Rod Soto - SOC 101 - SOC 1 Analyst Bootcamp $1,900 (Early $1,700)


Name of Training:

SOC 101 - SOC 1 Analyst Bootcamp


This course will provide students with extensive hands-on exercises and labs that emulate real-life security operation center tasks and related technologies.

Training description:

During this comprehensive course, tools and methodologies that are used in Security Operation Centers will be introduced and detailed.

From text handling, packet dissection, and analysis, to adversarial simulation and detection engineering, this course will provide students with a solid base of skills and a comprehensive understanding of a Security Operations Center (SOC) Analyst job.

The focus will be geared toward basic, hands-on skills that allow students to perform and excel at baseline SOC tasks.

Hardware & Minimum Course Requirements:
A laptop with 16GB of RAM and the ability to run Virtual Machines. Understanding of basic networking concepts and basic Linux comprehension.

Target Audience:
This training is geared towards Information Technology, Computer System, or Computer Network Professionals seeking to enter the Information Security Industry while enriching those who seek to develop the skills and knowledge necessary to work at a Security Operations Center.

Skills that will be learned:
This course will provide students with the necessary skills and knowledge to work in a Security Analyst 1 job and understand the dynamics of a Security Operations Center.

Past content:

Rod Soto Udacity Instructor
Rod Soto RSA Conference 2021
Rod Soto - Red Team Village - Adversarial Simulation Workshop 2 hours.
Rod Soto - Linux Threat Detection using Attack Range - Texas CyberSummit 2022

Trainer(s) bio:

Rod Soto has over 15 years of experience in information technology and security. He has worked in Security Operations Centers as a support engineer, SOC engineer, security emergency response, and incident response. He is currently working as a detection engineer and researcher at the Splunk Threat Research Team, and previously worked at Prolexic/AKAMAI, Splunk UBA, and JASK (SOC Automation).
Rod Soto was the winner of the 2012 BlackHat Las Vegas CTF competition and of the Red Alert ICS CTF contest at DEFCON 2022. He has spoken at ISSA, ISC2, OWASP, DEFCON, RSA Conference, Hackmiami, DerbyCon, Splunk .CONF, Black Hat, BSides, and Underground Economy, and has also been featured in Rolling Stone Magazine, Pentest Magazine, Univision, BBC, Forbes, VICE, Fox News and CNN.

Trainer(s) social media links: @rodsoto


Day 1:

Introduction to SOC & SOC-related technologies (2 hours)
What is a SOC
Types of SOC
What is expected of a SOC Analyst (SOC 101)
Security Principles
Access Controls
SOC Security Technologies
Principles of Defense in Depth
Defense in Depth technologies
SOC main focus - Endpoints (Linux - Windows)
Linux Access Controls (DAC, MAC), Access Log locations
Exercise 1. Linux Access Controls, Linux Access Logs (grep, awk, and CLI tools)
Exercise 2. Windows Access Controls - NTFS & Active Directory
(Sysinternals AccessEnum, PowerShell & Windows CLI commands)
User groups, permissions, NTFS folder and file permissions.
Security Events & Data Manipulation (2 hours)
What is a security event?
Security Event Types
Triage of Security Events/Incidents
Logs & Text manipulation
- Logs, metadata, management, ETL, storage
- Linux, PowerShell, Batch - GREP, AWK, SED, REGEX
- Log and Metadata Standards - CIM, WWW, JSON, XML, SYSMON, SYSLOG, CSV
- Linux Logs → locations and structure
- Windows Logs → locations and structure
Exercise -
Use regex against CSV, WWW, and raw logs to find security-event-relevant metadata
Use PowerShell to view, parse, and find data in files
Use cat, grep, sed, and awk to manipulate and find data and to understand the structure of log files (syslog, sysmon, JSON, XML)
Identify the attack vector in logs
Networking - Threat Detection & Analysis (2 hours)
Network Basics
Basic TCP/IP – OSI Layers, distribution by protocol RFCs
Packet Capture
Wireshark, TCPDump
PCAP readers – Chaos Reader, Foremost, Network Miner, Arkime
Network Analysis and threat detection
Exercise -
Use TCPdump & Wireshark to find attack signatures in attack pcaps
Use NetworkMiner to mine and identify information
Use Arkime to capture and obtain pcaps
Replay pcap and visualize detection in Suricata
Vulnerabilities & Attacks (2 hours)
Vulnerabilities & attacks SOCs are exposed to
Industry Nomenclature
MITRE CVEs, MITRE ATT&CK, OWASP Top 10
Traffic Light Protocol (TLP)
Industry Compliance Frameworks
Risk & Threat Modeling
Exercise -
Identify a vulnerability, score risk, and calculate CVSS
Identify APT28 TTPs
Perform an RDP attack against a Windows host and find the related policies and security logs
Identify an OWASP Top 10 attack in a campaign (SQLi / nginx logs)

Day 2:

Management of logs (3 hours)
How to send logs to a centralized location
- syslog, rsyslog, netcat
- Windows Event Subscription
- Malware-related logs
Malware-centric logs → registry, evtx/xml, json, www
Management of centralized logs
Introduction to EDR
Use Docker to create a Splunk instance, upload data, and find a threat in the uploaded data
Use Docker to create an Elastic instance, upload data, and find a threat
Operate a Wazuh instance to load data and discover and analyze threats
Install OpenEDR and detonate threats to verify detection
Use the EICAR test file to observe Windows Defender detections and logs at the endpoint and in the SIEM
Use Elastic EDR to find threats
Adversarial Simulation & Detection Engineering (3 hours)
Infrastructure as Code
Adversarial Simulation Frameworks
Atomic Red Team
Splunk Attack Range
Manual exploitation
Detection engineering Windows (Sysmon)
Detection Engineering Linux (Syslog)
Execute Atomic Red Team atomics against a target
Devise a detection from the collected logs
Execute an attack on a Linux host and detect it from the collected logs
SOC challenges and interactions (1 hour)
Cryptography and the SOC
Incident Response
SOC Periphery teams
CTF (1 hour)

Technical difficulty:


Suggested Prerequisites:

Basic understanding of Windows and Linux Command Line, as well as basic networking skills (TCP/IP)

What students should bring:

A laptop with 16GB of RAM and the ability to run Virtual Machines. Understanding of basic networking concepts and basic Linux comprehension.

*Due to virtualization issues with Apple M2 chip-based laptops, these types of laptops are NOT supported for this training. Please bring Intel-based laptops that support x86 virtualization.

DATE: August 12th-13th, 2024
TIME: 8am to 5pm PDT
VENUE: Sahara Las Vegas

- 16 hours of training with a certificate of completion.
- 2 coffee breaks are provided per day
- Note: Food is not included

Registration terms and conditions:

Trainings are refundable before July 1st; a $250 processing fee applies.

Trainings are non-refundable after July 10th, 2024.

Training tickets may be transferred. Please email us for specifics.

Failure to attend the Training without prior written notification will be considered a No-Show. No refund will be given.

By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.