Behind every expert response is a structured journey. Go through the roadmap we've created to follow the path from entry-level to SOC Lead.
L1 // REAL-TIME MONITORING — ALERT ACTIVE
What the L1 Analyst Sees
47 failed logins in 4 minutes — same account, from Russia
One login attempt every 5 seconds. That's not a forgotten password — that's a brute-force attack. The L1 analyst flags it and escalates immediately.
L2 // EVENT CORRELATION — PATTERN ANALYSIS
47 failed logins: 4-minute window, brute-force pattern detected
Sensitive file opened: Q4_Reports_2024.xlsx
Dark web contact: WS-04 (London office) reaching Tor node a3f2c91b.onion, beacon established
The L2 analyst cross-references these events across systems to establish that they belong to a single intrusion rather than three unrelated alerts.
L3 // FORENSIC ANALYSIS — ARTIFACT EXTRACTION
Finding 1 — Disk Acquired
DISK_IMAGE_WS04.img
Workstation WS-04 · 14:32:07 UTC · 512 GB
L3 physically removed the hard drive and took a complete copy — a bit-for-bit snapshot of everything on the machine.
Finding 2 — Malware Identified
svchost32.exe
A malicious file named to resemble the legitimate Windows process svchost.exe, hiding in plain sight. The appended "32" in the name is the giveaway.
VERDICT: MALICIOUS
MD5: a3f2...c91b
Finding 3 — Attacker's remote control channel traced
The malware was secretly phoning home every 5 minutes — receiving orders and sending stolen data. This is called Command & Control (C2).
WS-04 (London office), INFECTED: beacon every 300 s over HTTPS on port 443, receiving instructions and sending stolen data
C2 server: 185.220.101.47 (Moscow, Russia)
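The two patterns the analysts relied on above, fixed-interval login failures (L1) and a 300-second beacon (Finding 3), can be turned into detection logic. The following is an added example, not code from the original page; all timestamps, addresses and account names are constructed placeholders.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample data (not from the page): one failed login every 5 s for the
# same account from one source address, plus a few unrelated events.
BASE = datetime(2024, 11, 2, 14, 0, 0)
AUTH_EVENTS = [(BASE + timedelta(seconds=5 * i), "203.0.113.5", "j.doe", "FAIL")
               for i in range(47)]
AUTH_EVENTS += [(BASE + timedelta(minutes=1, seconds=3), "198.51.100.9", "a.lee", "SUCCESS"),
                (BASE + timedelta(minutes=2, seconds=40), "198.51.100.9", "j.doe", "FAIL")]

def brute_force_alerts(events, threshold=20, window=timedelta(minutes=4)):
    """Return (source_ip, account, count) for every source/account pair whose
    failures inside some sliding window of length `window` reach `threshold`."""
    by_key = {}
    for ts, src, user, outcome in events:
        if outcome == "FAIL":
            by_key.setdefault((src, user), []).append(ts)
    alerts = []
    for (src, user), times in by_key.items():
        times.sort()
        start, best = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((src, user, best))
    return alerts

# Constructed outbound connection times from one workstation to one external host:
# a beacon every 300 s with a little jitter, as in Finding 3.
BEACON_TIMES = [BASE + timedelta(seconds=300 * i + (i % 3)) for i in range(12)]
# Constructed irregular browsing-style connections to the same host, for contrast.
NORMAL_TIMES = [BASE + timedelta(seconds=s)
                for s in (0, 10, 400, 410, 1500, 1600, 1601, 3000, 3100)]

def is_beacon(timestamps, min_connections=8, max_cv=0.1):
    """Flag a host pair as beaconing when the connection intervals are numerous
    and nearly constant (coefficient of variation below `max_cv`)."""
    ts = sorted(timestamps)
    if len(ts) < min_connections:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return pstdev(gaps) / mean(gaps) < max_cv
```

Thresholds here are illustrative; a real SOC tunes the window, count and jitter tolerance to its own baseline of normal activity.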
Is the attack successfully contained?
ALERT: unusual activity detected in the network.
HUNTING: finding the source of the threat.
FORENSICS: investigating the hidden malware.
POST-INCIDENT: distilling lessons learned.
How a SOC Works: An Example Incident
Incident phases: Detection, Triage, Analysis, Containment, Recovery