SOC Analysis Core Track
Become the defender. Master SIEM platforms, threat hunting, and real-time incident response in live SOC environments.
Duration: 3 Months · 12 Weeks
Modules: 84
Access
Curriculum
SOC Foundations and Tooling
4w · 28 modules
SIEM Platforms Deep Dive
Splunk · Microsoft Sentinel · IBM QRadar
SIEM Architecture — How Log Data Flows Into Detection
Ingestion pipelines, normalization, correlation engines, alert generation. Understanding the full SIEM lifecycle.
Splunk Fundamentals — Search, Index, and Dashboards
SPL queries, field extraction, building searches that find threats. Core tool for most SOC environments.
Microsoft Sentinel — Cloud-Native SIEM in Azure
Workspaces, KQL queries, analytics rules, SOAR playbooks. Growing fast in Indian enterprises.
Writing Correlation Rules — Turning Raw Logs Into Detections
Logic-based rules, threshold alerts, multi-event correlations. Building detections that actually fire on real threats.
Log Source Integration — Windows, Linux, Firewall, Proxy, EDR
Onboarding log sources, understanding each source's event types, what each source reveals about attacker activity.
False Positive Tuning — Making Alerts Actionable
Why alert fatigue kills SOC teams, how to tune rules, whitelisting vs blacklisting, building high-fidelity detections.
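Worked example for the correlation-rule and false-positive-tuning modules above. This is added illustration, not course material or any vendor's rule engine: a threshold-plus-sequence rule over Windows Security events (4625 failed logon, 4624 successful logon) that fires only when one source IP fails at least five times inside a five-minute sliding window and then logs on successfully within ten minutes of the last failure. The events, the thresholds and the allowlisted scanner address are constructed for the example.

```python
"""Multi-event correlation: repeated failed logons followed by a success.

Added example, not course material. Reads Windows Security events (4625 = failed
logon, 4624 = successful logon) as constructed dicts and alerts when one source IP
fails at least FAIL_THRESHOLD times inside FAIL_WINDOW and then logs on
successfully within SUCCESS_WINDOW of the last failure (ATT&CK T1110, Brute Force).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=5)
SUCCESS_WINDOW = timedelta(minutes=10)
# Tuning knob for false positives: hosts whose failed logons are expected, e.g. an
# authenticated vulnerability scanner (assumed address). Review it; do not let it grow unchecked.
ALLOWLIST = {"10.0.0.5"}


def _event(ts, event_id, user, ip):
    return {"ts": ts, "EventID": event_id, "TargetUserName": user, "IpAddress": ip}


# Constructed sample events; field names follow the Windows Security log.
SAMPLE_EVENTS = (
    # Attacker: six failures in 2.5 minutes, then a success 40 seconds later.
    [_event(f"2024-03-01T09:0{m}:{s}", 4625, "svc_backup", "203.0.113.7")
     for m, s in [(0, "00"), (0, "20"), (0, "45"), (1, "10"), (1, "50"), (2, "30")]]
    + [_event("2024-03-01T09:03:10", 4624, "svc_backup", "203.0.113.7")]
    # Allowlisted scanner: many failures, ignored by the rule.
    + [_event(f"2024-03-01T09:04:{s:02d}", 4625, "scanner", "10.0.0.5") for s in range(0, 40, 5)]
    # Legitimate user: two typos then success, below the threshold.
    + [_event("2024-03-01T09:05:00", 4625, "asharma", "10.0.0.22"),
       _event("2024-03-01T09:05:30", 4625, "asharma", "10.0.0.22"),
       _event("2024-03-01T09:05:50", 4624, "asharma", "10.0.0.22")]
    # Slow failures spread over 20 minutes: the sliding window never holds five at once.
    + [_event(f"2024-03-01T09:{m}:00", 4625, "rkumar", "198.51.100.9") for m in (10, 15, 20, 25, 30)]
    + [_event("2024-03-01T09:31:00", 4624, "rkumar", "198.51.100.9")]
)


def correlate(events, threshold=FAIL_THRESHOLD, fail_window=FAIL_WINDOW,
              success_window=SUCCESS_WINDOW, allowlist=ALLOWLIST):
    """Return one alert dict per source IP that completes the fail -> success sequence."""
    failures = defaultdict(deque)  # ip -> timestamps of 4625s inside the sliding window
    armed = {}                     # ip -> (first_failure, last_failure, count) once threshold is met
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        ip = e["IpAddress"]
        if ip in allowlist:
            continue
        ts = datetime.fromisoformat(e["ts"])
        if e["EventID"] == 4625:
            window = failures[ip]
            window.append(ts)
            while ts - window[0] > fail_window:   # drop failures older than the window
                window.popleft()
            if len(window) >= threshold:
                armed[ip] = (window[0], ts, len(window))
        elif e["EventID"] == 4624 and ip in armed:
            first_fail, last_fail, count = armed.pop(ip)
            failures[ip].clear()
            if ts - last_fail <= success_window:
                alerts.append({
                    "rule": "Brute force followed by successful logon (T1110)",
                    "source_ip": ip,
                    "user": e["TargetUserName"],
                    "failure_count": count,
                    "first_failure": first_fail.isoformat(),
                    "success_at": ts.isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Lowering the threshold to 2 makes the two benign sequences fire as well, which is the alert-fatigue trade-off the module describes: the threshold and the allowlist are the tuning surface, and every change to them should be re-run against known true positives before it ships.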
Week 1 Lab — Investigate 10 Real Alerts in a Splunk Environment
Students triage a full alert queue, identify true positives, close false positives, and document findings.
Threat Intelligence Operations
IOCs · TTP mapping · MITRE ATT&CK
MITRE ATT&CK Framework — The SOC Analyst's Playbook
Tactics, techniques, sub-techniques. Mapping alerts to ATT&CK. Using the Navigator for threat hunting.
IOC Lifecycle — From Detection to Blocking to Expiry
IP, domain, hash, URL IOCs. Enrichment workflows, IOC confidence scoring, automated blocking.
Threat Intelligence Platforms — MISP, OpenCTI, VirusTotal, AlienVault OTX
How to consume, share, and operationalise threat intel feeds. Hands-on with free platforms.
Threat Actor Profiling — APT Groups, TTPs, and India-Specific Threats
Major APT groups targeting India, their TTPs, and how to build detections specific to their attack patterns.
OSINT for SOC — Investigating Suspicious Indicators
Shodan, Censys, AbuseIPDB, Whois, PassiveDNS — the analyst's open-source investigation toolkit.
Threat Hunting Basics — Proactive Detection Beyond Alerts
Hypothesis-based hunting; hunting for living-off-the-land binaries (LOLBins), scheduled tasks, and persistence mechanisms.
Week 2 Lab — Hunt a Simulated APT in a Real Log Dataset
Students receive a 30-day log dataset with a hidden APT intrusion and must find it using threat hunting techniques.
Network and Endpoint Detection
EDR · NDR · Traffic Analysis
EDR Platforms — CrowdStrike Falcon, Microsoft Defender, SentinelOne
What EDR captures, how to read EDR telemetry, investigating process trees and file events.
Process Injection and Living off the Land — What to Look For
PowerShell abuse, WMI abuse, LOLBins — how attackers blend into legitimate OS activity and how analysts spot it.
Network Detection and Response — Zeek, Suricata, and IDS Rules
Writing Suricata signatures, reading Zeek logs, identifying C2 beaconing and data exfiltration in traffic.
Malware Traffic Analysis — Identifying C2, Beacons, and Exfil
Reading network captures for malware patterns. Domain generation algorithms, fast flux, encrypted C2 detection.
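Worked example for the NDR and malware-traffic modules above, added here and not taken from the course or from the Zeek project: a beacon detector over Zeek conn.log records. An implant that checks in on a timer produces connections whose inter-arrival times have a low coefficient of variation (standard deviation divided by mean) even with a few seconds of jitter, while human-driven traffic to a destination does not. The log is a constructed, reduced subset of conn.log fields, and the thresholds (eight connections minimum, CV at most 0.2) are assumptions to tune per environment.

```python
"""Beacon detection over Zeek conn.log records. Added example, not course material.

Groups connections by (source host, destination host, destination port), computes the
coefficient of variation of the inter-connection intervals, and flags pairs whose
timing is too regular to be a person. The log below is a constructed, reduced subset
of Zeek's conn.log columns.
"""
import statistics
from collections import defaultdict


def _conn_log(base_ts, orig, resp, port, intervals, orig_bytes):
    """Build tab-separated conn.log lines for one src/dst pair (constructed data)."""
    lines, ts = [], base_ts
    for i, gap in enumerate([0] + intervals):
        ts += gap
        lines.append("\t".join([f"{ts:.6f}", orig, str(49152 + i), resp, str(port),
                                "tcp", "0.21", str(orig_bytes), "1320"]))
    return lines


HEADER = "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\torig_bytes\tresp_bytes"
SAMPLE_CONN_LOG = "\n".join(
    [HEADER]
    # Implant: roughly 60 s sleep with a few seconds of jitter, fixed-size check-in.
    + _conn_log(1700000000.0, "10.0.0.22", "198.51.100.77", 443,
                [60, 58, 62, 61, 59, 60, 63, 57, 60, 61, 59], 512)
    # Browsing: bursty, human-driven intervals to another HTTPS destination.
    + _conn_log(1700000000.0, "10.0.0.22", "203.0.113.10", 443,
                [5, 300, 12, 900, 45, 2000, 30, 700, 15, 400], 840)
    # Too few connections to judge.
    + _conn_log(1700000000.0, "10.0.0.31", "198.51.100.77", 443, [30, 30], 512)
)


def parse_conn_log(text):
    """Parse Zeek's TSV format using the #fields header; other # lines are skipped."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def find_beacons(rows, min_connections=8, max_cv=0.2):
    """Flag (orig_h, resp_h, resp_p) tuples whose connection timing is too regular."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(
            (float(r["ts"]), int(r["orig_bytes"])))
    findings = []
    for (orig, resp, port), conns in by_pair.items():
        if len(conns) < min_connections:
            continue
        conns.sort()
        deltas = [b[0] - a[0] for a, b in zip(conns, conns[1:])]
        mean = statistics.fmean(deltas)
        cv = statistics.pstdev(deltas) / mean if mean else float("inf")
        if cv <= max_cv:
            findings.append({
                "orig_h": orig, "resp_h": resp, "resp_p": port,
                "connections": len(conns),
                "mean_interval_s": round(mean, 1),
                "cv": round(cv, 3),
                # An identical request size on every check-in strengthens the call.
                "distinct_orig_bytes": len({c[1] for c in conns}),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f)
```

Sleep jitter raises the CV, so a large jitter setting (say 50%) defeats this check on its own; in practice it is paired with the other signals the module lists, such as constant payload sizes, long-lived sessions to rare destinations, and DGA-like or newly registered domains.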
Active Directory Attack Detection — Kerberoasting, Pass-the-Hash, Golden Ticket
What these attacks look like in event logs and EDR. The specific event IDs that betray each technique.
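Worked example for the Kerberoasting part of the module above, added here and not course material. Event 4769 (a Kerberos service ticket was requested) on a domain controller records the requesting account (TargetUserName), the SPN owner (ServiceName) and the TicketEncryptionType. Kerberoasting tools ask for RC4-HMAC tickets (0x17) because those crack far faster than AES (0x12), and they typically request tickets for many SPNs in a short burst. The detection below flags an account that obtains RC4 service tickets for three or more distinct non-computer services inside five minutes; the events, the burst threshold and the window are constructed.

```python
"""Kerberoasting detection from Windows event 4769. Added example, not course material.

Flags requesters that obtain RC4 (0x17) service tickets for several distinct SPNs in a
short window, excluding computer accounts (ServiceName ending in $) and the TGT service.
The events are constructed; in production they come from domain controller Security logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"            # TicketEncryptionType value for RC4-HMAC in event 4769
MIN_DISTINCT_SERVICES = 3    # assumed burst threshold; tune to the environment
WINDOW = timedelta(minutes=5)


def _e4769(ts, requester, service, enc, ip, status="0x0"):
    return {"ts": ts, "EventID": 4769, "TargetUserName": requester, "ServiceName": service,
            "TicketEncryptionType": enc, "IpAddress": ip, "Status": status}


SAMPLE_EVENTS = [
    # Normal: AES ticket for the SQL SPN from a service account.
    _e4769("2024-03-01T11:00:03", "svc_app@CORP.LOCAL", "MSSQLSvc/db01.corp.local:1433", "0x12", "10.0.0.40"),
    # Normal: one RC4 ticket for a legacy application, a single SPN.
    _e4769("2024-03-01T11:01:10", "pmehta@CORP.LOCAL", "HTTP/legacy.corp.local", RC4_HMAC, "10.0.0.41"),
    # Computer-account tickets (ServiceName ending in $) are routine and excluded.
    _e4769("2024-03-01T11:02:00", "WS042$@CORP.LOCAL", "WS042$", RC4_HMAC, "10.0.0.42"),
    # Kerberoast: one account pulls RC4 tickets for five SPNs in 30 seconds.
    *[_e4769(f"2024-03-01T11:05:{s:02d}", "jdoe@CORP.LOCAL", spn, RC4_HMAC, "10.0.0.50")
      for s, spn in zip((0, 6, 13, 20, 29),
                        ("MSSQLSvc/db01.corp.local:1433", "HTTP/legacy.corp.local",
                         "CIFS/fs01.corp.local", "HOST/jenkins.corp.local",
                         "MSSQLSvc/db02.corp.local:1433"))],
    # A failed request (non-zero Status) yields no crackable ticket and is ignored.
    _e4769("2024-03-01T11:05:40", "jdoe@CORP.LOCAL", "HTTP/intranet.corp.local", RC4_HMAC, "10.0.0.50",
           status="0x1B"),
]


def detect_kerberoasting(events, min_services=MIN_DISTINCT_SERVICES, window=WINDOW):
    """Return one finding per requester that got RC4 tickets for >= min_services SPNs in a window."""
    per_requester = defaultdict(list)  # requester -> [(ts, service, ip)]
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["EventID"] != 4769 or e["Status"] != "0x0":
            continue
        if e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower().startswith("krbtgt"):
            continue  # computer accounts and the TGT service are not Kerberoast targets
        per_requester[e["TargetUserName"]].append((datetime.fromisoformat(e["ts"]), svc, e["IpAddress"]))

    findings = []
    for requester, reqs in per_requester.items():
        for i, (start, _, ip) in enumerate(reqs):
            services = {r[1] for r in reqs[i:] if r[0] - start <= window}
            if len(services) >= min_services:
                findings.append({
                    "rule": "Kerberoasting: RC4 service ticket burst (T1558.003)",
                    "requester": requester,
                    "source_ip": ip,
                    "distinct_services": len(services),
                    "window_start": start.isoformat(),
                    "services": sorted(services),
                })
                break  # one finding per requester is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_kerberoasting(SAMPLE_EVENTS):
        print(f)
```

A single RC4 request, like pmehta's above, is not worth an alert on its own in a domain that still has RC4-only services; the burst and the spread across unrelated SPNs are what separate an attacker enumerating SPNs from a legacy client. Event 4769 must also be enabled in the audit policy (Audit Kerberos Service Ticket Operations) or none of this data exists.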
Email Threat Detection — Phishing, BEC, Malicious Attachments
Email header analysis, sandbox detonation, URL analysis, BEC detection patterns in mail logs.
Week 3 Lab — Full Network + Endpoint Investigation Scenario
Correlated investigation using both EDR and network logs to reconstruct a complete attack chain.
Incident Response and Case Management
IR process · Ticketing · Escalation
SOC Tier Structure — L1, L2, L3 Roles and Responsibilities
What each tier does, escalation criteria, how to write a proper escalation note that doesn't waste L2's time.
Incident Response Playbooks — Building and Following Runbooks
Ransomware playbook, phishing playbook, insider threat playbook. How to follow and how to write them.
SOAR Platforms — Automating SOC Workflows with TheHive and Cortex
Case management, automated enrichment, playbook automation. Reducing MTTR with orchestration.
Containment and Eradication — Isolating Hosts, Blocking Threats
When and how to isolate an endpoint, revoke credentials, block IPs, and communicate with stakeholders.
Metrics That Matter — MTTD, MTTR, Alert Volume, SOC KPIs
How SOC performance is measured, how to report upward, what good looks like vs what burnout looks like.
Shift Handover and Incident Documentation Standards
How to write incident tickets that tell the full story. Shift handover protocols. Evidence chain of custody in SOC.
Month 1 Capstone — Full SOC Shift Simulation (8-Hour Scenario)
Students run a simulated SOC shift: triage queue, investigate alerts, escalate, document, and hand over. Scored.
Advanced Detection and Threat Hunting
4w · 28 modules
Advanced Log Analysis and Forensic Triage
Windows events · Linux audit · Memory triage
Windows Event Log Deep Dive — The 50 Event IDs Every SOC Must Know
Logon types, process creation, scheduled tasks, service installs, account management — mapped to attacker techniques.
Linux Audit Logs and Syslog — Detecting Attacker Activity on Linux
auditd rules, /var/log analysis, bash history tampering, cron job abuse — Linux attacker TTPs in logs.
Prefetch, Shimcache, Amcache — Execution Artefacts in Windows
Forensic artefacts that prove a program ran — critical for SOC analysts investigating malware execution.
Memory Analysis for SOC — Extracting IOCs from RAM Without Full Forensics
Quick memory triage using Volatility, finding injected processes, extracting network connections from memory.
Detecting Ransomware — From First File Encryption to Full Detonation
Ransomware behavioural signatures in logs, EDR, and network. The 10-minute window before full encryption.
Insider Threat Detection — Behavioural Analytics and DLP Signals
UEBA concepts, anomalous access patterns, bulk download detection, exfiltration via email and cloud storage.
Week 5 Lab — Detect and Respond to a Ransomware Attack in Progress
Simulated ransomware scenario — students detect, contain, and document before full encryption occurs.
Cloud and Identity Threat Detection
AWS/Azure threats · IAM attacks · Okta
Cloud Attack Patterns — What Attackers Do After Getting Cloud Access
Privilege escalation, persistence, cryptomining, data exfil — the cloud attacker playbook and how to detect each step.
AWS CloudTrail Analysis — Reading the Story of a Cloud Breach
Critical API calls, IAM enumeration, S3 exfil indicators, EC2 abuse — all readable from CloudTrail logs.
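Worked example for the CloudTrail module above, added here and not course material or AWS tooling: a script that tags CloudTrail records with an attack stage and reports findings per principal. It looks for a burst of IAM and S3 enumeration calls (discovery), new access keys or an AdministratorAccess attachment (persistence and privilege escalation), and repeated S3 GetObject calls from an address outside corporate ranges (exfiltration). The records are constructed in the CloudTrail JSON shape, and the corporate network range, the call lists and the thresholds are assumptions for the example.

```python
"""Reconstructing a cloud intrusion from CloudTrail. Added example, not course material.

Groups records by principal and emits findings for discovery bursts, credential
persistence, admin policy attachment, and bulk S3 reads from non-corporate addresses.
Records are constructed in CloudTrail's JSON shape; CORPORATE_NETS is an assumed value.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption for the example
ENUM_CALLS = {"GetCallerIdentity", "ListUsers", "ListRoles", "ListAttachedUserPolicies",
              "GetAccountAuthorizationDetails", "ListAccessKeys", "ListBuckets"}
PERSISTENCE_CALLS = {"CreateAccessKey", "CreateUser", "CreateLoginProfile"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def _rec(time, source, name, user, ip, params=None):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "sourceIPAddress": ip, "requestParameters": params or {}}


SAMPLE_TRAIL = [  # constructed records
    _rec("2024-03-01T09:50:00Z", "ec2.amazonaws.com", "DescribeInstances", "ops-user", "10.0.4.12"),
    _rec("2024-03-01T10:00:01Z", "sts.amazonaws.com", "GetCallerIdentity", "dev-ci", "198.51.100.23"),
    _rec("2024-03-01T10:00:05Z", "iam.amazonaws.com", "ListUsers", "dev-ci", "198.51.100.23"),
    _rec("2024-03-01T10:00:07Z", "iam.amazonaws.com", "ListRoles", "dev-ci", "198.51.100.23"),
    _rec("2024-03-01T10:00:09Z", "iam.amazonaws.com", "ListAttachedUserPolicies", "dev-ci", "198.51.100.23",
         {"userName": "dev-ci"}),
    _rec("2024-03-01T10:00:12Z", "s3.amazonaws.com", "ListBuckets", "dev-ci", "198.51.100.23"),
    _rec("2024-03-01T10:01:30Z", "iam.amazonaws.com", "CreateAccessKey", "dev-ci", "198.51.100.23",
         {"userName": "backup-admin"}),
    _rec("2024-03-01T10:02:00Z", "iam.amazonaws.com", "AttachUserPolicy", "dev-ci", "198.51.100.23",
         {"userName": "backup-admin", "policyArn": ADMIN_POLICY}),
    *[_rec(f"2024-03-01T10:05:{s:02d}Z", "s3.amazonaws.com", "GetObject", "backup-admin", "198.51.100.23",
           {"bucketName": "corp-finance-exports", "key": f"q4/export-{s}.csv"}) for s in (0, 15, 31, 47)],
]


def _is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def _ts(rec):
    return datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))


def analyse_trail(records, enum_threshold=4, enum_window=timedelta(minutes=5), exfil_threshold=3):
    """Return findings {time, principal, stage, technique, evidence} in timeline order."""
    by_principal = defaultdict(list)
    for r in sorted(records, key=_ts):
        by_principal[r["userIdentity"]["userName"]].append(r)
    findings = []
    for principal, recs in by_principal.items():
        # Discovery: many distinct enumeration calls inside one window.
        enum = [r for r in recs if r["eventName"] in ENUM_CALLS]
        for i, first in enumerate(enum):
            burst = {r["eventName"] for r in enum[i:] if _ts(r) - _ts(first) <= enum_window}
            if len(burst) >= enum_threshold:
                findings.append({"time": first["eventTime"], "principal": principal, "stage": "discovery",
                                 "technique": "T1087.004 Cloud Account Discovery", "evidence": sorted(burst)})
                break
        # Persistence and privilege escalation: single high-signal calls.
        for r in recs:
            name, params = r["eventName"], r["requestParameters"]
            if name in PERSISTENCE_CALLS:
                findings.append({"time": r["eventTime"], "principal": principal, "stage": "persistence",
                                 "technique": "T1098.001 Additional Cloud Credentials",
                                 "evidence": f"{name} for {params.get('userName')}"})
            elif name == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY:
                findings.append({"time": r["eventTime"], "principal": principal, "stage": "privilege-escalation",
                                 "technique": "T1098 Account Manipulation",
                                 "evidence": f"AdministratorAccess attached to {params.get('userName')}"})
        # Exfiltration: repeated object reads from outside corporate address space.
        reads = [r for r in recs if r["eventName"] == "GetObject" and not _is_corporate(r["sourceIPAddress"])]
        if len(reads) >= exfil_threshold:
            buckets = sorted({r["requestParameters"].get("bucketName") for r in reads})
            findings.append({"time": reads[0]["eventTime"], "principal": principal, "stage": "exfiltration",
                             "technique": "T1530 Data from Cloud Storage",
                             "evidence": f"{len(reads)} GetObject calls on {buckets} from {reads[0]['sourceIPAddress']}"})
    return sorted(findings, key=lambda f: f["time"])


if __name__ == "__main__":
    for f in analyse_trail(SAMPLE_TRAIL):
        print(f["time"], f["principal"], f["stage"], f["evidence"])
```

Two caveats a practitioner should carry into the Week 6 lab: S3 object-level events (GetObject, PutObject) are data events that CloudTrail does not log unless they are explicitly enabled for the bucket or trail, so the exfiltration stage may simply be invisible; and the pivot from dev-ci to backup-admin shows why findings must be joined across principals, not read per user.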
Microsoft Entra ID (formerly Azure AD) Threat Detection
Sign-in logs, risky users, conditional access bypass, token theft — Microsoft identity threat signals.
Identity Provider Attacks — Okta, Entra ID, MFA Bypass Techniques
MFA fatigue attacks, SIM swapping indicators, OAuth token abuse — modern identity threat landscape.
SaaS Security — Detecting Threats in M365, Google Workspace, Salesforce
Audit logs from SaaS platforms, data exfiltration via SaaS, OAuth app abuse detection.
Zero Trust Detection Architecture — Logging What Matters in a Perimeterless World
What to log when everything is cloud and remote, detection gaps in Zero Trust architectures, coverage mapping.
Week 6 Lab — Investigate an AWS Cloud Breach from CloudTrail Logs
Students receive CloudTrail and identity logs from a simulated breach and reconstruct the full attack timeline.
Advanced Threat Hunting
Hypothesis hunting · Purple team · KQL/SPL mastery
Threat Hunting Methodology — Structured vs Unstructured Hunting
The hunt lifecycle, building hypotheses from threat intel, documenting hunts, converting hunts into detections.
KQL Mastery for Threat Hunters — Microsoft Sentinel Advanced Queries
Advanced KQL — joins, summarize, time series analysis, anomaly detection functions for threat hunting.
SPL Mastery — Advanced Splunk for Threat Hunting
Statistical SPL, rare and outlier commands, building hunting dashboards in Splunk.
Hunting for Persistence — Registry, Scheduled Tasks, WMI, Services
Every persistence mechanism in Windows and Linux, what they look like in logs, how to hunt them systematically.
Purple Team Concepts — Working With Red Teams to Improve Detection
How purple team exercises work, running Atomic Red Team tests, validating detection coverage, gap analysis.
Detection Engineering — Building Production-Ready Detection Rules
Sigma rules, detection-as-code concepts, testing detections against real attack data.
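Worked example for the detection-engineering module above, added here and not course material or part of the Sigma project: a small in-process matcher that evaluates a Sigma-style rule against sample process-creation events so that rule logic can be unit-tested before it is converted for a SIEM. The rule is written as the Python-dict equivalent of a Sigma YAML file (PyYAML is not standard library, so the dict stands in for the parsed document). It supports list values (OR), the contains, startswith and endswith modifiers, the |all modifier, and conditions built from selection names with and, or, not and parentheses. The rule, the events and the filtered internal tool name are constructed; the real Sigma toolchain (sigma-cli and its backends) is what converts rules to SPL or KQL.

```python
"""Detection-as-code: evaluating a Sigma-style rule against events. Added example.

A minimal matcher for testing rule logic in CI, not a replacement for the Sigma
toolchain. Matching is case-insensitive, as in Sigma. RULE is the dict equivalent of a
Sigma YAML rule; the events and the filtered admin tool are constructed.
"""

RULE = {
    "title": "PowerShell Encoded Command Execution",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-enc ", "-EncodedCommand ", "-ec "],
        },
        "filter_admin_tool": {
            "ParentImage|endswith": "\\ConfigMgrTool.exe",   # assumed internal tool that legitimately uses -enc
        },
        "condition": "selection and not filter_admin_tool",
    },
    "level": "high",
}

SAMPLE_EVENTS = [  # constructed process-creation events
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh.exe -EncodedCommand ZQBjAGgAbwAgAGgAaQA=",
     "ParentImage": "C:\\Tools\\ConfigMgrTool.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo -enc test", "ParentImage": "C:\\Windows\\explorer.exe"},
]


def _match_field(event, key, expected):
    """Evaluate one 'Field|modifier' entry; list values are OR unless |all is present."""
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()
    needles = [str(n).lower() for n in (expected if isinstance(expected, list) else [expected])]
    op = next((m for m in mods if m != "all"), None)

    def one(n):
        if op == "contains":
            return n in value
        if op == "startswith":
            return value.startswith(n)
        if op == "endswith":
            return value.endswith(n)
        return value == n

    results = [one(n) for n in needles]
    return all(results) if "all" in mods else any(results)


def _match_selection(event, selection):
    return all(_match_field(event, k, v) for k, v in selection.items())


def _eval_condition(cond, truth):
    """Recursive-descent evaluation of and / or / not / parentheses over selection results."""
    tokens = cond.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def expr():                      # or has the lowest precedence
        nonlocal pos
        result = term()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            rhs = term()
            result = result or rhs
        return result

    def term():                      # and binds tighter than or
        nonlocal pos
        result = factor()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            rhs = factor()
            result = result and rhs
        return result

    def factor():                    # not, parentheses, or a selection name
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "not":
            return not factor()
        if tok == "(":
            value = expr()
            pos += 1                 # consume ')'
            return value
        return truth[tok]

    return expr()


def evaluate_rule(rule, events):
    """Return the events that satisfy the rule's condition."""
    det = rule["detection"]
    selections = {k: v for k, v in det.items() if k != "condition"}
    hits = []
    for ev in events:
        truth = {name: _match_selection(ev, sel) for name, sel in selections.items()}
        if _eval_condition(det["condition"], truth):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in evaluate_rule(RULE, SAMPLE_EVENTS):
        print(RULE["title"], "->", hit["CommandLine"])
```

This is the pattern the Week 7 lab asks for in reverse: once a hunt finds a technique, the rule and a handful of true-positive and known-benign events go into version control together, and the matcher runs on every change so a tuning filter like filter_admin_tool cannot silently swallow the true positive.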
Week 7 Lab — Conduct a Full Threat Hunt and Convert Findings to Detections
Students hunt a dataset, find attacker activity, document the hunt, and write a Sigma rule for the technique found.
Automation, Reporting and Month 2 Capstone
SOAR · Python automation · Executive reporting
SOC Automation with Python — Enrichment, Alerting, and Ticketing Scripts
Auto-enriching alerts with VirusTotal and AbuseIPDB, auto-creating Jira tickets, Slack alerting bots.
Building SOAR Playbooks — Automated Response Workflows
Designing playbooks in TheHive/Cortex, automated phishing response, automated IOC blocking.
Executive Incident Reports — Writing for CISOs and Management
Translating technical findings into business impact. What executives need to see. Incident report templates.
SOC Metrics Dashboards — Building Visibility Into SOC Performance
Splunk and Sentinel dashboards for MTTD, MTTR, alert volume trends, team performance tracking.
Career Progression — From L1 Analyst to Threat Hunter to CISO
The SOC career ladder, certifications that matter (BTL1, CySA+, GCIH), skills to build at each stage.
Month 2 Review — Technical Assessment Prep
Comprehensive practice questions across all Month 2 topics. Gap analysis before Month 3.
Month 2 Capstone — Multi-Stage APT Investigation Across SIEM, EDR, and Cloud Logs
Full-day scenario: students investigate a simulated APT across all log sources, write a complete incident report.
Job-Ready and Certification
4w · 28 modules
Real-World SOC Scenarios and Case Studies
Live breach simulations · India-specific threats
Case Study — Analysing the AIIMS Delhi Ransomware Attack
Reconstructing the attack timeline from public information. What a prepared SOC could have detected and when.
Case Study — Supply Chain Attack (SolarWinds TTPs in a SOC Context)
How SOC teams missed and could have detected the SolarWinds compromise. Detection opportunities at each stage.
Responding to a Live Phishing Campaign — Full Workflow
Email received → header analysis → URL detonation → endpoint check → user notification → block and report.
Financial Sector Threats — What Banks and Fintech SOCs Deal With Daily
Card fraud patterns, UPI fraud detection, banking trojan TTPs — tailored for India's largest SOC hiring sector.
Government and Critical Infrastructure Threats
Nation-state TTPs targeting India, CERT-In notifications, OT/SCADA security basics for critical infrastructure SOCs.
CTF for SOC Analysts — BlueTeamLabs and CyberDefenders Walkthroughs
Working through real CTF challenges from BlueTeamLabs Online and CyberDefenders to sharpen investigation skills.
Week 9 Lab — Full Threat Hunt + Incident Response Simulation (Timed)
Timed scenario under exam-like conditions. Students hunt, respond, document, and present findings.
Interview Preparation and Portfolio
Resume · Mock interviews · LinkedIn
SOC Analyst Resume — What Hiring Managers Actually Look For
Skills section, tools list, how to describe lab experience, what not to include. Real resume review examples.
Top 30 SOC Interview Questions — With Model Answers
Technical and behavioural questions from real Indian company interviews. What L1 and L2 hiring looks like.
Building Your SOC Portfolio — GitHub, WriteUps, and Lab Documentation
How to document your lab work publicly, CTF writeups, and how to present hands-on experience to hiring managers.
Certifications That Accelerate Hiring — BTL1, CompTIA CySA+, GCIH
What each cert tests, cost, difficulty, and which Indian companies recognise them in hiring.
Mock Interview — Technical SOC Scenario Round
Students are walked through a mock scenario-based interview. Answer evaluation and feedback provided.
Networking in Cybersecurity — LinkedIn Strategy, ISAC Communities, CERT-In
How to build a professional network in Indian cybersecurity, who to follow, communities to join.
Week 10 Lab — Live Mock Interview with Feedback
Full 45-minute mock interview conducted by Zharnyx mentor. Recorded, reviewed, and scored.
ZSA Certification Preparation
Exam prep · Practice tests · Final review
ZSA Exam Format and Scoring — What to Expect
Exam structure, time limits, theory vs practical split, passing criteria, what happens if you don't pass first time.
Full Revision — SIEM, Threat Intel, Network and Endpoint Detection
Month 1 and 2 comprehensive review session with practice questions and flashcards.
Full Revision — Threat Hunting, Cloud Detection, Automation
Month 2 advanced topics revision. Focus on areas where students typically drop marks.
Practice Exam 1 — 40 Theory Questions (Timed)
Full mock exam under timed conditions. Answers reviewed and explained after submission.
Practice Exam 2 — Practical Lab (4-Hour Investigation)
Full practical mock exam. Students investigate a complete incident across SIEM, EDR, and cloud logs.
Weak Area Remediation — Targeted Revision Based on Practice Exam Results
Personalised revision plan based on mock exam performance. Targeted modules to close gaps before the real exam.
Pre-Exam Session — Mindset, Strategy, and Confidence
Exam-day strategy, time management tips, how to approach practical questions, confidence-building session.
ZSA Certification Exam and Graduation
Exam · Certification · Placement launch
ZSA Theory Exam — 40 Questions, 90 Minutes
Proctored theory examination covering all 3 months of SOC curriculum. Pass mark: 70%.
ZSA Practical Exam — 4-Hour Live Investigation
Proctored practical in a sandboxed SOC environment. Students investigate a full incident and submit a report.
ZSA Certificate Issued — Zharnyx SOC Analyst Certification
Digital certificate with verification QR code. Shared with hiring partners. Posted to LinkedIn.
Placement Kickoff — Resume Submission to Hiring Partners
Zharnyx submits your profile to the active hiring partner network. Interview scheduling begins.
Graduation Session — Cohort Celebration and Alumni Network
Cohort graduation, alumni community access, mentorship network, Zharnyx Dragons alumni badge.
30-Day Post-Graduation Check-In Plan
Weekly mentor touchpoints, job search accountability, continued access to SOC lab environment for 30 days.
Continuous Learning Path — What to Study After ZSA
Recommended next certifications, skill progression to L2 and L3, pathways into threat hunting and detection engineering roles.