Free community resource — updated as I learn

Become a SOC & Cybersecurity Analyst

A free, step-by-step roadmap built by someone actively on this journey. No fluff. No paywalls. Just the exact labs, tools, and steps you need to go from zero hands-on experience to SOC and cybersecurity analyst roles.

Covers everything from lab setup to threat hunting to cloud security monitoring
Every tool listed is free or low cost — no expensive bootcamps needed
Built for anyone with a laptop and the drive to put in the work
Built and maintained by
Mohammed H. Majeed
Cloud & Network Operations → SOC Analyst (in progress)
Security+ · Network+ · CySA+ · AWS Security (in progress)
00 — Before You Start

What You Need

Before touching a single lab — get these sorted. This is your foundation.

💻
A decent laptop or PC
Minimum: 16GB RAM, 256GB SSD, Intel i5 or AMD Ryzen 5. You need RAM to run multiple VMs simultaneously. A refurbished ThinkPad T14 or Dell Latitude with 16GB runs around $250–300 on eBay or Best Buy refurbished. 32GB RAM is ideal. Do NOT use a machine with 8GB — you'll fight your setup more than you learn.
🆓
Free accounts to create right now
VMware Workstation Pro — VMware-based VM lab option
GitHub — your portfolio lives here
TryHackMe — guided learning rooms
LetsDefend — SOC alert queue simulator
CyberDefenders — investigation labs
VirusTotal — IOC lookups
Any.run — malware sandbox
URLScan.io — URL analysis
📥
Downloads needed for your lab
VirtualBox — free VM software (Windows/Mac Intel)
UTM — free VM software (Mac Apple Silicon only)
Ubuntu Server 22.04 LTS — your SIEM host
Kali Linux — your attacker machine
Windows 10 Enterprise Eval — free 90-day trial
🧠
Mindset going in
This roadmap is hands-on. You learn by doing, not watching. Every phase ends with a written report or working detection — no exceptions. Document everything in GitHub from day one. Hiring managers can't see what you don't show them. The goal is to be able to talk about real things you built, not hypothetical skills.
01 — The Roadmap

The Complete Path

8 tracks. 26 phases. Updated after reviewing current SOC L1, SOC L2, and Cybersecurity Analyst job requirements plus practitioner feedback: build the lab first, then prove high-volume alert triage, ticket writing, Splunk/SPL, EDR, cloud, IR, automation, and portfolio-ready documentation.

SOC Operations Simulation
Intermediate Alert Queue Practice

Phase 5 is built around analyst-style queue work: a scripted VMware attack loop generates repeated activity, Elastic/Wazuh collect the alerts, and each session is used to review evidence, tune noise, write case notes, and decide what needs escalation.

50+
Alerts Reviewed
Target queue volume per triage session across Elastic and Wazuh.
30-60m
VMware Attack Loop
Timed Kali and Windows activity window to create realistic alert pressure.
10+
Tuning Decisions
Document recurring noise, suppression logic, or why an alert should stay active.
5+
Escalation Notes
Write L2-ready summaries with affected user, host, evidence, timeline, and next action.
30s
First-Look Triage
Initial analyst decision: close, tune, investigate deeper, or escalate with evidence.
How the volume gets created
A VMware attacker VM and Windows/admin activity loop will generate failed logons, PowerShell events, DNS/web noise, scans, new services, file activity, and identity changes.
How the loop runs
The Kali attacker VM runs timed scripts in VMware for 30-60 minutes, creating repeated but safe events that land in Elastic and Wazuh for triage practice.
What gets documented
Each session produces tickets, case notes, false-positive decisions, escalation summaries, and a short lesson learned for the build logs.
🖥️
Track 1 — Build Your SOC Lab
Build the telemetry foundation first: Elastic, Suricata, Sysmon, Fleet, Wazuh, Windows, and Linux.
01
Set Up Your Virtual Lab Environment
VMware, VirtualBox, or UTM · isolated network · Windows · Ubuntu · Kali
VMware · VirtualBox · Ubuntu Server · Windows 10 · Kali · Host-Only Networking
Create the safe lab network everything else depends on. Build the VMs, isolate lab traffic, confirm connectivity, and snapshot clean starting points.
1
Build the VM set
Create Windows, Ubuntu, and Kali VMs in VMware, VirtualBox, or UTM with NAT plus host-only networking so the lab can reach the internet while keeping attack traffic isolated.
2
Verify connectivity
Confirm host-to-VM and VM-to-VM communication with ping, ipconfig or ip addr, routing checks, and basic firewall adjustments.
3
Snapshot clean baselines
Take baseline snapshots before installing security tools so broken installs or attack simulations can be rolled back cleanly.
PHASE GOAL: Three stable VMs, verified lab networking, and clean snapshots ready for SIEM/XDR deployment.
02
Deploy Elastic SIEM + Suricata IDS
Elastic · Kibana · Fleet · Sysmon · Suricata · dashboards
Elastic · Kibana · Fleet · Sysmon · Suricata · Dashboards
Build your first SIEM and network detection pipeline. This teaches raw log searching, endpoint telemetry, IDS alerts, and dashboarding.
1
Install Elastic and Kibana
Install Elasticsearch and Kibana on Ubuntu, complete enrollment, and make Kibana reachable from the host browser.
2
Collect Windows telemetry
Install Sysmon and enroll the Windows endpoint into Elastic Fleet so process, login, and system activity reaches the SIEM.
3
Add network detection
Install Suricata, generate safe ICMP and network test alerts, and build Kibana dashboards for endpoint and IDS telemetry.
PHASE GOAL: Elastic, Kibana, Fleet, Sysmon, and Suricata working with dashboards and validated alerts.
03
Wazuh XDR — Second Detection Platform
Wazuh manager · indexer · dashboard · Windows agent · FIM · SCA
Wazuh · XDR · Windows Agent · FIM · SCA · Vulnerability Detection
Add an XDR-style platform so you can compare flexible SIEM searching against built-in endpoint security, compliance, and vulnerability visibility.
1
Deploy the Wazuh server
Create a dedicated Wazuh Ubuntu Server VM with host-only and NAT networking, then install manager, indexer, dashboard, and Filebeat.
2
Enroll the endpoint agent
Install the Wazuh agent on the Windows victim VM and confirm the endpoint reports as active in the dashboard.
3
Validate XDR features
Test admin group change alerts, File Integrity Monitoring, Security Configuration Assessment, vulnerability detection, and MITRE mapping.
PHASE GOAL: Wazuh deployed, Windows agent active, FIM/SCA/vulnerability detection working, and Elastic vs Wazuh comparison documented.
🎧
Track 2 — SOC L1 Core Workflow
Practice the actual L1 job: high-volume alert triage, ticket notes, phishing, Splunk, escalation, and detection tuning.
04
Windows, Linux, and Network Log Fundamentals
Event IDs · auth logs · Sysmon · DNS · firewall/proxy basics
Windows Event IDs · Linux auth.log · Sysmon · DNS · Firewall Logs
Before advanced attacks, learn what normal and suspicious logs look like. This is the language SOC analysts read all day.
1
Build a Windows event map
Document common SOC event IDs such as 4624, 4625, 4672, 4688, 4698, 4720, 4728, 4732, 7045, and key Sysmon events.
2
Read Linux security logs
Review Linux authentication, sudo, SSH, cron, and process logs from Ubuntu and Kali so investigations are not Windows-only.
3
Decode network fields
Practice reading source and destination IPs, ports, protocols, DNS queries, HTTP user agents, TLS clues, and IDS signatures.
PHASE GOAL: A personal log field and Event ID reference with 20 examples tied to real lab evidence.
05
VMware Scripted Attack Loop + High-Volume Triage
attacker VM loop · 50+ alerts/tickets · false-positive tuning · 30-second first look
VMware Loop · High-Volume Triage · 50+ Tickets · False Positives
Now that tools exist, use them like a real SOC queue. Build a safe scripted attack loop in VMware, let the alerts stack up, then practice sorting noisy alerts quickly, deciding what deserves more time, tuning false positives, and writing tickets another analyst could act on.
1
Build the VMware scripted attack loop
Run a Kali attacker VM on a timed VMware loop, plus Windows/admin activity scripts, to create 50+ mixed alerts: failed logins, benign admin activity, suspicious PowerShell, file deletion, network scans, DNS/web noise, and new services.
2
Flood Elastic/Wazuh, then work the queue
Let the loop run for 30-60 minutes, then triage the alert queue in batches. For each alert, make a first-look decision within 30 seconds: close as benign, mark false positive, investigate for 10 more minutes, or escalate with evidence.
3
Write and tune like an analyst
Track alert name, severity, affected host or user, timestamps, query used, verdict, next action, and tuning recommendation for recurring false positives.
PHASE GOAL: At least 50 triaged alerts/tickets, 10 false positives tuned or explained, 5 escalations written, and average first-look triage time tracked.
06
SOC Ticket Writing, Escalation, and Shift Handoff
Ticket template · escalation summary · handoff notes
Ticket Writing · ServiceNow Style · Escalation · Handoff
Job postings keep asking for documentation discipline. This phase turns lab work into manager-readable analyst output.
1
Create the ticket template
Build a reusable template with summary, evidence, timeline, analysis, MITRE mapping, verdict, recommended action, and owner.
2
Write practice escalations
Turn the Phase 5 queue into 10 polished tickets and 5 concise escalation notes that an L2 analyst could act on quickly.
3
Practice shift handoff
Write handoff notes that show what happened, what is pending, what was closed, and what needs follow-up on the next shift.
PHASE GOAL: 10 polished tickets, 5 escalation summaries, and 2 shift handoff notes published to GitHub.
07
Phishing and Email Security Investigation
Headers · URLs · attachments · SPF/DKIM/DMARC
Phishing · Email Headers · URLScan · VirusTotal · DMARC
Phishing is one of the most common L1 workflows. Move it early so you can talk about email cases before malware/forensics.
1
Analyze email headers
Review sender, return-path, SPF, DKIM, DMARC, received chain, URLs, attachments, and user-reported context.
2
Enrich suspicious indicators
Use URLScan, VirusTotal, AbuseIPDB, MXToolbox, sandbox results, and safe browser checks to decide whether the email is malicious.
3
Document the phishing case
Write a phishing ticket with user impact, IOCs, verdict, containment steps, and recommended user or security actions.
PHASE GOAL: 5 phishing investigations and 1 polished phishing incident report.
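As an added example (not part of the roadmap or its build logs), the header checks from step 1 and the IOC fields from step 3 in standard-library Python, run over two constructed messages. The domains, IPs, hop layout and the "two or more findings means escalate" threshold are assumptions made for the demo.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed messages (reserved example domains and documentation IPs), not real samples.
PHISH_EMAIL = b"""Return-Path: <bounce@mail.example.net>
Received: from mx.example.net (mx.example.net [192.0.2.10]) by inbound.example.org with ESMTPS; Mon, 18 May 2026 09:14:02 +0000
Received: from webmail.example.net (unknown [198.51.100.23]) by mx.example.net with ESMTP; Mon, 18 May 2026 09:13:58 +0000
Authentication-Results: inbound.example.org; spf=fail smtp.mailfrom=mail.example.net; dkim=none; dmarc=fail header.from=example.com
From: "IT Helpdesk" <helpdesk@example.com>
To: jdoe@example.org
Subject: Action required: your password expires today
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it here: https://example-com.example.net/reset?u=jdoe
"""

BENIGN_EMAIL = b"""Return-Path: <it@example.com>
Received: from mail.example.com (mail.example.com [192.0.2.50]) by inbound.example.org with ESMTPS; Mon, 18 May 2026 09:20:00 +0000
Authentication-Results: inbound.example.org; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "IT" <it@example.com>
To: jdoe@example.org
Subject: Scheduled maintenance Saturday
Content-Type: text/plain; charset="utf-8"

The portal https://portal.example.com/status will be offline Saturday 02:00-04:00.
"""


def domain_of(header_value):
    """Domain part of the first address in a From / Return-Path header, lowercased."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def auth_results(msg):
    """Collapse Authentication-Results into e.g. {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'}."""
    joined = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", joined, re.I)}


def received_chain(msg):
    """Each hop prepends its own Received header, so reversing gives origin -> inbox order."""
    hops = []
    for h in reversed(msg.get_all("Received", [])):
        m = re.search(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(h))
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


URL_RE = re.compile(r'https?://[^\s<>"]+')


def analyze(raw):
    """Return verdict, findings, auth results, hop chain and IOCs for one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom = domain_of(msg["From"])
    return_dom = domain_of(msg.get("Return-Path", msg["From"]))
    auth = auth_results(msg)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    urls = URL_RE.findall(body)
    findings = []
    if return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")
    for check in ("spf", "dkim", "dmarc"):
        if auth.get(check) != "pass":
            findings.append(f"{check}={auth.get(check, 'missing')}")
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host != from_dom and not host.endswith("." + from_dom):
            findings.append(f"link host {host} does not belong to {from_dom}")
    hops = received_chain(msg)
    # Demo threshold (assumption): two independent findings are enough to escalate.
    verdict = "suspicious: escalate with evidence" if len(findings) >= 2 else "likely benign: close"
    return {"verdict": verdict, "findings": findings, "auth": auth, "hops": hops,
            "iocs": {"sender_domain": return_dom, "urls": urls,
                     "origin_ip": hops[0][1] if hops else None}}


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        result = analyze(raw)
        print(name, "->", result["verdict"], result["findings"])
```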
08
Splunk Fundamentals for SOC
SPL · dashboards · failed auth · process execution
Splunk · SPL · Dashboards · SIEM Searching
Elastic is enough for the early lab, but Splunk and SPL show up constantly in SOC postings. Treat this as a focused familiarity block after you have real Elastic triage reps.
1
Stand up Splunk practice
Install Splunk Free or use a safe lab dataset, then ingest Windows, Sysmon, or sample SOC logs for search practice.
2
Practice core SPL searches
Use SPL to find failed logins, rare processes, encoded PowerShell, new services, DNS activity, and top network talkers.
3
Compare SIEM workflows
Rebuild three Kibana dashboard ideas in Splunk and write a Splunk vs Elastic comparison focused on SOC analyst workflow.
PHASE GOAL: Splunk installed or practiced, 10 SPL searches written, 3 dashboards built, and comparison published.
09
Detection Engineering and Rule Tuning
Sigma · Elastic rules · Wazuh rules · false positive tuning
Detection Engineering · Sigma · KQL · Wazuh Rules
This is the bridge from L1 to L2: not just responding to alerts, but improving alert quality.
1
Write practical detections
Create detections for encoded PowerShell, LSASS access, certutil download, scheduled task creation, new local admin, and suspicious outbound traffic.
2
Convert logic to Sigma
Convert at least three detections into Sigma-style logic and document fields, data source, severity, and likely false positives.
3
Tune noisy alerts
Tune one noisy rule by adding exclusions, thresholds, or enrichment requirements, then explain the detection tradeoff.
PHASE GOAL: 6 detections, 3 Sigma-style rules, and 1 tuning write-up with before/after logic.
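As an added example (not code from the roadmap or its build logs), here are four of the Phase 9 detections written in Python over constructed events, emitting the ticket fields Phase 5 step 3 lists and showing the threshold and exclusion tuning Phase 9 step 3 describes. The flattened event format, field names, hostnames, IPs and thresholds are assumptions for the demo, not real Elastic or Wazuh schemas.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical flattened format. Field names are
# assumptions loosely modelled on Windows Security / Sysmon logs, not captured data.
ENC = base64.b64encode("whoami; hostname".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    # 12 failed logons in 12 seconds from one source against three accounts
    *[{"ts": f"2026-05-18T10:00:{s:02d}", "event_id": 4625, "host": "WIN10-VICTIM",
       "user": f"user{s % 3}", "src_ip": "192.168.56.20"} for s in range(12)],
    # one failed logon from the admin workstation: a typo, must stay below threshold
    {"ts": "2026-05-18T10:05:00", "event_id": 4625, "host": "WIN10-VICTIM",
     "user": "admin", "src_ip": "192.168.56.1"},
    # encoded PowerShell launched by an interactive user
    {"ts": "2026-05-18T10:07:10", "event_id": 4688, "host": "WIN10-VICTIM", "user": "jdoe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENC}"},
    # scripted PowerShell from a maintenance task: no -enc, must not fire
    {"ts": "2026-05-18T10:08:00", "event_id": 4688, "host": "WIN10-VICTIM", "user": "SYSTEM",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\patch-check.ps1"},
    # member added to the local Administrators group
    {"ts": "2026-05-18T10:09:30", "event_id": 4732, "host": "WIN10-VICTIM", "user": "jdoe",
     "group": "Administrators", "member": "svc-backup"},
    # new service from a user-writable path, and one from the Wazuh agent install
    {"ts": "2026-05-18T10:10:00", "event_id": 7045, "host": "WIN10-VICTIM", "user": "SYSTEM",
     "service": "UpdaterSvc", "image_path": "C:\\Users\\Public\\upd.exe"},
    {"ts": "2026-05-18T10:11:00", "event_id": 7045, "host": "WIN10-VICTIM", "user": "SYSTEM",
     "service": "WazuhSvc", "image_path": "C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe"},
]


def ticket(alert, severity, ev, evidence, query, verdict, next_action, tuning="n/a"):
    """The Phase 5 ticket fields: alert, severity, host/user, timestamp, query,
    verdict, next action and tuning recommendation."""
    return {"alert": alert, "severity": severity, "host": ev["host"], "user": ev["user"],
            "timestamp": ev["ts"], "evidence": evidence, "query": query,
            "verdict": verdict, "next_action": next_action, "tuning": tuning}


def failed_logon_burst(events, threshold=10, window=timedelta(minutes=5)):
    """Threshold rule: `threshold` or more 4625s from one source to one host within
    `window` of the first failure. A lone typo never reaches the threshold."""
    buckets = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625:
            buckets[(ev["src_ip"], ev["host"])].append(ev)
    tickets = []
    for (src, host), evs in buckets.items():
        evs.sort(key=lambda e: e["ts"])
        first = datetime.fromisoformat(evs[0]["ts"])
        hits = [e for e in evs if datetime.fromisoformat(e["ts"]) - first <= window]
        if len(hits) >= threshold:
            users = sorted({e["user"] for e in hits})
            tickets.append(ticket(
                "Failed logon burst (4625)", "medium", hits[-1],
                f"{len(hits)} failures from {src} in {window}, users={users}",
                f"event_id:4625 AND src_ip:{src} AND host:{host}",
                "investigate", "look for a 4624 from the same source right after the burst",
                f"threshold={threshold} per {window}; raise it if a scanner or service account repeats"))
    return tickets


ENC_RE = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def encoded_powershell(events):
    """Decode the -enc argument (base64 of UTF-16LE) so the ticket shows the real command."""
    tickets = []
    for ev in events:
        m = ENC_RE.search(ev.get("cmdline", ""))
        if ev["event_id"] == 4688 and m:
            decoded = base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
            tickets.append(ticket(
                "Encoded PowerShell (4688)", "high", ev, f"decoded command: {decoded}",
                'event_id:4688 AND cmdline:"-enc"', "escalate",
                "pull the process tree and network connections for this host"))
    return tickets


def local_admin_added(events):
    """A 4732 into the local Administrators group always gets a ticket."""
    return [ticket("Local admin added (4732)", "high", ev,
                   f"{ev['member']} added to {ev['group']} by {ev['user']}",
                   "event_id:4732 AND group:Administrators", "investigate",
                   "confirm a change ticket exists, otherwise escalate")
            for ev in events if ev["event_id"] == 4732 and ev.get("group") == "Administrators"]


SERVICE_PATH_EXCLUSIONS = ("C:\\Windows\\", "C:\\Program Files")


def new_service(events, exclusions=SERVICE_PATH_EXCLUSIONS):
    """7045 rule with the Phase 9 tuning applied: agent installs under Program Files
    are expected noise and are excluded; services from user-writable paths stay."""
    return [ticket("New service from unusual path (7045)", "high", ev,
                   f"{ev['service']} -> {ev['image_path']}", "event_id:7045",
                   "investigate", "hash the binary and check who installed it",
                   f"excluded path prefixes: {list(exclusions)}")
            for ev in events
            if ev["event_id"] == 7045 and not ev["image_path"].startswith(exclusions)]


def run_queue(events=SAMPLE_EVENTS):
    """One first-look pass over the queue: every ticket these events should raise."""
    return (failed_logon_burst(events) + encoded_powershell(events)
            + local_admin_added(events) + new_service(events))


if __name__ == "__main__":
    for t in run_queue():
        print(f"[{t['severity']:>6}] {t['alert']:<36} {t['host']}/{t['user']} -> {t['verdict']}")
```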
🔐
Track 3 — Endpoint and Identity Investigation
Build AD after the L1 workflow foundation, then investigate identity and endpoint attacks like a real SOC.
10
Build an Active Directory Environment
Domain controller · users · groups · GPO · Kerberos basics
Active Directory · Kerberos · Group Policy · Domain Controller
Most enterprise alerts involve identity. Build AD once you already know how to read Windows authentication logs.
1
Deploy domain services
Deploy a Windows Server domain controller or AD-capable lab design with DNS, domain join, and basic domain administration.
2
Create realistic identities
Create users, groups, OUs, service accounts, and intentionally weak configurations that can generate useful security findings.
3
Forward domain logs
Send domain controller security logs into Elastic or Wazuh so authentication and privilege activity can be investigated.
PHASE GOAL: AD domain running with logs flowing into the monitoring stack.
11
AD Attack Simulation + Alert Triage
Password spray · Kerberoast · AS-REP roast · BloodHound
AD Attacks · Kerberoasting · BloodHound · Impacket
Simulate common identity attacks and triage the alerts exactly the way L1/L2 SOC analysts do.
1
Run safe AD attacks
Simulate password spray, AS-REP roasting, Kerberoasting, suspicious admin group changes, and BloodHound collection in the lab.
2
Find the telemetry
Identify the related Windows events, Sysmon events, Wazuh alerts, and SIEM searches for each attack path.
3
Escalate like a SOC analyst
Write tickets that include MITRE mapping, severity, evidence, escalation decision, and containment recommendation.
PHASE GOAL: 5 AD attack scenarios detected, triaged, and documented.
12
Endpoint / EDR Investigation with Wazuh, Sysmon, and Defender-Style Telemetry
Process tree · device timeline · persistence · containment logic
EDR · Wazuh · Sysmon · Process Tree · Containment
SOC postings ask for EDR/XDR. Use Wazuh and Sysmon now, then map the workflow to Defender/CrowdStrike concepts.
1
Investigate endpoint behavior
Review process execution, parent-child chains, network connections, autoruns, services, scheduled tasks, and file changes.
2
Build a device timeline
Create a timeline for one suspicious endpoint scenario using SIEM events, endpoint alerts, user context, and file activity.
3
Choose a response action
Decide whether to isolate the host, disable the user, block an IOC, collect memory, escalate, or close the alert as benign.
PHASE GOAL: 3 endpoint investigations with process trees, timelines, and containment decisions.
13
IAM, Hardening, and Least Privilege
Admin review · local groups · baseline hardening · policy gaps
IAM · Hardening · Least Privilege · CIS Controls
Cybersecurity analyst roles are broader than SOC. This phase connects alert work to prevention and control improvement.
1
Review identity exposure
Review local administrators, domain admins, service accounts, stale users, weak password settings, and unnecessary privileges.
2
Harden the lab systems
Disable unnecessary services, improve audit policy, tighten logging, remove excess privilege, and document before-and-after posture.
3
Map to security controls
Map findings to CIS Controls or NIST CSF and write remediation recommendations in business-friendly language.
PHASE GOAL: IAM/hardening review report with 10 findings and prioritized remediation steps.
🛡️
Track 4 — Cybersecurity Analyst Operations
Add the broader analyst work employers ask for: vulnerability management, intel, IR playbooks, and audit evidence.
14
Vulnerability Management + Patch Prioritization
Nessus/Rapid7-style workflow · CVSS · remediation tracking
Vulnerability Management · CVSS · CVE · Patch Tracking
Charlotte cybersecurity analyst roles repeatedly mention vulnerability assessments and remediation tracking.
1
Run authenticated scans
Run authenticated vulnerability scans against Windows and Linux lab systems using safe targets and documented scan settings.
2
Prioritize risk
Prioritize findings using severity, exploitability, asset criticality, exposure, and business impact rather than CVSS alone.
3
Track remediation
Create a remediation tracker with owner, due date, status, exception, validation evidence, and final outcome.
PHASE GOAL: Credentialed scan completed and remediation tracker published.
15
Threat Intelligence + IOC Enrichment
IOCs · TTPs · reputation checks · threat brief
Threat Intelligence · IOCs · VirusTotal · MITRE ATT&CK
Threat intel should support triage, not become a theory dump. Tie every IOC to an investigation decision.
1
Enrich IOCs
Enrich IPs, domains, hashes, and URLs from alerts using VirusTotal, AbuseIPDB, URLScan, OTX, and vendor reporting.
2
Separate IOC from behavior
Distinguish short-lived tactical IOCs from attacker behavior, then map the behavior to MITRE ATT&CK.
3
Write a threat brief
Produce a one-page threat intelligence brief that explains relevance, risk, evidence, and analyst action.
PHASE GOAL: 10 enriched IOCs and 1 threat brief tied to lab alerts.
16
Incident Response Playbooks + Containment Decisions
NIST lifecycle · PICERL · containment · post-incident review
Incident Response · Playbooks · NIST · PICERL
L2 roles expect containment thinking. Practice the decision tree even if you cannot touch production systems.
1
Build core playbooks
Write playbooks for brute force, phishing, malware execution, admin group changes, suspicious PowerShell, and exposed vulnerable hosts.
2
Define decision points
For each playbook, define evidence to collect, containment options, escalation thresholds, and recovery or remediation steps.
3
Run a tabletop
Run one tabletop scenario and write a post-incident review with timeline, decisions, blockers, and lessons learned.
PHASE GOAL: 6 playbooks and 1 post-incident review completed.
17
GRC, Compliance, Audit Evidence, and Risk Reporting
SOC2/HIPAA mindset · evidence · risk register · metrics
GRC · Audit Evidence · Risk Register · Metrics
Many cybersecurity analyst jobs blend technical analysis with compliance evidence and risk communication.
1
Gather audit evidence
Collect screenshots, tickets, scan results, detections, access reviews, and configuration evidence that prove security work was completed.
2
Build a risk register
Create a small risk register with likelihood, impact, owner, status, treatment plan, and due date.
3
Report SOC metrics
Summarize alerts triaged, true positives, false positives, top categories, recurring issues, and improvement actions.
PHASE GOAL: Risk register, audit evidence package, and monthly SOC metrics report published.
🔬
Track 5 — Deep Investigation and External Practice
Build L2 depth with network, malware, forensics, hunting, and external SOC case platforms.
18
Network Traffic Analysis
Wireshark · PCAPs · DNS · HTTP · C2 patterns
Wireshark · PCAP · DNS · HTTP · Suricata
Network evidence still matters for SOC and IR. Learn to validate what endpoint tools say.
1
Analyze packet captures
Review PCAPs for DNS, HTTP, TLS metadata, unusual ports, scanning, failed connections, and beacon-like timing.
2
Correlate IDS and packets
Correlate Suricata alerts with packet-level evidence and explain what the network traffic proves.
3
Write the network report
Write one network investigation report with timeline, IOCs, affected systems, conclusion, and recommended action.
PHASE GOAL: 5 PCAP exercises and 1 network investigation report.
19
Malware Triage + Sandbox Analysis
Static triage · behavior · IOCs · safe sandboxing
Malware Triage · Any.run · Hybrid Analysis · YARA
You do not need reverse engineering first. Learn practical SOC malware triage: behavior, IOCs, and user impact.
1
Review sandbox output
Safely analyze malware reports from Any.run, Hybrid Analysis, MalwareBazaar, or other public sandbox sources.
2
Extract behavior and IOCs
Document hashes, dropped files, registry keys, network indicators, persistence behavior, process tree, and ATT&CK mapping.
3
Recommend containment
Write a malware triage note with confidence level, scope, block actions, containment, reimage guidance, and follow-up detection ideas.
PHASE GOAL: 5 malware triage notes and 1 YARA or Sigma detection idea.
20
Digital Forensics + Memory Basics
Volatility · Autopsy · FTK Imager · timeline reconstruction
DFIR · Volatility · Autopsy · FTK Imager
Forensics gives you L2 depth and helps you explain what happened after compromise.
1
Run memory triage basics
Practice pslist, pstree, cmdline, netstat, and malfind concepts using safe forensic images or guided memory labs.
2
Review host artifacts
Use Autopsy or FTK Imager concepts to examine filesystem artifacts, browser history, prefetch, registry, and deleted files.
3
Write a DFIR report
Document evidence collected, method, timeline, findings, limitations, and recommended next steps.
PHASE GOAL: Memory/disk investigation report with timeline and evidence table.
21
Threat Hunting
Hypothesis · query · evidence · detection promotion
Threat Hunting · Sigma · ATT&CK Navigator · Hypothesis
Threat hunting is proactive L2 work: start with a hypothesis, search evidence, and turn good hunts into detections.
1
Write hunt hypotheses
Create seven hunt hypotheses covering LOLBins, suspicious PowerShell, LSASS access, rare parent-child processes, DNS anomalies, new services, and persistence.
2
Run the hunts
Execute each hunt in Elastic or Splunk and document the query, data source, result set, verdict, and follow-up action.
3
Map coverage
Create an ATT&CK Navigator coverage map showing what your lab can detect and what visibility gaps remain.
PHASE GOAL: 7 hunt write-ups and 1 ATT&CK coverage map.
22
External SOC Platforms: LetsDefend, CyberDefenders, and BTLO
Alert queue · artifacts · third-party cases · portfolio reports
LetsDefend · CyberDefenders · BTLO · Case Notes
External labs prove your skills are not limited to scenarios you built yourself.
1
Practice alert queues
Complete LetsDefend alert queue cases and focus on evidence-backed closure notes that resemble real SOC work.
2
Write full lab reports
Complete CyberDefenders artifact-heavy labs and write reports that show method, timeline, evidence, and conclusions.
3
Compare platforms
Complete BTLO scenarios across phishing, logs, PCAP, malware, and memory, then compare the strengths of each platform.
PHASE GOAL: 30+ external cases/labs tracked with selected reports published.
☁️
Track 6 — Cloud SOC and Microsoft Security Stack
Cloud, identity, M365, Sentinel, and Defender show up constantly in modern SOC/cybersecurity analyst postings.
23
AWS CloudTrail + GuardDuty + Security Hub
CloudTrail · GuardDuty · IAM · Security Hub
AWS · CloudTrail · GuardDuty · Security Hub · IAM
Your cloud operations background becomes a differentiator when you can investigate cloud security events.
1
Enable AWS security services
Enable CloudTrail, GuardDuty, and Security Hub in a free-tier-safe AWS account with billing controls.
2
Generate cloud activity
Create safe IAM and API activity, then review CloudTrail event history and GuardDuty or Security Hub context.
3
Write cloud investigations
Document suspicious API calls, risky IAM activity, public exposure, and GuardDuty findings with analyst recommendations.
PHASE GOAL: CloudTrail/GuardDuty investigations and cloud remediation notes published.
24
Microsoft Sentinel + Defender + Entra ID / M365 Investigations
KQL · incidents · sign-ins · Defender XDR · mailbox rules
Sentinel · Defender · Entra ID · M365 · KQL
Microsoft security stack experience appears in many SOC and cybersecurity analyst roles.
1
Set up Microsoft practice
Use a Microsoft developer or security lab where available and practice Sentinel KQL basics with identity and endpoint data.
2
Investigate identity and M365
Review Entra ID sign-ins, risky users, conditional access context, mailbox rules, OAuth app activity, and Defender-style endpoint alerts.
3
Compare Microsoft workflow
Write a Microsoft incident report comparing Sentinel and Defender investigation flow to Elastic and Wazuh.
PHASE GOAL: 5 Sentinel/Defender/Entra investigations and a Microsoft stack comparison report.
🐍
Track 7 — L2 SOC Automation
Use Python and SOAR to enrich alerts, reduce repetitive work, and show L2 readiness.
25
Python Automation + SOAR Case Automation
IOC enrichment · parsing · Shuffle · playbooks
Python · SOAR · Shuffle · APIs · Automation
Automation is not a separate career trick. It is how L2 analysts scale triage and enrich alerts quickly.
1
Automate enrichment
Write Python scripts for IOC enrichment, log parsing, hash and domain reputation checks, and ticket note generation.
2
Build SOAR workflows
Create Shuffle SOAR playbooks for phishing enrichment and suspicious IP or domain enrichment.
3
Document human checkpoints
Document inputs, outputs, failure cases, audit trail, and where a human analyst still makes the final decision.
PHASE GOAL: 3 Python scripts, 2 SOAR playbooks, and automation documentation published.
🎯
Track 8 — Land the Job
Turn the lab into proof: portfolio, resume bullets, LinkedIn, interview walkthroughs, and targeted applications.
26
Portfolio, Resume, LinkedIn, and Interview Prep
GitHub reports · resume bullets · lab demo · mock interviews
Portfolio · Resume · LinkedIn · Interview Prep
The final phase packages your work so hiring managers can see job-function proof, not just tool screenshots.
1
Organize the portfolio
Structure GitHub around reports, tickets, detections, playbooks, automation, external labs, and cloud investigations.
2
Rewrite job materials
Update resume and LinkedIn bullets around alerts triaged, detections written, incidents documented, vulnerabilities prioritized, and playbooks built.
3
Practice the walkthrough
Prepare a five-minute lab walkthrough and ten STAR stories tied to real investigations you can defend in interviews.
PHASE GOAL: Portfolio polished, resume updated, LinkedIn aligned, lab walkthrough rehearsed, and applications ready.
02 — Technical Skills

Recruiter Skills Snapshot

A quick scan of the SOC and cybersecurity analyst capabilities this lab is building, mapped to real job duties instead of just tool names.

Role Fit
SOC Analyst I / II + Cybersecurity Analyst

This roadmap is designed to show hands-on readiness for high-volume alert triage, SIEM searching, endpoint and network telemetry review, identity investigations, ticket documentation, cloud security monitoring, vulnerability prioritization, and analyst-style reporting.

SOC Analyst L1 · SOC Analyst L2 · Cybersecurity Analyst · Security Operations · Detection + Response
26
phases mapped to analyst job duties
40+
security tools, platforms, and frameworks
8
skill tracks from lab build to portfolio
4
completed lab build logs documented
ATS Keywords: SIEM · SOC Triage · High-Volume Alert Queue · False Positive Tuning · Incident Response · EDR/XDR · Splunk · Microsoft Sentinel · Wazuh · Elastic · MITRE ATT&CK · Vulnerability Management · Cloud Security · Threat Intel
SIEM + Detection
Search logs, build dashboards, compare platforms, write detections, tune noisy alerts, and map findings to MITRE ATT&CK.
Elastic SIEM · Kibana · Splunk · Microsoft Sentinel · Wazuh XDR · Sigma · SPL · KQL · Detection Rules · Alert Tuning
Endpoint + Host Telemetry
Collect Windows activity, investigate endpoint behavior, review file integrity and configuration alerts, and document host-level findings.
Sysmon · Windows Event Logs · Elastic Agent · Fleet · Wazuh Agent · Microsoft Defender · FIM · SCA
Network Security
Analyze packets, firewall logs, IDS alerts, scans, DNS, HTTP, and TLS metadata to understand suspicious network behavior.
Suricata IDS · Wireshark · tcpdump · pfSense Firewall · Nmap · PCAP Analysis · DNS · HTTP/TLS Metadata
Identity + Access
Build and defend Active Directory, investigate authentication patterns, and understand common identity attack paths.
Active Directory · Windows Server · Group Policy · Entra ID · BloodHound · IAM · Kerberoasting Detection · Password Spraying · Least Privilege
Cloud + Microsoft Security
Review cloud identity, infrastructure, SaaS, and security service logs across AWS, Azure, and Microsoft 365 workflows.
AWS · CloudTrail · GuardDuty · Security Hub · CloudWatch · Azure · Microsoft 365 · Cloud Log Analysis · IAM Review
SOC Operations + IR
Triage high-volume alert queues, separate signal from noise, write tickets, escalate cleanly, document scope, use playbooks, and explain containment decisions.
Alert Triage · 50+ Ticket Sessions · Signal vs Noise · False Positive Tuning · Ticket Writing · Escalation · Shift Handoff · PICERL · Playbooks · Case Notes · Incident Reports
Threat Intel + External Analysis
Enrich indicators, validate suspicious infrastructure, analyze sandbox results, and turn raw IOCs into useful findings.
VirusTotal · AbuseIPDB · URLScan.io · Any.run · Hybrid Analysis · MalwareBazaar · Shodan · CyberChef · MXToolbox · OTX · ATT&CK Navigator · IOC Enrichment
Vulnerability + Risk
Prioritize exposure, connect technical findings to risk, validate fixes, and organize evidence for security reviews.
Vulnerability Management · Patch Prioritization · CIS Controls · NIST CSF · SCA Findings · Access Reviews · Risk Register · Audit Evidence
Adversary Simulation + DFIR
Generate realistic lab activity, preserve evidence, inspect artifacts, triage malware, and write forensic summaries.
Kali Linux · Metasploit · Impacket · CrackMapExec · Mimikatz · Volatility · Autopsy · FTK Imager · PEStudio · YARA
Lab Infrastructure + Practice
Build safe virtual environments, isolate networks, practice SOC cases, and convert outside labs into documented evidence.
VMware Workstation · VirtualBox · UTM · Ubuntu Server · Windows 10 · Kali VM · Host-Only Networking · LetsDefend · CyberDefenders · TryHackMe · BTLO
Automation + Portfolio Proof
Automate enrichment, parse logs, build repeatable notes, and publish clear proof through reports, dashboards, and GitHub.
Python · PowerShell · Shuffle SOAR · VS Code · GitHub · GitHub Pages · API Lookups · Technical Writing · Dashboards
01
Build logs show the work
Daily writeups document what was configured, what broke, what was fixed, and what alerts were generated.
02
Roadmap maps to job functions
The lab covers high-volume triage, detection, ticketing, false-positive tuning, escalation, IR, cloud, vulnerability management, and analyst reporting.
03 — Certifications

Which Certs Actually Matter

Focus on these. In this order. Don't get distracted by expensive or irrelevant certs.

CompTIA Security+
✓ EARNED
The baseline for every SOC and security analyst role. Required on most job postings and a DoD 8570/8140 requirement for government and defense positions.
CompTIA Network+
✓ EARNED
TCP/IP, DNS, VPNs, firewalls — the networking foundation you need to analyze alerts and investigate traffic in any SOC environment.
CompTIA CySA+
✓ EARNED
The most SOC-specific CompTIA cert. Covers threat detection, SIEM analysis, incident response, and vulnerability management. Commonly used as a screening keyword by MSSP applicant tracking systems.
AWS Security Specialty
IN PROGRESS
The highest-level AWS security certification. Covers GuardDuty, CloudTrail, Security Hub, IAM, and cloud incident response. Major differentiator for cloud-adjacent SOC and security analyst roles.
CompTIA A+
WGU — IN PROGRESS
Hardware, OS, troubleshooting, and IT operations fundamentals. Required as part of the WGU B.S. Cybersecurity & Information Assurance degree program.
CompTIA Linux+
WGU — IN PROGRESS
Linux administration, shell scripting, and security hardening on Linux systems. Critical for SOC work — most SIEM servers, EDR tools, and cloud workloads run Linux.
CompTIA Data+
WGU — IN PROGRESS
Data analytics, visualization, and reporting fundamentals. Supports security data analysis, SIEM dashboard work, and threat intelligence reporting skills.
CompTIA PenTest+
WGU — IN PROGRESS
Penetration testing methodology, vulnerability scanning, and ethical hacking. Understanding attacker techniques makes you a stronger defender — essential for L2 SOC and threat hunting roles.
CCSP — (ISC)²
LONG-TERM GOAL
Certified Cloud Security Professional — the gold standard for cloud security engineering roles. Targets the $120K+ Cloud Security Engineer positions. Get this after 2+ years of cloud security experience.
WGU BSCSIA
JAN 2027
Bachelor of Science in Cybersecurity and Information Assurance — Western Governors University. Includes 16 industry certifications built directly into the curriculum. ABET-accredited. NSA/DHS designated National Center of Academic Excellence in Cyber Defense.
04 — Tools

Every Tool You Need

Organized by cost. Most of what you need is free.

FREE TOOLS
Elastic SIEM, Kibana, Sysmon, Suricata IDS, VMware Workstation, VirtualBox, UTM (Mac), Kali Linux, Wireshark, Metasploit, Impacket, BloodHound, mimikatz, CrackMapExec, VirusTotal, AbuseIPDB, URLScan.io, Any.run, MalwareBazaar, Hybrid-Analysis, MXToolbox, CyberChef, Shodan (free tier), ATT&CK Navigator, GitHub, TryHackMe (free tier), LetsDefend (free tier), CyberDefenders (free), Shuffle SOAR, AWS Free Tier, Azure Free Tier, PEStudio, Python, VS Code, Sigma
LOW COST ($10–50/mo or one-time)
05 — Build Logs

Daily Progress

Real updates from my lab. Every day I work on this roadmap I post what I did, what worked, and what broke.

WHY THIS MATTERS

Most people talk about cybersecurity careers. Few actually document the work. These logs are proof — every command run, every alert fired, every problem solved. If you're building your own lab, follow along and use these as a reference.
Day 01: May 18, 2026
Lab Foundation + Elastic SIEM + Suricata IDS
✓ Phase 1 Complete ✓ Phase 2 Complete
Phase 1 — Lab Foundation
  • Built Ubuntu SIEM VM in Oracle VirtualBox
  • Configured dual networking — NAT adapter for internet, Host-Only adapter for lab traffic
  • Confirmed Windows host can reach Ubuntu VM
  • SIEM host-only IP locked in at 192.168.56.101
  • Troubleshot DNS resolution, package repos, and adapter behavior
Phase 2 — Elastic SIEM + Suricata IDS
  • Installed Elasticsearch and Kibana on Ubuntu SIEM
  • Verified Elasticsearch running with systemctl and curl
  • Bound Kibana to 0.0.0.0 for browser access from Windows host
  • Completed Kibana enrollment + setup at http://192.168.56.101:5601
  • Installed Suricata IDS and jq for JSON parsing
  • Updated rule sets with suricata-update
  • Identified interfaces: enp0s8 (NAT) and enp0s3 (Host-Only)
  • Wrote custom ICMP test rule in /tmp/local.rules
  • Validated rule with suricata -T
  • Confirmed packet visibility from Windows with tcpdump
  • Generated alerts logged in fast.log and eve.json
  • Custom signature firing: SOC LAB ICMP TEST ALERT
Up Next — Phase 3
  • Install Sysmon on Windows 10 VM with SwiftOnSecurity config
  • Connect Windows telemetry to Elastic via Fleet / Elastic Agent
  • Build first Kibana detection dashboards
Read full log on GitHub →
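Added example, not code from the author's lab: a small Python reader for the eve.json records that the Day 01 custom ICMP rule produces. It does what the jq filtering step does (keep only event_type "alert"), skips malformed lines instead of aborting, and collapses repeated firings into one row per signature and source/destination pair with first and last seen. The sample lines, the sid 1000001 and the timestamps are constructed.

```python
import json

# Constructed sample eve.json lines (not from the author's lab): one flow record, two
# alerts from the custom ICMP test rule, and one malformed line that must be skipped.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2026-05-18T14:02:11.000000-0700","event_type":"flow",'
    '"src_ip":"192.168.56.1","dest_ip":"192.168.56.101","proto":"TCP"}',
    '{"timestamp":"2026-05-18T14:02:12.000000-0700","event_type":"alert",'
    '"src_ip":"192.168.56.1","dest_ip":"192.168.56.101","proto":"ICMP",'
    '"alert":{"signature":"SOC LAB ICMP TEST ALERT","signature_id":1000001,"severity":3}}',
    '{"timestamp":"2026-05-18T14:02:13.000000-0700","event_type":"alert",'
    '"src_ip":"192.168.56.1","dest_ip":"192.168.56.101","proto":"ICMP",'
    '"alert":{"signature":"SOC LAB ICMP TEST ALERT","signature_id":1000001,"severity":3}}',
    'not json - a truncated write or a log rotation artifact',
]

def parse_alerts(lines):
    """Return (alerts, malformed_count). Keeps only event_type == "alert" records,
    the same filter as `jq 'select(.event_type=="alert")'` over eve.json."""
    alerts, malformed = [], 0
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1          # never let one bad line abort the whole review
            continue
        if event.get("event_type") != "alert":
            continue                # flow, dns, http and stats records are skipped here
        alert = event.get("alert", {})
        alerts.append({"timestamp": event.get("timestamp"), "src_ip": event.get("src_ip"),
                       "dest_ip": event.get("dest_ip"), "proto": event.get("proto"),
                       "signature": alert.get("signature"), "sid": alert.get("signature_id"),
                       "severity": alert.get("severity")})
    return alerts, malformed

def aggregate_alerts(alerts):
    """Collapse repeated firings into one row per (signature, src_ip, dest_ip) with a
    count and first/last seen, which is how an analyst reads a noisy fast.log."""
    rows = {}
    for a in alerts:
        key = (a["signature"], a["src_ip"], a["dest_ip"])
        row = rows.setdefault(key, {"count": 0, "severity": a["severity"],
                                    "first_seen": a["timestamp"], "last_seen": a["timestamp"]})
        row["count"] += 1
        row["first_seen"] = min(row["first_seen"], a["timestamp"])
        row["last_seen"] = max(row["last_seen"], a["timestamp"])
    return rows

if __name__ == "__main__":
    print(aggregate_alerts(parse_alerts(SAMPLE_EVE_LINES)[0]))
```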
Day 02: May 19, 2026
Windows Telemetry, Sysmon, Fleet, and First SOC Dashboard
✓ Phase 2 Complete · Windows + Fleet · Kibana Dashboards
Windows 10 Victim VM + Sysmon
  • Built and configured Windows 10 victim VM in VirtualBox
  • Fixed VirtualBox networking — added both Host-Only and NAT adapters
  • Confirmed Windows-to-Ubuntu communication via ICMP
  • Installed Sysmon with the SwiftOnSecurity configuration
  • Verified Sysmon creating Windows Event Logs under Microsoft-Windows-Sysmon/Operational
Elastic Fleet + Agent Enrollment
  • Installed Fleet Server on the Ubuntu SIEM VM
  • Enrolled Windows 10 victim with Elastic Agent
  • Added the System integration for baseline Windows telemetry
  • Added a Custom Windows Event Logs integration targeting Microsoft-Windows-Sysmon/Operational
  • Confirmed Windows/Sysmon logs ingesting into Elastic under the winlog.winlog dataset
First SOC-Focused Kibana Dashboard
  • Sysmon event volume over time
  • Top Sysmon event codes
  • Top Sysmon processes
  • Top parent processes
  • Destination IP / network connection activity
⚠ Issues Hit + How I Fixed Them
  • Kibana enrollment + auth failures — regenerated enrollment tokens via Elasticsearch API and re-ran setup carefully.
  • VirtualBox clipboard/copy-paste broken — installed Guest Additions on Windows and switched to SSH into Ubuntu for command entry.
  • Windows VM had no internet — only had Host-Only adapter. Added a NAT adapter while keeping Host-Only for lab traffic.
  • Windows and Ubuntu could not ping each other — Windows network profile was set to Public, blocking ICMP. Switched the Host-Only interface to Private and added an inbound ICMP firewall rule.
  • Fleet Server install failing on service token auth — generated a fresh Fleet Server service token via the Elasticsearch API, then reinstalled Fleet Server cleanly.
  • Kibana alerting/Fleet errors due to missing encryption keys — generated Kibana encryption keys, added them to kibana.yml, restarted Kibana.
  • Windows logs not showing in Discover even after enrollment — Fleet output was pointing to the Ubuntu NAT IP (10.0.3.15) instead of the stable Host-Only IP. Updated the managed Fleet Elasticsearch output to https://192.168.56.101:9200, restarted Kibana, restarted the Windows agent, and winlog.winlog data streams started flowing.
Skills Sharpened
  • SIEM deployment + Fleet/Agent enrollment end-to-end
  • Sysmon configuration and Windows telemetry collection
  • Kibana dashboard authoring with SOC-relevant panels
  • VirtualBox dual-adapter networking + Windows firewall troubleshooting
  • Token/auth troubleshooting, service management, log pipeline validation
Up Next — Phase 3
  • Build a full Active Directory domain on Windows Server
  • Simulate AD attacks from Kali — password spray, Kerberoasting, AS-REP Roasting, BloodHound, Pass-the-Hash, DCSync
  • Detect each attack in Kibana and map to MITRE ATT&CK
Read full log on GitHub →
Day 03: May 20, 2026
Wazuh XDR Deployment, Windows Agent, FIM, SCA, and Vulnerability Detection
✓ Phase 3 Complete · Wazuh XDR · Windows Agent · FIM + SCA
Wazuh XDR Platform Build
  • Created a dedicated Ubuntu Server VM for Wazuh instead of installing it on the existing Elastic SIEM VM
  • Configured dual networking with Host-Only for lab traffic and NAT for internet/package access
  • Installed Wazuh Manager, Wazuh Indexer, Wazuh Dashboard, and Filebeat using the all-in-one installer
  • Validated dashboard access at https://192.168.56.105
  • Kept Elastic and Kali powered off during this phase to preserve system resources
Windows Agent + Endpoint Monitoring
  • Deployed the Wazuh agent to the Windows 10 victim VM
  • Confirmed the Windows endpoint reported as active in Wazuh
  • Generated endpoint activity with whoami, ipconfig, net user, and net localgroup administrators
  • Confirmed the working pipeline: Windows 10 Victim → Wazuh Agent → Wazuh Server → Wazuh Dashboard
Detection Tests Confirmed
  • Created and removed a safe local test account to validate Windows account monitoring
  • Triggered and confirmed a high-severity Administrators Group Changed alert
  • Mapped account and admin-group activity to MITRE ATT&CK techniques T1136, T1098, and T1078
  • Configured File Integrity Monitoring for C:\Users\Public and confirmed file deletion detection
  • Ran Wazuh Security Configuration Assessment against the Windows 10 CIS benchmark
  • Enabled and validated Vulnerability Detection after tuning Windows syscollector and hotfix collection
Issues Hit + How I Fixed Them
  • Too many VMs for the phase — ran only Wazuh server and Windows victim while keeping Elastic and Kali off unless needed.
  • VirtualBox copy/paste friction — installed OpenSSH Server and managed Wazuh from Windows PowerShell over SSH.
  • FIM not showing results — corrected the Wazuh <syscheck> XML and added C:\Users\Public as a realtime monitored directory.
  • Vulnerability Detection initially empty — confirmed server-side vulnerability detection was enabled, reduced syscollector interval, enabled hotfix collection, then restarted the Wazuh agent and manager.
Elastic vs Wazuh Takeaway
  • Elastic was stronger for flexible SIEM searching, raw telemetry analysis, and custom Kibana dashboards
  • Wazuh was stronger for built-in endpoint alerts, FIM, SCA, vulnerability detection, compliance posture, and MITRE mapping
  • Using both platforms made the lab stronger because real SOC environments often rely on multiple detection and monitoring tools
Read full log on GitHub →
Day 04: May 21, 2026
Windows, Linux, and Network Log Fundamentals
✓ Phase 4 Complete · KQL · Sysmon · Windows + Linux Logs
Phase 4 Focus
  • Shifted from tool setup into SOC Analyst L1 log interpretation and investigation fundamentals
  • Used Kibana Discover with the logs-* data view to review Windows, Sysmon, DNS, and network events
  • Reviewed Linux authentication and service logs directly from the Ubuntu SIEM VM using grep, tail, and journalctl
  • Documented 20+ event scenarios with event meaning, key fields, SOC value, and search examples
Windows + Sysmon Events Reviewed
  • Sysmon Event ID 1 for process creation, command lines, parent processes, and net.exe / net1.exe activity
  • Sysmon Event ID 3 for process-to-network connections and outbound destination review
  • Sysmon Event ID 22 for DNS queries tied back to endpoint process context
  • Sysmon Event IDs 7, 10, 11, and 13 for image loads, process access, file creation, and registry value changes
  • Windows Security Event IDs 4624, 4625, 4672, 4720, 4726, 4732, and 4740 for authentication, privilege, account, and group-change investigations
  • Windows System Event ID 7045 for new service installation and persistence-style review
Linux + Network Log Review
  • Reviewed SSH authentication activity in /var/log/auth.log
  • Reviewed sudo usage to understand privileged Linux command activity
  • Checked Elasticsearch, Kibana, and SSH service logs with journalctl
  • Reviewed network fundamentals: source IP, destination IP, source port, destination port, protocol, DNS query, user agent, and IDS signature
  • Reviewed Suricata IDS alert fields from fast.log and eve.json
Issues Hit + How I Fixed Them
  • ECS fields were blank — used raw Sysmon fields like winlog.event_data.CommandLine, Image, and ParentImage instead of relying only on normalized fields.
  • Specific test file did not appear in Event ID 11 — validated that file-created events existed, added target filename fields, broadened searches, and moved on instead of getting stuck on one exact test file.
  • KQL wildcard searches were picky — broadened searches by event code first, inspected raw fields manually, then narrowed the query.
  • Noisy Windows background events — separated normal system activity from suspicious activity by focusing on field meaning and event context.
Skills Sharpened
  • KQL searching, field selection, and raw event inspection in Kibana
  • Windows authentication, account-change, process, DNS, network, registry, and service-event interpretation
  • Linux SSH, sudo, and service log review from the terminal
  • Network log analysis across IPs, ports, protocols, DNS, and IDS alert fields
  • Interview-ready explanation of how analysts use logs to answer what happened, when, where, which host, which user, and whether it looks suspicious
Up Next — Phase 5
  • Use the logs from Phase 4 to practice a real SOC L1 alert queue workflow
  • Generate safe alerts for failed logins, admin group changes, suspicious PowerShell, file deletion, scans, and new services
  • Write evidence-backed case notes with alert name, severity, host, user, timestamps, query used, verdict, and next action
Read full log on GitHub →
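Added example, not the author's code: the Phase 4 log review and the Phase 5 case-note workflow as Python over constructed winlog-shaped events. It keys on winlog.channel together with winlog.event_id so Sysmon Event ID 1 is never confused with a Security or System event, treats single 4625s as noise until a host/source/account combination crosses a threshold, and emits case notes with alert name, severity, host, user, timestamp and evidence. The host name, account names, IP addresses, service name and threshold are all made up.

```python
from collections import defaultdict

# Constructed sample events shaped like Elastic winlog documents (not the author's
# lab data). The channel decides whether an event ID belongs to Sysmon, Security or System.
def _evt(ts, channel, eid, data, host="WIN10-VICTIM"):
    return {"@timestamp": ts, "host.name": host, "winlog.channel": channel,
            "winlog.event_id": eid, "winlog.event_data": data}

SAMPLE_EVENTS = [
    _evt(f"2026-05-20T09:00:{i:02d}Z", "Security", 4625,
         {"TargetUserName": "alice", "IpAddress": "192.168.56.50"}) for i in range(6)
] + [
    _evt("2026-05-20T09:04:58Z", "Microsoft-Windows-Sysmon/Operational", 1,
         {"Image": "C:\\Windows\\System32\\net1.exe", "User": "WIN10-VICTIM\\labadmin",
          "CommandLine": "net1 localgroup administrators tempuser /add",
          "ParentImage": "C:\\Windows\\System32\\net.exe"}),
    _evt("2026-05-20T09:05:00Z", "Security", 4732,
         {"TargetUserName": "Administrators", "MemberName": "WIN10-VICTIM\\tempuser",
          "SubjectUserName": "labadmin"}),
    _evt("2026-05-20T09:06:00Z", "System", 7045,
         {"ServiceName": "UpdaterSvc", "ImagePath": "C:\\Users\\Public\\upd.exe",
          "AccountName": "LocalSystem"}),
]

def _note(alert, severity, e, user, evidence):
    return {"alert": alert, "severity": severity, "host": e["host.name"], "user": user,
            "timestamp": e["@timestamp"], "evidence": evidence}

def triage(events, failed_login_threshold=5):
    """Turn raw events into case notes (alert, severity, host, user, timestamp, evidence).
    Single 4625s are noise; they become a note only once one host/source/account crosses the threshold."""
    notes, failed = [], defaultdict(list)
    for e in events:
        d, eid, chan = e["winlog.event_data"], e["winlog.event_id"], e["winlog.channel"]
        if chan == "Security" and eid == 4625:
            failed[(e["host.name"], d["IpAddress"], d["TargetUserName"])].append(e["@timestamp"])
        elif chan == "Security" and eid == 4732 and d["TargetUserName"] == "Administrators":
            notes.append(_note("Administrators group changed", "high", e, d["SubjectUserName"],
                               f"{d['MemberName']} added to Administrators"))
        elif chan == "System" and eid == 7045:
            notes.append(_note("New service installed", "medium", e, d.get("AccountName", "-"),
                               f"{d['ServiceName']} -> {d['ImagePath']}"))
        elif (chan == "Microsoft-Windows-Sysmon/Operational" and eid == 1
              and d["Image"].rsplit("\\", 1)[-1].lower() in {"net.exe", "net1.exe"}):
            notes.append(_note("net.exe / net1.exe execution", "low", e, d["User"], d["CommandLine"]))
    for (host, ip, user), stamps in failed.items():
        if len(stamps) >= failed_login_threshold:
            notes.append({"alert": "Failed login burst", "severity": "medium", "host": host, "user": user,
                          "timestamp": stamps[0], "evidence": f"{len(stamps)} x 4625 from {ip}"})
    return sorted(notes, key=lambda n: n["timestamp"])
```

Raising the threshold drops the burst note while the other three notes remain, which is the tuning step the log describes for separating background noise from real activity.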
06 — My Journey

Where I Am On This Path

I'm following this same roadmap. Here's my timeline — so you can see it's achievable.

2022 — 2024
IT Support Analyst — Apple IS&T HelpLine
Enterprise IT support for Apple's internal infrastructure. Built foundation in systems, networking, and troubleshooting at scale.
2024 — Present
Cloud & Network Operations — Bay Alarm
Managing cloud and network infrastructure in production. Earned Security+, Network+, and CySA+ while working full-time. Currently pursuing AWS Security Specialty.
Early 2026
Built first home SOC lab
Deployed Elastic SIEM, Snort IDS, Sysmon, pfSense, and a virtualized Active Directory environment. Started generating real alerts and triaging them.
May 2026 · RIGHT NOW
Expanding lab — working through this roadmap
New lab machine set up. Starting the full 40-lab roadmap from Phase 1. Documenting everything publicly so others can follow the same path.
End of 2026 — Target
SOC Analyst L1 or L2
Complete the roadmap. Finish AWS Security Specialty. Build a GitHub portfolio of 20+ reports. Land an L1 or L2 SOC role at an MSSP or enterprise SOC in Charlotte or remote.
End of 2027 — Target
Cloud Security Engineer
1 year of SOC experience + cloud certifications + Python and automation skills → pivot to Cloud Security Engineering. The destination this whole path is working toward.
Why Cloud Security Engineering
Cloud Security Engineer — Average Salary
$147K
Range: $110,000 – $185,000+ annually
The SOC analyst path isn't just about landing a security job — it's the foundation for cloud security engineering, where the combination of detection experience and cloud expertise commands top-of-market compensation.
Follow the journey.
I update this roadmap as I learn. If you found it helpful, connect on LinkedIn — I post regular updates on labs, certs, and the job hunt.