This content has been designed by industry experts to equip you with the job-ready skills required for an entry-level security analyst role.
A Guide to Entry-Level Security Analyst Skills
1. Fundamental Knowledge
Network Essentials
Covers essential networking concepts, including TCP/IP and OSI models, common network devices, key network protocols, and the TCP three-way handshake. Candidates will also explore workflows of web browsing and email transmission and gain hands-on experience with HTTP, SSL/TLS, and VPN scenarios.
Operating System Basics
Introduces Windows and Linux operating systems, covering OS architecture, security features, authentication mechanisms, file systems, and common processes. Also includes an introduction to Active Directory and the use of event logs for tracing system activity.
Cryptography Basics
Focuses on fundamental topics, including encryption types and the difference between encoding, encryption, and hashing. Candidates will also learn how to recognise common encodings and get familiar with useful decoding tools.
Cloud and Virtualisation Basics
Covers the essentials of virtualisation and cloud computing, including the differences between VMs and hosts, cloud vs. virtual hosting, and key cloud providers. Candidates will also learn about cloud service models like SaaS and IaaS with real-world examples.
Web & Scripting Basics
Explores the core web and scripting concepts, including web app architecture, APIs, and common formats like JSON and XML. Also emphasises recognising scripts across various languages (Python, JavaScript, Bash, PowerShell, PHP) and differentiating scripting from compiled programs.
2. Cybersecurity Frameworks
Cybersecurity Fundamentals
Covers fundamental principles, including the CIA triad, least privilege, and the impact of human factors in security. Candidates will gain a foundational understanding of modern cybersecurity trends and major vulnerabilities like Log4Shell and EternalBlue.
MITRE ATT&CK Framework
Introduces the MITRE ATT&CK Framework, a structured knowledge base of adversary tactics, techniques, and procedures (TTPs). Candidates will learn how to navigate the framework, understand attack stages, and map real-world attacks to MITRE techniques.
Cyber Kill Chain Framework
Explores the Cyber Kill Chain, its purpose in understanding cyber attacks, and the stages of an attack lifecycle. Covers the differences between the Cyber Kill Chain and the MITRE ATT&CK Framework, highlighting their approaches to threat analysis and defense.
NIST Cybersecurity Framework
Covers the NIST Cybersecurity Framework (CSF), including its five stages: Identify, Protect, Detect, Respond, and Recover. Candidates will learn the high-level purpose of each stage and map real-world scenarios and attack chains to NIST CSF stages.
Attack Traces and Indicators
Covers Indicators of Compromise (IoC) and Indicators of Attack (IoA). Participants will explore various types of IoCs (e.g., IP addresses, file hashes, domains), the difference between IoC and IoA, and the concept of the Pyramid of Pain. Practical examples will demonstrate how and where to use or define IoCs in real-world scenarios to identify and respond to security threats effectively.
3. Common Malicious Behaviour
Social Engineering
Covers the attack lifecycle, email vulnerabilities, and detection techniques. Candidates will analyse phishing tactics such as impersonation, typo-squatting, and sender spoofing while learning about SPF, DKIM, DMARC, and email analysis for threat identification.
Network Attacks
Explores common network-based attacks, including port scanning, DDoS, MitM, DNS poisoning, and ARP spoofing. Candidates will analyse network traffic to identify attack patterns, data exfiltration techniques, and command-and-control (C2) channels.
Web Exploitation
Focuses on web exploitation, explaining why web applications are prime targets. Covers the difference between client-side and server-side vulnerabilities, key defensive measures (input validation, patching, WAF), and common web attacks like XSS, SQL injection, code injection, and path traversal. Candidates will learn to recognise these threats, understand their impact, and see real-world exploitation examples.
Endpoint Attacks
Focuses on how attackers gain access to and maintain control over endpoints. Learners will explore common initial access methods such as RDP/SSH, persistence and privilege escalation techniques, and credential theft with a focus on Mimikatz usage. The module will conclude with an understanding of the impact of attacks and the importance of activity logging for detection using tools like Auditd and Sysmon.
Command & Control
Explores Command and Control, including the different types of shells (forward shells and reverse shells), when each is used, and in particular the advantages of reverse shells in bypassing firewall restrictions. Explores C2 frameworks like Metasploit and Cobalt Strike, beaconing techniques, and how they compare to reverse shells, highlighting their advantages and detection indicators.
Malware & LOLBAS
Introduces malware classification, focusing on understanding the actions performed by different types of malware. Covers the identification of malware indicators and the difference between static and dynamic analysis. Provides an introduction to LOLBAS and explains why threat actors use living-off-the-land techniques for defence evasion.
4. Security Tools of the Trade
Endpoint Detection and Response
Explores the functionality of EDR tools, their deployment, and their role in investigations by providing endpoint telemetry. Compares EDR vs. traditional AV and covers detection (telemetry, behavioural analysis) and response (remote shell, containment) features.
Network and Web Protection
Covers firewall and WAF deployments, their detection capabilities and limitations, basic configurations, and firewall log analysis. Candidates will also learn how to create WAF rules for security enforcement.
Security Information and Event Management
Focuses on SIEM deployments, log parsing, alert management, threat hunting, triage, and security reporting in SOC environments. Candidates will also learn how raw logs are transformed into SIEM alerts and how to use alert properties such as severity and status for triage.
Security Orchestration and Automation
Explores SOAR platforms, their role in automating security responses, and the creation of playbooks for incident response automation. Focuses on data enrichment and SOAR integration with threat intelligence platforms.
Threat Intelligence Platforms
Covers the use of threat intelligence platforms, feeds, and indicators in SOC workflows. Explores how TI is used to classify IP addresses, domains, and hashes, introduces YARA for rule-based detection, and explains TI integration with SIEM and SOAR for data enrichment and automated threat response.
Vulnerability Scanning
Explains the concept of vulnerability scanning, its purpose, and the importance of regular scans to identify security weaknesses. Covers the differences between external vs internal scanning and web vs network scanning, emphasising their roles in a comprehensive security strategy.
5. SOC Workflows and Activities
SOC Team and Responsibilities
Covers the concept of Blue and Red teams, explaining their roles in security operations. Introduces different types of security teams and outlines the common security hierarchy within organisations. Also focuses on SOC Team roles, with a specific emphasis on the responsibilities within a SOC environment.
Common Security Activities
Explains the classification of security activities into proactive and reactive categories. Discusses common activities, including the purpose of FP remediation, detection engineering, vulnerability scanning, and tabletop exercises. Introduces the concept and purpose of DFIR and Threat Hunting in enhancing security posture.
Alert Triage and Ticketing
Focuses on the purpose of SOC Workbooks. Explains the difference between ticket, alert, and detection rule. Walks through the triage workflow and covers alert classification, including alert severity, statuses, and verdicts.
SOC Metrics and Lookups
Introduces key performance indicators such as MTTA, MTTD, MTTR, and SLA. Candidates will learn best practices for tracking and improving SOC performance through metrics and lookups.
Escalation and Communication
Explains escalation basics and common escalation schema/matrix in a SOC environment. Covers basic remediation steps for handling urgent cases. The session also discusses SOC communication, focusing on how communication is managed between different teams.
TryHackMe