TryHackMe: SOC Role in Blue Team Walkthrough

Welcome to this walkthrough of the SOC Role in Blue Team Room on TryHackMe. In this room we discuss the different kinds of roles in a SOC team, and how one generally advances within a SOC career.


Room URL:
https://tryhackme.com/room/socroleinblueteam

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM. Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

Now, let’s move on! This is going to be a long one!

Task 1: Introduction

You’ve learned about a SOC L1 analyst role in the Junior Security Analyst Intro room. But where is it placed in a company structure? Who is overseeing your team? What other security departments exist? Which skills do you need to advance through your career ladder? Let’s find out!

Learning Objectives

  • Understand the concept and purpose of the Blue Team
  • Explore a place of the SOC within the company structure
  • Find out about your career path as a SOC L1 analyst

Prerequisites

Questions

Let’s find out!

Answer: No answer needed


Task 2: Security Hierarchy

Security Hierarchy

  • Cybersecurity priorities vary by industry:
    • Law firms prioritize document privacy
    • Factories focus on production line availability
    • Hospitals emphasize patient safety
  • Security structure is tailored to business needs.
  • In large organizations:
    • Technical staff (e.g., SOC analysts) report to a department manager
    • The manager reports to the CISO (Chief Information Security Officer)
    • The CISO reports to the CEO, who focuses on business strategy, not technical details

Security Departments in Larger Companies

  • CISO oversees multiple specialized teams:
    • Red Team: Offensive security (ethical hacking, penetration testing)
    • Blue Team: Defensive security (SOC analysts, incident response)
    • GRC Team: Governance, Risk, and Compliance (policy and regulation management)

Smaller companies may combine these roles into a single IT or InfoSec team.

Questions

Which senior role typically makes key cyber security decisions?

The highest position within cyber security is often the CISO, which stands for Chief Information Security Officer.

Answer: CISO

What is the common name for roles like SOC analysts and engineers?

SOC analysts and engineers are part of the Blue Team, a team which focuses on defensive security work. Let’s learn more about this team in the next section.

Answer: Blue Team


Task 3: Meet the Blue Team

Blue Team Overview

  • Focuses on defensive security: monitoring for attacks and responding quickly.
  • Team size varies (typically 3 to 50 members) depending on company size and sector.
  • Includes several specialized departments and roles.

Key Blue Team Departments

1. Security Operations Center (SOC)

  • Acts as the first line of defense.
  • Handles alerts, investigates incidents, and configures detection tools.
  • Typical roles:
    • L1 Analysts: Triage alerts, escalate complex cases.
    • L2 Analysts: Investigate advanced threats.
    • Engineers: Manage tools like EDR and SIEM.
    • Manager: Oversees SOC operations.

2. Cyber Incident Response Team (CIRT)

  • Called in for critical or uncontrolled incidents.
  • Works independently of tools when needed.
  • Roles include:
    • Forensics Experts
    • Threat Hunters
    • Malware Analysts
    • Threat Intelligence Specialists
  • Examples: JPCERT (Japan), Mandiant, AWS CIRT.

Specialized Defensive Roles

Found in large or tech-focused organizations:

  • Digital Forensics Analyst: Analyzes disk/memory for hidden threats.
  • Threat Intelligence Analyst: Tracks emerging threat actors.
  • AppSec Engineer: Secures software development processes.
  • AI Researcher: Investigates AI-related security risks.

Questions

Does Blue Team focus on defensive or offensive security?

This should be obvious by now. Blue team is defensive, while red team is offensive.

Answer: Defensive

Which department handles active or urgent cyber incidents?

If the SOC team can’t handle a case, or when an incident is very urgent, the incident will be sent to the Cyber Incident Response Team (CIRT) department.

Answer: CIRT


Task 4: Advancing SOC Career

Starting as a SOC Level 1 (L1) Analyst is a great entry point into cybersecurity. You’ll handle real cyber threats, gain hands-on experience, and build foundational skills.

It’s engaging and educational, even at the junior level.


Steps to Begin Your SOC Career

  1. Learn core SOC skills (e.g., SIEM, incident response).
  2. Practice via CTFs (Capture The Flag competitions) and stay updated on cyber news.
  3. Consider certifications like SAL1 to boost credibility.
  4. Prepare for interviews and understand the difference between Internal SOC and MSSP.
  5. Apply for jobs and gain experience to move toward senior roles.

Internal SOC vs MSSP Comparison

  • Example
    • Internal SOC: Protecting a bank’s internal systems
    • MSSP (Managed Security Services Provider): Protecting multiple clients across regions
  • Work Pace
    • Internal SOC: Generally calmer shifts
    • MSSP: Fast-paced, high alert volume
  • Tools Used
    • Internal SOC: Few tools, deep expertise
    • MSSP: Many tools, broad exposure
  • Incident Exposure
    • Internal SOC: Limited major attacks per year
    • MSSP: Frequent exposure to diverse attacks

Next Career Steps After SOC L1

  • SOC L2 Analyst is the natural progression.
  • Other paths include:
    • Engineering (if you enjoy building systems)
    • CIRT (Cyber Incident Response Team)
    • Management (leading teams, potentially becoming a CISO)

Your first 1–2 years should focus on gaining real-world experience and exploring what areas excite you most.

Questions

How would you call a cyber security company providing SOC services?

Smaller companies often cannot afford their own SOC team, and will therefore hire a Managed Security Services Provider (MSSP) to provide SOC services.

Answer: MSSP

Which role naturally continues your SOC L1 analyst journey?

What do you think comes after Level 1? Level 2! The answer we are looking for is SOC L2 analyst.

Answer: SOC L2 analyst


Task 5: Final Challenge

For this task, imagine yourself as a CISO of TrySecureMe, a big multinational company. You oversee multiple departments and deal with incidents every month. This time, as many as seven incidents are happening at the same time, and you have to choose the right people to deal with every one of them. Do you know security roles well enough to complete this challenge?

Open the attached website by clicking the View Site button above and consider resizing or opening it in full screen for a better view. Then, drag and drop the roles from the left to the incidents on the right. If your choices are correct, claim your flag and complete the task! You can reset the website at any time by clicking the Reset button.

Questions

Alright, time for a fun challenge! Let’s go through this together, dragging roles into the correct incidents. If you have not done so, open the site. You will be met by the following screen:


There are seven tasks and seven roles: SOC L1 Analyst, SOC L2 Analyst, Threat Researcher, Penetration Tester, CERT Lead, GRC Auditor and SOC Engineer.

Let’s take the tasks in order:

SIEM created an alert about FW-NY-01 firewall brute-force. Who should triage the alert?

The SIEM has generated a fresh alert. Responding to an alert like this is a classic SOC L1 task: SOC L1 analysts act as the first response unit, triaging the alert before escalating it to another person depending on its type and urgency.

Answer: SOC L1 analyst

The HR manager Anna launched a phishing malware. Who should make a deep analysis?

Investigating phishing malware is a more advanced type of analysis, typically requiring the attention of a SOC L2 analyst.

Answer: SOC L2 analyst

The office in France was somehow hit with ransomware. Immediate response is required!

Immediate response is required, so we had better call the CERT lead. The CERT department is the first responder when SOC expertise is not enough or the incident goes out of control.

Answer: CERT lead

Our servers storing the credit cards require PCI DSS audit. Who can help us here?

Audits are a typical GRC job. GRC auditors manage policies and ensure compliance with regulations like PCI DSS or DORA in the EU.

Answer: GRC Auditor

Who can check the new version of tryhackme.thm for vulnerabilities?

Checking company websites and applications for vulnerabilities is a classic job of a penetration tester, part of the Red Team.

Answer: penetration tester

The SIEM is unavailable due to a storage limit. Who can investigate the issue?

This type of problem typically requires the involvement of an engineer. In cyber security, engineers with a security focus are called SOC Engineers.

Answer: SOC Engineer

FIN7 threat group actively targets our company. Who can analyze their tactics?

Investigating a new threat is the role of a threat researcher. They read up on threat groups and other APTs and investigate whether the organisation is in danger.

Answer: threat researcher

What flag did you claim after completing the final challenge?

Your answers should look like this (the top right one can’t be read, but answer SOC L2 Analyst here!). I hope you all had fun!

TrySecureMe is secured. WOO!

Answer: THM{trysecureme_is_secured!}


Task 6: Conclusion

Great job completing the challenge! Now you know how a SOC team works, where it is placed in the security structure, and what to do to start your career journey. Now, continue to the next rooms and learn what a SOC actually protects: humans and systems.

Next Rooms in Path

  1. Humans as Attack Vectors
  2. Systems as Attack Vectors

Questions

Complete the room!

Answer: No answer needed


Congratulations on completing SOC Role in Blue Team!!!


Congratulations on completing the SOC Role in Blue Team room. This room provided a lot of fundamental knowledge about the basics and roles of blue teams in large organisations. I hope you learned something new.

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.

Find my other walkthroughs in the TryHackMe SOC Level 1 Path here.

Find my other walkthroughs here.

Like my articles?

You are welcome to comment on this post, or share my post with friends. I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg
