Complete, production-ready SOC analyst training program bridging foundational skills (manual investigation) with 2026 automation-first capabilities (AI agents, SOAR, threat intelligence).
Transform from beginner to automation-first SOC analyst in 8-24 weeks.
- Overview
- What You Get
- Quick Start
- Learning Paths
- Project Portfolio
- Technology Stack
- Career Outcomes
- Getting Started
- Repository Structure
- Contributing
- License
## Overview

By 2026, cybercrime is a $20 trillion economy. The average data breach costs $4.88 million. Attack windows have collapsed from weeks to hours.

Traditional SOC analysts are obsolete. The future belongs to automation architects.

This program trains you for the new reality:

- AI agents handle 90%+ of routine triage
- Human-agent teaming is baseline
- SOAR orchestration is mandatory
- Cloud-native, identity-first security
- Intelligence-driven operations
## What You Get

| Document | Purpose | Read Time |
|---|---|---|
| QUICK-START-GUIDE.md | Week 1 action plan, platform setup | 20 min |
| SOC-Analyst-Roadmap.md | Original master plan (Projects 1-6) | 10 min |
| 2026-Automation-First-Roadmap.md | Future-state vision (AI, SOAR, cloud) | 40 min |
| INTEGRATION-GUIDE.md | How everything fits together | 35 min |
- Foundation Projects: manual investigation skills
- Automation Projects: SOAR orchestration, ML-powered threat intelligence
- Future-State Projects: AI agents, post-quantum cryptography

Each template includes:

- Day-by-day execution plan
- Evidence capture guidelines
- 3 resume bullet versions (technical, results-oriented, strategic)
- STAR method interview answers
- Documentation templates
- Skills checklist
## Quick Start

1. Read the Quick Start Guide

```bash
# Open this file first
cat QUICK-START-GUIDE.md
```

2. Create Platform Accounts (Free)

- LetsDefend - SOC monitoring labs
- TryHackMe - SIEM & incident response
- CyberDefenders - Blue team challenges

3. Start Project 1

```bash
# Open and follow step-by-step
cat templates/Project-1-Template.md
```

This Week: Triage your first 20 security alerts
## Learning Paths

Goal: Entry-level SOC Analyst Tier-1 job

- Projects: 1, 2, 3, 7
- Outcome: 9-12 resume bullets, 4 portfolio projects
- Start Applying: Week 10

Goal: Mid-level SOC Analyst / Detection Engineer

- Projects: 1-7 (all foundation + SOAR)
- Outcome: 15-18 resume bullets, 7 projects, GitHub detection repo
- Start Applying: Week 16

Goal: AI SOC Engineer / Tier 4 Orchestrator

- Projects: 1-10 (full suite)
- Outcome: 20+ bullets, certifications, open-source contributions
- Start Applying: Week 20+
## Project Portfolio

### Foundation Projects

Build manual investigation skills before automating.

| # | Project | Platform | Duration | Difficulty | Skills |
|---|---|---|---|---|---|
| 1 | Live SOC Monitoring | LetsDefend | 2-3 weeks | Beginner | Alert triage, log analysis |
| 2 | Phishing Email Analysis | CyberDefenders | 1-2 weeks | Beginner-Int | Email forensics, IOC extraction |
| 3 | Incident Response (SIEM) | TryHackMe | 2-3 weeks | Intermediate | Splunk/Elastic, MITRE ATT&CK |
| 4 | Ransomware Forensics | CyberDefenders | 2 weeks | Int-Advanced | Memory/PCAP analysis |
| 5 | Threat Hunting | TryHackMe | 2-3 weeks | Int-Advanced | Hypothesis-driven hunting |
| 6 | Detection Engineering | Home Lab | 2-3 weeks | Advanced | Sigma rules, GitHub publication |
### Automation Projects

2026 automation-first skills.

| # | Project | Platform | Duration | Difficulty | Skills |
|---|---|---|---|---|---|
| 7 | Automated Phishing Responder | Wazuh + Shuffle + TheHive | 2-3 weeks | Advanced | SOAR orchestration, API integration |
| 8 | Automated Threat Intelligence Platform | MISP + OpenCTI + Cortex + ML | 3-4 weeks | Enterprise | ML-based IOC filtering, STIX/TAXII, automated detections |
Project 8 Highlights:

- ML model (89% accuracy) filters 10,000 IOCs → 50 actionable
- Intelligence → Detection time: 5 minutes (vs. 5 days manual)
- Automated Sigma rule generation + SIEM deployment
- 15+ threat intelligence sources integrated
### Future-State Projects

Outlined in 2026-Automation-First-Roadmap.md.

| # | Project | Focus | Status |
|---|---|---|---|
| 9 | AI-Assisted Threat Hunting | Jupyter + AI agents | Outlined |
| 10 | Post-Quantum Cryptography | PQC readiness assessment | Outlined |
## Technology Stack

Training:
- LetsDefend (SOC simulation)
- TryHackMe (SIEM labs)
- CyberDefenders (blue team CTFs)
SIEM/EDR:
- Splunk Free (15GB/day)
- Elastic Stack
- Wazuh (open-source EDR)
SOAR:
- Shuffle (open-source)
- TheHive (case management)
Threat Intelligence:
- MISP (TI platform)
- OpenCTI (knowledge graph)
- Cortex (enrichment analyzers)
Detection:
- Sigma (universal rule format)
- YARA (file-based detection)
AI/ML:
- Python scikit-learn
- Jupyter notebooks
- OpenAI/Claude APIs (optional)
## Career Outcomes

| Week | Milestone | Job Readiness |
|---|---|---|
| 8-10 | Projects 1-3 complete | Entry-level SOC Analyst Tier-1 |
| 12-16 | First interviews, feedback | Refining based on market |
| 16-20 | Projects 1-7 complete | Mid-level SOC / Detection Analyst |
| 20-24 | Projects 1-8 + certifications | AI SOC Engineer, Tier 4 Orchestrator |
Before (Generic):

- Studied cybersecurity fundamentals
- Completed online courses

After (This Program):

- Monitored and triaged 150+ security alerts, achieving 92% TP/FP accuracy
- Conducted ransomware forensic investigation using Volatility and Wireshark
- Architected SOAR pipeline reducing MTTC from 45 minutes to 3 minutes
- Built ML-powered TIP processing 12,500 IOCs/day with 89% accuracy
| Candidate Type | Experience |
|---|---|
| Average | Courses only, no projects |
| Good | 2-3 basic projects |
| Top 10% | SOAR automation (Project 7) |
| Top 1% | YOU (Enterprise TIP + ML) |
Recommended Path:
Entry-Level:
- CompTIA Security+ (after Projects 1-3)
- AWS Cloud Practitioner
Intermediate:
- GIAC Security Essentials (GSEC)
- AWS Security Specialty OR Azure Security Engineer (AZ-500)
Advanced (2026-Focused):
- SEC545: GenAI/LLM Security
- SEC598: AI SOC Orchestration
- Azure AI Engineer (AI-102)
Note: Projects > Certifications in 2024-2026 market.
## Repository Structure

```
soc-roadmap-2026/
├── README.md (this file)
├── QUICK-START-GUIDE.md (START HERE)
├── SOC-Analyst-Roadmap.md
├── 2026-Automation-First-Roadmap.md
├── INTEGRATION-GUIDE.md
├── templates/
│   ├── Project-1-Template.md (Live SOC Monitoring)
│   ├── Project-2-Template.md (Phishing Analysis)
│   ├── Project-3-Template.md (Incident Response)
│   ├── Project-4-Template.md (Ransomware Forensics)
│   ├── Project-5-Template.md (Threat Hunting)
│   ├── Project-6-Template.md (Detection Engineering)
│   ├── Project-7-Template.md (Automated Phishing Responder)
│   └── Project-8-Template.md (Automated TIP)
└── LICENSE
```
## Getting Started

- Star this repository
- Read QUICK-START-GUIDE.md
- Create accounts (LetsDefend, TryHackMe, CyberDefenders)
- Open templates/Project-1-Template.md
- Complete Day 1-7 tasks (first 20 alerts)
- Start your triage log

- Complete Projects 1-3
- Update resume with 6-9 SOC bullets
- Start applying for SOC Analyst Tier-1 jobs
## Contributing

This is a solo training program, but contributions are welcome!

Ways to contribute:

- Report issues or unclear instructions
- Suggest additional project ideas
- Share your success stories
- Submit pull requests for corrections
Please:
- Follow existing template structure
- Keep content actionable (not theoretical)
- Test any technical steps before submitting
## License

This project is licensed under the MIT License - see the LICENSE file for details.

You are free to:

- Use for personal learning
- Share with others
- Modify and adapt
- Use in portfolios

Attribution appreciated but not required.
If this roadmap helped you, consider giving it a star!

Questions or feedback?

- Open an issue in this repository
- Share your progress: #SOCRoadmap2026

Built by: Security professionals, for aspiring SOC analysts
What you have:

- Complete training program (147,000+ words)
- 10 project blueprints (8 detailed templates)
- Day-by-day execution plans
- Resume bullets & interview prep
- 2026 automation-first vision

What you need:

- Consistency (10 hours/week)
- Execution (start, don't just read)
- Patience (8-24 weeks to job-ready)

The SOC analyst career you want is 8 weeks away.

Your move.

Begin with the Quick Start Guide.

Made for aspiring SOC analysts.