
  • OODA loop, Diamond model of intrusion analysis
  • MaGMa, MaGMa UCF Tool
  • MISP

Our last module is led by the Incident Response PICERL model and the NIST Computer Security Incident Handling Guide. It evaluates the policies that govern incident response, incident response plans, the required procedures in place and the tools and technologies they need to handle an incident. From thereon, the incident response process and activities are practiced hands on with 2 exercises where students will be assigned on the ITSM tool to manage an incident from preparation to post-incident evaluation. The hands-on section uses a platform that provides endpoint driven information security tools and infrastructure to help them investigate, process and lead incident response in our virtual SOC. The hands on exercises prepare students for a complex homework assignment that will be part of the exam.

8.1. Preparation Phase (Hands-on)

  • Policies
  • IR Plan
  • IR procedures
  • Playbooks

8.2. Identification/Detection(Hands-on)

  • Memory Analysis
  • Disk Analysis
  • Malware Analysis (YARA)
  • Network Analysis

8.3. Containment

  • Systems
  • Network
  • Users
  • Services
  • Cloud

8.4. Eradication

  • Systems
  • Network
  • Users
  • Services
  • Cloud

8.5. Recovery

  • Systems
  • Data

8.6. Lessons Learned (Hands-on)

8.7. Dissemination and Security Awareness

About the exam

  1. Homework assignment in CTF format
    The hands-on section on the last day of training prepares you for a complex, hands on homework assignment in a Capture the Flag format that will be part of your exam and certification. You must finalize your assignment before you can schedule your exam.
  2. Exam
    • Language: English
    • Delivered: Online via a certified proctor
    • Questions: 40 multiple choice (5 questions related to your CTF homework assignment)
    • Time: 60 minutes

From the Horse’s Mouth

‘ Leading a global SOC allows me to work with some of the brightest, curious, and passionate minds unlike in any other industry. It is also one of those duties in my career that has pushed my boundaries on a daily basis, and this is no different for the analysts in my team. Training can play a huge role here. It allows them to defend the organisation like real warriors and at the same time keeps them active, happy and engaged. Offering them the right knowledge, tools and skills at the right time in their career is key here, and that is exactly what we’re doing with SECO’s Cyber Defense training program’. Carlos Valderrama, SOC Director and Lead Author.

Training Schedule, Information and Registration


Starting Dates





1. Take an open class with the creator of the training

April 1st, 2021

Online Live


Carlos Valderrama

Instructor- led, online Live trainings organized by SECO-Institute.

Your instructors:

  • Carlos Valderrama, SOC Director at Proficio, IoT Security Expert for ENISA, lead author for SECO’s Cyber Defense track
  • Rob van Os, SOC Manager at de Volksbank, creator of the SOC Maturity Model, Vice-chair of FI-ISAC, chair of FI-ISAC SOC/CSIRT workgroup, co-author of the SOC Associate Analyst Training
  • Jeroen de Wit, Senior Manager Security Operations at KPMG, knowledge holder KMPG EMEA Center of Excellence for Security Operations. Co-leader of the KPMG global collaboration working group on Security Operations

Training Fee: € 2,950

Included in your training

  • 5 days instructor led, virtual online training
  • Access to SECO’s Virtual SOC
  • Hands on labs
  • All course materials
  • Access to SECO’s student portal with practice exam & resources
  • Exam voucher

2. Join a class with one of our Accredited Training Partners

All year

Online Live and In Person



3. Schedule a class dedicated for your team

Based on availability

Online Live and In Person

On your doorstep

Based on your needs and profile

4. Deliver the training to your team yourself

Set your own dates

Online Live and In Person


Your own trainer

5. Partner with SECO-Institute

Set your own dates

Online Live


Your own trainer