SOC Threat Analyst Practitioner (S-TA)

Advanced threat analysis and threat hunting practice in a virtual SOC

What will you learn?

  • Master the SOC analyst mindset and develop essential analytical and collaboration skills through hands-on SOC practice;
  • Get real-life experience in a virtual SOC with ITSM, CMDB, SOC Ticketing System, Network and Asset Modelling, SIEM (Splunk and Elastic), Threat Intelligence platforms, Packet capture and analysis, Automation tools, Incident Response tools, and XDR;
  • Perform deep investigations on escalated events and incidents, and grasp Advanced Persistent Threats Analysis;


    • 5 days of training
    • 24 hours of self-study
    • 1 CPE credit per study hour

    SOC Threat Analyst Practitioner Course – Advanced SOC training with threat analysis and threat hunting practice

    Our SOC Threat Analyst Practitioner course is for SOC analysts who aspire to improve their skills and advance their career to a more senior level. This hands-on advanced SOC training is designed to train you for more senior SOC jobs. At the same time, it prepares you for a new SOC paradigm characterised by dynamic learning, deploying top-notch automation and implementing ITIL-based SOC services. In this course, you will practice working with the modern MDR technology stack and evolved processes. You will learn to structure your mind the right way to conduct deep investigations on escalated events and incidents, and you will try your hand at conducting Advanced Persistent Threats Analysis.

    Proactive SOC and threat hunting

    In addition to practicing advanced threat analysis, you will also develop the skills you need to succeed in a more proactive defence role in the SOC. You will use Network and Asset Modeling as a basis for risk-based log ingestion strategies and investigation prioritisation. You will improve threat detection and security monitoring capabilities using MAGMA and SIGMA rules and conduct blind spot detection assessments. You will structure full Threat Hunting campaigns to detect threats that will inevitably slip through defenses, and practice responding to threats rapidly and effectively. Finally, you will employ your knowledge of attacker techniques and use the indicators of compromise (IOCs) discovered in your investigations to create alerts and rules to proactively detect threats in the future. You will also work with a real Threat Intelligence platform and use it for situational awareness.

    Authentic virtual SOC environment

    This SOC Threat Analyst Practitioner course is focused on hands-on practice. The exercises are Capture The Flag challenges in a virtual SOC environment, designed to mimic a real-world SOC as closely as possible. The virtual SOC offers a fully integrated toolset, with the tools set up to work with each other to recreate an authentic SOC experience:

    • ITSM and CMDB
    • Network and Asset Modelling
    • A SOC Ticketing System
    • SIEM (Splunk and Elastic)
    • A Threat Intelligence platform
    • Packet capture and analysis
    • Automation tools
    • An Incident Response tool
    • XDR

    Who should attend our SOC Threat Analyst Practitioner course?

    This advanced SOC training is designed for SOC analysts aiming to move up in their career to a more senior role. As the training offers a unique combination of the threat analyst mindset, knowledge and skills immediately applied in a realistic work environment, it is also an ideal opportunity for SOC teams who want to set a baseline requirement for their threat analysts.

    To join this course, you should have at least one year of work experience as a SOC analyst. If you don’t have this experience, we recommend that you first take our SOC Analyst Foundation training. Not sure which course is the best choice? Feel free to contact us for advice.

    What is included in this SOC Threat Analyst Practitioner course?

    • Official SECO-Institute course materials developed by high-level SOC experts;
    • Access to SECO’s Next Generation SOC with a Threat Intelligence Platform, Incident Response Platform, XDR, PCAP, automation tools and CMDB (in addition to 2 SIEMs and a SOC Ticketing System);
    • Training from passionate instructors with decades of SOC experience;
    • Practice exam;
    • Certification exam voucher;
    • Access to the (S)ECO-system, a professional community website where you will find additional resources and exclusive knowledge events.

    Why do your SOC training with Security Academy Online?

    Our SOC Threat Analyst course was developed by an international group of SOC managers and the SOC Director of one of the world’s leading MDR SOC providers.  Drawing on the requirements these real-world SOC experts have set for their own teams, this online SOC Threat Analyst training guarantees a practical, relevant, and job-ready learning experience. Our accredited trainers have been involved in building, managing and maturing SOC/CSIRT teams, worked on large-scale international cyber investigations, and participated in responding to attacks from renowned campaigns and cyber criminals. Equally important, they fully identify with our vision: Passion, mindset and collaboration are crucial to the success of a SOC as a whole as well as the success and satisfaction of its analysts.


    SOC Threat Analyst Practitioner Course Modules


    Module 1 – Setting the Stage: The MDR SOC and the Threat Analyst

    This module gives you a strategic vision of a current SOC (known as Next Generation SOC and lately, MDR), with a focus on the different ways an MDR SOC can be structured and the actions that must be taken to run and continuously improve a scalable and effective SOC based upon the SOC Implementation Model and SOC Maturity Model. You will acquire the mindset to design an MDR SOC taking into account the relevant technology, processes, roles, tasks and services. In this module, you will also work on a business case, processing tasks in a virtual SOC via ITSM in a “Capture the Flag” format. You will be asked to identify a SOC’s business drivers, customers, roles and responsibilities, and utilize MDR components and technologies in order to accomplish the SOC’s mission. Finally, you will create relevant SOC metrics.

    1.1. SOC Services, Evolution to MDR and the Impact on the Threat Analyst Role
    • Cloud SOC
    • On-prem SOC
    • Strategic SOC
    1.2. MDR Service Operations
    • ITIL Service Management
    • Threat Modeling
    • Threat Analysis
    • Threat Hunting
    • Threat Intelligence to discover, share, store and correlate Indicators of Compromise or targeted attacks
    • Create and improve security monitoring and threat detection use cases
    • Conduct blind spot detection assessments
    • Automate SOC processes
    • Respond rapidly to incidents
    1.3. Business
    • New drivers
    • Customers
    • New governance
    • New privacy regulations
    • SOC metrics
    1.4. People
    • New roles and hierarchy
    • Training and knowledge management
    • SOC career progression
    • Assessing the SOC team

    Frameworks and best practices for this module (Hands-on):
    • SOC Maturity Model
    • SOC Implementation Model
    • The Library of Cyber Resilience Metrics

    Module 2 – Attacker Tactics and Techniques In Depth

    While junior and medior SOC analysts are expected to have a thorough understanding of Attacker Techniques, the Threat Analyst must master them! This module dives deep into the MITRE Att&ck Framework, MITRE Att&ck Navigator and Cyber Kill Chain to give you a full understanding of attacker tactics and techniques, and how to work with them in different environments. You will apply this knowledge to resolve problems during the course of the training.

    2.1. MITRE Att&ck Framework (Hands-on)
    2.2. MITRE Att&ck Navigator (Hands-on)
    2.3. Cyber Kill Chain (Hands-on)


    Module 3 – Key Toolset of the Threat Analyst: Introduction to SECO’s Virtual SOC

    This module introduces you to the Virtual SOC you will be working in throughout the course. You will grasp how the tools and deployed technologies work together in this SOC environment, and work on a business case by processing some tasks.

    3.1. ITSM and CMDB (Hands-on)
    3.2. SOC Ticketing System (Hands-on)
    3.3. SIEM (Hands-on)
    3.4. Threat Intelligence platform (Hands-on)
    3.5. Packet capture and analysis
    3.6. Automation tools
    3.7. Incident Response tool
    3.8. Security Automation tool and scripts
    3.9. Rapid Response


    Module 4 – Network and Asset Modeling, Log Ingestion Strategies, SIEM and Threat Investigation

    This module starts with an exercise in Network and Asset Modeling and Risk Analysis. You will model the network you are assigned to monitor and protect in our Virtual SOC. You will label, classify and document the assets using the CMDB module on your ITSM, and perform a risk analysis on the assets. You will create log ingestion strategies in order to set up the best visibility to detect cyberattacks, and you will conduct detection assessments to help find detection blind spots. You will ingest several types of logs into the SIEM instances to enable quick searches and the investigation of events. Likewise, you will configure ITSM modules to define SOC services, investigate escalated threats and create alerts to proactively detect associated attacker techniques. Throughout the module, you will get assignments on a virtual ITSM system as in a real SOC. You will work on both Splunk and Elastic SIEM and interact with your SOC mates to complete investigation, escalation and hand-over activities.

    4.1. Network Modeling, Asset Modeling, Risk Analysis (Hands-on)
    4.2. Logging, Log sources, Log ingestion (Hands-on)
    4.3. Blind Spot Detection Assessment (Hands-on)
    4.4. ITSM and Defining SOC Services Conform to ITIL (Hands-on)
    4.5. Threat Analysis (Hands-on)

    • SIEM (Hands-on)
    • Threat Analysis, correlation and Attack Techniques (Hands-on)
    • Alerting, Reporting, Dashboarding and Escalating (Hands-on)

    Frameworks and best practices for this module (Hands-on):
    You will explore frameworks and best practices relevant to threat investigations, and you will use best-practice structure and naming convention when documenting investigations on the ticketing system. You will understand how the process and labelling convention work in different SOC areas, services, modules and technologies and how to scale them up.

    • Cyber Kill Chain versus MITRE ATT&CK Framework
    • OODA loop
    • Diamond model of intrusion analysis
    • ITIL best practices for the SOC

    Module 5 – Monitoring Use Cases and Threat Intelligence

    Building on your knowledge of Attack Tactics and Techniques, you will create security monitoring and threat detection use cases in both Splunk and Elastic environments. Subsequently, you will use MaGMA UCF to measure, maintain, improve, scale and manage the SOC use case library. You will analyse SIGMA rule structure and create, maintain, scale and improve your own rules. Finally, you will dive into the Threat Intelligence process. You will use a real Threat Intelligence platform (MISP) in an authentic case scenario for situational awareness, threat investigation and threat detection. You will even extend your investigations to the fascinating world of the Dark Web to harvest threat intelligence. During the hands-on practice session, you will discover, share, store and correlate Indicators of Compromise of targeted attacks, financial fraud information, vulnerability information and threat actors. The hands-on session prepares you for a complex homework assignment you will complete after this module.

    5.1. MITRE Att&ck Applied to Monitoring, Detection and Threat Intelligence
    5.2. Security Monitoring and Threat Detection Use Cases (Hands-on)

    • Security Monitoring
    • Threat Detection
    • Use Case Development
    • MaGMA UCF
    5.3. SIGMA Rules (Hands-on)
    5.4. Threat Intelligence (Hands-on)

    • Types
    • Protocols
    • Standards
    • Feeds
    • Platforms
    • STIX/TAXII/OpenIoC
    5.5. Threat Intelligence on the Dark Web (Hands-on)

    Frameworks and best practices for this module (Hands-on):
    • CSAN Threat Actors
    • Threat intelligence protocols and standards
    • Pyramid of Pain and TTPs
    • Cyber Kill Chain versus MITRE Att&ck
    • OODA loop
    • Diamond model of intrusion analysis
    • Chatham House Rule
    • MaGMa and MaGMa UCF Tool
    • MISP

    Module 6 – Threat Hunting and Defense

    Module 4 starts with TTPs and the MITRE Att&ck Framework in depth. In this module, you will collect IoCs and structure a full Threat Hunting campaign, where you will create your own hypotheses and either confirm or discard them after cross-correlating events, determining event context, and identifying and quantifying vulnerabilities based on Splunk, Elastic and MISP. You will track and document the entire process through your ITSM tool, just as next generation SOCs do. Once the threats are hunted, you will create your own rules to be shared and report the findings of your assignments. After performing in-depth analysis, you will translate your technical findings to a management summary and deliver a board-level presentation.

    6.1. Pyramid of Pain (Hands-on)
    6.2. TTPs (Hands-on)
    6.3. Threat Hunting Methodologies (Hands-on)

    • Cyber Threat Hunting Framework
    • TaHiTI
    • The Hunting Loop
    6.4. The Hunt Matrix (Hands-on)
    6.5. The Defense Chain
    6.6. Detection Feedback
    6.7. Advanced Persistence Defense
    6.8. Snort/Zeek Rules (Hands-on)

    Frameworks, best practices and references for this module:
    • Threat intelligence protocols and standards
    • Pyramid of Pain and The Hunt Loop
    • Cyber Kill Chain versus MITRE ATT&CK Framework
    • The Defense Chain
    • OODA loop, Diamond model of intrusion analysis
    • MaGMa, MaGMa UCF Tool
    • MISP

    Module 7 – Incident Response

    Our last module is led by the PICERL Incident Response model and the NIST Computer Security Incident Handling Guide. In this module, you will first learn to evaluate the policies governing incident response, incident response plans, the procedures you should have in place and the tools and technologies you need to handle an incident. From there on, you will practice the incident response process including activities such as incident declaration, analysis, escalation and reporting. You will complete two exercises using your ITSM tool: You will manage an incident from preparation to post-incident evaluation. In the hands-on section you will use a platform that provides endpoint-driven information security tools and infrastructure to help you investigate, process and lead incident response in our virtual SOC.

    This module also prepares you for a complex homework assignment. The homework assignment will be part of your certification exam, so make sure you complete it after finishing this module!

    9.1. Preparation Phase (Hands-on)
    • Policies
    • IR Plan
    • IR procedures
    • Playbooks
    9.2. Identification/Detection (Hands-on)
    • Memory Analysis
    • Disk Analysis
    • Malware Analysis (YARA)
    • Network Analysis
    9.3. Containment
    9.4. Eradication
    • Systems
    • Network
    • Users
    • Services
    • Cloud
    9.5. Recovery
    • Systems
    • Data
    9.6. Lessons Learned (Hands-on)
    9.7. Dissemination and Security Awareness

    SOC Threat Analyst Practitioner Certification Exam

    1. Homework assignment in CTF format
      The hands-on exercises on your last course day prepare you for a complex hands-on Capture the Flag homework assignment. This CTF homework assignment will be part of your certification exam. Make sure you finalise your assignment before you schedule your exam!
    2. Exam
      The certification exam is conducted by the SECO-Institute, Europe’s leading security and continuity certification body. The exam voucher is included in the course fee, but you need to schedule your exam with the SECO-Institute. Upon successful completion of the exam, you will receive an exam certificate and an invitation to register your official SECO-SOC Threat Analyst Practitioner (S-SAP) certification title. By activating your certification title, you will become a certified professional in your field and you will receive a shareable digital badge to verify your competence to clients, employers and fellow professionals.
      • Exam language: English
      • Exam delivery: Online via a certified proctor
      • Exam format:
          • 10 multiple-choice questions
          • 5 open questions related to your CTF homework assignment
          • 1 case study
      • Duration: 120 minutes

    Authors & Lead Trainers

    Carlos Valderrama
    Author & Trainer

    SOC Director
    IoT Security Expert for ENISA

    Rob van Os
    Author & Trainer

    Security Consultant
    Creator of the SOC Maturity Model

    Jeroen de Wit

    Associate Partner, Threat Management – EMEA at IBM


    In-company training tailored to your needs

    Schedule this training as in-company. Upskill your entire team in the most cost-effective way!