Certified SOC Analyst (CSA)
- 02 April 2025, duration 24 weeks
- 01 June 2026, duration 36 weeks
Develop expertise to monitor, detect, and respond to cybersecurity incidents with CSA certification
As an Authorized Training Center of EC-Council, we provide official CSA certification that builds SOC expertise in SIEM, threat intelligence, and AI-driven defense
Key features & benefits
Gain practical experience with 50+ hands-on labs and 120+ tools designed to mirror real SOC operations
Follow global standards with full alignment to NICE 2.0 and the NIST Cybersecurity Framework
Develop end-to-end SOC workflow expertise, including log management, event correlation, IoC investigation, and incident escalation
Leverage AI- and ML-powered SOC operations to automate triage, prioritize alerts, and proactively detect threats
Deploy and manage SIEM platforms with 350+ real-world use cases across Splunk, QRadar, ArcSight, and LogRhythm
Strengthen your ability to secure hybrid, multi-cloud, mobile, and IoT environments
Earn a globally recognized EC-Council certification that validates career-ready SOC skills
Enable organizations to build SOC teams capable of reducing detection time, minimizing costs, and improving resilience
Empower professionals to advance their careers with practical expertise and a credential that employers worldwide demand
Course outline
Module 01
Security operations and management
Learn how a SOC enhances an organization’s security management to maintain a strong security posture, focusing on the critical roles of people, technology, and processes in its operations.
Key topics covered: SOC, SOC capabilities, SOC operations, SOC workflow, components of SOC, SOC models, SOC maturity models, SOC generations, SOC KPIs and metrics, SOC challenges
Module 02
Understanding cyber threats, IoCs, and attack methodology
Learn various cyberattacks, their IoCs, and the attack tactics, techniques, and procedures (TTPs) cybercriminals use.
- Perform SQL injection, cross-site scripting (XSS), network scanning, DoS, and brute-force attacks to understand their TTPs and IoCs.
- Detect and analyze IoCs using Wireshark.
Key topics covered: cyber threats, TTPs, reconnaissance attacks, man-in-the-middle attacks, password attack techniques, malware attacks, advanced persistent threat lifecycle, host-based DoS attacks, ransomware attacks, SQL injection attacks, XSS attacks, cross-site request forgery (CSRF) attack, session attacks, social engineering attacks, email attacks, insider attack, IoCs, attacker’s hacking methodology, MITRE D3FEND framework, diamond model of intrusion analysis
Module 03
Log management
Learn log management in SIEM, including how logs are generated, stored, centrally collected, normalized, and correlated across systems.
- Configure, monitor, and analyze various logs.
- Collect logs from different devices into a centralized location using Splunk.
Key topics covered: incident, event, log, log sources, log format, local logging, Windows event log, Linux logs, macOS logs, firewall logs, iptables, router logs, IIS logs, Apache logs, database logs, centralized logging, log collection, log transmission, log storage, AI-powered script for log storage, log normalization, log parsing, log correlation, log analysis, alerting and reporting
Module 04
Incident detection and triage
Learn SIEM fundamentals, including its capabilities, deployment strategies, use case development, and how it helps SOC analysts detect anomalies, triage alerts, and report incidents.
- Develop Splunk use cases to detect and alert on brute-force attempts, ransomware activity, SQL injection attempts, XSS attempts, broken access control attempts, application crashes caused by remote code execution, scanning attempts, insecure ports and services, DoS attacks, Windows audit log tampering, and malicious PowerShell script execution.
- Enhance alert triage by converting Sigma rules into Splunk queries.
- Create dashboards in Splunk.
- Create ELK use cases for monitoring trusted binaries connecting to the internet, credential dumping using Mimikatz, and monitoring malware activity in the system.
- Create dashboards in ELK.
- Detect brute-force attack patterns using correlation rules in ManageEngine Log360.
Key topics covered: SIEM, SIEM architecture and its components, AI-enabled SIEM, types of SIEM solutions, SIEM deployment, SIEM use cases, SIEM deployment architecture, SIEM use case lifecycle, application-level incident detection SIEM use cases, insider incident detection SIEM use cases, examples of network level incident detection SIEM use cases, examples of compliance use cases, SIEM rules generation with AI, alert triage, Splunk AI, Elasticsearch AI, alert triage with AI, dashboards in SOC, SOC reports
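The two steps that Modules 03 and 04 practise in Splunk and Log360, log normalization followed by a brute-force correlation rule, look like this when written out by hand. This is an added example, not EC-Council courseware; it assumes two log formats (an rsyslog sshd line, whose timestamp has no year, and a Windows Security log exported as one JSON object per line), and every log line in it is constructed.

```python
"""Added example (not part of the EC-Council CSA courseware): normalise two raw
log formats into one event schema (Module 03), then run a brute-force
correlation rule of the kind Module 04 builds as a Splunk/Log360 use case.
Every log line below is constructed for the example."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ---- Log parsing and normalisation -----------------------------------------

# Classic rsyslog sshd line; the timestamp carries no year, so we assume one.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_sshd(line, year=2025):
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "user": m["user"],
            "outcome": "failure" if m["outcome"] == "Failed" else "success",
            "sourcetype": "linux_sshd"}


def parse_winlog(line):
    """Windows Security log exported as one JSON object per line (assumed
    export format); 4625 = failed logon, 4624 = successful logon."""
    try:
        d = json.loads(line)
    except json.JSONDecodeError:
        return None
    if d.get("EventID") not in (4624, 4625):
        return None
    return {"ts": datetime.fromisoformat(d["TimeCreated"]), "src": d["IpAddress"],
            "user": d["TargetUserName"],
            "outcome": "failure" if d["EventID"] == 4625 else "success",
            "sourcetype": "windows_security"}


def normalise(lines):
    """Map every parsable line onto the common schema and order by time, the
    step a SIEM performs before correlation can work across sources."""
    events = [ev for ev in (parse_sshd(l) or parse_winlog(l) for l in lines) if ev]
    return sorted(events, key=lambda e: e["ts"])


# ---- Correlation rule -------------------------------------------------------

def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Fire 'brute_force_attempt' when one source IP produces >= threshold
    failed logons inside `window` (counted across Linux and Windows sources),
    and escalate to 'brute_force_success' if that IP then logs on successfully."""
    alerts = []
    recent = defaultdict(list)   # src -> failure timestamps still inside the window
    fired = set()                # sources that already raised the medium alert
    for ev in events:
        src = ev["src"]
        if ev["outcome"] == "failure":
            recent[src] = [t for t in recent[src] if ev["ts"] - t <= window] + [ev["ts"]]
            if len(recent[src]) >= threshold and src not in fired:
                fired.add(src)
                alerts.append({"rule": "brute_force_attempt", "severity": "medium",
                               "src": src, "count": len(recent[src])})
        elif src in fired:
            alerts.append({"rule": "brute_force_success", "severity": "high",
                           "src": src, "user": ev["user"], "ts": ev["ts"].isoformat()})
            fired.discard(src)
            recent[src].clear()
    return alerts


# Constructed sample: one attacker spraying sshd and a Windows host, one noise
# failure from another address, then a successful Windows logon by the attacker.
SAMPLE_LOGS = [
    "Apr 02 10:00:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "Apr 02 10:00:03 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 51130 ssh2",
    "Apr 02 10:00:05 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 51140 ssh2",
    '{"TimeCreated": "2025-04-02T10:00:06", "EventID": 4625, "TargetUserName": "administrator", "IpAddress": "203.0.113.7"}',
    '{"TimeCreated": "2025-04-02T10:00:08", "EventID": 4625, "TargetUserName": "administrator", "IpAddress": "203.0.113.7"}',
    "Apr 02 10:00:09 web01 sshd[2220]: Failed password for root from 198.51.100.9 port 40001 ssh2",
    '{"TimeCreated": "2025-04-02T10:00:30", "EventID": 4624, "TargetUserName": "administrator", "IpAddress": "203.0.113.7"}',
]

if __name__ == "__main__":
    for alert in detect_brute_force(normalise(SAMPLE_LOGS)):
        print(alert)
```

The point the rule makes is the one the module's use cases rely on: the five failures only reach the threshold because both sources were normalised onto the same `src`/`outcome` fields, and the success that follows is what turns a medium-severity attempt into a high-severity escalation.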
Module 05
Proactive threat detection
Learn the importance of threat intelligence and threat hunting for SOC analysts, and how their integration with SIEM helps reduce false positives and enables faster, more accurate alert triage.
- Integrate IoCs into the ELK stack.
- Integrate OTX threat data into OSSIM.
- Detect incidents in Windows Server using YARA.
- Conduct threat hunting using Windows PowerShell scripts, Hunt Manager in Velociraptor, Log360 UEBA, and Sophos Central.
Key topics covered: cyber threat intelligence (CTI), threat intelligence lifecycle, types of threat intelligence, threat intelligence strategy, threat intelligence sources, threat intelligence platform (TIP), threat intelligence-driven SOC, threat intelligence use cases for enhanced incident response, enhanced threat detection with AI, threat hunting, threat hunting process, threat hunting frameworks, threat hunting with PowerShell script, PowerShell AI module, threat hunting with AI, threat hunting with YARA, threat hunting tools.
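Integrating IoCs into a SIEM, as the ELK and OSSIM/OTX labs above do, involves a preparatory step that trips up first attempts: public feeds publish indicators defanged (`hxxp://`, `[.]`), hashes in mixed case, and URLs whose host is what the DNS and connection telemetry will actually show. The block below is an added example, not course material or OSSIM/ELK code; the feed, the event records and their field names are constructed for illustration.

```python
"""Added example (not part of the EC-Council CSA courseware): normalise a
threat-intelligence feed whose indicators are published defanged (as OTX and
most public feeds do), classify each indicator, and sweep endpoint telemetry
for matches. The feed and the events are constructed for the example."""
import re

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
SHA256 = re.compile(r"^[0-9a-f]{64}$", re.I)
MD5 = re.compile(r"^[0-9a-f]{32}$", re.I)
DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def refang(ioc):
    """Undo the usual defanging conventions: hxxp -> http, [.] -> ., [:] -> :."""
    s = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.I)
    for a, b in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[@]", "@")):
        s = s.replace(a, b)
    return s


def classify(raw):
    """Return (kind, canonical value); hashes are lower-cased so a feed that
    publishes upper-case hex still matches telemetry that logs lower-case."""
    ioc = refang(raw)
    if IPV4.match(ioc):
        return "ipv4", ioc
    if SHA256.match(ioc):
        return "sha256", ioc.lower()
    if MD5.match(ioc):
        return "md5", ioc.lower()
    if "://" in ioc:
        return "url", ioc
    if DOMAIN.match(ioc):
        return "domain", ioc.lower()
    return "unknown", raw


def build_index(feed):
    """Bucket indicators by kind. A URL indicator also contributes its host, so
    DNS and connection telemetry can match even when the full URL is not logged."""
    idx = {k: set() for k in ("ipv4", "domain", "url", "sha256", "md5")}
    unknown = []
    for raw in feed:
        kind, val = classify(raw)
        if kind == "unknown":
            unknown.append(raw)
            continue
        idx[kind].add(val)
        if kind == "url":
            host = val.split("://", 1)[1].split("/", 1)[0].lower()
            idx["ipv4" if IPV4.match(host) else "domain"].add(host)
    return idx, unknown


def domain_hits(name, domains):
    """Match the queried name and every parent domain, so a feed entry for
    c2.example also catches update.c2.example."""
    parts = name.lower().split(".")
    cands = [".".join(parts[i:]) for i in range(len(parts))]
    return [c for c in cands if c in domains]


def sweep(events, idx):
    """Walk constructed endpoint telemetry (assumed field names) and report hits."""
    hits = []
    for ev in events:
        if ev["type"] == "dns":
            for d in domain_hits(ev["query"], idx["domain"]):
                hits.append({"kind": "domain", "ioc": d, "host": ev["host"]})
        elif ev["type"] == "netconn" and ev["dst_ip"] in idx["ipv4"]:
            hits.append({"kind": "ipv4", "ioc": ev["dst_ip"], "host": ev["host"]})
        elif ev["type"] == "process" and ev.get("sha256", "").lower() in idx["sha256"]:
            hits.append({"kind": "sha256", "ioc": ev["sha256"].lower(), "host": ev["host"]})
    return hits


# Constructed feed in the defanged style public feeds use, plus one junk entry.
FEED = [
    "hxxp://malware-cdn[.]example/loader.bin",
    "203[.]0[.]113[.]55",
    "c2-beacon[.]example",
    "A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90",
    "not an indicator",
]

# Constructed telemetry: a DNS query to a subdomain of a listed C2, a connection
# to a listed IP, a process whose hash is listed, and one benign DNS query.
EVENTS = [
    {"type": "dns", "host": "ws-17", "query": "update.c2-beacon.example"},
    {"type": "netconn", "host": "ws-17", "dst_ip": "203.0.113.55", "dst_port": 443},
    {"type": "process", "host": "ws-04", "image": r"C:\Users\a\AppData\Local\Temp\loader.exe",
     "sha256": "a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90"},
    {"type": "dns", "host": "ws-09", "query": "www.example.com"},
]

if __name__ == "__main__":
    index, skipped = build_index(FEED)
    for hit in sweep(EVENTS, index):
        print(hit)
    print("unparsed feed entries:", skipped)
```

Two details carry most of the value: the parent-domain walk (a feed entry for the apex domain has to catch the subdomain the beacon actually resolves) and reporting the entries that could not be classified, rather than silently loading a feed that matches nothing.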
Module 06
Incident response
Learn the stages of incident response and how the IRT collaborates with SOC to handle and respond to escalated incidents.
- Generate tickets for incidents.
- Contain data loss incidents.
- Eradicate SQL injection and XSS incidents.
- Perform recovery from data loss incidents.
- Create incident reports using OSSIM.
- Perform automated threat detection and response using Wazuh.
- Detect threats using Sophos Central XDR.
- Integrate Sophos Central XDR with Splunk.
Key topics covered: incident response (IR), IRT, SOC and IRT collaboration, IR process, ticketing system, incident triage, notification, containment, eradication, recovery, network security incident response, application security incident response, email security incident response, insider threats and incident response, malware threats and incident response, SOC playbook, endpoint detection and response (EDR), extended detection and response (XDR), SOAR, SOAR playbook
Module 07
Forensic investigation and malware analysis
Learn the importance of forensic investigation and malware analysis in SOC operations to understand attack methods, identify IoCs, and enhance future defenses.
- Perform forensic investigation of application security incidents such as SQL injection attacks.
- Perform forensic investigation of a compromised system incident using Velociraptor.
- Analyze RAM for suspicious activities using Redline.
- Perform static analysis on a suspicious file using PeStudio.
- Examine a suspicious file using VirusTotal.
- Perform dynamic malware analysis in Windows using Process Hacker.
Key topics covered: forensic investigation, forensic investigation methodology, forensic investigation process, forensic investigation of network security incidents, forensic investigation of application security incidents, forensic investigation of email security incidents, forensic investigation of insider incidents, malware analysis, types of malware analysis, malware analysis tools, static malware analysis, dynamic malware analysis.
Module 08
SOC for cloud environments
Learn the SOC processes in cloud environments, covering monitoring, incident detection, automated response, and security in AWS, Azure, and GCP using cloud-native tools.
- Implement Microsoft Sentinel in Azure.
Key topics covered: cloud SOC, Azure SOC architecture, Microsoft Sentinel, AWS SOC architecture, AWS Security Hub, centralized logging with OpenSearch, Google Cloud Platform (GCP) security operation center, security command center, Chronicle
Training prerequisites
Core knowledge
Basic understanding of computer networks, operating systems, and cybersecurity concepts
Familiarity with security operations center (SOC) functions and incident response fundamentals
Technical skills
Ability to use basic network and security tools (e.g., ping, traceroute, nslookup, Wireshark)
Understanding of log management concepts, including collection, normalization, and analysis
Familiarity with SIEM platforms (e.g., Splunk, QRadar, ArcSight, ELK) and their role in SOC operations
OS & tools
Confident using Windows and Linux environments (macOS is an advantage)
Able to install and run command-line utilities for monitoring and troubleshooting
Understanding of file systems, user permissions, and system audit logs
Training & register details
TRAINING OVERVIEW
Certified SOC Analyst (CSA)
Gain SOC analyst skills through hands-on labs and SIEM use cases to detect and respond to cybersecurity incidents
Training Duration: 3 days (24 hours)
Format: Instructor-Led Online
Level: Intermediate
Language: Ukrainian
Materials: English | 12 months valid
Labs: 24/7 | 180 days access
Exam Attempts: 1 official exam voucher included (312-39)
HOW TO REGISTER
1. Submit your application
Submit a quick application to let us know you’re interested in the course.
2. Intro call
We’ll schedule a short call to learn more about your goals and expectations.
3. Confirm your spot
Get accepted and complete the paperwork. We’ll send you all the info you need.
4. Start learning
Access your learning platform and get familiar with the materials.
5. Join the community
Get access to the student chat, events, and mentorship opportunities.
Who is CSA for?
Cybersecurity professionals
Advance your career with the CSA program by mastering SOC operations, SIEM, and incident response skills demanded in modern enterprises
Teams & businesses
Strengthen your security posture with certified SOC analysts capable of detecting, analyzing, and responding to real-world threats
Government and military
Trusted globally by government and defense agencies for building skilled SOC teams and ensuring compliance with international standards
Educators
Incorporate official CSA training into academic or corporate programs to prepare the next generation of SOC analysts
FAQ
What does a CSA do?
A certified SOC analyst (CSA) monitors and analyzes security alerts within a SOC, detects and responds to cyberthreats, confirms whether an alert reflects an actual breach, and escalates it as needed. By ensuring security issues are promptly identified and mitigated, CSAs are crucial to maintaining an organization’s security posture. A CSA is also trained to use AI tools for major SOC activities.
Is the CSA for beginners?
Yes. The CSA certification program is designed to train current and aspiring Tier I, Tier II, and Tier III SOC analysts in entry-level and intermediate operations. However, basic knowledge of cybersecurity and networking is recommended before starting CSA training.
Why is a SOC analyst important?
Without SOC analysts, critical processes like monitoring, detection, analysis, and alert prioritizing would be compromised, exposing organizations to increased risks. SOC analysts strengthen organizations’ security posture by offering the knowledge and experience to recognize and counter new cyberthreats.
What functions do SOC analysts perform, and why are they critical to cybersecurity?
To handle sophisticated threats, organizations need advanced cybersecurity solutions alongside traditional defenses. Practicing good cybersecurity hygiene, implementing appropriate layers of defense, and operating a SOC are practical measures. SOC teams pursue 24-hour and “follow-the-sun” coverage, performing security monitoring, security incident management, vulnerability management, security device management, and network flow monitoring.
A SOC analyst continuously monitors and detects potential threats, triages the alerts, and appropriately escalates them. Without a SOC analyst, processes such as monitoring, detection, analysis, and triaging will lose their effectiveness, ultimately negatively affecting the organization.
What jobs can I get after completing the CSA certification program?
With a CSA certification, you can pursue various roles in cybersecurity, such as SOC analyst (L1, L2, and L3), cybersecurity analyst, network security specialist, network defense analyst, security operations center professional, network and security administrator, network security operator, and more.
How much demand is there for CSA professionals?
SOCs are crucial for organizations to protect their systems and data. They are the first line of cyber defense for any IT team. Nearly 6 in 10 financial service providers operate a SOC, and 74% of SOC leaders plan to increase SOC headcount within two years (KPMG, 2024). The CSA program’s emphasis on practical skills aligns with the growing demand for security experts, especially in blue teams and SOCs.
Is CSA the best blue team certification?
CSA is an excellent choice for blue team professionals, providing a comprehensive focus on SOC operations, incident response, and threat detection. It is 100% compliant with the NICE 2.0 Framework. It includes 120 tools, 50 labs, and the knowledge to leverage AI tools, equipping candidates with real-world experience, which is crucial in a SOC.
What resources are provided in the CSA program?
You will gain access to the CSA training program, with one year of access to courseware, complex labs that provide hands-on experience with real-world issues, and a CSA examination voucher. You also gain access to 120 tools and 50+ labs, 65 case studies of major SIEM deployments, and 350 use cases, from common to highly specific, for ArcSight, QRadar, LogRhythm, and Splunk SIEM deployments.
