Learning Track · 20 modules

Blue Team / SOC Operations

How defenders actually work. SOC structure, SIEM, detection engineering, EDR, malware triage.

Why this track

Blue team is where most cyber careers in India actually live — SOC analyst, detection engineer, incident responder. This track teaches the operational craft: how a real SOC works, how SIEM rules are written and tuned, how detections survive contact with reality, and how incidents are triaged, contained, and closed. You will leave with the skills to be a productive Tier-2/3 analyst on day one of a new SOC role.

What you will be able to do
  • Design SIEM detection use-cases mapped to MITRE ATT&CK
  • Triage alerts efficiently using Pyramid of Pain prioritisation
  • Run an end-to-end incident response from detection through after-action review
  • Hunt for threats proactively using EDR telemetry and threat intel
  • Build a SOC operating model that scales properly from 24/5 to 24/7 coverage
Prerequisite: Networking fundamentals. Linux + Windows comfort. SQL helpful for log queries.
Modules: 20
Total time: 16.3 h
Free modules: 20
Quiz retries
Difficulty mix: Beginner · 1, Intermediate · 10, Advanced · 9

Module sequence

M1
SOC Fundamentals
SOC tiered analyst model, triage workflow, shift patterns, runbooks, and India-specific operational constraints.
Beginner 60 min
M2
SIEM Fundamentals
SIEM architecture, log pipeline, parsing and normalization, retention tiering, and vendor landscape for 2026.
Intermediate 90 min
M3
Detection Engineering with Sigma
Sigma rule anatomy, the two mistakes beginners make, tuning workflow, and detection-as-code in Git.
Intermediate 90 min
M4
EDR Fundamentals
EDR telemetry, process lineage, response actions, vendor landscape, and the live-response triage sequence.
Intermediate 90 min
M5
Malware Triage
Static + behavioural triage, sandbox workflow, 30-minute triage playbook, and when to escalate to a reverse engineer.
Advanced 120 min
M7
Incident Response Lifecycle — NIST + SANS in Practice
Why this module exists. Every CISO knows the NIST IR lifecycle (Prepare, Identify, Contain, Eradicate, Recover, Lessons Learned). Few have actually executed it under pressure. The translation from textbook diagram to “the breach is happening, what do we do at 02:30 IST” is what separates exercises from outcomes. The lifecycle in operational terms Phase What […]
Advanced 35 min
M7
Threat Hunting Workflow
Threat hunting is proactive — actively searching for adversary activity that automated detection missed. Unlike SOC triage (reactive, works from alerts), hunting starts with a hypothesis and tests it against available data. This module covers the workflow, the hypothesis-driven method, and practical queries to start hunting tonight. Why hunt Automated detections catch KNOWN patterns; hunts […]
Intermediate 90 min
M8
Log Management at Scale — Patterns and Pitfalls
Why this module exists. Logs are the SOC’s primary data. Bad log architecture means missed detections, slow investigations, and impossible audit response. Good architecture means hunts complete in seconds and forensic timelines reconstruct in hours. The difference is mostly upfront planning. The log-management problem in 2026 numbers A medium Indian enterprise (5,000 endpoints, 200 servers, […]
Intermediate 30 min
M9
SOAR Playbooks — Practical Automation
Why this module exists. SOAR (Security Orchestration, Automation, Response) is the highest-leverage SOC investment after a competent SIEM. Done right, it cuts MTTR by 60-80%. Done wrong, it generates false confidence (“our automation handled it”) while alerts pile up in queues. The difference is playbook design discipline. What SOAR actually does Three layers of automation: […]
Intermediate 30 min
M10
Insider Threat Detection
Why this module exists. External attackers get the headlines; insiders cause more breaches by volume. Verizon DBIR consistently shows ~20% of breaches are insider-driven (deliberate + accidental combined). Detecting them requires different signals from external-attack detection, and operating in the privacy-respecting envelope DPDP / labour law / cultural norms allow. The insider-threat taxonomy Malicious insider […]
Advanced 30 min
M11
Email Security & Phishing Triage
Why this module exists. Email is still the primary initial-access vector in 2026. Verizon DBIR: ~30% of breaches start with phishing. Modern phishing is sophisticated (AI-generated content, MFA-aware), and email-security tools have advanced (sandboxing, behavioural detection, DMARC enforcement). Defenders who haven’t kept pace have a 2018-grade email defence. The four phishing variants you’ll see Bulk […]
Intermediate 30 min
M12
DNS-Based Detection Strategy
Why this module exists. Almost every internet attack starts with a DNS query — beaconing to C2, exfiltration via DNS tunneling, phishing-link resolution, malware updating itself. DNS logs are the highest-signal-per-byte log source in your environment, and most SOCs underuse them. What DNS logs reveal Beaconing — same source contacting same destination at fixed intervals […]
Intermediate 25 min
M13
SOC Metrics & MTTR Reduction
Why this module exists. “Is our SOC effective?” CISOs need a measurable answer. Common metrics — alert volume, ticket count — measure activity, not effectiveness. The metrics that matter are MTTD (mean time to detect), MTTR (mean time to respond), false-positive rate, and ATT&CK technique coverage. Each has a target; each has specific operational levers. […]
Intermediate 25 min
M14
Threat Intelligence Operations
Why this module exists. Threat intelligence is one of the most-purchased and least-utilised security investments. Companies subscribe to feeds that nobody reads, vendor reports that nobody actions. Done well, TI shapes detection, prioritisation, and strategy. Done badly, it’s expensive noise. The three altitudes of TI Type Audience Outputs Cadence Strategic Executives, board Threat landscape, risk-driven […]
Advanced 30 min
M15
Purple Teaming Methodology
Why this module exists. Red teams find what defenders missed. Blue teams build detections. Purple teams put both in the same room — making a single exercise simultaneously a test, a learning event, and a detection-engineering session. The output: detections that work for the techniques attackers actually use. What purple team isn’t Not “let’s all […]
Advanced 30 min
M16
SOAR — Security Orchestration, Automation, Response
What SOAR does Orchestration: connect security tools via API; trigger actions across them. Automation: execute repeatable workflows without human intervention. Case management: structured incident workflow with audit trail. Playbook execution: pre-defined response runbooks triggered by alert type. The platforms Splunk SOAR (formerly Phantom), Palo Alto XSOAR (Demisto), IBM QRadar SOAR, Microsoft Sentinel SOAR, Tines, Torq. […]
Advanced 35 min
M17
Threat Hunting Operationalised — Hypotheses, Pivots, Dashboards
What threat hunting is Proactive search for adversary presence based on hypothesis, not alert. The defender assumes a sophisticated attacker may already be present and searches for traces that current detection rules would miss. The hunt cycle Hypothesis: state what you’re looking for. “Adversaries may be using WMI for lateral movement.” Data sources: identify what […]
Advanced 35 min
M18
Detection Engineering — Sigma, ATT&CK Coverage, Validation
What detection engineering is Design rules that fire on adversary behaviour, not noise. Test rules against historical data and red-team data. Tune to acceptable signal-to-noise. Deploy with documentation. Maintain — update when adversary techniques evolve. The detection-engineering lifecycle Source: hunt finding, TI report, red-team exercise, ATT&CK coverage gap. Hypothesis: state what the rule should catch. […]
Advanced 35 min
M19
SOC Metrics That Actually Drive Improvement
The bad metrics Total alerts processed — measures volume, not value. Encourages keeping noisy rules. Alerts per analyst per shift — encourages superficial triage. Closed-without-investigation rate — encourages closure, not analysis. Mean-time-to-acknowledge alone — encourages clicking without thinking. The good metrics For analysts Mean Time To Detect (MTTD): from compromise to detection. Hard to measure […]
Intermediate 30 min
M20
Purple Team — Operationalising Adversary Emulation
Red vs purple — what differs Red team Purple team Adversary emulation, blue blind Adversary emulation, blue collaborating Goal: demonstrate impact Goal: improve detection Output: detailed report; blue may not see techniques used Output: detection rules + visibility-gap remediation Annual or quarterly engagement Continuous or monthly cadence The purple-team operating model Red team executes a […]
Advanced 35 min

Related tracks

Track: Cyber Threat Intelligence
OSINT, ATT&CK, Pyramid of Pain, and intel-driven hunting — actionable CTI.

Track: Attacker Mindset — Network
Segmentation, Layer 2 trust, C2 evasion, Kerberos, VPN, BGP, OT, wireless — why each class of network attack persists.

Track: System Security
Hardening and operating systems defensively. Linux, Windows, logging, containers.

Common questions about this track

Which SIEM does this teach?

Tool-agnostic methodology — examples in Splunk SPL, Elastic / Kibana KQL, and Microsoft Sentinel KQL. Once you understand detection logic, syntax becomes substitutable.

Will I be ready to apply for SOC analyst roles?

Yes — Tier 1 and Tier 2 roles are within reach after this track. Tier 3 / detection engineering benefits from also completing Threat Intel and one of the Attacker Mindset tracks.

Does this cover EDR specifically?

Yes — dedicated module on EDR telemetry, querying, and hunting using CrowdStrike-style and Defender for Endpoint examples.

Where does threat intelligence fit?

Adjacent track. Blue team consumes intel; threat intel produces it. Detection engineering bridges them. Most senior analysts master both over time.

Ready to start?

Begin with Module 1. Work through at your own pace. Free modules require no signup — everything else unlocks with a free RingSafe Academy account.
