Security+, Network+, A+, MS-900

December 30, 2025
It’s been a while since my last post. During that time I was grinding and learning a lot. I mostly followed the SOC L1 path on TryHackMe. I completed it in November 2025, along with prerequisite paths like Cybersecurity 101, but THM updated the SOC L1 rooms and the version I had finished was labeled legacy. So I spent November and December finishing the updated path and doing the Advent of Cyber 2025 challenges.
That was a lot of information, skills, tools, and techniques to absorb. I'll try to give a general overview that puts what I learned in order, without going into too much detail. I'll save the deep dives for later posts.
I also kept a 180-day learning streak on TryHackMe, which is more a motivational metric than a meaningful achievement, but it kept me going.
Coursework consisted of 15 main chapters filled with different rooms:
Blue Team Introduction - Started my defensive security journey by exploring the Blue Team and the Security Operations Centre (SOC). I learned why defensive security matters and how it protects organisations.
SOC Team Internals - Practised core SOC analyst skills to triage, classify, and escalate alerts in realistic SOC scenarios.
Core SOC Solutions - I got hands‑on with SIEM, EDR, and SOAR to understand the core tools SOC analysts rely on.
Cyber Defence Frameworks - Studied frameworks like Pyramid of Pain, Cyber Kill Chain, and MITRE to better understand adversary behaviour and improve detection and response.
Phishing Analysis - Analysed phishing emails and practised techniques to identify and defend against real‑world phishing attempts.
Network Traffic Analysis - Learned the basics of network traffic analysis and used Wireshark to spot different types of attacks.
Network Security Monitoring - Explored network security fundamentals, monitoring perimeters, and analysing traffic and logs for signs of MITM, discovery, and exfiltration.
Web Security Monitoring - Practised protecting and monitoring web services through SOC‑oriented labs and real‑world scenarios.
Windows Security Monitoring - Dug into Windows logging and used real examples to detect common Windows attacks.
Linux Security Monitoring - Learned Linux logging and applied hands‑on labs to detect typical Linux attacks.
Malware Concepts for SOC - Identified common malware types, analysed files, and learned why living‑off‑the‑land techniques are increasingly used.
Threat Analysis Tools - Practised using threat intelligence, enrichment techniques, and analysis workflows to strengthen SOC investigations.
SIEM Triage for SOC - Used SIEM to detect early signs of attacks, investigate alerts, and correlate logs to build incident timelines.
SOC Level 1 Capstone Challenges - Investigated critical incidents and applied the full set of SOC L1 skills while handling diverse artefacts.
During the course I was introduced to many new tools (and commands) that were required to complete the challenges.
Splunk / ELK - triage alerts, investigate malicious activity, analyse logs, and spot threats.
CyberChef - decoding, deobfuscation, and quick data transformations.
Wireshark - network traffic capture and analysis.
Snort - write detection rules and operate an IDS/IPS.
Linux logs - analyse logs such as /var/log/auth.log and /var/log/audit.log.
Sysmon - Windows event monitoring (also available for Linux); many event IDs to learn.
yarGen + Loki - generate YARA rules with yarGen and scan hosts for matches with Loki.
Gobuster - web directory and virtual host enumeration.
whois - OSINT for domain and registrant information.
nmap - active reconnaissance and host/service enumeration.
Other command examples:
netstat, traceroute, ping, arp, nslookup, dig,
sha256sum, md5sum, grep, find, strings,
ps, pstree, top
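To show what the "Linux logs" and grep/sort/uniq items above look like in practice, here is an added example of my own, not code from the TryHackMe rooms: a small shell triage script that runs over constructed /var/log/auth.log lines (the host name, IPs and timestamps are made up) and pulls out the SSH brute-force pattern a SOC L1 analyst looks for, a burst of "Failed password" entries from one source followed by an "Accepted" login, plus any sudo commands executed afterwards.

```shell
#!/usr/bin/env bash
# Added example: SSH brute-force triage over constructed auth.log lines.
# Nothing here is from a real system; the log text below is hand-written
# to look like sshd/sudo entries in /var/log/auth.log.

SAMPLE_AUTH_LOG='Dec 30 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Dec 30 10:01:04 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Dec 30 10:01:06 host sshd[1203]: Failed password for root from 203.0.113.5 port 51024 ssh2
Dec 30 10:01:08 host sshd[1205]: Failed password for root from 203.0.113.5 port 51025 ssh2
Dec 30 10:01:10 host sshd[1207]: Failed password for root from 203.0.113.5 port 51026 ssh2
Dec 30 10:01:15 host sshd[1209]: Accepted password for root from 203.0.113.5 port 51027 ssh2
Dec 30 10:02:00 host sshd[1301]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Dec 30 10:02:30 host sshd[1303]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Dec 30 10:03:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id'

# failed_by_ip <logtext>
# Prints "<count> <ip>" for every source IP with failed SSH passwords,
# most failures first. This is the classic grep | sort | uniq -c pivot.
failed_by_ip() {
  printf '%s\n' "$1" \
    | grep 'sshd\[[0-9]*\]: Failed password' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# brute_force_then_success <logtext> <threshold>
# Prints each IP that failed at least <threshold> times AND later got an
# "Accepted" login: failures alone are noise, failures followed by success
# are an incident.
brute_force_then_success() {
  log="$1"
  threshold="$2"
  failed_by_ip "$log" | while read -r count ip; do
    [ "$count" -ge "$threshold" ] || continue
    if printf '%s\n' "$log" | grep -q "Accepted .* from $ip port"; then
      printf '%s\n' "$ip"
    fi
  done
}

# sudo_commands <logtext>
# Prints "<user> <command>" for every sudo entry, to see what an account
# did after logging in.
sudo_commands() {
  printf '%s\n' "$1" \
    | sed -n 's/.*sudo: *\([^ ]*\) : .*COMMAND=\(.*\)$/\1 \2/p'
}

# Stand-alone usage: run the triage over the constructed sample.
if [ "${1:-}" = "--demo" ]; then
  echo "Failed SSH logins by source IP:"
  failed_by_ip "$SAMPLE_AUTH_LOG"
  echo "Brute force followed by a successful login (threshold 3):"
  brute_force_then_success "$SAMPLE_AUTH_LOG" 3
  echo "sudo commands:"
  sudo_commands "$SAMPLE_AUTH_LOG"
fi
```

Against a real host you would replace `"$SAMPLE_AUTH_LOG"` with `"$(cat /var/log/auth.log)"` (or `journalctl -u ssh`), and the threshold is a judgement call rather than a constant: five failures in eight seconds from one IP, then a successful root password login, is the kind of sequence that should be escalated, while a single typo from a known admin is not.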
⛏️Keep on grinding⛏️

© 2026 Lucas Wiktorowicz. All rights reserved.