Live: SOC Job Track

Zero to SOC Analyst

90 Day Roadmap (2026 Edition)

Transform into a job-ready Security Operations Center analyst with this structured, hands-on learning path designed for beginners. Master detection, response, and enterprise security fundamentals employers demand.

90 days · 12 weeks · 4 projects · 100+ lab tasks

Roadmap Overview

Phase 1: Days 1–30

Core Foundations

Security+ Certification & Essential Networking

Build rock-solid IT and cybersecurity fundamentals. Master networking protocols, operating systems, and Security+ domains through structured study and practice exams.

Key Focus:
  • TCP/IP
  • Linux and Windows commands
  • Risk management
  • Cryptography basics

Phase 2: Days 31–60

Detection Mastery

Splunk, SIEM, & Threat Hunting Labs

Dive into SOC tools with hands-on labs. Learn log analysis, SIEM querying, alert triage, and behavioral detection using industry-standard platforms.

Key Focus:
  • SPL queries
  • Correlation rules
  • MITRE ATT&CK framework

Phase 3: Days 61–90

Pro Level Skills

Advanced Response & Portfolio Projects

Develop enterprise-grade incident response playbooks, build production-ready dashboards, and create a GitHub portfolio that gets interviews.

Key Focus:
  • SOAR automation
  • Threat intelligence integration
  • Interview demos

12-Week Breakdown

Week 1: IT Foundations
  • Binary/hexadecimal conversion mastery
  • Complete Professor Messer Network+ videos (1-20)
  • Practice subnetting (100 problems)
  • Install Kali Linux VM
  • Document CIA triad examples from real SOC incidents
  • Create a daily analyst note template for investigations
Checkpoint: Calculate 10 subnets from memory.
Week 2: Networking Deep Dive
  • OSI Model + TCP/IP stack mastery
  • Wireshark packet analysis (50 PCAPs)
  • Ports/services database (memorize top 100)
  • Complete NetworkChuck subnetting course
  • Build a network IOC cheat sheet (IPs, domains, ports)
  • Triage 10 suspicious packet captures and record findings
Checkpoint: Decode full TCP 3-way handshake.
Week 3: Linux Mastery
  • Linux file system navigation (50 commands)
  • Process management + permissions
  • Scripting basics (Bash 10 exercises)
  • Complete Linux Journey course
  • Parse auth logs for brute-force indicators
  • Automate IOC extraction with a Bash mini script
Checkpoint: Navigate /proc + /sys confidently.
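The two Week 3 lab tasks above (parsing auth logs for brute-force indicators and automating IOC extraction with a small Bash script) worked through as an added example; this is not code from the roadmap page. It assumes the standard OpenSSH sshd auth.log line format and POSIX tools (grep, sed, awk, sort, uniq). The log lines, the hostname web01, the PIDs and the IP addresses are constructed samples (RFC 5737 documentation ranges), not real data.

```shell
#!/bin/sh
# Added example for the Week 3 tasks (not code from the roadmap page).
# Parses sshd auth.log lines for brute-force indicators and extracts
# source-IP IOCs. The log lines below are constructed samples; the host
# name, PIDs and addresses are made up (RFC 5737 documentation ranges).

AUTH_LOG_SAMPLE='Mar  3 10:01:02 web01 sshd[1200]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Mar  3 10:01:04 web01 sshd[1201]: Failed password for invalid user root from 203.0.113.5 port 51001 ssh2
Mar  3 10:01:06 web01 sshd[1202]: Failed password for invalid user test from 203.0.113.5 port 51002 ssh2
Mar  3 10:01:09 web01 sshd[1203]: Failed password for alice from 203.0.113.5 port 51003 ssh2
Mar  3 10:02:15 web01 sshd[1210]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Mar  3 10:03:30 web01 sshd[1215]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Mar  3 10:04:41 web01 sshd[1220]: Accepted password for alice from 203.0.113.5 port 51004 ssh2'

# Source IP of every "Failed password" line, one per line.
failed_sources() {
  printf '%s\n' "$1" \
    | grep 'Failed password' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p'
}

# Brute-force indicator: IPs whose failed-password count reaches the
# threshold ($2), printed as "count ip", highest count first.
brute_force_sources() {
  failed_sources "$1" \
    | sort | uniq -c | sort -rn \
    | awk -v t="$2" '$1 >= t { print $1, $2 }'
}

# IPs that appear in both a "Failed password" and an "Accepted" line.
# A successful logon from a source that was guessing passwords is the
# finding an analyst escalates first. (Membership check only; it does
# not verify that the Accepted line is later in time.)
failed_then_accepted() {
  log="$1"
  failed_sources "$log" | sort -u | while read -r ip; do
    if printf '%s\n' "$log" | grep 'Accepted ' | grep -qF " from $ip port "; then
      printf '%s\n' "$ip"
    fi
  done
}

# IOC extraction: every IPv4 address seen in the log, de-duplicated,
# ready to paste into the network IOC cheat sheet.
extract_ip_iocs() {
  printf '%s\n' "$1" \
    | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | sort -u
}

# Stand-alone run: the summary an analyst would paste into the daily note.
echo "== Sources with >= 3 failed passwords =="
brute_force_sources "$AUTH_LOG_SAMPLE" 3
echo "== Failed then accepted (review first) =="
failed_then_accepted "$AUTH_LOG_SAMPLE"
echo "== IP IOCs =="
extract_ip_iocs "$AUTH_LOG_SAMPLE"
```

On a live host, replace the embedded sample with `$(cat /var/log/auth.log)` or pipe the journal through the same functions; the threshold of 3 is deliberately low for the sample and should be set from the host's own baseline of normal failed logons.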
Week 4: Windows Mastery
  • PowerShell fundamentals (50 cmdlets)
  • Event log analysis (Security/Application)
  • Active Directory basics + enumeration
  • Complete Windows Forensics course
  • Configure Sysmon and collect baseline endpoint telemetry
  • Investigate 5 failed-logon spikes using Event IDs
Checkpoint: Query Event ID 4624 patterns.
Week 5: Sec+ Domains 1-2
  • Complete Messer Sec+ videos (1-30)
  • 1000 Sec+ practice questions
  • Cryptography algorithms + hashing
  • Risk management frameworks
  • Map Sec+ Domain 1-2 topics to SOC analyst tasks
  • Draft an incident severity matrix (Low/Med/High/Critical)
Checkpoint: 85% on Domain 1-2 practice tests.
Week 6: Sec+ Domains 3-5
  • Complete Messer Sec+ videos (31-60)
  • Identity/access management deep dive
  • 1000 more Sec+ practice questions
  • Full Sec+ practice exam (target 850+)
  • Review NIST incident response lifecycle with SOC examples
  • Create a phishing triage mini runbook
Checkpoint: Schedule Security+ exam.
Week 7: SIEM Introduction
  • Splunk fundamentals (free trial)
  • SPL search language (50 queries)
  • Sample log analysis (web server logs)
  • Complete Splunk Boss of the SOC course
  • Build an authentication anomaly dashboard
  • Practice full alert lifecycle: triage to escalation notes
Checkpoint: Build basic correlation search.
Week 8: Threat Hunting
  • MITRE ATT&CK framework mastery
  • 10 threat hunting hypotheses tested
  • Elastic Security + EQL queries
  • Complete SANS FOR508 free content
  • Hunt for LOLBins and suspicious parent-child processes
  • Create IOC enrichment workflow using threat intel sources
Checkpoint: Document 3 hunt stories.
Week 9: Detection Engineering
  • Sigma rule creation (10 rules)
  • Detection-as-Code GitHub repo setup
  • Alert fatigue reduction techniques
  • Complete Detection Engineering course
  • Tune rules against false positives from baseline data
  • Test detections with replayed attack logs
Checkpoint: Portfolio with 5 detection rules.
Week 10: Incident Response
  • DFIR methodology mastery
  • Complete 5 ransomware IR simulations
  • Timeline analysis + TTP mapping
  • Build personal IR playbook
  • Practice containment decision tree for endpoint incidents
  • Write executive and technical incident summaries
Checkpoint: 30-minute IR demo recording.
Week 11: Portfolio Projects
  • Production SIEM dashboard (3 dashboards)
  • SOC metrics + KPI visualization
  • GitHub README + demo videos
  • LinkedIn portfolio showcase
  • Add architecture diagrams and detection logic per project
  • Record 5-minute walkthrough for each flagship project
Checkpoint: Public GitHub with 3+ projects.
Week 12: Interview Mastery
  • 100 SOC interview questions practiced
  • Mock interviews (3 sessions)
  • Salary negotiation + offer framework
  • Apply to 50+ SOC analyst positions
  • Prepare STAR stories from labs and incident simulations
  • Tailor resume keywords to 10 SOC job descriptions
Checkpoint: 3+ interviews scheduled.

Skills Employers Demand

Must-Have Skill                 Why Companies Hire For This
Splunk/Elastic Querying         80% of SOC roles require SIEM proficiency
MITRE ATT&CK Fluency            Used in 95% of detection engineering roles
Alert Triage & Investigation    Core daily responsibility for all analysts
Incident Documentation          Critical for compliance & knowledge transfer
GitHub Portfolio                Proof of hands-on skills > certifications

Daily Study Blueprint

Time             Activity            Focus
6:00-7:00 AM     Active Recall       Flashcards + subnetting
7:00-9:00 AM     Deep Study          Video courses + notes
9:00-10:00 AM    Hands-On Labs       Splunk queries / Wireshark
6:00-8:00 PM     Practice + Review   Practice exams / projects
8:00-9:00 PM     Documentation       GitHub updates / journaling
Pro Tip: Track daily progress in Notion and do a weekly review on Sundays.

Portfolio Projects

SIEM Threat Dashboard

Production-ready Splunk dashboard tracking lateral movement, privilege escalation, and data exfiltration with MITRE mapping.

Detection Rules Repo

20+ Sigma rules for cloud environments with test cases, documentation, and CI/CD pipeline.

Incident Response Playbook

Complete ransomware response playbook with timeline templates, TTP mapping, and executive reporting.

Threat Hunt Reports

5 documented threat hunts with hypotheses, methodologies, findings, and IOCs.

Interview Mastery

Technical Questions
  • "Walk me through your alert triage process"
  • "How do you prioritize incidents?"
  • "Explain MITRE ATT&CK T1566"
  • "False positive reduction techniques"
Behavioral Questions
  • "Tell me about a production incident you handled"
  • "How do you handle alert fatigue?"
  • "Describe your detection engineering process"
  • "Escalation + communication examples"
Demo Day: Live Splunk query + dashboard walkthrough wins interviews.

Avoid These Traps

❌ Theory Without Labs

90% of candidates fail hands-on assessments. Build real detection pipelines daily.

❌ Certs Without Portfolio

Security+ alone gets a 3% response rate. GitHub > all certifications combined.

❌ Generic Resumes

Hiring managers scan for "Splunk," "MITRE," "triage." Include exact terminology.

Your Success Formula

Consistency (60%) + Labs (25%) + Portfolio (15%) = SOC Analyst Job Offer

Follow this exactly for 90 days. Results guaranteed.