SOC Level 2

Description

Security Operations (SOC) 201 is an advanced course designed to elevate your ability to detect, investigate, and respond to complex cyber threats at scale. Building on the foundational skills from SOC 101, this course focuses on developing an effective investigative methodology and mastering the responsibilities of an Incident Responder or Threat Hunter.
Through hands-on labs and realistic scenarios, you’ll investigate sophisticated threats across enterprise environments, applying advanced techniques aligned with the MITRE ATT&CK framework. The curriculum emphasizes proactive threat hunting as part of a continuous detection and response cycle, helping analysts identify active threats, uncover security gaps, and improve future investigations.
By the end of the course, you’ll be equipped with the mindset, tools, and methodologies needed to confidently investigate incidents, trace root causes, and respond effectively to advanced adversaries.
This course includes an Exam Vouchers for TCM Security’s Practical SOC Analyst Professional (PSAP) certification – Launching September 2025. Each exam voucher includes 1 exam attempt and is valid for 12-months from the course completion date or certification release date.

Additional Course Information

Schedule and Pricing

Target Audience
SOC 201 is designed for individuals seeking to advance their defensive security skills beyond foundational knowledge. Ideal candidates include those already familiar with core SOC concepts who are ready to develop expertise in investigating and responding to sophisticated cyber threats. This course is suited for Tier 2 Security/SOC Analysts, Tier 3 Security/SOC Analysts, Incident Responders, Threat Hunters, Digital Forensic Examiners.
Pre-Requisites

This course relies heavily on working with IR investigations and forensic artifacts, but does not cover learning basic analysis tools. It is strongly recommended to have taken or be familiar with the Security Operations (SOC) 101 material and its prerequisites, which includes experience with:

  • Networking Fundamentals: Practical Help Desk (PHD) or equivalent
  • Operating System Fundamentals: Practical Help Desk (PHD) or equivalent
  • Security Operations Fundamentals
  • Network Traffic Analysis
  • Endpoint Security Monitoring
  • Log Analysis and Management
  • Security Information and Event Management (SIEM)
  • Basic Digital Forensics Exposure
Objectives
  • Develop a robust and reliable investigator's mindset to approach incidents methodically
  • Learn industry-standard methodologies and tools for detecting, hunting, and responding to cyber threats across enterprise environments
  • Gain experience performing incident response and threat hunting at scale
  • Learn to investigate and identify advanced adversary tactics following the MITRE ATT&CK framework, including execution artifacts, lateral movement, credential theft, living off the land techniques, persistence, defense evasion, command and control, and many more
  • Learn to perform effective attack timeline analysis, and guide effective incident response and remediation efforts
  • Investigate the root cause of security incidents by uncovering the entry point
Course Delivery Modality
VILT
Duration in Hours
24
Credits Eligible
1
Course Vendor

Course Outline

Day 1:

  • Understanding the modern adversary
  • Introduction to incident response
  • Incident decision making
  • Introduction to threat hunting
  • Threat hunting teams, data sources, and maturity models
  • Cyber threat intelligence
  • Exploring the MITRE ATT&CK Navigator
  • Structured and unstructured threat hunting
  • Data transformation techniques
  • Data transformation in the command-line, PowerShell, and Splunk
  • Searching, aggregations, statistics, and visualizations

Day 2:

  • Understanding and categorizing anomalies
  • Masquerading
  • Ambiguous identifiers
  • Frequency and volume anomalies
  • Temporal anomalies
  • Location and environmental anomalies
  • Structure and format anomalies
  • Absence and suppression anomalies
  • Entropy analysis
  • Dissecting threat reports
  • Threat hunting lab
  • Tracing an attack chain
  • Hunting execution
  • Hunting malicious process trees
  • Hunting persistence
  • Hunting defense evasion
  • Hunting command and control
  • Hunting lateral movement

Day 3:

  • Collection at scale
  • Collection with WMI
  • PowerShell 101
  • PowerShell remoting
  • Remote collection frameworks
  • Triage artifact collection with KAPE
  • Incident response with Velociraptor
  • Windows memory structures
  • The Volatility framework
  • Process analysis
  • Command line analysis
  • Network analysis
  • Registry analysis