By: Jake Mayhew
The SOC-200 course and OffSec Defense Analyst (OSDA) certification have stood out in the cybersecurity industry due to their technical, hands-on demonstration of skills as well as their focus on defensive capabilities. The industry has had a plethora of hands-on, skill-based certifications and challenges for offensive security, such as the industry-leading OffSec Certified Professional (OSCP), TCM’s Practical Network Penetration Tester (PNPT), and the Certified Red Team Operator (CRTO) from Zero Point Security. However, until recently there has been a dearth of hands-on training for defenders and blue teamers. The OSDA has stood out as a technical, challenge-based certification that requires defenders to demonstrate real-world skills to detect and track an attacker employing a realistic attack chain. The 24-hour certification challenge culminates in a threat report that communicates the attacker’s actions to management.
SOC-200 covers a wide range of technical topics including (but not limited to):
- Identifying web attacks
- Windows and Linux logging
- Windows client-side attacks
- Detecting privilege escalation on Linux, Windows, and Active Directory
- Lateral movement and persistence in Active Directory
- Antivirus alerting and detecting AV evasion
Each topic is covered from a number of angles in several formats: video content, written content, and hands-on lab exercises. The course culminates in a deep dive into SIEM using the ELK stack. The prior foundational topics are tied together there, and you are taught how to use the ELK SIEM to detect and track an attacker leveraging the techniques covered in the course.
Finally, although the course material is fantastic, the main value of the course (in my opinion) is the twelve Challenge Labs. These labs present the learner with increasingly complex, multi-stage attack scenarios that challenge the student to track every step a malicious attacker takes to compromise a target environment. The final two labs are the most like the exam environment.
Value of the Certification
An OSDA holder has proven they have a strong, hands-on-keyboard command of foundational blue team technologies & concepts including logging, monitoring, and understanding how to track an attacker’s activities in a SIEM. SOC managers and team leads can see this on an application or resume and be assured that the candidate is able to hit the ground running with security operations activities and immediately begin adding value.
In the U.S., SOC roles can pay $90,000 a year or more, depending on the organization you work for and the region of the country. Salary data can vary widely, but below are a few sources that can help you understand the ranges:
- According to ZipRecruiter, SOC analysts make an average of $99,000/year.
- GlassDoor provides a wider range of $72,000 to $121,000 yearly, with an average of $93,000 (base pay).
It is also important to note that salary will typically be commensurate with skills and experience. Entry-level positions will be on the lower end of this spectrum, but SOC analysts who have proven their skills and matured in their profession can command a much higher salary. One of the best ways to hone your skills is continuous learning through certification courses, and certificate holders can reference hands-on certifications as an objective standard to prove their skills and experience.
Tips on Passing
While the OSDA exam is a challenging 24-hour test, it is straightforward and should be attainable for any motivated candidate who has worked through the content, exercise labs, and challenge labs. The best tip I can give is to take the challenge labs seriously, as they mirror the exam the most closely. Approach them in order, as they increase in complexity and difficulty.
If you have methodically worked through all of the content described above, you should be well equipped to pass! Get a good night’s sleep before the exam, plan to eat some brain-powering food (and caffeine!), and find a quiet place to tackle the test. Finally, report as you go, take copious notes, and make sure you leave plenty of time to craft the report in the 24 hours after the exam ends; it takes more time than you’d expect!
Another fantastic resource is the “OffSec Academy” videos that OffSec provides with their exam. These are taught by Gervin Appiah who walks students through some of the challenge labs and offers valuable insights into the SIEM environment and navigating the challenges and OSDA exam.
Live Training Offerings
While it is entirely possible for motivated individuals to pass this exam by working through the course, Applied Technology Academy (OffSec’s official live training partner) offers instructor-led trainings to lead students through the course. These trainings are taught by highly experienced, certified professionals who not only will equip you with the skills needed to pass the exam, but also provide valuable and meaningful insights from their professional experience.
This year, Applied Technology Academy is partnering with OffSec to offer instructor-led trainings at BlackHat USA 2024 on August 3rd through August 6th.
- Penetration Testing with Kali Linux (PEN-200) to prepare students for the OSCP
- Foundational Security Operations and Defensive Analysis (SOC-200) to prepare students for the OSDA
- Advanced Windows Exploitation (EXP-401) to prepare students for the OSEE
Enrollees registered for the Black Hat PEN-200 or SOC-200 trainings will also receive a one-year Learn Unlimited subscription to the OffSec library. This is a $5,499 value that includes access to all course content, labs, and material, with unlimited exam attempts to enable students to pursue multiple OffSec certifications!
Learn More About SOC-200 at Black Hat 2024