So you want to be a SOC Analyst? Intro
A blog series for someone wanting to get a start as a SOC Analyst
UPDATE - 3/11/2025
Since the original SYWTBSA series was published in February 2023, many changes have occurred, leading me to sunset this version in favor of SYWTBSA 2.0. Key reasons for this decision include:
VMware challenges following the Broadcom acquisition.
Ongoing issues with inconsistencies in student-built VM environments.
Microsoft discontinuing free developer VM downloads.
Extensive course updates required, making it impractical to maintain two versions.
The series is now offered as a “pay what you can” course, resolving all of these challenges. You can register here, which helps me continue developing and updating the content while providing support to the hundreds of learners who go through it each year.
Series Intro
Over the years, I’ve had the fortune of mentoring many up-and-comers trying to get a foothold in the information security space. One of the most common questions I am asked is, “What should I do to improve my chances of landing an entry-level SOC analyst job?”
My answer to that question has changed over the years as technology and methodology have evolved. Back in the earlier days, when we walked uphill both ways to the SOC, I would’ve recommended a complex (but very rewarding) process of spinning up a mid-size virtual machine environment complete with a small firewall (pfSense), a router (VyOS), one or two Windows hosts, an attack box (Kali, etc.), network monitoring (Arkime/Suricata), and most importantly a log aggregation tool (Graylog or ELK/OpenSearch). Once those systems were up and running, the adventure of deploying agents (Sysmon, Beats) to generate and ship telemetry to the logging tool begins. Only then does it make sense to start practicing basic attacks against the Windows hosts in order to observe the telemetry and begin “detecting” threats. Just the lab build alone was a many-hour endeavor; it’s a long road before you’re actually doing SOC analyst stuff.
I was (and still am) a big fan of this approach, not only because it is how I got my own start (which eventually led to the creation of OpenSOC), but also because there is so much indirect learning that takes place while trying to deploy and configure these systems, routers, and firewalls, as well as fun side-quests like troubleshooting log parsers, tuning Sysmon, configuring audit policies, etc. For these reasons and more, I still recommend this approach to anyone lacking general IT knowledge, because it will help you gain the knowledge needed to be a good security practitioner. If this approach sounds like something that would be beneficial to you, there are plenty of resources across the web to help you set up a test lab for defensive research. A book I have heard great things about is “Building Virtual Machine Labs: A Hands-On Guide” by Tony Robinson, and you should absolutely check out Jeff McJunkin’s guide on Building Your Own Kickass Home Lab.
That said, technology has evolved drastically since those days and my new approach to “quickly getting up to speed for SOC work” has evolved as well. This series will focus on the new approach I recommend to up-and-comers.
Let me also clarify that I am not saying “this is all you need” — a strong working knowledge of general IT and some strong entry-level training (such as Antisyphon, Applied Network Defense, or SANS) is a huge plus as well. However, I will say, as a hiring manager and infosec startup founder, that the direct and indirect skills you will gain with this approach are the ones I am personally looking for in a candidate, above and beyond what letters you put after your name. If you want to know more about what I (and many others) are looking for in a SOC analyst candidate, check out this interview I did with Gerry Auger on his “Simply Cyber” webcast: “Everything Security Operations Analyst Entry Level.”
Online Course with Cloud-Hosted VMs
To get started, head over to So you want to be a SOC Analyst? 2.0 which features a fully cloud-hosted version of the VM, requiring only a remote desktop client to get through this lab series!
Lab Sections (1.0, deprecated)
Part 1 - Set up a small virtualization environment (2 small VMs)
Part 2 - Put on your adversary hat, it's time to make (and observe) some noise
Part 3 - Emulating an adversary for crafting detections
Part 4 - Blocking an attack
Part 5 - Tuning false positives
Part 6 - Trigger YARA scans with a detection rule
The very awesome Gerry Auger of SimplyCyber did a full video walk-through of this series. Now you can follow along each step of the series before trying it yourself. Watch the video below.
Update, again! Gerry and I did a joint video together where we go through his walk-through video, but with commentary.
I'm currently going through SANS Bachelor's Program and I agree that the caliber of instruction is magnificent.
Hello, I have a problem with downloading the Windows virtual machine. The link you provided says "Due to ongoing technical issues, as of October 23, 2024, downloads are temporarily unavailable." Would you be able to suggest any alternative?