Blue Team Project

TryHackMe SAL1 Security Analyst Certification

Overview

This project summarizes my completion of the TryHackMe Security Analyst Level 1 certification path. SAL1 is a practical security analyst certification focused on developing the core skills needed for SOC analyst work.

The certification focuses on analyst fundamentals, cyber defense concepts, alert triage, threat detection, case report writing, and decision making inside a simulated SOC environment. The goal of the certification is to help learners prove they can investigate alerts, prioritize incidents, document findings, and make sound analyst decisions under time pressure.

Certification Scope

The SAL1 path focused on practical SOC analyst skills, including:

  • Computing foundations
  • Cyber defense frameworks
  • Threat detection
  • Alert triage
  • Case report writing
  • Analyst mindset
  • SOC simulator investigation
  • Incident prioritization
  • Evidence review
  • Escalation decisions
  • Report writing

Objective

The objective of this certification was to demonstrate the ability to:

  • Review and triage security alerts
  • Investigate suspicious activity in a simulated SOC
  • Prioritize incidents based on available evidence
  • Identify when activity should be escalated
  • Write clear analyst reports
  • Apply cyber defense knowledge to practical scenarios
  • Work through alerts under realistic time pressure
  • Explain findings in a structured way

Skills Demonstrated

  • SOC alert triage
  • Security analysis
  • Threat detection
  • Evidence review
  • Incident prioritization
  • Case report writing
  • Analyst decision making
  • Cyber defense framework understanding
  • Computing fundamentals
  • Escalation judgment
  • Investigation documentation
  • Time management during an assessment

Tools and Concepts Used

  • TryHackMe SOC simulator
  • Alert queue review
  • Case management concepts
  • Incident triage workflow
  • Threat detection concepts
  • Cyber defense frameworks
  • Analyst reporting
  • Evidence review
  • Incident prioritization
  • Practical SOC decision making

Methodology

1. Learning Phase

The certification began with training designed to build core security analyst knowledge. This included computing foundations, cyber defense concepts, threat detection, alert handling, and report writing.

The goal of this phase was to build the baseline knowledge needed to investigate alerts and understand how security analysts make decisions in a SOC environment.

2. SOC Alert Review

The SOC simulator portion required reviewing security alerts and determining what needed investigation.

I practiced looking at alerts from an analyst perspective by asking:

  • What triggered the alert?
  • What asset, user, or system was involved?
  • Is the activity expected or suspicious?
  • What evidence supports the finding?
  • Does the alert require escalation?
  • What should be documented in the case report?

3. Investigation and Triage

The investigation process involved reviewing alert details, analyzing available evidence, and determining the correct response.

The focus was not just on finding suspicious activity, but also on deciding how serious the activity was and whether it required action.

This helped reinforce the importance of prioritization in SOC work. Not every alert carries the same risk, and analysts must decide what matters most based on evidence.

4. Case Report Writing

A major part of SAL1 involved communicating findings clearly through case reports.

The report writing process focused on:

  • Summarizing what happened
  • Explaining why the activity mattered
  • Documenting evidence
  • Stating the likely risk
  • Recommending next steps
  • Communicating in a way that another analyst or manager could understand

This helped strengthen my ability to explain security findings clearly instead of only identifying technical indicators.

5. Practical Exam

The certification exam included a timed assessment where I had to demonstrate both knowledge and practical SOC investigation ability.

The exam tested:

  • Security fundamentals
  • Alert triage
  • SOC simulator investigation
  • Analyst judgment
  • Incident prioritization
  • Case report writing
  • Decision making under time pressure

What I Did

During this certification, I completed the learning path and worked through practical SOC simulation activities focused on alert handling and analyst decision making.

I reviewed alerts, investigated suspicious activity, prioritized incidents, made escalation decisions, and wrote reports explaining the evidence and recommended actions.

This helped me build confidence in SOC workflows because the certification required more than memorizing definitions. It required applying analyst judgment inside a realistic alert handling environment.

Key Takeaways

SAL1 helped strengthen my understanding of what entry-level SOC analysts are expected to do in real investigations.

The most valuable part of the certification was the SOC simulator. It forced me to think like an analyst by reviewing alerts, validating evidence, prioritizing risk, and writing clear case reports.

The certification also reinforced that good SOC work is not only technical. A strong analyst must communicate clearly, document evidence, explain decisions, and know when to escalate.

What This Project Demonstrates

This project demonstrates my ability to:

  • Triage alerts in a SOC-style environment
  • Investigate suspicious activity using available evidence
  • Prioritize incidents based on risk
  • Make escalation decisions
  • Write clear case reports
  • Apply cyber defense concepts to practical scenarios
  • Think through alerts with an analyst mindset
  • Work under time pressure during a practical assessment
  • Communicate findings in a professional way

Disclosure Notice

This writeup does not include SAL1 exam questions, answers, private exam content, protected simulator material, screenshots, or assessment solutions.

The purpose of this page is to document the skills and defensive security concepts practiced during the certification while respecting exam integrity.