A roadmap for security operations: networking, logs, SIEM, alert triage, incident response, threat intelligence, detection rules, and SOC portfolio labs.
Build the base needed to understand alerts: networking, Windows/Linux basics, identity, malware, web attacks, and security controls.
Understand TCP/IP, DNS, HTTP, Windows Event Logs, Linux auth logs, process activity, and endpoint telemetry.
Recognize phishing, brute force, suspicious PowerShell, malware beacons, web attacks, lateral movement, and data exfiltration.
Use SIEM tools to search logs, validate alerts, enrich events, prioritize incidents, and write useful case notes.
Search by host, user, IP, hash, process, URL, time window, event ID, and correlate across data sources.
Document evidence, impact, timeline, scope, false-positive reasons, next actions, and escalation paths.
Investigate login logs, IP reputation, impossible travel, MFA status, device history, and escalation notes.
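The impossible-travel check named above, as an added example (not code from the roadmap or from any identity product): consecutive sign-ins by the same user are compared by great-circle distance and elapsed time, and any pair implying travel faster than a plausible speed is flagged together with the MFA status of the second sign-in. The sample events, their RFC 5737 documentation-range IPs and their coordinates are constructed (a real pipeline would resolve coordinates from a GeoIP source), and the 900 km/h threshold is an assumption.

```python
"""Impossible-travel check over constructed sign-in events.

Added example; not code from any product or vendor. Coordinates are embedded
in the sample data (a real pipeline would resolve them from a GeoIP source)
and the 900 km/h threshold is an assumption."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: roughly airliner cruising speed


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    src_ip: str
    lat: float
    lon: float
    mfa: bool  # whether the sign-in satisfied MFA


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins: List[Login],
                      max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> List[Dict]:
    """Flag consecutive sign-ins by one user that imply travel faster than max_speed_kmh."""
    by_user: Dict[str, List[Login]] = {}
    for login in sorted(logins, key=lambda l: l.ts):
        by_user.setdefault(login.user, []).append(login)

    findings: List[Dict] = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            distance_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # Same location is never suspicious; distinct locations at the
            # same instant are treated as infinite speed.
            if distance_km < 1.0:
                continue
            speed_kmh = float("inf") if hours == 0 else distance_km / hours
            if speed_kmh > max_speed_kmh:
                findings.append({
                    "user": user,
                    "from_ip": prev.src_ip,
                    "to_ip": cur.src_ip,
                    "distance_km": round(distance_km, 1),
                    "elapsed_hours": round(hours, 2),
                    "speed_kmh": speed_kmh if hours == 0 else round(speed_kmh, 1),
                    "mfa_on_second_login": cur.mfa,
                })
    return findings


# Constructed sample: alice signs in from New York, then London one hour later
# without MFA; bob signs in from Berlin, then Munich four hours later.
UTC = timezone.utc
SAMPLE_LOGINS = [
    Login("alice", datetime(2024, 3, 1, 9, 0, tzinfo=UTC), "203.0.113.10", 40.7128, -74.0060, True),
    Login("alice", datetime(2024, 3, 1, 10, 0, tzinfo=UTC), "198.51.100.7", 51.5074, -0.1278, False),
    Login("bob", datetime(2024, 3, 1, 8, 0, tzinfo=UTC), "203.0.113.55", 52.5200, 13.4050, True),
    Login("bob", datetime(2024, 3, 1, 12, 0, tzinfo=UTC), "203.0.113.56", 48.1351, 11.5820, True),
]

if __name__ == "__main__":
    for finding in impossible_travel(SAMPLE_LOGINS):
        print(finding)
```

The finding carries the fields a case note needs (both IPs, distance, elapsed time, implied speed, MFA state of the second sign-in); IP reputation and device history would be enrichment steps layered on top, not part of the check itself.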
Move from reacting to alerts toward writing detections, tuning rules, hunting threats, and improving playbooks.
Write Sigma/YARA-style detections, tune noisy alerts, map to ATT&CK, and test with sample telemetry.
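A Sigma-style detection with an ATT&CK tag, a tuning filter, and a run against sample telemetry, as an added example (not code from the roadmap or from the Sigma project). It implements only the subset of Sigma syntax it needs (the `contains`, `endswith` and `startswith` modifiers and conditions of the form `a and not b`); the events follow the Sysmon process-creation field names, and the "BackupAgent" parent process the filter allowlists is a hypothetical vetted tool used to show how tuning removes a known-good match.

```python
"""Sigma-style rule evaluated against constructed endpoint telemetry.

Added example; not the Sigma project's code. Supports a small subset of Sigma:
field|modifier keys with |contains, |endswith, |startswith, lists as OR,
fields within a selection as AND, and conditions like "a and not b"."""
import copy
from typing import Any, Dict, List

# Constructed rule: encoded PowerShell command line, mapped to ATT&CK
# T1059.001, with a tuning filter for a hypothetical vetted backup agent.
RULE: Dict[str, Any] = {
    "title": "Encoded PowerShell Command Line",
    "tags": ["attack.execution", "attack.t1059.001"],
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc ", "-encodedcommand"],
        },
        "filter": {  # hypothetical vetted tool that launches encoded commands
            "ParentImage|endswith": "\\BackupAgent\\agent.exe",
        },
        "condition": "selection and not filter",
    },
}

# Constructed Sysmon Event ID 1 (process creation) style events.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Computer": "WS01", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"Computer": "SRV02", "User": "CORP\\svc_backup",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Program Files\\BackupAgent\\agent.exe",
     "CommandLine": "powershell.exe -EncodedCommand UwB0AGEAcgB0AA=="},
    {"Computer": "WS03", "User": "CORP\\asmith",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"Computer": "WS01", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]


def _match_field(event: Dict[str, str], key: str, expected: Any) -> bool:
    """Sigma string matching is case-insensitive; a list of values is an OR."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    values = expected if isinstance(expected, list) else [expected]
    for value in values:
        v = str(value).lower()
        if modifier == "contains" and v in actual:
            return True
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "startswith" and actual.startswith(v):
            return True
        if modifier == "" and actual == v:
            return True
    return False


def _match_selection(event: Dict[str, str], selection: Dict[str, Any]) -> bool:
    """All fields of a selection must match (AND)."""
    return all(_match_field(event, k, v) for k, v in selection.items())


def _eval_condition(condition: str, results: Dict[str, bool]) -> bool:
    """Evaluate conditions of the form 'a', 'a and b', 'a and not b'."""
    outcome = True
    for term in condition.split(" and "):
        term = term.strip()
        negate = term.startswith("not ")
        name = term[4:].strip() if negate else term
        outcome = outcome and (not results[name] if negate else results[name])
    return outcome


def run_rule(rule: Dict[str, Any], events: List[Dict[str, str]]) -> List[Dict[str, Any]]:
    """Return one alert per event that satisfies the rule's condition."""
    detection = rule["detection"]
    names = [k for k in detection if k != "condition"]
    alerts = []
    for event in events:
        results = {n: _match_selection(event, detection[n]) for n in names}
        if _eval_condition(detection["condition"], results):
            alerts.append({"rule": rule["title"], "tags": rule["tags"],
                           "host": event["Computer"], "user": event["User"],
                           "command_line": event["CommandLine"]})
    return alerts


def run_without_tuning(rule: Dict[str, Any], events: List[Dict[str, str]]) -> List[Dict[str, Any]]:
    """Same rule with the tuning filter dropped, to measure what tuning removed."""
    untuned = copy.deepcopy(rule)
    untuned["detection"]["condition"] = "selection"
    return run_rule(untuned, events)


if __name__ == "__main__":
    print("untuned:", len(run_without_tuning(RULE, SAMPLE_EVENTS)), "alerts")
    for alert in run_rule(RULE, SAMPLE_EVENTS):
        print("tuned  :", alert)
```

Comparing `run_without_tuning` with `run_rule` on the same sample is the test a tuning change should ship with: the filter must remove exactly the known-good event and nothing else.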
Use hypotheses, indicators, baselines, timelines, ATT&CK techniques, and hunting reports.
Build evidence of SOC skill with home labs, alert writeups, detection rules, reports, and interview stories.
Run Security Onion, Splunk, Wazuh, sample logs, attack simulations, and incident response notebooks.
Analyze sample alerts, write case notes, build a timeline, classify severity, propose detection tuning, and publish a report.