Who is this cybersecurity SOC analyst course for?

Career changers from IT support, helpdesk, or sysadmin work targeting a Tier 1 SOC analyst role; recent graduates of cybersecurity or computer science programs; military veterans using GI Bill or VET TEC benefits; self-taught learners working toward CompTIA Security+ or CySA+; mid-career IT professionals stepping sideways into security operations.

What primary sources does this cybersecurity course cite?

NIST Special Publication 800-61 Revision 2 (Computer Security Incident Handling Guide), NIST SP 800-92 (Guide to Computer Security Log Management), MITRE ATT&CK Enterprise Matrix v15, the original Lockheed Martin Cyber Kill Chain paper (Hutchins, Cloppert & Amin 2011), CISA's 2024 Living off the Land joint advisory, the SANS 2023 SOC Survey, the ISC2 Cybersecurity Workforce Study 2024, BLS OES 2024 occupational data, and Heuer's Psychology of Intelligence Analysis (1999) for structured analytic technique. Every claim is anchored to a primary or peer-reviewed source.

Will this cybersecurity course prepare me for CompTIA Security+ or CySA+?

It is a prerequisite primer rather than a cert prep course. The course covers the conceptual scaffolding (incident handling lifecycle, MITRE ATT&CK, SIEM logic, hunting, alert fatigue) that makes Security+ and CySA+ study more efficient. Pair it with an official CompTIA training resource for exam coverage.

How long does the cybersecurity SOC analyst course take to complete?

Roughly 14 hours of focused study across 6 modules. Most learners complete it in 6 to 8 weeks at 2 to 4 hours per week. Self-paced; no live sessions.

Do I need a home lab to take the course?

Not to start. The first three modules are concept-heavy and can be completed without a lab. Modules 3 through 6 are stronger when paired with a free home lab; the course recommends a VirtualBox or VMware workstation running a Windows VM with Sysmon and a free-tier Elastic stack. All recommended tools are free.

Primary-source-grounded cybersecurity course

SOC Analyst Fundamentals

A primary-source-grounded six-module path into the Security Operations Center analyst role: detection, triage, containment, hunting, and the career ladder from Tier 1 through Tier 3.

6 modules14 hours$147 one-timeNIST + MITRE + BLS sourced

What this cybersecurity course is

SOC Analyst Fundamentals is a 6-module cybersecurity course for career changers and IT professionals targeting an entry-level Security Operations Center analyst role in 2026. Every module connects a primary-source standard (NIST SP 800-61 Rev. 2 incident handling, NIST SP 800-92 log management, MITRE ATT&CK Enterprise) to the daily work of a SOC analyst: alert triage, log correlation, indicator-of-compromise extraction, escalation handoffs, and the structured analytic techniques used in mature SOCs. The course is designed for adults committing 6 to 8 weeks of focused study before sitting CompTIA Security+ or CySA+. It does not promise employment; it gives you the working vocabulary, mental models, and study cadence that a hiring manager filtering for SOC Tier 1 candidates expects to see in a portfolio interview. Designed by Julian Calvo, Ed.D. in Applied Learning Sciences (University of Miami, 2026).

The course sequences six modules around the operational lifecycle of a security alert as defined in NIST SP 800-61 Revision 2 (Cichonski, Millar, Grance, & Scarfone, 2012). Each module pairs a primary-source standard with a hands-on prompt: read the standard, apply it to a realistic alert scenario, write the analyst note that would land in the case management system. The pedagogical scaffolding follows Kolb's experiential learning cycle (Kolb, 1984) and Bandura's self-efficacy theory (Bandura, 1997): concrete reading, structured reflection, abstract conceptualization through the standard, then active experimentation in a home lab. The course is opinionated about source quality: every claim is sourced to NIST, MITRE, SANS, BLS, or peer-reviewed research. No vendor white papers without primary-source backing. No exam dump references.

Six modules

Module 01 · 110 min
What a SOC Analyst Actually Does
The day-to-day work, the three-tier ladder, the BLS occupational data behind the role, and the difference between what hiring managers say they want and what the job actually demands.
Learning objectives
- Describe the four phases of the NIST SP 800-61 incident handling lifecycle and how a Tier 1 analyst's work maps to each
- Cite the BLS OES 2024 median wage and projected growth rate for Information Security Analysts and articulate what those numbers do and do not tell you
- Distinguish Tier 1, Tier 2, and Tier 3 analyst responsibilities and identify which credentials and skills move someone up the ladder
Module 02 · 130 min
The Threat Landscape: How Attackers Operate
The MITRE ATT&CK framework as the working vocabulary of the modern SOC, the kill chain heritage, and how to read the framework as a Tier 1 analyst rather than a researcher.
Learning objectives
- Read a MITRE ATT&CK technique page and identify the tactic, the technique, the procedure example, and the detection guidance
- Map a real-world attack (such as a documented LOLBin abuse) to its ATT&CK technique IDs and explain the analyst-relevant detection sources
- Cite the original Lockheed Martin Cyber Kill Chain paper and the relationship between the kill chain and ATT&CK
Module 03 · 140 min
Detection Engineering: From Logs to Alerts
How a SIEM is built, what NIST SP 800-92 says about log management, and the difference between alert volume and alert fidelity.
Learning objectives
- Cite NIST SP 800-92's six log management activities and explain how each shows up in a SOC analyst's daily work
- Read a Sigma rule and rewrite it in your SIEM's native query language (KQL, SPL, or Lucene)
- Define alert fidelity, false positive rate, and alert fatigue, and cite the operational research that shows why volume is not value
Module 04 · 120 min
Incident Response: NIST 800-61 in Practice
The four phases of NIST SP 800-61, the analyst's role inside each phase, and the documentation patterns that turn an alert into an incident record.
Learning objectives
- Describe the four phases of NIST SP 800-61 Rev. 2 and identify which Tier handles each phase in a typical SOC
- Write a containment recommendation that includes the affected scope, the proposed control, and the residual risk
- Cite the SANS Incident Handler's Handbook six-step model and explain how it maps to the NIST four-phase model
Module 05 · 110 min
Threat Hunting: Hypothesis-Driven Analysis
How proactive hunting differs from reactive triage, the structured analytic techniques borrowed from intelligence analysis, and the data sources you actually need.
Learning objectives
- Distinguish hypothesis-driven, intelligence-driven, and situational-awareness-driven hunts; cite the SqrrlHunting maturity model
- Generate a hunt hypothesis using a MITRE ATT&CK technique and document the data sources, query, and disposition criteria
- Apply the Analysis of Competing Hypotheses (ACH) technique to a multi-explanation alert (Heuer, 1999)
Module 06 · 100 min
Career Trajectory: From Tier 1 to Tier 3
The 24-month plan from first SOC role to Tier 3, the credentials that move you, the portfolio artifacts that prove you, and the salary numbers behind each step.
Learning objectives
- Map a 24-month skill-building plan from Tier 1 to Tier 3 with specific credentials, portfolio artifacts, and milestones
- Cite the BLS, ISC2, and SANS data on SOC compensation by tier and use it to calibrate offer expectations
- Build a 90-day study plan that moves your current cert and portfolio state toward your next-tier target

Target audience

Career changers from IT support, helpdesk, or sysadmin roles targeting a Tier 1 SOC analyst position
Recent graduates of computer science, cybersecurity, or information systems programs preparing for first cybersecurity role
Military veterans using GI Bill or VET TEC benefits toward a SOC analyst credential
Self-taught learners working toward CompTIA Security+ or CySA+
Mid-career IT professionals stepping sideways into security operations

Prerequisites

Comfort with command-line basics on Linux and Windows (cd, ls, ps, netstat, get-process)
Basic understanding of TCP/IP networking (IP addresses, ports, DNS, HTTP)
Willingness to commit 6 to 8 weeks of 4 to 8 hours per week study
Free home lab capability (any laptop with 16 GB RAM running VirtualBox or VMware)

Sources

NIST SP 800-61 Rev. 2: Computer Security Incident Handling Guide — Cichonski, Millar, Grance, & Scarfone (2012). Public-domain US Government work.
NIST SP 800-92: Guide to Computer Security Log Management — Kent & Souppaya (2006). Public-domain US Government work.
MITRE ATT&CK Enterprise Matrix — MITRE Corporation. Free for public use.
Lockheed Martin Cyber Kill Chain (Hutchins, Cloppert, Amin 2011) — Original peer-reviewed conference paper that introduced the model.
CISA Joint Advisory: Identifying and Mitigating Living off the Land Techniques — CISA, NSA, FBI, ACSC, CCCS, NCSC-NZ, NCSC-UK joint guidance, February 2024.
BLS OES May 2024: Information Security Analysts (15-1212) — U.S. Bureau of Labor Statistics median wages, percentile bands, metro detail.
ISC2 Cybersecurity Workforce Study 2024 — Workforce gap and compensation by tier and region.
SANS 2023 SOC Survey (Crowley & Pescatore) — Operational metrics on SOC tier ratios, alert volume, and analyst burnout.

Disclaimer

This course is for educational purposes only. It does not guarantee employment, interview invitations, or salary outcomes. Cybersecurity job-market conditions vary by region, economic cycle, and individual circumstances. NIST and MITRE materials cited here are public-domain US Government works; readers should consult primary sources for currency. CompTIA Security+ and CySA+ are trademarks of CompTIA; DecipherU is not affiliated with CompTIA. DecipherU is not responsible for career or financial decisions made based on this content.

What this cybersecurity course is

Six modules

Module 01 · 110 min

What a SOC Analyst Actually Does

The day-to-day work, the three-tier ladder, the BLS occupational data behind the role, and the difference between what hiring managers say they want and what the job actually demands.

Learning objectives

Describe the four phases of the NIST SP 800-61 incident handling lifecycle and how a Tier 1 analyst's work maps to each
Cite the BLS OES 2024 median wage and projected growth rate for Information Security Analysts and articulate what those numbers do and do not tell you
Distinguish Tier 1, Tier 2, and Tier 3 analyst responsibilities and identify which credentials and skills move someone up the ladder

Module 02 · 130 min

The Threat Landscape: How Attackers Operate

The MITRE ATT&CK framework as the working vocabulary of the modern SOC, the kill chain heritage, and how to read the framework as a Tier 1 analyst rather than a researcher.

Learning objectives

Read a MITRE ATT&CK technique page and identify the tactic, the technique, the procedure example, and the detection guidance
Map a real-world attack (such as a documented LOLBin abuse) to its ATT&CK technique IDs and explain the analyst-relevant detection sources
Cite the original Lockheed Martin Cyber Kill Chain paper and the relationship between the kill chain and ATT&CK

Module 03 · 140 min

Detection Engineering: From Logs to Alerts

How a SIEM is built, what NIST SP 800-92 says about log management, and the difference between alert volume and alert fidelity.

Learning objectives

Cite NIST SP 800-92's six log management activities and explain how each shows up in a SOC analyst's daily work
Read a Sigma rule and rewrite it in your SIEM's native query language (KQL, SPL, or Lucene)
Define alert fidelity, false positive rate, and alert fatigue, and cite the operational research that shows why volume is not value

Module 04 · 120 min

Incident Response: NIST 800-61 in Practice

The four phases of NIST SP 800-61, the analyst's role inside each phase, and the documentation patterns that turn an alert into an incident record.

Learning objectives

Describe the four phases of NIST SP 800-61 Rev. 2 and identify which Tier handles each phase in a typical SOC
Write a containment recommendation that includes the affected scope, the proposed control, and the residual risk
Cite the SANS Incident Handler's Handbook six-step model and explain how it maps to the NIST four-phase model

Module 05 · 110 min

Threat Hunting: Hypothesis-Driven Analysis

How proactive hunting differs from reactive triage, the structured analytic techniques borrowed from intelligence analysis, and the data sources you actually need.

Learning objectives

Distinguish hypothesis-driven, intelligence-driven, and situational-awareness-driven hunts; cite the SqrrlHunting maturity model
Generate a hunt hypothesis using a MITRE ATT&CK technique and document the data sources, query, and disposition criteria
Apply the Analysis of Competing Hypotheses (ACH) technique to a multi-explanation alert (Heuer, 1999)

Module 06 · 100 min

Career Trajectory: From Tier 1 to Tier 3

The 24-month plan from first SOC role to Tier 3, the credentials that move you, the portfolio artifacts that prove you, and the salary numbers behind each step.

Learning objectives

Map a 24-month skill-building plan from Tier 1 to Tier 3 with specific credentials, portfolio artifacts, and milestones
Cite the BLS, ISC2, and SANS data on SOC compensation by tier and use it to calibrate offer expectations
Build a 90-day study plan that moves your current cert and portfolio state toward your next-tier target

Target audience

Career changers from IT support, helpdesk, or sysadmin roles targeting a Tier 1 SOC analyst position

Recent graduates of computer science, cybersecurity, or information systems programs preparing for first cybersecurity role

Military veterans using GI Bill or VET TEC benefits toward a SOC analyst credential

Self-taught learners working toward CompTIA Security+ or CySA+

Mid-career IT professionals stepping sideways into security operations

Prerequisites

Comfort with command-line basics on Linux and Windows (cd, ls, ps, netstat, get-process)

Basic understanding of TCP/IP networking (IP addresses, ports, DNS, HTTP)

Willingness to commit 6 to 8 weeks of 4 to 8 hours per week study

Free home lab capability (any laptop with 16 GB RAM running VirtualBox or VMware)

Disclaimer

SOC Analyst Fundamentals

What this cybersecurity course is

Six modules

What a SOC Analyst Actually Does

The Threat Landscape: How Attackers Operate

Detection Engineering: From Logs to Alerts

Incident Response: NIST 800-61 in Practice

Threat Hunting: Hypothesis-Driven Analysis

Career Trajectory: From Tier 1 to Tier 3

Target audience

Prerequisites

Related cybersecurity content

Sources

Disclaimer

SOC Analyst Fundamentals

What this cybersecurity course is

Six modules

What a SOC Analyst Actually Does

The Threat Landscape: How Attackers Operate

Detection Engineering: From Logs to Alerts

Incident Response: NIST 800-61 in Practice

Threat Hunting: Hypothesis-Driven Analysis

Career Trajectory: From Tier 1 to Tier 3

Target audience

Prerequisites

Related cybersecurity content

Sources

Disclaimer