Security Operations
SOC operations, SIEM tuning, SOAR playbooks, alert triage, log analysis, runbook development.
What is Security Operations?
Security Operations is the nerve center of an organization's cyber defense — the 24/7 function responsible for monitoring, detecting, analyzing, and responding to security events in real time. The Security Operations Center (SOC) combines people, processes, and technology to maintain continuous visibility across the enterprise and coordinate incident response when threats materialize.
Modern SOCs rely on Security Information and Event Management (SIEM) platforms to aggregate and correlate logs from hundreds of data sources, Security Orchestration, Automation, and Response (SOAR) tools to automate repetitive triage tasks, and Extended Detection and Response (XDR) platforms that unify telemetry across endpoints, networks, cloud, and identity. Alert triage — the process of rapidly determining whether a security alert is a true positive requiring investigation — remains the core skill that separates effective SOC analysts from those drowning in noise.
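The correlation-and-triage loop described above, reduced to its essentials, as an added example that is not part of the original page and not taken from any SIEM or SOAR product: a handful of constructed sshd-style log lines are parsed, grouped by source address, run through one correlation rule (a burst of failed logins followed by a successful login from the same source), and the resulting alerts are triaged against an allowlist and a privileged-account list. The thresholds, windows, IP addresses, account names and allowlist are all assumptions chosen for illustration.

```python
"""SIEM-style correlation and triage over constructed sshd auth log lines.
Added example for illustration only: log lines, thresholds, windows, addresses,
account names and the allowlist are constructed, not taken from any real system."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunables a detection engineer would set per environment (assumed values).
FAIL_THRESHOLD = 3                     # failures from one source that form a burst
FAIL_WINDOW = timedelta(seconds=60)    # sliding window for counting those failures
SUCCESS_WINDOW = timedelta(minutes=5)  # how soon after a burst a success is suspicious
ALLOWLIST = {"10.0.0.5"}               # constructed: internal credential-audit scanner
PRIVILEGED = {"root", "admin"}         # accounts whose compromise is escalated further

# Constructed sample events in an sshd/syslog-like layout (not from a real host).
SAMPLE_LOGS = """\
2024-03-04T09:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2024-03-04T09:00:03 sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
2024-03-04T09:00:05 sshd[1203]: Failed password for root from 203.0.113.7 port 51125 ssh2
2024-03-04T09:00:06 sshd[1204]: Failed password for root from 203.0.113.7 port 51126 ssh2
2024-03-04T09:00:41 sshd[1209]: Accepted password for root from 203.0.113.7 port 51140 ssh2
2024-03-04T09:10:00 sshd[1300]: Failed password for alice from 198.51.100.20 port 40010 ssh2
2024-03-04T09:10:02 sshd[1301]: Accepted publickey for alice from 198.51.100.20 port 40011 ssh2
2024-03-04T09:15:00 sshd[1400]: Failed password for svc-backup from 10.0.0.5 port 60001 ssh2
2024-03-04T09:15:01 sshd[1401]: Failed password for oracle from 10.0.0.5 port 60002 ssh2
2024-03-04T09:15:02 sshd[1402]: Failed password for postgres from 10.0.0.5 port 60003 ssh2
2024-03-04T09:20:00 sshd[1500]: Failed password for bob from 192.0.2.9 port 33001 ssh2
2024-03-04T09:20:20 sshd[1501]: Failed password for bob from 192.0.2.9 port 33002 ssh2
2024-03-04T09:20:40 sshd[1502]: Failed password for bob from 192.0.2.9 port 33003 ssh2
2024-03-04T09:40:00 sshd[1510]: Accepted password for bob from 192.0.2.9 port 33010 ssh2
this line is deliberately unparsable noise
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse(log_text):
    """Normalise raw lines into event dicts sorted by time. Returns (events, unparsed_count)."""
    events, unparsed = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # in a real SIEM this count is a parser-health metric, not noise
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "outcome": m["outcome"],
                       "method": m["method"], "user": m["user"], "ip": m["ip"]})
    events.sort(key=lambda e: e["ts"])
    return events, unparsed


def correlate(events):
    """One correlation rule: a burst of failures from a source, optionally closed by a success."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        recent_failures = deque()  # timestamps inside the sliding FAIL_WINDOW
        attempted = set()          # accounts tried by this source
        burst_end = None           # time of the failure that completed the burst
        for e in evs:
            if e["outcome"] == "Failed":
                recent_failures.append(e["ts"])
                attempted.add(e["user"])
                while e["ts"] - recent_failures[0] > FAIL_WINDOW:
                    recent_failures.popleft()
                if len(recent_failures) >= FAIL_THRESHOLD:
                    burst_end = e["ts"]
            elif burst_end is not None and e["ts"] - burst_end <= SUCCESS_WINDOW:
                alerts.append({"rule": "brute_force_then_success", "ip": ip, "ts": e["ts"],
                               "user": e["user"], "attempted_users": sorted(attempted)})
                burst_end = None  # this burst has been accounted for
        if burst_end is not None:  # burst with no success inside the window
            alerts.append({"rule": "brute_force_attempt", "ip": ip, "ts": burst_end,
                           "user": None, "attempted_users": sorted(attempted)})
    return alerts


def triage(alert):
    """Enrich and disposition an alert; this policy is an assumption, not a standard."""
    a = dict(alert)
    if a["ip"] in ALLOWLIST:
        a["severity"], a["disposition"] = "informational", "suppress"
        a["note"] = "allowlisted scanner; confirm its schedule instead of escalating"
    elif a["rule"] == "brute_force_then_success":
        a["severity"], a["disposition"] = "high", "escalate"
        if a["user"] in PRIVILEGED:
            a["severity"] = "critical"
    else:
        a["severity"], a["disposition"] = "medium", "investigate"
    return a


def run(log_text=SAMPLE_LOGS):
    """Full pipeline: parse -> correlate -> triage. Returns the list of triaged alerts."""
    events, _unparsed = parse(log_text)
    return [triage(a) for a in correlate(events)]


if __name__ == "__main__":
    print(*run(), sep="\n")
```

The point is the shape of the pipeline rather than the particular rule: the same success-after-failures logic escalates a privileged login that closes a burst, leaves a single mistyped password below threshold, downgrades a known scanner to informational, and keeps a burst whose eventual success falls outside the window at medium severity for an analyst to look at. The unparsed-line counter matters as much as the rule: a parser that silently drops events is a visibility gap, and a SOC that does not track it will not know its detections have gone blind.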
The field is evolving toward AI-augmented operations where machine learning models handle initial alert triage and enrichment, freeing human analysts for complex investigation and threat hunting. The chronic talent shortage in SOC roles has accelerated adoption of automation, but the need for skilled analysts who understand log analysis, attack patterns, and incident escalation remains critical.
Why it matters
Security operations is the frontline of cyber defense. Without continuous monitoring and rapid response, an organization cannot see the intrusions its preventive controls miss, let alone contain them before they become breaches.
SecOps is the operational backbone that brings together outputs from every other security domain — network security, endpoint protection, identity, and cloud — into a unified monitoring and response capability.
Detect, Test & Respond
Watch, hunt, attack ethically, analyse, and respond — classical and AI.
Curated resources
Authoritative sources we ground Security Operations questions in — frameworks, research, guides, and tools.
Mandiant M-Trends Report
Annual IR data: dwell time trends, initial access vectors, detection sources. Empirical data from thousands of engagements. One of the few sources for real-world detection/response metrics.
Verizon Data Breach Investigations Report (DBIR)
Annual analysis of real breach data. The gold standard for empirical questions about attack patterns, threat actor motivations, and time-to-detection. Updated annually.
ENISA Threat Landscape Report
EU-focused annual threat assessment. Covers ransomware, supply chain, disinformation, state-sponsored threats. Useful counterpoint to US-centric sources.
CIS Controls v8
18 prioritized security controls organized into Implementation Groups (IG1, IG2, IG3). Practical and prescriptive — good for questions about prioritization and which controls matter most for different organization sizes.
Lockheed Martin Cyber Kill Chain
Seven phases from Reconnaissance to Actions on Objectives. Widely adopted but also widely critiqued (assumes perimeter-centric model). Good for compare/contrast with ATT&CK and Unified Kill Chain.
Splunk State of Security Report
Annual SOC operations survey: alert volumes, MTTD/MTTR, staffing challenges, tool sprawl. Vendor but based on broad survey data across SOC teams.
MITRE Engenuity ATT&CK Evaluations
Independent evaluations of security products against real-world attack scenarios. Good for questions about detection coverage, visibility gaps, and evaluation methodology.
NSA/CISA Top 10 Cybersecurity Misconfigurations
Based on real red/blue team assessments. Includes default configurations, improper privilege separation, lack of network segmentation. Excellent for practical scenario questions.
NIST SP 800-92 — Log Management Guide
Guide to computer security log management. Covers log generation, storage, analysis, and the role of logs in incident response.
Security Onion
Free and open-source Linux distribution for threat hunting, enterprise security monitoring, and log management.
Certifications that signal this domain
Credentials whose blueprint meaningfully covers this domain. Core means centrally covered; also touched means present in the blueprint but not the primary focus.
Core coverage
AWS Certified Security — Specialty (SCS-C02)
Deep AWS security: IAM, data protection, detection, incident response within AWS primitives.
Security Blue Team Level 1
The BTL1 is one of the most practical entry-level certifications in the defensive area of cybersecurity. The exam is a complete 24-hour incident response scenario in a real lab environment – not a multiple-choice test. For career changers and entry-level professionals, it is a credible proof of competency that offers employers more meaningful value than many purely knowledge-based certificates. The course covers phishing analysis, SIEM, digital forensics, threat intelligence, and incident response. The certificate never expires, making it attractive long-term.
Security Blue Team Level 2
Mile2 Certified Cybersecurity Analyst
Mile2 Certified Disaster Recovery Engineer
Mile2 Certified Incident Handling Engineer
Mile2 Certified Security Principles
Mile2 Certified Threat Intelligence Analyst
ISFCE Certified Computer Examiner
Certified Cybersecurity Operations Analyst
ISACA certification for SOC analysts with hybrid exam of multiple choice and performance-based questions. Focus on incident detection, response, and threat analysis. New since 2024.
CertNexus CyberSec First Responder
OpenText Certified Forensic Security Responder
Cisco Certified CyberOps Associate Cyber Operations
Cisco Certified CyberOps Professional
Certified Information Systems Security Professional
Breadth across security engineering, architecture, operations, and governance at senior-IC / manager level. The default senior-generalist signal.
Mile2 Certified Master Digital Forensic Investigator
EC Council Certified Network Defender
CREST Certified Host Intrusion Analyst
CREST Practitioner Intrusion Analyst
CREST Registered Intrusion Analyst
CrowdStrike Certified Falcon Administrator
Day-to-day administration of the market-leading EDR platform — sensor deployment, policy authoring, and detection triage in Falcon.
EC Council Certified SOC Analyst
Cyber Struggle AEGIS
IBITGQ Cyber Incident Response Management Foundation
ISACA Cybersecurity Practitioner
CompTIA Cybersecurity Analyst+
SOC analyst skills: triage, log analysis, vulnerability management basics.
Dark Vortex Adversary Operations and Proactive Hunting
EC Council Certified Incident Handler
eLearnSecurity Certified Incident Responder
eLearnSecurity Certified Threat Hunting Professional
Elastic Certified Engineer
Stands up and operates Elastic Stack clusters — search, observability, and security-analytics workloads on a real cluster.
Fortinet Certified Professional - Security Operations
Fortinet Certified Solution Specialist - Security Operations
GIAC Certified Detection Analyst
GIAC Certified Enterprise Defender
GIAC Certified Intrusion Analyst
Packet and log analysis, detection engineering fundamentals.
GIAC Certified Incident Handler
Incident handling methodology and lifecycle.
GIAC Enterprise Incident Response
GIAC Response and Industrial Defense
Active defense and incident response for ICS environments.
GIAC Security Expert
The GIAC Security Expert (GSE) is the highest distinction in the GIAC certification system and was fundamentally reformed in 2023/2024: Instead of a single exam, it is now awarded as a portfolio certification. Those who demonstrate six Practitioner and four Applied Knowledge certifications (hands-on, proctored lab exams) automatically receive GSE status. The model enforces genuine breadth and depth – which increases credibility compared to earlier pure knowledge tests. However, the effort (cost, time, multiple exams) is considerable; the GSE is therefore clearly aimed at experienced experts pursuing SANS/GIAC as a career path. In Europe, awareness outside the SANS community is still limited.
GIAC Security Essentials
Broad defender fundamentals. Often paired with SANS SEC401.
GIAC Systems and Network Auditor
GIAC Security Operations Certified
SOC operations, alert triage, metrics, SOAR.
Hack the Box Certified Defensive Security Analyst
MITRE ATT&CK Defender — SOC Assessment
MAD20 track for assessing SOC capabilities using the ATT&CK framework. 17 lectures, heatmap and defensive recommendation walkthroughs. Teaches methodology for systematic assessment of detection coverage. Not a traditional certificate, but a badge upon course completion (9 CPE hours).
MOIS Certified OSINT Expert Certification
ISECOM OSSTMM Professional Security Analyst
ISECOM OSSTMM Professional Security Expert
Offensive Security Defense Analyst
IntelTechniques Open Source Intelligence Professional
Palo Alto Networks Certified Detection and Remediation Analyst
Palo Alto Certified Cloud Security Automation Engineer
Microsoft Certified: Security Operations Analyst Associate
The SC-200 is Microsoft's role-based certification for Security Operations – with clear focus on its own product ecosystem (Microsoft Sentinel, Defender XDR, Security Copilot). It is not a vendor-neutral SOC certificate, but specifically validates the ability to detect and respond to threats in Azure and M365 environments. For teams already heavily invested in Microsoft technologies, it is very practical and relevant to the job market. Outside this stack, it loses significant weight. The exam will be updated on April 16, 2026 – candidates should review the current Study Guide.
CompTIA Security+
Broad entry-level knowledge across threats, ops, IAM, network, and crypto basics.
Splunk Core Certified User
Foundational SPL fluency — search, filter, and report on Splunk data without breaking it.
Splunk Enterprise Security Certified Admin
Operates and tunes Splunk Enterprise Security — content, correlation searches, notable events, and risk-based alerting.
(ISC)2 Systems Security Certified Practitioner
The SSCP is ISC2's entry-level certification below the CISSP and targets technically active security professionals with initial work experience. Since October 2025, the exam uses Computerized Adaptive Testing (CAT), which customizes the exam experience individually and increases integrity. The SSCP covers seven technical domains, from access control through cryptography to network security, and positions itself as practical proof of operational security competence. It is less well-known than Security+ or GSEC, but benefits from ISC2's strong brand and serves well as an intermediate step toward the CISSP. The effort for annual certification maintenance (AMF + CPEs) is moderate.
Also touched
Microsoft Certified: Azure Security Engineer Associate
Azure-native security engineering: Entra ID, network controls, Defender, Sentinel.
Certified Cloud Security Professional
Cloud security architecture: shared responsibility, identity, data protection, crypto, and cloud-native detection.
CyberArk Defender — PAM (CDE-PAM)
Day-to-day administration of CyberArk PAM — the dominant enterprise privileged-access platform.
CyberArk Guardian — PAM
Top-tier CyberArk practitioner — leads complex PAM programs and contributes back to the community.
CyberArk Sentry — PAM
Designs and deploys CyberArk PAM at enterprise scale — vault architecture, HA/DR, and complex onboarding.
Google Cloud Certified — Professional Cloud Security Engineer
GCP-specific security engineering: identity, VPC SC, secrets, logging, compliance.