TryHackMe SOC Level 1 Path: Complete 2026 Training Guide

HackerDNA Team

14 min read

Jan. 27, 2026

The TryHackMe SOC Level 1 path has become the go-to SOC analyst training for anyone serious about breaking into Security Operations Center roles. In 2025, TryHackMe completely revamped this learning path to better reflect what junior security analysts actually do on the job, adding new modules and removing content that belongs in more advanced training.

This guide covers everything you need to know about the TryHackMe SOC Level 1 path in 2026: what modules you'll complete, how long it takes, how much it costs, and how to use this SOC training to launch your cybersecurity career. Whether you're brand new to security or transitioning from IT, this path provides the foundation you need to become a SOC analyst.

Quick Facts: TryHackMe SOC Level 1 Path

Estimated Time: 40-60 hours depending on experience level
Modules: 10 core modules with 40+ rooms
Prerequisites: Basic computing and networking knowledge
Certificate: Free Certificate of Completion (Premium required)
Related Certification: SAL1 (Security Analyst Level 1) - $349
Last Updated: November 2025 (major revamp)

What Is the TryHackMe SOC Level 1 Path?

The TryHackMe SOC Level 1 path is a structured SOC analyst training program designed to prepare you for entry-level Security Operations Center positions. Unlike scattered tutorials or random YouTube videos, this learning path follows a logical progression from foundational concepts to hands-on alert triage and incident investigation.

As a junior security analyst (the role SOC Level 1 prepares you for), your primary job involves monitoring security alerts, investigating network threats, and escalating confirmed cyber incidents to senior analysts. The path teaches these exact operational skills through interactive labs rather than passive reading.

Who Should Take This Path?

  • Career changers: IT professionals wanting to move into cybersecurity
  • Students: Those pursuing cybersecurity degrees who want practical skills
  • Self-learners: Anyone interested in defensive security operations
  • Job seekers: Candidates preparing for SOC analyst interviews

Prerequisites

The path assumes basic knowledge of:

  • How computers and operating systems work (Windows and Linux basics)
  • Fundamental networking concepts (IP addresses, ports, protocols)
  • Common security terminology

If you're completely new to these topics, TryHackMe recommends completing the Pre-Security or Cyber Security 101 paths first. You might also want to review our guide to network ports for essential networking knowledge.

SOC Level 1 Module Breakdown: What You'll Learn

The revamped TryHackMe SOC Level 1 learning path contains ten modules organized to build your skills progressively. Here's what each module covers and why it matters for your SOC analyst career in a Security Operations Center.

1. Blue Team Introduction

This module sets the foundation by explaining what SOCs do and how they protect organizations. You'll learn about the Junior Security Analyst role, understand how humans and systems become attack vectors, and see how analysts detect and respond to threats in real time.

Key rooms: Junior Security Analyst Intro, SOC Role in Blue Team, Humans as Attack Vectors, Systems as Attack Vectors

2. SOC Team Internals

Here you learn how SOCs actually operate day-to-day. This includes alert triage workflows, report writing, metrics that measure SOC effectiveness, and communication procedures. The module includes a phishing simulation that puts theory into practice.

Key rooms: SOC L1 Alert Triage, SOC L1 Alert Reporting, SOC Workbooks and Lookups, SOC Metrics and Objectives, SOC Simulator: Introduction to Phishing

3. Core SOC Solutions

This module introduces the security tools you'll use daily as a SOC analyst. You'll gain hands-on experience with Endpoint Detection and Response (EDR) platforms, Security Information and Event Management (SIEM) systems like Splunk and the Elastic Stack, and Security Orchestration, Automation, and Response (SOAR) platforms.

Key rooms: Introduction to EDR, Introduction to SIEM, Splunk: The Basics, Elastic Stack: The Basics, Introduction to SOAR

4. Cyber Defence Frameworks

Understanding attack patterns helps you defend against them. This module covers the major frameworks SOC analysts use to categorize and respond to threats: the Pyramid of Pain, Cyber Kill Chain, Unified Kill Chain, and MITRE ATT&CK. Practical rooms let you apply these frameworks to real scenarios.

Key rooms: Pyramid Of Pain, Cyber Kill Chain, Unified Kill Chain, MITRE, Summit, Eviction

5. Phishing Analysis

Phishing remains one of the most common attack vectors. This module teaches you to analyze email headers, identify malicious attachments, investigate URLs, and determine whether phishing attempts succeeded. You'll investigate real-world phishing examples from actual campaigns.

6. Network Traffic Analysis

SOC analysts spend significant time reviewing network traffic for suspicious activity. This module covers packet analysis fundamentals, using Wireshark effectively, and identifying malicious network patterns. For additional packet analysis practice, check our cybersecurity labs that include traffic analysis challenges.

7. Security Monitoring

Building on earlier modules, this section dives deeper into Windows and Linux security monitoring. You'll learn what events to watch, how to configure logging properly, and how to correlate events across multiple systems to identify attacks.

8. Malware Concepts

Understanding malware behavior helps you identify and respond to infections. This module covers malware types, common behaviors, and basic analysis techniques. Note that deep malware reverse engineering has been moved to more advanced paths.

9. SIEM Triage

The capstone technical module puts everything together. You'll work through realistic SIEM scenarios where you receive alerts, investigate them using the tools and frameworks you've learned, and make decisions about escalation. This directly prepares you for the actual work of a SOC analyst.

10. Capstone Challenges

The final module presents multi-step scenarios that span the entire attack lifecycle. You'll correlate evidence from multiple sources (pcaps, event logs, SIEM data, email artifacts) to tell the complete story of an attack from initial access through exfiltration.

Completion time reality: TryHackMe estimates 40+ hours for this path. In practice, expect 50-80 hours if you're new to these concepts and actually learn the material rather than rushing through. Quality matters more than speed.

What Changed in the 2025 SOC Level 1 Revamp

TryHackMe significantly updated the SOC Level 1 path in late 2025, retiring the legacy version in April 2025. These changes align the path more closely with what entry-level SOC analysts actually do on the job.

What Was Added

  • SOC Team Internals module: New content on alert triage workflows, reporting standards, and SOC metrics
  • Windows Security Monitoring: Dedicated rooms for Windows threat detection and logging
  • Web Attack Investigation: New content on detecting web shells and investigating web attacks
  • 19 new challenge rooms: Including TShark challenges, Monday Monitor, Friday Overtime, and Retracted
  • Enhanced capstone module: Multi-source correlation exercises that mirror real investigations

What Was Removed

  • Deep forensics content: Memory forensics, disk imaging, and detailed artifact analysis moved to advanced paths
  • Advanced tool training: Deep dives into Autopsy, Redline, KAPE, and Volatility removed
  • Velociraptor content: Moved to more advanced blue team training

Why These Changes Matter

The old path tried to cover everything, resulting in Level 1 analysts learning tools they wouldn't touch for years. The revamped path focuses on what you'll actually do in your first SOC role: triage alerts, investigate with SIEM, write reports, and escalate appropriately. Deep forensics comes later in your career.

From a hiring manager's perspective, a candidate who completed the new SOC Level 1 path demonstrates relevant skills for the actual job. They understand triage workflows, can navigate a SIEM, and know when to escalate. That's exactly what entry-level positions require.

Legacy path note: If you started the old SOC Level 1 path, your progress is preserved in the legacy version. However, for job readiness, consider working through the new path as well since it reflects current industry expectations.

SOC Level 1 Path vs SAL1 Certification

TryHackMe offers both the SOC Level 1 learning path and the SAL1 (Security Analyst Level 1) certification. Understanding the difference helps you plan your training effectively.

| Aspect | SOC Level 1 Path | SAL1 Certification |
| --- | --- | --- |
| What It Is | Learning track with labs | Proctored practical exam |
| Cost | TryHackMe Premium ($14/month) | $349 (includes Premium) |
| Outcome | Certificate of Completion | Professional Certification |
| Format | Self-paced learning | Timed exam (24h window) |
| Industry Backing | None | Accenture, Salesforce |

Do You Need Both?

The SOC Level 1 path teaches you the skills. The SAL1 certification validates them under exam conditions. TryHackMe recommends completing the SOC Level 1 path before attempting SAL1, but they test different things.

The path focuses on learning through guided labs. The certification tests whether you can apply those skills independently in a realistic SOC environment with time pressure. For comprehensive coverage of TryHackMe certifications, see our TryHackMe certifications guide.

Recommended approach: Complete the SOC Level 1 path first. If you want formal certification to show employers, pursue SAL1 afterward. The path completion alone demonstrates learning commitment, while SAL1 validates practical competency.

How to Get the Most from This SOC Analyst Training

Completing the path is straightforward. Completing it in a way that actually prepares you for a SOC analyst career requires more intentional effort. Here's how to maximize your learning and turn this SOC training into real job skills.

Don't Rush Through Rooms

It's tempting to speed through rooms to mark them complete. Resist this urge. When you encounter a SIEM query, take time to understand why it works. When investigating an alert, follow the full process even if you already guessed the answer. The goal is skill development, not checkmarks.

Take Notes Like You're Building a Playbook

Create documentation as you learn. Write down SIEM queries that work, investigation steps for different alert types, and key indicators to look for. This playbook becomes valuable reference material for your job search and future work.

Practice Report Writing

SOC analysts write reports constantly. Use every investigation room as an opportunity to practice clear, concise security writing. Include the 5 W's (who, what, when, where, why), relevant IOCs, and your recommended actions. This skill directly transfers to both SAL1 exam success and job performance.

Supplement with External Resources

The path provides excellent foundations but can't cover everything. Consider these additions:

  • Splunk documentation: Deep dive into SPL queries beyond what the path covers
  • MITRE ATT&CK Navigator: Practice mapping real attacks to the framework
  • Boss of the SOC datasets: Free SIEM investigation practice from Splunk
  • Phishing analysis tools: Practice with real phishing samples in safe environments

Set a Realistic Schedule

Consistent progress beats sporadic cramming. Aim for 5-10 hours weekly rather than marathon weekend sessions. This gives concepts time to solidify between study sessions. At this pace, expect to complete the path in 6-12 weeks.

Avoid this common mistake: Don't skip rooms that seem boring or theoretical. The SOC Team Internals module might feel less exciting than hands-on hacking, but understanding triage workflows and metrics directly impacts your ability to interview well and perform on the job.

Career Value: Does SOC Level 1 Help You Get Hired as a SOC Analyst?

Completing SOC analyst training is only valuable if it helps your career. Here's an honest assessment of what the TryHackMe SOC Level 1 path provides professionally.

What Employers Actually See

When you list "TryHackMe SOC Level 1 Path Completed" on your resume, hiring managers see someone who invested significant time in structured, practical SOC analyst training. The path's focus on real workflows (not just tools) signals job readiness. Combined with the Certificate of Completion, it demonstrates commitment and follow-through.

How It Compares to Certifications

The path completion certificate carries less weight than formal certifications like Security+ or the SAL1. However, it demonstrates practical skills that theory-heavy certifications don't test. Many employers value the combination: certification proves you know security concepts, path completion shows you can apply them.

Interview Preparation

The path directly prepares you for SOC analyst interview questions. You'll be able to explain your alert triage process, describe how you'd investigate a phishing report, and demonstrate familiarity with SIEM platforms. These practical answers stand out compared to candidates who only memorized textbook definitions. For a complete guide to SOC analyst careers, see our SOC analyst career guide.

Realistic Expectations

The SOC Level 1 path alone probably won't get you hired. Use it as part of a broader preparation strategy that includes:

  • At least one recognized certification (Security+, CySA+, or SAL1)
  • Home lab experience documented on GitHub
  • Networking with security professionals
  • Tailored resume highlighting relevant skills

Competitive advantage: The 2025 revamp aligned SOC Level 1 content with actual entry-level job duties. Candidates who complete this path demonstrate exactly the skills hiring managers need. That alignment gives you a genuine edge in interviews.

Frequently Asked Questions

How much is TryHackMe SOC Level 1?

TryHackMe SOC Level 1 requires a Premium subscription, which costs $14/month or $126/year. A few introductory rooms are available on the free tier, but completing the full path requires the paid subscription to access all 40+ rooms.

How long does SOC Level 1 TryHackMe take?

TryHackMe estimates 40+ hours to complete the SOC Level 1 path. Realistically, expect 50-80 hours for thorough completion if you're learning the material properly. At 5-10 hours per week, this means 6-12 weeks of study. Rushing through faster compromises learning quality.

Is TryHackMe SOC Level 1 good for beginners?

Yes, with caveats. The SOC Level 1 path teaches Security Operations Center skills from the ground up but assumes basic IT knowledge. If terms like "IP address," "port," or "protocol" are unfamiliar, complete TryHackMe's Pre-Security path first.

What's the difference between the new and legacy SOC Level 1 paths?

The 2025 revamp focuses on alert triage workflows and removed deep forensics content. The legacy path included memory forensics and tools like Volatility. For entry-level positions, the new path is more relevant. The legacy path remains available for those who started it.

Should I do SOC Level 1 before or after Security+?

Either order works. Security+ teaches broader security concepts, while SOC Level 1 focuses on operational skills. Some prefer Security+ first for foundational theory, then SOC Level 1 for practical application. Others start with SOC Level 1 to discover whether they enjoy blue team work before investing in certification exams.

Is TryHackMe SAL1 free?

No, the SAL1 (Security Analyst Level 1) certification exam costs $349, which includes 12 months of TryHackMe Premium access. The SOC Level 1 learning path that prepares you for SAL1 requires a separate Premium subscription ($14/month), but SAL1 purchasers get Premium included with the exam fee.

Is TryHackMe SOC simulator good?

Yes, the SOC simulator rooms in the SOC Level 1 path are excellent for building real-world skills. These interactive simulations put you in realistic scenarios where you triage alerts, investigate phishing emails, and make escalation decisions. Unlike passive video courses, the simulator forces you to apply what you've learned under conditions similar to actual SOC work.

Does completing SOC Level 1 prepare me for the SAL1 exam?

Partially. The SOC Level 1 path teaches relevant skills, but the SAL1 exam tests different competencies under time pressure. TryHackMe recommends completing both SOC Level 1 and Cyber Security 101 paths before attempting SAL1. The exam format (timed SOC simulations) requires additional preparation beyond the learning path.

Can I put SOC Level 1 completion on my resume?

Yes. List it under certifications or training with "TryHackMe SOC Level 1 Path - Certificate of Completion" and the completion date. It shows structured practical training, which employers value alongside traditional certifications.

What should I do after completing SOC Level 1?

Options include: pursuing the SAL1 certification for formal validation, completing complementary paths (Cyber Defense, Security Engineer), obtaining Security+ or CySA+ for HR-friendly credentials, or starting your job search while continuing to build skills. The best choice depends on your current job market and career goals.

Responsible Learning and Ethical Practice

The skills you develop in the SOC Level 1 path apply to real security operations. Use them responsibly.

Legal boundaries: Only analyze systems, networks, and data you have explicit authorization to examine. TryHackMe's lab environments are legal practice spaces. Applying investigation techniques to systems without permission is illegal, even with good intentions.

  • Practice in authorized environments. Use TryHackMe labs, HackerDNA Labs, and your own home lab for skill development.
  • Protect data confidentiality. If you work with real security data in your job, handle it according to your organization's policies and applicable laws.
  • Report responsibly. If you discover security issues, follow proper disclosure procedures rather than exploiting or publishing them.
  • Support the security community. Share knowledge through blogs, write-ups, and mentorship while avoiding information that helps attackers.

Start Your SOC Analyst Career with TryHackMe SOC Level 1

The TryHackMe SOC Level 1 path delivers structured, hands-on SOC analyst training for anyone serious about working in a Security Operations Center. The 2025 revamp ensures the content matches what employers actually need from entry-level candidates: alert triage skills, SIEM proficiency, proper reporting, and understanding of when to escalate cyber incidents.

Key takeaway: The TryHackMe SOC Level 1 path teaches you to work like a junior security analyst, not just learn about SOC operations. That practical focus makes it valuable preparation for both job interviews and actual job performance.

Your Next Steps

  1. Assess your prerequisites: If networking basics are unfamiliar, complete Pre-Security first
  2. Subscribe to TryHackMe Premium: Required for most SOC Level 1 rooms
  3. Set a consistent schedule: 5-10 hours weekly for 6-12 weeks
  4. Complete the path thoroughly: Focus on learning, not just completion
  5. Consider SAL1 certification: For formal validation of your skills

The cybersecurity industry needs skilled SOC analysts. Organizations face more network threats and cyber incidents than ever, and qualified defenders are in short supply. The TryHackMe SOC Level 1 learning path gives you the practical foundation to become one of those defenders. Start your SOC analyst training today.
