SOC Analyst Foundation (S-SAF)

Hands-on online SOC training. Learn from practicing SOC experts and become a certified SOC Analyst.
EnrollBook as in-company

What will you learn?

  • 9Dive into the SOC analyst mindset, and learn the necessary analytical and collaboration skills to thrive in a SOC;
  • 9Get real-life experience in a Virtual SOC with SIEM, ITSM and a SOC Ticketing System;
  • 9Practice attacker techniques and vulnerability assessment;
  • 9Identify companies’ critical assets and key IT systems to monitor and protect;
  • 9Learn where and how to collect data and logs;
  • 9Get hands-on experience in threat analysis, reporting and escalation.


  • 4 days
  • 12 hours of self-study
  • R1 CPE credit per study hour

“I had high expectations from this course and I was not disappointed. From the course materials, the lab environment and the instructor, it was great. The instructor is very experienced and thorough, and the course covers exactly those activities and challenges that we deal with on our SOC. Great training packed with realistic and practical scenario’s”

Jarek Sordyl

National Cyber Security Center, Poland

SOC Analyst Foundation Course – Hands-on SOC training to become a Tier 1 SOC analyst

Our SOC Analyst Foundation course is a hands-on online SOC training developed by expert SOC managers and the creator of the SOC Maturity Model (SOC-CMM). First and foremost, this training will trigger your curiosity, activate your analytical brain, and challenge you to work with SOC mates, clients and incident responders. The course immerses you in the SOC analytical process through ‘if-then’ hypothesis scenarios to help you develop the SOC analyst mindset and the soft skills needed to become a successful SOC analyst. You will learn what to look for and where to find ‘go-to’ resources to support your threat investigations. In addition to a SOC mindset, the course will equip you with the toolset you need to successfully handle the number of logs, alerts and events you will encounter in a real-world SOC, which can be overwhelming if not approached correctly.

This SOC training integrates real-world SOC experts’ lessons with hands-on practice activities mimicking the tasks of a Tier 1 SOC analyst. Throughout the course, you will practice attacker techniques and vulnerability evaluation, the identification of critical assets and key IT systems to monitor and protect, and working with SIEM, ITSM and a SOC Ticketing System. You will monitor, analyse and prioritise SIEM alerts based on host-based and security appliance logs, perform triage and effective decision-making to confirm if a security incident is taking place, declare the incident and escalate to your Tier 3 colleagues in the Virtual SOC. Additionally, you will conduct threat analysis on actual datasets, use the ticketing system to report your findings, and present the results of your investigations.

Immersive experience in a virtual SOC

You will develop your SOC skills in a simulated SOC environment including a virtualized ITSM, SOC Ticketing System and SIEM, fully set up to work together. Our virtual SOC will provide you with an immersive experience mimicking a real-world SOC as closely as possible. Lastly, the course introduces you to use cases for security monitoring and threat intelligence, threat hunting and incident response. By completing this SOC training, you will be fully prepared to continue with our SOC Threat Analyst Practitioner course , a more advanced SOC training designed for SOC analysts aspiring to progress into a more senior role.

Who should attend our SOC Analyst Foundation course?

Our SOC Analyst Foundation course is designed for professionals wanting to start a career as a SOC analyst. But this training is also ideal for junior SOC team members looking to accelerate their learning curve, SOC teams wishing to set a baseline requirement for their Tier 1 analysts, and universities that want to have their students ‘job- ready’, equipped with in-demand industry skills and certifications. This hands-on SOC training offers a unique combination of the SOC analyst mindset, knowledge and skills, immediately applied in a realistic work environment. If you are a SOC analyst looking to grow into a more senior role, we recommend you to take our Threat Analyst Practitioner course.

What is included in our SOC Analyst Foundation course?

  • Official SECO-Institute course materials developed by practicing SOC experts;
  • Access to SECO’s Virtual SOC with ITSM, SOC Ticketing system and SIEM;
  • Training from passionate instructors who are active in SOC management;
  • Practice exam and exam syllabus so you can fully prepare for your SOC Analyst certification exam;
  • Certification exam voucher;
  • Exam voucher
  • Access to the (S)ECO-system, a professional community website where you will find additional resources and exclusive knowledge events.

Why do your SOC training at Security Academy Online?

Our SOC Analyst Founadtion course was developed by an international group of SOC managers and the creator of the SOC Maturity Model (SOC-CMM), a SOC maturity assessment tool adopted by enterprises worldwide to improve Security Operations. Drawing on the SOC-CMM and the requirements real-world SOC experts have set for their own SOC teams, this SOC training guarantees a practical, relevant, and job-ready learning experience. Our accredited trainers have been involved in building, managing and maturing SOC/CSIRT teams, worked on large-scale international cyber investigations, and participated in responding to attacks from renowned campaigns and cyber criminals. Equally important, they fully identify with our vision: Passion, mindset and collaboration are crucial to the success of a SOC as a whole as well as the success and satisfaction of its analysts.



SOC Analyst Foundation Course Modules


Module 1 – Setting the Stage: The SOC and the Tier 1 Analyst

This module briefly introduces you to the processes, data flows and capabilities of a Security Operations Center. First, you will gain insight into the services that a SOC delivers, the technologies deployed in a SOC, and how SOC technologies interconnect. Next, you will grasp SOC roles, responsibilities and tasks from Tier 1 up to management. Following an overview of SOC processes, technologies and responsibilities, the module dives deep into the Tier 1 analyst role. You will understand Tier 1 SOC analyst tasks and the SOC KSA matrix (Knowledge, Skills, Abilities). Finally, you will get familiar with key tools and resources, the major challenges and pitfalls for a junior analyst, and how all of the above are addressed in the training process.

1.1. Introduction to SOC, SOC Services and Technology Based on the SOC Maturity Model (SOC-CMM)
1.2. Roles and Responsibilities in a SOC, SOC Escalation Processes and Career Paths
1.3. Tasks of the Tier 1 Analyst
1.4. Core Skills of the Tier 1 Analyst:

• Understanding attacker techniques and vulnerabilities;
• Ability to identify critical company assets and key systems;
• Knowing where and how to collect data and logs;
• Ability to analyse events and make decisions on whether to declare a security incident;
• Ability to report findings and escalate.
1.5. Key Toolset of the Tier 1 Analyst (SIEM, ITSM and SOC Ticketing System)
1.6. Key Data Sources Initiating Investigations:

• SIEM alerts
• IDS alerts, firewalls, network traffic logs, endpoints
• User reports
1.7. Key Data Sources Supporting Investigations:
• Vulnerability Management
• Threat Intelligence
• Malware Analysis

Module 2 – Key Toolset of the SOC Analyst: SIEM, ITSM, the SOC Ticketing System, and the SOC Analyst Mindset

This hands-on module introduces you to SIEM, ITSM and SOC Ticketing Systems. First, you will understand how SOC tools are used and how they work together. You will learn to use key SIEM technologies and data processing models, focusing on Elastic and Splunk, the currently most popular SIEM products on the market. Furthermore, you will experience the challenges SOC analysts face when working with different team members and transitioning from ITSM to more advanced SOC tools in order to deliver a high-quality service. In this module, you will also work on a business case: You will be assigned to process some tasks in a virtual SOC via a ticketing system. Your hands-on tasks will immerse you in the security analyst mindset and the analytical, step- by-step process of an investigation.

2.1. ITSM
2.2. SOC Ticketing System
2.3. SIEM
2.4. The Mindset of a Security Analyst – Introduction
2.5. Hands-on exercise integrating the use of SOC tools and mindset


Module 3: Log Collection, Use Cases, Threat Detection and Monitoring

This module immerses you in the theory behind log monitoring and security monitoring systems along with hands-on exercises in security logging and analysing log collections. You will learn the fundamentals of attacker techniques, vulnerability finding, critical asset identification and key systems identification. Subsequently, you will learn where and how to collect data (focusing on SIEM alerts, IDS alerts, firewalls, network traffic logs, endpoints and WAF), how to investigate and detect threats based on a large realistic dataset, and how use cases are applied to monitor the use of attack techniques. Module 3 aims to guide you step by step through the SOC analytical process, and help you understand what to look for when analysing log collections and key data sources that will support your investigations.

3.1. The Mindset of a Security Analyst – In Depth
3.2. Introduction to Attacker Techniques and Processes
3.3. Data Collection
• SIEM alerts
• IDS alerts
• Firewalls
• Network traffic logs
• Other data collection methods
3.4. Logs and Log Collection
3.5. Critical and Key IT Systems and Their Logs (exercise)
3.6. ITSM and SIEM (hands-on practice)
3.7. Event Analysis, Correlation and Attack Techniques (hands-on practice)
3.8. Alerting, Reporting and Dashboarding (hands-on practice)
3.9. Security Monitoring Use Cases, MaGMA and MaGMA UCF


Module 4: Threat Analysis In Depth, Fundamentals of Threat Intelligence and Threat Hunting, Incident Response

Module 4 starts with a high- level introduction to the threat intelligence process and how it is applied to obtain situational awareness. Following an overview of threat intelligence, we dive deeper into the Pyramid of Pain and using the MITRE ATT&CK framework for threat hunting and threat analysis. You will fully understand the incident declaration and escalation procedure as well as the overall incident response model and process. In the hands-on practice segment, you will analyse a dataset in order to find indications of threats. After that, you will work with your fellow participants on a business case focused on managing incidents from preparation to post-incident analysis.

The hands-on exercises in Module 4 prepare you for a complex homework assignment you will complete after this module. The homework assignment will be a part of your certification exam!

4.1. Introduction to Threat Intelligence; Situational Awareness and Attribution
4.2. Pyramid of Pain and the MITRE ATT&CK Framework
4.3. Threat Analysis versus Threat Hunting
4.4. Detection: Continuous Improvement and Intelligence Feedback
4.5. Incident Response Model and Process
4.6. Hands-On Threat Analysis Exercise and Incident Response Business Case
4.7. Homework Assignment and Exam Preparation

SOC Analyst Foundation Certification Exam

  1. Hands-on homework assignment in Capture the Flag (CTF) format
    The hands-on section of your last course day prepares you for a complex, hands-on homework assignment (Capture the Flag). This CTF assignment will be a part of your certification exam. You must finalize your CTF homework assignment before you can schedule your exam!
  2. Exam
    The certification exam is conducted by the SECO-Institute, Europe’s leading security and continuity certification body. The exam voucher is included in the course fee, but you need to schedule your exam with the SECO-Institute. Upon successful completion of the exam, you will receive an exam certificate and an invitation to register your official SECO- SOC Analyst Foundation (S-SAF) certification title free of charge. By activating your certification title, you will become a certified professional in your field and you will receive a shareable digital badge to verify your competence to clients, employers and fellow professionals.• Exam language: English
    • Exam delivery: Online exam with remote proctoring
    Exam format: 40 multiple-choice questions (5 questions related to your CTF homework assignment)
    Duration: 60 minutes

Authors & Lead Trainers

Carlos Valderrama
Author & Trainer

SOC Director
IoT Security Expert for ENISA

Rob van Os
Author & Trainer

Security Consultant
Creator of the SOC Maturity Model

Jeroen de Wit

Associate Partner, Threat Management

Register now

In-company training tailored to your needs

Schedule this training as in-company. Upskill your entire team in the most cost-effective way!