The Blue Team Cheat Sheet Every One Needs

If you’ve spent any time exploring a career in cybersecurity, particularly on the defensive side, you’ve probably encountered the same overwhelming moment many newcomers face.

You decide to pursue blue teaming: security operations, incident response, threat detection. The motivation is there. The industry demand is obvious. So you open a browser, search for “learn cybersecurity,” and start exploring the available resources.

Within minutes, you’re staring at hundreds of courses, certifications, and training paths. Networking, ethical hacking, cloud security, programming, threat hunting, SIEM tools—every description sounds essential, every course promises to be the “starting point,” and yet none of them clearly explain what actually comes first.

Interestingly, most aspiring blue team professionals don’t abandon the journey because cybersecurity is too difficult. They step away because the learning ecosystem is chaotic. Without a clear sequence, even motivated learners struggle to determine what to study, when to study it, and why it matters.

So let’s simplify the landscape.

Below is the structured progression I recommend to anyone entering blue team security today, one that builds real capability step by step rather than overwhelming you with disconnected topics.

Build the Foundation Before You Touch a SIEM

The single most common mistake I see from people entering blue teaming is trying to skip the IT fundamentals layer because it feels unsexy.

They want to analyze malware and hunt threats, not study the OSI model. I understand the impulse. But skipping this layer is precisely why so many people hit a wall six months in and can’t figure out why things aren’t clicking.

Your first stop is the TryHackMe Pre-Security path. No prior IT background is required; that’s the entire point of it.

It walks you through offensive and defensive security basics and network fundamentals such as the OSI model, packets and frames, DNS, and HTTP, all presented in an interactive, lab-driven format that doesn’t drown you in abstract theory.

Then it moves into computer fundamentals: virtualization concepts, operating system basics, and introductory programming in Python and JavaScript.

This is the scaffolding everything else gets built on. Do not skip it.

If TryHackMe isn’t your preferred platform, the direct equivalent on HackTheBox is the SOC Analyst Prerequisites module.

The content covers similar ground: Linux fundamentals, Windows fundamentals, networking, the command line, and web requests, with additions such as Active Directory basics and the penetration testing process that reflect HTB’s orientation toward its CDSA certification track.

The core rule here is simple: pick one or the other, not both. Pre-Security and SOC Analyst Prerequisites are parallel tracks covering the same conceptual territory. Choose your platform and commit.

Getting Hands-On with Defensive Concepts

Once the fundamentals are solid, the next stop is the TryHackMe Cyber Security 101 path. This is where you transition from passive knowledge to active skill-building, and it’s where the actual blue team toolset starts appearing.


A few things in this path deserve particular attention.

Windows and Linux command line: I’ll be blunt about this one. If you cannot navigate the command line in both operating systems with reasonable fluency, stop and address that before moving forward.

Not because someone told you to, but because virtually every investigative workflow in a SOC environment runs through the command line: logs, process analysis, file inspection, network queries, all of it. This is non-negotiable.

Wireshark and tcpdump: your network sensors are capturing packets continuously. When an incident occurs, you will have a PCAP file to analyze. These tools are how you read it. Learn the basic filters, understand packet operations, know what you’re looking for. Wireshark in particular appears throughout every subsequent stage of your career.

SIEM fundamentals: the Cyber Security 101 path includes an introduction to SIEM concepts, and this matters because the SIEM is the technological heart of any SOC. Before you touch Splunk or Elastic, you need to understand how SIEMs work: log aggregation, correlation rules, alerting logic. The intro room builds that mental model before you’re asked to operate the tools themselves.

There’s also Metasploit coverage in this path. If you’re aiming purely for blue teaming, Metasploit isn’t immediately essential, but I’d push back against ignoring it entirely.

Understanding the attack techniques and tooling that adversaries use gives you a meaningful advantage as a defender. Consider the offensive sections optional for now, but mark them for later. They become increasingly necessary as you progress.

The digital forensics section and the REMnux rooms are genuinely valuable and often underestimated. Digital forensics isn’t just for law enforcement; understanding how to handle evidence, read file metadata, and establish a chain of custody is relevant to real SOC work, particularly when incidents escalate to legal or compliance proceedings.

SOC Level One

With fundamentals and security basics under your belt, you’re ready for the TryHackMe SOC Level One path, which received a significant update in 2026 with new content, new labs, and revised modules.


This path is designed to give you the knowledge required to operate as a junior SOC analyst: Tier One, the people who triage alerts, investigate initial indicators, and escalate what they can’t resolve.

A few honest words about this role before diving in: AI is genuinely disrupting Tier One SOC work. Tools are automating alert triage at a pace that is compressing the demand for purely reactive, low-context analysis. I won’t pretend otherwise.

That said, the knowledge in this path remains foundational not because the role is static, but because everything above Tier One is built on top of it. You cannot do Tier Two analysis without understanding what Tier One does. You cannot build detection rules without knowing what you’re detecting. The path still matters. Just approach it as a foundation for growth rather than a destination.

What you actually learn here:

SOC processes and structure: the three pillars of any SOC are people, technology, and processes. Section two of this path walks through all three. This is institutional knowledge that most online courses skip in favor of tool demos, and it’s the difference between someone who can use Splunk and someone who understands where Splunk fits inside an operational response workflow.

SIEM tools in practice: specifically Splunk and Elastic Stack. You don’t need to master every SIEM platform in existence. Splunk and Elastic are the dominant tools in the market, and learning their query languages and alerting frameworks is a practical, high-value investment. QRadar and AlienVault exist and matter in specific environments, but start here.

The Cyber Kill Chain and MITRE ATT&CK: these two frameworks are the shared language of SOC environments. The Kill Chain gives you a model for understanding the stages an attacker moves through. MITRE ATT&CK gives you a granular taxonomy for classifying specific tactics and techniques. Together, they’re how you build attacker profiles, structure investigations, and communicate findings to colleagues and leadership. Learn them properly.

Phishing analysis: I want to dwell on this one because it’s underappreciated. Phishing is statistically the most common initial access vector in enterprise compromises. A disproportionate percentage of incidents you’ll investigate in a real SOC trace back to a phishing email. Understanding how to analyze email headers, identify spoofing, decode obfuscated links, and recognize the infrastructure patterns attackers use isn’t a beginner skill to rush past; it’s a core analytical capability you’ll use constantly.
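As an added illustration of the header checks described above (example code, not part of the original post or any course material), the Python below parses a constructed sample message, flags Reply-To and Return-Path domains that differ from the From domain, reads the SPF/DKIM verdicts out of Authentication-Results, and unwraps a tracking-style redirect so the visible link text can be compared with the real destination. The message, domains and link are all invented for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Constructed sample (not a real email): the display name claims to be the bank,
# Reply-To and the envelope sender point elsewhere, and the link text hides a redirect.
RAW_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Example Bank Security" <alerts@example-bank.com>
Reply-To: support@examp1e-bank.net
Subject: Action required
Content-Type: text/html

<p>Please <a href="https://redirect.example.org/track?url=https%3A%2F%2Fexamp1e-bank.net%2Flogin">https://example-bank.com/login</a> now.</p>
"""
ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)

def _domain(addr):
    return addr.split("@")[-1].lower()

def header_findings(raw):
    """Return spoofing indicators: sender-domain mismatches and failed auth results."""
    msg = message_from_string(raw)
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    findings = []
    for name in ("Reply-To", "Return-Path"):
        addr = parseaddr(msg.get(name, ""))[1]
        if addr and _domain(addr) != from_dom:
            findings.append(f"{name.lower()}-mismatch:{_domain(addr)}")
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech}={m.group(1)}")
    return findings

def decode_links(raw):
    """Pair each anchor's visible text with its real destination, unwrapping ?url= redirects."""
    results = []
    for href, text in ANCHOR_RE.findall(message_from_string(raw).get_payload()):
        final = href
        wrapped = parse_qs(urlparse(href).query).get("url")  # parse_qs already URL-decodes
        if wrapped:
            final = wrapped[0]
        shown = urlparse(text.strip()).hostname      # None if the link text is not a URL
        final_host = urlparse(final).hostname
        results.append({"href": href, "final": final, "visible_host": shown,
                        "final_host": final_host,
                        "mismatch": bool(shown) and shown != final_host})
    return results
```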

Malware concepts: you will not be doing deep reverse engineering at Tier One. That work gets escalated to Tier Two and Three analysts who specialize in it. But you need to understand what malware is, how it behaves, what indicators it leaves behind, and how to handle a sample correctly when you acquire it from an endpoint. The malware section in SOC Level One gives you that conceptual foundation.

Again, if you prefer HackTheBox, the HTB SOC Analyst path covers equivalent ground: incident handling processes, security monitoring fundamentals, Windows and Linux logging, threat hunting with Elastic and Splunk, and network traffic analysis. The same rule applies: pick one track and go deep rather than doing both.


Intermediate Work: SOC Level Two

TryHackMe SOC Level Two is where things get genuinely interesting, and where the work stops feeling like fundamentals review and starts feeling like real analytical capability.


A few highlights worth calling out specifically:

Advanced Splunk: this path goes deep on SPL (Splunk Processing Language), building queries from scratch, troubleshooting configurations, and fixing things that break in production.

There’s a dedicated room literally called “fixit” that walks you through real Splunk errors. This is the kind of practical operational knowledge that doesn’t appear in most courses but absolutely appears in real jobs.

Threat hunting and intelligence: this is probably the most significant capability jump between SOC Level One and Level Two.

Threat hunting means proactively searching your environment for indicators of compromise before an alert fires, using intelligence about current adversary infrastructure, tactics, and techniques to look for things your rules haven’t caught yet. This is where the work becomes analytical rather than reactive, and it’s also where AI has the hardest time replacing human judgment. Good threat hunters are and will remain valuable.

Detection engineering: building the rules that generate the alerts Tier One analysts triage. Understanding how detection rules are constructed, what makes them effective, and what creates false positive noise is a Tier Two and above skill. If you’re here, you’re no longer junior.
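To make the false-positive point concrete, here is an added example (not from the original post or any course material) of the same brute-force signal written twice over constructed sshd-style log lines: a count-only rule that also fires on a scheduled internal scanner, and a tuned rule that adds a time window, an allowlist for the scanner address, and a severity bump when a success follows the burst. The IP addresses, usernames and log lines are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: 10.0.0.5 is a known internal scanner, 192.168.1.20 is a
# user who mistyped once, 203.0.113.7 is a password-guessing burst that succeeds.
LOG_LINES = [
    "2024-05-01T09:00:00 sshd: Failed password for root from 10.0.0.5",
    "2024-05-01T09:02:00 sshd: Failed password for admin from 10.0.0.5",
    "2024-05-01T09:04:00 sshd: Failed password for root from 10.0.0.5",
    "2024-05-01T09:10:00 sshd: Failed password for bob from 192.168.1.20",
    "2024-05-01T09:10:05 sshd: Accepted password for bob from 192.168.1.20",
    "2024-05-01T09:30:00 sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T09:30:10 sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T09:30:20 sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T09:30:35 sshd: Accepted password for admin from 203.0.113.7",
]
LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
SCANNER_ALLOWLIST = {"10.0.0.5"}  # hypothetical tuning list maintained with IT ops

def parse(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events

def naive_rule(events, threshold=3):
    """Count-only rule: any source with >= threshold failures, ever. Noisy."""
    fails = defaultdict(int)
    for _, outcome, _, src in events:
        if outcome == "Failed":
            fails[src] += 1
    return {src for src, n in fails.items() if n >= threshold}

def tuned_rule(events, threshold=3, window=timedelta(minutes=2), allowlist=SCANNER_ALLOWLIST):
    """Same signal with a sliding window, an allowlist, and severity by outcome."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[3]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        if src in allowlist:
            continue
        fails = [ts for ts, outcome, _, _ in evs if outcome == "Failed"]
        for i, start in enumerate(fails):
            burst = [t for t in fails[i:] if t - start <= window]
            if len(burst) >= threshold:
                end = burst[-1]
                success = any(o == "Accepted" and end <= ts <= end + window for ts, o, _, _ in evs)
                alerts[src] = "high" if success else "medium"
                break
    return alerts
```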

Static and dynamic malware analysis: basic reverse engineering concepts appear at this level. Not expert-level binary analysis, but enough to understand what a sample is doing, how to run it safely, and what artifacts it produces. This is the gateway to deeper specialization if that direction interests you.

Practice Environments That Fill the Gaps

Once you’ve completed the path structure above, there are two categories of additional practice worth pursuing.

HackTheBox Challenges and Sherlocks: in the HTB challenges section, you can filter by category: forensics, OSINT, reversing, and cryptography are all directly relevant to SOC work. Sherlocks are purpose-built defensive labs organized around DFIR, cloud forensics, SOC scenarios, and threat intelligence cases. These are excellent for deepening specific skills outside the structured path format.


Cloud SOC: this is the gap most blue team curricula don’t address adequately. Most learning resources focus on endpoint-centric SOC environments, but the reality of modern enterprise infrastructure is that significant workloads live in AWS, Azure, or Google Cloud.


Investigating incidents in cloud environments requires different tooling, different log sources, and different investigative techniques than traditional endpoint SOC work. If your target employers operate cloud infrastructure, and most do, adding cloud SOC capability is a genuine differentiator.

The CyberDefenders platform has a strong catalog of cloud forensics labs across all three major providers.

Lastly for Cloud SOC, you can check out my FREE courses below:

Certifications

Here’s the practical certification alignment based on where you are in the path:

If you’re working toward BTL1 (Blue Team Labs Level 1), your primary preparation should be SOC Level One on TryHackMe, supplemented by the Blue Team Labs official content (which you should prioritize over third-party material when preparing for a vendor-specific exam) and CyberDefenders’ SOC v1 labs.

For CDSA (HackTheBox Certified Defensive Security Analyst), the preparation load is heavier: SOC Level One, SOC Level Two, and additional Splunk practice. CDSA is reportedly more demanding than BTL1, and the extra preparation reflects that density.

The broader principle is this: use whatever structured path you follow to build the skill set, then use the official certification preparation materials in the final stretch to align with the specific exam format and scope.

Your SOC Analyst Cheat Sheet

At the end, I’ve organized my pick of blue team certifications and mapped suitable online labs that you should practice while preparing, together with the most popular tools used by SOC analysts, all in one interactive sheet that also lets you track your progress:

The author

Motasem Hamdan
