Security Operations Center Training

Equipping Blue Teamers with the right training and resources to safeguard their organizations.

SOC Training & Resources

SANS offers training, certification, and resources for SIEM, Elastic Stack, and modern detection techniques to equip Blue Teamers with the knowledge and know-how needed to safeguard their organizations and drive security operations with actionable intelligence.


  • An effective SOC requires not just technical expertise from analysts, but a fundamental understanding of how the tools, processes, and data all come together to give the team a comprehensive view of attempted attacks and help them act to stop them. SOC training courses from SANS like SEC450: Blue Team Fundamentals - Security Operations and Analysis teach not only the concepts your team will need to be successful, but how to orchestrate data flow between SOC tools like a SIEM, Threat Intelligence Platform, and Incident Management system to ensure detected attacks can be dealt with at peak efficiency. To be at their best, teams must understand not only the “what, why, and how” of attack detection, but also best practices for triage and incident response workflow, and the methods to measure and consistently improve those capabilities over time.

  • SOC role-related certifications such as the GIAC GSOC, GMON, GSOM, GCDA, GCIA, GCIH, and GREM are a great way to improve your capabilities as an analyst, improving both your team’s capabilities and your own value in the market. Taking these certifications not only shows that you understand and can apply these important data analysis and threat detection skills, but also helps cement the concepts learned in the related courses in your memory for fast recall during an incident.

  • A tier 1 SOC analyst plays the incredibly important role of front-line defense for an organization’s security operations center. These positions typically involve being the first to look at identified potential attacks and triaging them for priority and severity, solving the issues that you are capable of, and escalating as necessary to further tiers. First-tier SOC analyst jobs are a great position as a point of entry into information security and are often the launching point for a long and in-depth career in cyber defense, and can lead down paths of additional SOC expertise, or towards engineering and architecture positions, specialty forensics roles, and more.

  • A tier 2 SOC analyst is the next level of progression in a tiered SOC for an analyst who has gained mastery of all the tier 1 concepts. As a tier 2 analyst, duties typically become more complex and involve more open-ended tasks such as threat hunting, detection engineering, tool creation and automation tasks, and more. At this level, analysts are expected to have a much stronger grasp of not only SOC analyst duties and workflow, but also an increasing level of familiarity with the organization that they’re defending, allowing them to make faster and higher quality decisions in situations that may have a more severe impact. Tier 2 SOC analysts should be smooth and practiced with all SOC procedures and tools, understand what to do as an incident starts to develop, and be able to take charge and make strong experience-based decisions on the next best course of action.

  • A tier 3 SOC analyst (which may or may not exist in certain organizations depending on the size of the SOC) is the top role when it comes to security analysts. At this level, analysts are expected to do incredibly deep analysis and will likely specialize in at least one facet of security monitoring - malware analysis, packet capture analysis, in-depth complex threat hunting for advanced threats, and more. On top of this, tier 3 SOC analysts are typically expected to be leaders and mentors for others in the SOC, helping guide newer analysts to build their skills and realize their potential. Analysts at this tier should also expect to be heavily involved in process improvement and automation projects. As they likely have the highest level of seniority at the organizations they work for, their deep knowledge of the environment best lends itself to high-value SOC improvement projects, specialized detection engineering tasks, nuanced and detail-oriented threat hunting, leading or assisting incident response, and more.

  • There are many paths into the role of SOC analyst. While many in the past have traditionally taken the path of working a non-security IT role and eventually moving their way into a SOC analyst position, this path is no longer necessary or even the most common. Many times, SOC analyst positions (especially tier 1) are hired as entry-level jobs directly out of cybersecurity-related school programs, tangential IT roles, as a lateral move within an organization’s security team, or even from outside of tech and IT altogether! Given the number of people needed in these roles throughout the world and the shortage of talent available to get them. Just check out this report from US News and World Report calling Security Analyst the “#1 career of 2022!” No kidding, it’s that awesome!

  • SOC analysts typically have an incredibly varied, challenging, and exciting role that depends somewhat on the organization they work at and how it structures and runs its security team. The core of the job is looking at network, endpoint, and cloud activity and trying to identify any attempted cyber-attacks so that they can be immediately halted. This requires understanding and looking at log files, network captures, malware and more, and learning how to understand, scope, and contain an attack in progress - a task that is always changing given the nature of constantly evolving attack methods and vulnerabilities. But some security analyst roles go further than that, including activities such as threat hunting, detection engineering (writing new rules and analytics to detect attacks), incident response, and even dipping into some threat intelligence and forensics duties as well.

  • NOC stands for “Network Operations Center” and is typically the group of people / location where the general health of an organization’s network is monitored. The goal is to quickly identify any service issues or outages and remediate them as quickly as possible. A SOC/CSOC (Cyber Security Operations Center), on the other hand, is similar in that it monitors for signs of issues, but in the realm of cyber-attacks. You may hear the term SOC used in the world of physical security as well, referring to a room of people monitoring cameras to physically guard a location, which is why some slightly change the acronym to CSOC, or otherwise make the cybersecurity angle specific.


Read what others have to say about SANS courses.
Now that the course is over, I can see how this class fills in the gap from more technical certs like Sec+ or even SSCP on specific areas someone on the Blue Team needs to know.
Susan Wagner
Thank you for a very informative week! SEC555 has totally changed what I think about SIEM!
Ben Curry
- F&M Bank
So far, SEC450 not only meets but goes beyond my expectations. One year ago I became a SOC team lead and this course adds to my knowledge and puts a more structured approach on what a SOC I am running should look like.
Radek Ochrymowicz
- Frontex
SEC511 is really interesting and full of useful information. I can see it adding a lot of value to our current setup.
James Gormley
- Musgrave
Loved the content of SEC503. 110% up to the SANS standard! It was well put together, presented, and reinforced. And I absolutely loved the class "capstone". Really well done!
Jill Francis
- SANS Institute of Technology student