SOC SIM

Tryhackme SOC SIM

Written by Blackout
Updated this week

What is SOC SIM?

TryHackMe is thrilled to announce the launch of SOC Sim, a groundbreaking product designed to empower Security Operations Center (SOC) Analysts to gain practical experience, build confidence, and develop their investigative mindset to accelerate their careers.

With the launch of SOC Sim from TryHackMe, SOC analysts now have a new, powerful tool at their disposal. Launching with a catalogue of scenarios to choose from, analysts are exposed to a diverse set of threats and investigation opportunities in a real-to-life environment to help build their confidence, experience and progression in their roles.

What is included in SOC SIM?

  1. Real-Life Scenarios: SOC Simulator offers a gamified environment with real-life tooling where users can spin up hypothetical scenarios varying in difficulty and skillset. These scenarios allow users to build experience triaging and investigating alerts across the different alert types and attack vectors typically encountered across the industry.

  2. Dynamic Alert Queues: Users are presented with a dynamic, live alert queue containing both true and false positives. Their mission is to triage and investigate alerts using real tooling and embedded virtual machines, paying careful attention to the company documentation unique to each scenario.

  3. Incident Response Simulation: Users can follow Playbooks tailored to each scenario, mimicking real-world Incident Response Plans. Playbooks change based on the organisation, industry, and scenario difficulty, providing a comprehensive learning experience.

  4. Solo and multiplayer options: Users can play solo or collaborate in their teams, working through scenarios together and picking up multiple alerts simultaneously. Key metrics, such as Mean Time to Resolve (MTTR), are tracked in a points-driven simulation, promoting competition and skill development.

  5. Progress Tracking: Team Managers can monitor their team's progression through the SOC Simulator, reviewing detailed reports submitted by team members and improvements across key alert types and skillsets. This streamlines onboarding and supports skills assessment as part of career progression and reviews.

Who is SOC SIM for?

SOC SIM is for users aiming to enter the cybersecurity field, such as aspiring SOC analysts or professionals seeking to improve their skills in a simulated environment. It's also useful for researchers studying cybersecurity tactics, as well as businesses and organizations looking to train their security teams, test security tools, and improve incident response strategies in a safe, controlled setting.

FAQs

Q: Can I use the SOC Sim any time?

A: Yes. To get started, simply choose a scenario and dive into triaging alerts immediately. If you need to pause, you can leave at any time, though we recommend not abandoning an alert you are actively investigating: the timer will not stop until you have closed out the alert, which will negatively skew your Mean Time to Resolve.

Q: I’m a SOC Manager, how can I track my team’s usage of the SOC Sim?

A: If you’re in an admin seat on the Business plan, you will be able to see a collection of qualitative and quantitative reports for all of your team’s activity in the SOC Sim. Write-ups and activity logs for each closed-out alert are available for every scenario your team has completed, along with accompanying dashboards to measure improvements in Mean Time to Response, Mean Dwell Time, Alerts closed, scenario completion and more!

Q: I’m a team manager, should I review all the answers?

A: Users are awarded points and given qualitative feedback (via AI) on their case reports for the alerts they triage and close out. Users will fail a scenario if they incorrectly classify a True Positive alert.

Based on the points awarded and qualitative feedback they receive, users will be able to identify how they can improve without input from team managers.

However, team managers will be able to view their team’s previous scenario attempts (both Passed and Failed attempts), along with the case reports they submitted for each alert in the attempt, should they wish to review their team’s performance in more detail and offer additional feedback.

Q: I’m a team manager, how can I compare my team?

A: For public launch, managers will be able to compare their team via the Leaderboard and through advanced reporting.

The leaderboard displays the total SOC Sim points achieved per user in your team. The user with the highest points will have completed the most scenarios with the highest degree of accuracy, since points are awarded based on correct classification, escalation and case report detail.

Advanced reporting for SOC Sim will be available via the Management Dashboard, where managers can compare previous attempts at SOC Sim scenarios made by their team, including whether they passed or failed the attempt, and the case reports the user submitted during the scenario. Key metrics, such as their team’s Mean Time To Resolve (MTTR), Mean Dwell Time, False Positive Rate and more can be analysed over time to assess your team’s progression.

Q: Do I need to use my own VM or tooling?

A: Nope! Everything you need is available in-browser via the Simulator panel. The simulator uses an embedded Splunk dashboard and virtual machine with all the tools and resources you need to successfully triage, investigate and close out alerts.

Q: How often will there be new content releases?

A: We are aiming to introduce a regular Scenario release cycle/cadence similar to room releases, though likely to be less frequent than rooms.

Q: Will it be available for Free / Premium users? Can users buy access separately?

A: There will be some scenarios available to Free and Premium users on a scaled-down / restricted version of the simulator. Full access is available on the Business plan. Users will not be able to buy access separately.

Q: What's the difference between this and SOC level 1?

A: SOC L1 is our Learning Path for users looking to learn the skills needed to work as a Junior Security Analyst in a Security Operations Centre.

SOC Simulator is targeted at SOC L1-2 as a way for users to gain practical experience, build confidence, and develop their investigative mindset to accelerate their careers.

Therefore, the SOC L1 learning path is a great segue into the SOC Simulator and would serve as an appropriate prerequisite before attempting any SOC Simulator engagements.

Q: Is it more difficult than SOC level 2?

A: SOC Simulator scenarios will touch on many aspects covered in the SOC Level 2 path, such as Malware analysis and in-depth log analysis using Splunk.

Since SOC Level 2 is a learning path and SOC Sim scenarios are more like challenges, it’s hard to say if one is more difficult than the other, but there will certainly be some very challenging scenarios and engagements available for SOC Sim that will test the abilities of even advanced SOC Analysts.

Q: Will I accrue points on the TryHackMe leaderboard?

A: Each team has its own leaderboard within the SOC Sim for competing with your teammates. However, since the full SOC Sim feature is available only to users on the Business plan, there is no public leaderboard available for SOC Simulator at launch. In a future iteration, a public leaderboard for cross-company competition may be released.

Q: Can I create my own scenarios?

A: Not currently. Depending on demand, we may consider introducing more customisation of scenarios in future.

Q: Are these real networks?

A: SOC Simulator isn’t a network. Each Scenario is a collection of logs, detection rules and alerts that come together to form a narrative of an attack on an Organisation’s network. Although the logs are fabricated, they are hosted on a real Splunk portal and follow a true-to-life format and level of detail, so they are accurate representations of the real-world logs SOC Analysts would engage with.

The Simulator itself is an interpretation of a SIEM (Security Information and Event Management) platform.


Having Issues?

Contact [email protected] to resolve any issues you may have with the SOC SIM

Are you an existing B2B or EDU customer and still have questions?
Please reach out to your Customer Success Manager or Technical Support for assistance.

Interested in Learning if TryHackMe is Right for Your Organization?
Contact us at [email protected] to explore how TryHackMe could benefit your organization. Alternatively, you can book a meeting directly with our Sales team.
