
SEC450: SOC Analyst Training – Applied Skills for Cyber Defense Operations

SEC450 | Cyber Defense
  • 6 Days (Instructor-Led)
  • 36 Hours (Self-Paced)
Course authored by:
John Hubbard
SEC450: Blue Team Fundamentals: Security Operations and Analysis
  • GIAC Security Operations Certified (GSOC)
  • 36 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • 22 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

This course delivers essential training for Security Operations Center (SOC) analysts, equipping you with the skills to detect and stop cyberattacks and to safeguard your organization’s data and systems.

Course Overview

SEC450 is a SOC Analyst training course ideal for those working in cyber defense operations or building and improving a SOC. It offers six days of training, hands-on labs, and a Capstone competition, covering the mission, mindset, and techniques needed for modern cyber defense. The course, paired with the GIAC GSOC certification, provides essential skills for detecting and halting advanced cyberattacks, making it the gold standard in security operations training.

What You’ll Learn

  • Security Data Collection – How to make the most of security telemetry including endpoint, network, application, and cloud-based data
  • Automation – How to identify the best opportunities to make your team more efficient, utilizing scripts, SOAR, and AI agents
  • Efficient Security Process – How to keep your security operations tempo on track with in-depth discussions on what a SOC or security operations team should be doing at every step from security monitoring to detection, triage, analysis, and beyond
  • Quality Triage and Analysis – How to quickly separate typical commodity attack alerts from high-risk, high-impact advanced attacks, and how to do careful, thorough, cognitive-bias-free security incident analysis
  • False Positive Reduction – Detailed explanations, processes, and techniques to reduce false positives to a minimum
  • SOC Tools – Hands-on exercises demonstrating how to collect, organize, and use relevant threat data in a Threat Intelligence Platform (TIP); Principles of success for endpoint security data collection whether you use a SIEM, EDR, NDR, or XDR; how to quickly and accurately triage security incidents; crafting generative AI-powered automation workflows for common SOC activities; and how to best use case management systems to effectively analyze, document, track, and extract critical metrics from your security incidents
  • Burnout and Turnover Reduction – Informed by both scientific research and years of personal experience, this class teaches what causes cybersecurity analyst burnout and how you and your team can avoid it by recognizing the causes and contributing factors early. It will help you build a long-term, sustainable cyber defense career so you and your team can deliver your best every day.

Business Takeaways

  • Stop missing real threats - Your analysts will master advanced detection techniques that catch sophisticated attacks others miss, including network-based hunting, malware analysis, and structured investigation methods that quickly and accurately identify compromise
  • Eliminate alert fatigue - Learn proven detection engineering and tuning strategies that dramatically reduce false positives while maintaining security coverage, allowing your team to focus on actual threats
  • Maximize your security technology investment - Get full value from your SIEM, XDR, EDR, and threat intelligence platforms through proper integration, advanced query techniques, and workflow optimization that most organizations never achieve
  • Accelerate incident response - Implement structured triage processes, quality investigation frameworks, and AI-powered automation that cut response times and improve accuracy under pressure
  • Build sustainable operations - Develop your team's expertise in the advanced skills that prevent burnout, reduce turnover, and create the high-performing SOC analysts every organization struggles to find and retain

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in SEC450: SOC Analyst Training – Applied Skills for Cyber Defense Operations.

Section 1: Blue Team Tools and Operations

Section 1 lays the groundwork for SOC analysts, covering threat models, analyst workflows, and key tools like SIEM and SOAR. It closes with how to apply generative AI in security operations, from improving documentation and analysis to understanding AI-driven threats and tools—preparing you for the future of AI in cyber defense.

Topics covered

  • Foundations of Security Operations
  • Cyber Threat Intelligence (CTI) and Building a Threat-Informed Defense
  • SOC Data and Tools
  • Generative AI for the SOC

Labs

  • Threat Intelligence Platforms (TIPs) for SOC Analysts
  • Using a SIEM for Log Analysis
  • Case Management Systems – Playbooks and Workflow Design
  • The AI-Powered SOC – Prompting, Investigating, and Coding with LLMs

Section 2: Understanding Your Network

Section 2 dives into network-based threat hunting. Learn to use routers, firewalls, flow logs, and full packet capture to track attacker activity. You'll analyze DNS, HTTP, and TLS traffic, spot encrypted threats without decryption, and explore post-exploitation protocols—building skills to detect threats others overlook.

Topics covered

  • Network Visibility & Traffic Analysis
  • DNS Monitoring & Threat Detection
  • HTTP Traffic Dissection
  • Encrypted Traffic Analysis
  • Post-Exploitation Protocols

Labs

  • Monitoring DNS Requests, Traffic, and Analysis
  • Analyzing Malicious DNS
  • Wireshark Workflow and HTTP Analysis
  • Decoding and Analyzing HTTP/2 and HTTP/3 Traffic
  • Analyzing TLS Traffic without Decryption
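The DNS labs above hinge on one idea: tunnelling and DGA traffic looks different from ordinary name resolution even when you cannot see the payload. The following script is an added illustration (not course material or SANS code) of the per-domain heuristics an analyst would apply to a query log: label entropy, label length, the share of TXT/NULL queries, and the churn of never-repeated subdomains. The log format, the thresholds, and the `exfil-test.invalid` queries are all assumptions constructed for the example; the two-signal requirement before flagging is a deliberate false-positive control, since CDN and cloud hostnames alone can trip any single heuristic.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: "<epoch> <client> <qname> <qtype>" per line.
# The exfil-test.invalid queries imitate data-in-subdomain tunnelling; none of this is real traffic.
SAMPLE_DNS_LOG = """\
1700000001 10.0.0.5 www.example.com A
1700000002 10.0.0.5 mail.example.com MX
1700000003 10.0.0.7 a3f9c1d2e8b74f6a0c5d9e1b2a7f4c8d.exfil-test.invalid TXT
1700000004 10.0.0.7 7b2e4d9a1c3f5e8b0d6a2c4e9f1b3d5a.exfil-test.invalid TXT
1700000005 10.0.0.7 c9d1e3f5a7b9c1d3e5f7a9b1c3d5e7f9.exfil-test.invalid TXT
1700000006 10.0.0.7 e1f3a5b7c9d1e3f5a7b9c1d3e5f7a9b1.exfil-test.invalid TXT
1700000007 10.0.0.5 cdn.example.com A
"""


def shannon_entropy(s):
    """Bits of entropy per character: ~4.0 is the ceiling for hex, ordinary hostnames sit well below 3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Parse the constructed four-column log format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype.upper()})
    return records


def registered_domain(qname):
    # Simplification for the example: the last two labels are the registrable domain.
    # Production code should consult the Public Suffix List (co.uk, com.au, ...).
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def score_domains(records, min_queries=3, entropy_threshold=3.5,
                  label_len_threshold=20, txt_ratio_threshold=0.5):
    """Return {registered_domain: [reasons]} for domains whose query pattern looks like tunnelling or a DGA."""
    per_domain = defaultdict(lambda: {"queries": 0, "subdomains": set(), "txt": 0, "clients": set()})
    for r in records:
        d = registered_domain(r["qname"])
        s = per_domain[d]
        s["queries"] += 1
        s["clients"].add(r["client"])
        if r["qtype"] in ("TXT", "NULL"):          # record types favoured by tunnelling tools
            s["txt"] += 1
        if r["qname"] != d:
            s["subdomains"].add(r["qname"][: -len(d) - 1])
    findings = {}
    for d, s in per_domain.items():
        if s["queries"] < min_queries:
            continue                                 # too little data to judge
        leftmost = [sub.split(".")[0] for sub in s["subdomains"]]
        max_entropy = max((shannon_entropy(l) for l in leftmost), default=0.0)
        max_len = max((len(l) for l in leftmost), default=0)
        reasons = []
        if max_entropy >= entropy_threshold:
            reasons.append(f"high-entropy label ({max_entropy:.2f} bits)")
        if max_len >= label_len_threshold:
            reasons.append(f"long label ({max_len} chars)")
        if s["txt"] / s["queries"] >= txt_ratio_threshold:
            reasons.append("TXT/NULL-heavy query mix")
        if len(s["subdomains"]) >= 10 and len(s["subdomains"]) / s["queries"] > 0.9:
            reasons.append("many never-repeated subdomains")
        if len(reasons) >= 2:                        # two independent signals before we flag
            findings[d] = reasons
    return findings


if __name__ == "__main__":
    for domain, why in score_domains(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(domain, "->", "; ".join(why))
```

Run against the constructed log, only `exfil-test.invalid` is reported (high-entropy 32-character hex labels, every query a TXT record), while `example.com` is untouched even though its three subdomains are all unique. Swap in a real resolver or Zeek `dns.log` export and tune the thresholds against a week of your own baseline before trusting the output.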

Section 3: Understanding Endpoints, Logs, and Files

Section 3 builds your skills in log analysis and malware fundamentals. You’ll learn to craft SIEM queries, visualize data, and spot attacker activity across Windows, Linux, and cloud logs. Then, dive into malware handling, static analysis, IOC extraction, and sandboxing to uncover threats hiding in weaponized files and complex data.

Topics covered

  • Deep Dive on SIEM for Threat Detection
  • How Windows and Linux Logging Works
  • Key Log Events for Threat Detection and How to Interpret Them
  • Cloud Logging
  • Malware Analysis Fundamentals

Labs

  • Building SIEM Visualizations and Dashboards
  • Threat Hunting with a SIEM
  • Suspicious File Triage, Static Analysis, and Malware Sandboxes
  • Reverse Engineering Common Malware File Types

Section 4: Triage and Analysis

Section 4 builds expertise in phishing investigations and structured analysis. Learn to detect spoofed emails, block malicious links, and investigate BEC and MFA bypasses. Then sharpen your triage and decision-making with OPSEC best practices and structured techniques to reduce bias, prioritize alerts, and analyze threats with clarity under pressure.

Topics covered

  • Phishing Prevention
  • How to Investigate Common Phishing Techniques
  • Alert Triage and Prioritization
  • Structured Analysis Techniques
  • Operational Security (OPSEC) for SOC Analysts

Labs

  • Analyzing Phishing Email Headers and Identifying Spoofed Email
  • Dissecting Modern Malicious Email Attachments
  • Applied Alert Triage & Prioritization
  • Applying Structured Analysis Techniques for High Quality Investigation
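The spoofed-email lab above comes down to reading a handful of headers in the right order: do SPF and DKIM pass, and if so, do they pass for the domain in the visible From header (DMARC alignment); do Return-Path and Reply-To point somewhere else; and is a trusted address being smuggled into the display name. This script is an added example, not course material, using only the Python standard library. The three messages are constructed: an exact-domain spoof that fails alignment, a display-name spoof that passes every authentication check and is caught only by the display-name test, and a legitimate message. Parsing `Authentication-Results` with a regex is a simplification; a real pipeline should trust only the header stamped by its own border MTA and strip any copies that arrived from outside.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed messages (headers only). None of these are real mail.
SPOOFED_EXACT = """\
Return-Path: <bounce@mailer.attacker-example.net>
Authentication-Results: mx.victim-example.com;
    spf=pass smtp.mailfrom=mailer.attacker-example.net;
    dkim=pass header.d=attacker-example.net;
    dmarc=fail header.from=victim-example.com
From: "IT Helpdesk" <helpdesk@victim-example.com>
Reply-To: helpdesk-support@attacker-example.net
To: user@victim-example.com
Subject: Action required: MFA re-enrollment

"""

SPOOFED_DISPLAY = """\
Return-Path: <bounce@attacker-example.net>
Authentication-Results: mx.victim-example.com;
    spf=pass smtp.mailfrom=attacker-example.net;
    dkim=pass header.d=attacker-example.net;
    dmarc=pass header.from=attacker-example.net
From: "helpdesk@victim-example.com" <alerts@attacker-example.net>
To: user@victim-example.com
Subject: Your mailbox is almost full

"""

LEGIT = """\
Return-Path: <no-reply@victim-example.com>
Authentication-Results: mx.victim-example.com;
    spf=pass smtp.mailfrom=victim-example.com;
    dkim=pass header.d=victim-example.com;
    dmarc=pass header.from=victim-example.com
From: "IT Helpdesk" <helpdesk@victim-example.com>
To: user@victim-example.com
Subject: Scheduled maintenance window

"""


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def aligned(auth_domain, from_domain):
    """DMARC relaxed alignment: same domain, or one is a subdomain of the other."""
    return (auth_domain == from_domain
            or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))


def parse_auth_results(value):
    """Parse 'authserv-id; spf=... smtp.mailfrom=...; dkim=... header.d=...; dmarc=...' into a dict."""
    results = {}
    for part in value.split(";")[1:]:                 # [0] is the authserv-id
        part = " ".join(part.split())                # collapse header folding
        m = re.match(r"(spf|dkim|dmarc)=(\w+)", part)
        if not m:
            continue
        dom = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=(?:[^@\s]+@)?([\w.-]+)", part)
        results[m.group(1)] = {"result": m.group(2).lower(),
                               "domain": dom.group(1).lower() if dom else ""}
    return results


def analyze_headers(raw):
    """Return the visible From address plus a list of spoofing indicators (empty when clean)."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    findings = []
    for method in ("spf", "dkim"):
        r = auth.get(method, {})
        if r.get("result") != "pass":
            findings.append(f"{method}-{r.get('result', 'missing')}")
        elif not aligned(r["domain"], from_dom):
            findings.append(f"{method}-unaligned")     # passes, but for somebody else's domain
    dmarc = auth.get("dmarc", {}).get("result", "missing")
    if dmarc != "pass":
        findings.append(f"dmarc-{dmarc}")
    for header, label in (("Return-Path", "return-path"), ("Reply-To", "reply-to")):
        _, addr = parseaddr(msg.get(header, ""))
        if addr and not aligned(domain_of(addr), from_dom):
            findings.append(f"{label}-mismatch")
    m = re.search(r"[\w.+-]+@([\w.-]+)", display)       # an address hiding in the display name
    if m and m.group(1).lower() != from_dom:
        findings.append("display-name-address-mismatch")
    return {"from": from_addr, "from_domain": from_dom, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("exact spoof", SPOOFED_EXACT), ("display-name spoof", SPOOFED_DISPLAY), ("legit", LEGIT)):
        print(name, "->", analyze_headers(raw)["findings"] or "clean")
```

The second message is the instructive one: SPF, DKIM and DMARC all pass because the attacker authenticated their own domain, so an analyst who stops at the authentication verdicts would clear it. The display-name check, and in practice a lookalike-domain check against your own brand list, is what catches it.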

Section 5: Continuous Improvement, Analytics, and Automation

Section 5 takes you from analyst to detection engineer. Learn to craft high-fidelity detections with tools like YARA-X and Sigma, reduce false positives, and tune alerts effectively. Explore where automation helps or hurts, assess investigation quality, and build sustainable skills to grow your cybersecurity career without burning out.

Topics covered

  • Detection Engineering
  • Alert Tuning and False Positive Reduction
  • Automation and Orchestration
  • Investigation Quality
  • How to Avoid Burnout for SOC Analysts

Labs

  • File-Based Detection with YARA-X
  • Log-Based Detection with Sigma
  • Alert Tuning and False Positive Reduction
  • Integrating generative AI into SOC Automation
  • Collecting and Documenting Incident Information for Effective Incident Reporting
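The Sigma and alert-tuning labs above share one mechanic: a rule is a set of named selections combined by a condition, and tuning means adding a `filter` selection and a `not filter` clause rather than loosening the detection itself. The script below is an added example (not course material and not the Sigma project's own code) that implements just enough of Sigma's matching semantics (field modifiers `contains`, `startswith`, `endswith`, `all`; lists as OR; `and`/`or`/`not` in the condition) to run one rule over constructed Sysmon process-creation events. The rule, the events, the `CORP\finance-svc` account and the `\\fileserver\lob-addin\` path are assumptions made up for the example. Real deployments compile Sigma to the SIEM's query language with sigma-cli or pySigma instead of matching in Python.

```python
import json

# Constructed Sysmon Event ID 1 (process creation) records, one JSON object per line. Not real telemetry.
SAMPLE_EVENTS = r"""
{"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA","ParentImage":"C:\\Office16\\WINWORD.EXE","ParentCommandLine":"\"C:\\Office16\\WINWORD.EXE\" C:\\Users\\jdoe\\Downloads\\invoice.docm","User":"CORP\\jdoe"}
{"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\jdoe\\report.ps1","ParentImage":"C:\\Office16\\EXCEL.EXE","ParentCommandLine":"\"C:\\Office16\\EXCEL.EXE\" C:\\Users\\jdoe\\report.xlsx","User":"CORP\\jdoe"}
{"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoProfile -EncodedCommand JABlAHIAcgBvAHIAQQBjAHQAaQBvAG4A","ParentImage":"C:\\Office16\\EXCEL.EXE","ParentCommandLine":"\"C:\\Office16\\EXCEL.EXE\" \\\\fileserver\\lob-addin\\Report.xlsm","User":"CORP\\finance-svc"}
{"EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami","ParentImage":"C:\\Office16\\WINWORD.EXE","ParentCommandLine":"\"C:\\Office16\\WINWORD.EXE\"","User":"CORP\\jdoe"}
"""

# Sigma-style rule as a dict (the YAML would carry the same keys). The filter is the tuning step:
# a known line-of-business add-in that legitimately launches encoded PowerShell from a fixed share.
RULE = {
    "title": "Encoded PowerShell spawned by an Office application",
    "level": "high",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe",
                      "CommandLine|contains": ["-enc", "-encodedcommand"]},
        "office_parent": {"ParentImage|endswith": ["\\winword.exe", "\\excel.exe", "\\outlook.exe"]},
        "filter_lob_addin": {"User": "CORP\\finance-svc",
                             "ParentCommandLine|contains": "\\\\fileserver\\lob-addin\\"},
        "condition": "selection and office_parent and not filter_lob_addin",
    },
}


def _values(v):
    return v if isinstance(v, list) else [v]


def match_field(event, key, expected):
    """Evaluate one 'Field|modifier' entry. Lists are OR unless the 'all' modifier is present; comparisons are case-insensitive."""
    field, *mods = key.split("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual_s = str(actual).lower()
    results = []
    for val in _values(expected):
        v = str(val).lower()
        if "contains" in mods:
            results.append(v in actual_s)
        elif "startswith" in mods:
            results.append(actual_s.startswith(v))
        elif "endswith" in mods:
            results.append(actual_s.endswith(v))
        else:
            results.append(actual_s == v)
    return all(results) if "all" in mods else any(results)


def match_selection(event, selection):
    """A selection map is an AND of its fields; a list of maps is an OR of selections."""
    if isinstance(selection, list):
        return any(match_selection(event, s) for s in selection)
    return all(match_field(event, k, v) for k, v in selection.items())


def eval_condition(condition, truth):
    """Evaluate 'x and not y or z' over selection verdicts. 'and' binds tighter than 'or'; no parentheses."""
    def eval_and(tokens):
        value, negate = True, False
        for tok in tokens:
            if tok == "and":
                continue
            if tok == "not":
                negate = True
                continue
            value = value and (truth[tok] != negate)
            negate = False
        return value
    return any(eval_and(group.split()) for group in condition.split(" or "))


def run_rule(rule, events):
    """Return the events the rule fires on."""
    det = rule["detection"]
    hits = []
    for ev in events:
        truth = {name: match_selection(ev, sel) for name, sel in det.items() if name != "condition"}
        if eval_condition(det["condition"], truth):
            hits.append(ev)
    return hits


def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for hit in run_rule(RULE, load_events(SAMPLE_EVENTS)):
        print(RULE["title"], "|", hit["User"], "|", hit["CommandLine"][:60])
```

Without `filter_lob_addin` the rule fires twice (the Word-spawned encoded command and the finance add-in); with it, only the first. Note what the filter keys on: the parent command line path and the service account together, not the user alone, so an attacker who obtains `finance-svc` credentials and launches encoded PowerShell from a different parent is still caught.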

Section 6: Capstone: Defend the Flag

The course ends with a high-stakes, team-based capture-the-flag challenge. Using real network data in a simulated attack, you’ll race to detect and analyze threats across multiple scenarios. It’s a full day of hands-on problem solving that tests your ability to perform advanced threat hunting under real-world pressure.

Things You Need To Know

Relevant Job Roles

Intrusion Detection/SOC Analysts

Digital Forensics and Incident Response

Analyze network and endpoint data to swiftly detect threats, conduct forensic investigations, and proactively hunt adversaries across diverse platforms including cloud, mobile, and enterprise systems.


Blue Teamer - All Around Defender

Cyber Defense

This job, which may have varying titles depending on the organization, is often characterized by the breadth of tasks and knowledge required. The all-around defender and Blue Teamer is the person who may be a primary security contact for a small organization, and must deal with engineering and architecture, incident triage and response, security tool administration and more.


SOC Manager

Cyber Defense

Security Operations Center (SOC) managers bridge the gap between business processes and the highly technical work that goes on in the SOC. They direct SOC operations and are responsible for hiring and training, creating and executing cybersecurity strategy, and leading the company’s response to major security threats.


Infrastructure Support (OPM 521)

NICE: Protection and Defense

Responsible for testing, implementing, deploying, maintaining, and administering infrastructure hardware and software for cybersecurity.


Intrusion Detection / (SOC) Analyst

Cyber Defense

Security Operations Center (SOC) analysts work alongside security engineers and SOC managers to implement prevention, detection, monitoring, and active response. Working closely with incident response teams, a SOC analyst will address security issues when detected, quickly and effectively. With an eye for detail and anomalies, these analysts see things most others miss.


Defensive Cybersecurity (OPM 511)

NICE: Protection and Defense

Responsible for analyzing data collected from various cybersecurity defense tools to mitigate risks.


Cybersecurity Analyst/Engineer

Cyber Defense

As this is one of the highest-paid jobs in the field, the skills required to master the responsibilities involved are advanced. You must be highly competent in threat detection, threat analysis, and threat protection. This is a vital role in preserving the security and integrity of an organization’s data.


Cybersecurity Implementer

European Cybersecurity Skills Framework

Develop, deploy and operate cybersecurity solutions (systems, assets, software, controls and services) on infrastructures and products.


Course Schedule & Pricing

  • Virtual (OnDemand), instructed by John Hubbard. OnDemand (anytime), self-paced, 4 months access. $8,780 USD (prices exclude applicable local taxes). Buy now for access on Aug 27; use code Presale10 for 10% off the course price.
  • Boston, MA, US & Virtual (live), instructed by John Hubbard. $8,780 USD (prices exclude applicable local taxes).
  • London, GB & Virtual (live), instructed by David Mashburn. £7,160 GBP (prices exclude applicable taxes; EUR price available during checkout).
  • Sydney, NSW, AU & Virtual (live), instructed by David Mashburn. A$13,350 AUD (prices exclude applicable local taxes).
  • Paris, FR, instructed by Cristian-Mihai VIDU. €8,230 EUR (prices exclude applicable local taxes).
  • Las Vegas, NV, US & Virtual (live), instructed by Mark Jeanmougin. $8,780 USD (prices exclude applicable local taxes).
  • Riyadh, SA & Virtual (live), instructed by Mark Jeanmougin. $8,900 USD (prices exclude applicable local taxes).
  • Virtual (live), instructed by Cristian-Mihai VIDU. €8,230 EUR (prices exclude applicable local taxes).

Showing 8 of 11 scheduled events. Group purchase options are available on request.

Benefits of Learning with SANS


Get feedback from the world’s best cybersecurity experts and instructors


Choose how you want to learn - online, on demand, or at our live in-person training events

Resources

Get access to our range of industry-leading courses and resources