It’s not often that a course leaves me this impressed. Security Operations (SOC) 101 by Andrew Prince over at TCM Security is one of the most comprehensive courses I’ve taken in a long time, and that’s saying a lot.
This course doesn’t just cover SOC. It dives deep into everything surrounding it: endpoint security, phishing analysis, network traffic, SIEM, digital forensics, and even incident response. It feels less like a single course and more like a full curriculum designed to shape you into a well-rounded SOC analyst.
One thing that makes this course even more valuable is what comes after it: the Practical SOC Analyst Associate (PSAA) certification.
Once you’ve completed SOC 101 and you’re confident in the skills you’ve learned, the next logical step is attempting the PSAA, a hands-on, practical certification from TCM Security. This isn’t just another multiple-choice test. It’s a practical exam designed to simulate real-world SOC scenarios: phishing analysis, log analysis, incident handling, and more.
The SOC 101 course actually prepares you very well for the PSAA (I think; I have not taken the exam yet). All those labs and challenges throughout the course? They’re the foundation you’ll need to be successful in the exam. So if you’re the kind of person who wants something tangible to show for your time and effort, and maybe add some credibility to your resume, the PSAA is a great target.
Let’s break it down.
Course Overview
Clocking in at around 30 hours of video content, this course already demands a decent time commitment, but that’s just the beginning. If you really want to get the most out of it, you’ll need to roll up your sleeves and spend additional hours working through the labs. And trust me, it’s worth every second.
From the get-go, Andrew sets a strong tone for what’s to come. The introduction is short and informative, giving you everything you need to get started. The lab setup is very hands-on: you’ll install Windows, Ubuntu, set up a virtual lab, and configure networking. For beginners, this might feel like a bit of work, but it pays off big time later in the course.
Foundation of Security Operations
This section lays the groundwork. Andrew explains the SOC’s role, typical analyst workflows, metrics, organizational models, and more. It’s all very well-structured and easy to follow. Even if you’ve worked in a SOC before, you’ll still pick up a few gems here.
Phishing Analysis
This section is massive. You learn everything from how to break down a phishing email to dynamic attachment analysis and URL forensics. The hands-on challenges really help solidify the concepts. By the end, you’ll be looking at your inbox a little differently.
Bonus: He introduces PhishTool for automated analysis — very cool if you’re into streamlining workflows.
Network Security
This part was a blast. You jump into tcpdump, Wireshark, and IDS/IPS with Snort. Andrew walks through packet captures and detection techniques with clarity and patience. Writing Snort rules from scratch and analyzing real traffic was one of the highlights for me.
There are challenges here too, which help reinforce everything in a real-world scenario.
Endpoint Security
Another huge section that doesn’t disappoint. From Windows core process analysis to autoruns and scheduled tasks, it’s packed. There’s also Linux coverage, including cron jobs and process analysis.
What stood out to me here was the use of LimaCharlie for modern EDR workflows. You even simulate your own malware to analyze its behavior, which is super hands-on and practical.
SIEM: Splunk & Log Analysis
Splunk gets a full treatment here. You go from setting it up to writing SPL queries and creating dashboards. The live challenges, like the website defacement and ransomware scenarios, are particularly engaging. If you’ve never touched Splunk before, this course will give you the confidence to start using it daily.
Threat Intelligence
MITRE ATT&CK, the Diamond Model, YARA rules, and MISP: this section feels like a mini threat intel masterclass. If you’re interested in moving into Threat Hunting or CTI, you’ll get a strong foundation here.
Digital Forensics
From memory analysis using Volatility to forensic imaging with FTK Imager, this part surprised me in the best way. It’s not a full digital forensics course, but what you get is very solid and applicable to SOC work, especially in triaging endpoints during an investigation.
Incident Response
The IR section wraps up the course with a breakdown of the full response lifecycle: preparation, identification, containment, eradication, and recovery. There’s also a nice emphasis on documentation and lessons learned, which often gets overlooked.
Final Thoughts
It’s hard to put into words just how complete this course is. Whether you’re completely new to SOC or looking to brush up and deepen your knowledge, this course delivers.
Yes, you can always dive deeper into individual topics (and you should), but this course gives you the solid base you need to grow. In fact, I’d argue it should be mandatory for anyone entering the SOC world.
Andrew Prince does a phenomenal job balancing theory with practical skills, and the lab-heavy approach makes sure you’re not just watching, you’re doing.
If you’re even thinking about a career in security operations, stop thinking and start this course.
Course Curriculum
Introduction
Course Introduction (8:31)
Prerequisites and Course Resources (5:59)
Course Discord and Support (2:32)
Lab Setup
Installing Oracle VM VirtualBox (4:53)
Installing Windows (12:08)
Configuring Windows (10:51)
Installing Ubuntu (12:35)
Configuring Ubuntu (6:36)
Configuring the Lab Network (5:23)
Security Operations Fundamentals
The SOC and Its Role (18:40)
Day in the Life of a SOC Analyst (9:44)
Information Security Refresher (22:52)
SOC Models, Roles, and Organizational Structures (11:27)
Incident and Event Management (7:26)
SOC Metrics (5:59)
SOC Tools (16:12)
Common Threats and Attacks (16:59)
✏️ Quiz - Security Operations Fundamentals
Phishing Analysis
Introduction to Phishing (14:04)
Email Fundamentals (12:33)
Phishing Analysis Configuration (6:04)
Phishing Attack Types (16:19)
Phishing Attack Techniques (14:58)
Email Analysis Methodology (5:41)
Email Header and Sender Analysis (21:24)
Email Authentication Methods (17:25)
Email Content Analysis (12:49)
The Anatomy of a URL (8:28)
Email URL Analysis (21:51)
Email Attachment Analysis (14:40)
Dynamic Attachment Analysis and Sandboxing (21:17)
Static MalDoc Analysis (6:53)
Static PDF Analysis (10:46)
Automated Email Analysis with PhishTool (6:11)
Reactive Phishing Defense (27:25)
Proactive Phishing Defense (13:18)
Documentation and Reporting (11:51)
🧪 Phishing Analysis Challenge 1
🧪 Phishing Analysis Challenge 2
🧪 Phishing Analysis Challenge 3
Additional Practice (3:55)
✏️ Quiz - Phishing Analysis
Network Security
Introduction to Network Security (4:06)
Network Security Theory (29:57)
Packet Capture and Flow Analysis (11:50)
Introduction to tcpdump (15:33)
tcpdump: Capturing Network Traffic (14:17)
tcpdump: Analyzing Network Traffic (13:45)
tcpdump: Analyzing Network Traffic (Sample 2) (14:47)
🧪 tcpdump Challenge 1
Introduction to Wireshark (15:51)
Wireshark: Capture and Display Filters (11:59)
Wireshark: Statistics (11:57)
Wireshark: Analyzing Network Traffic (19:27)
🧪 Wireshark Challenge 1
Intrusion Detection and Prevention Systems (7:41)
Introduction to Snort (17:37)
Snort: Reading and Writing Rules (24:44)
Snort: Intrusion Detection and Prevention (20:54)
🧪 Snort Challenge 1
Additional Practice (3:12)
✏️ Quiz - Network Security
Endpoint Security
Introduction to Endpoint Security (3:07)
Endpoint Security Controls (13:14)
Creating Our Malware (13:42)
Windows Network Analysis (24:11)
Windows Process Analysis (28:54)
Windows Core Processes (Part 1) (14:52)
Windows Core Processes (Part 2) (17:15)
The Windows Registry (13:51)
Windows Autoruns (Part 1) (13:09)
Windows Autoruns (Part 2) (16:03)
Windows Service Analysis (13:49)
Windows Scheduled Tasks (11:08)
🧪 Windows Endpoint Analysis Challenge 1
Windows Event Logs (25:20)
🧪 Windows Events Challenge 1
Introduction to Sysmon (10:22)
Sysmon Events (29:16)
Linux Network Analysis (16:49)
Linux Process Analysis (25:37)
Linux Cron Jobs (12:56)
🧪 Linux Endpoint Analysis Challenge 1
Introduction to LimaCharlie (6:53)
LimaCharlie: Endpoint Detection and Response (20:21)
LimaCharlie: Deploying Endpoint Agents (17:04)
✏️ Quiz - Endpoint Security
Security Information and Event Management (SIEM)
Introduction to SIEM and Log Management (7:06)
SIEM Architecture (22:26)
SIEM Deployment Models (9:56)
Log Types (11:12)
Log Formats (5:13)
Common Attack Signatures: User Behavior (9:30)
Common Attack Signatures: SQL Injection (6:32)
Common Attack Signatures: Cross-Site Scripting (3:08)
Common Attack Signatures: Command Injection (4:27)
Common Attack Signatures: Path Traversal and Local File Inclusion (4:01)
Command Line Log Analysis (24:45)
Pattern Matching (8:31)
Structured Log Analysis (7:57)
🧪 Log Analysis Challenge 1
Introduction to Splunk (9:13)
Splunk: Initial Walkthrough (7:36)
Splunk: Importing and Exploring Events (24:03)
Splunk: Search Processing Language (SPL) (19:20)
Splunk: Search Commands (16:15)
Splunk: Reports and Alerts (10:16)
Splunk: Creating Dashboards (13:33)
🧪 [Live] Splunk: Website Defacement Investigation (61:04)
🧪 Splunk: Ransomware Challenge
Splunk: Deploying a Forwarder and Generating Real-Time Alerts (15:01)
Section Cleanup
✏️ Quiz - SIEM
Threat Intelligence
Introduction to Threat Intelligence (5:10)
Types of Threat Intelligence (8:14)
The Threat Intelligence Cycle (11:02)
The Diamond Model of Intrusion Analysis (16:05)
The Cyber Kill Chain (16:09)
The Pyramid of Pain (18:14)
MITRE ATT&CK (25:05)
🧪 MITRE ATT&CK Challenge 1
Introduction to YARA (12:48)
YARA: Reading and Writing Rules (Part 1) (19:37)
YARA: Reading and Writing Rules (Part 2) (14:37)
🧪 YARA Challenge 1
Introduction to MISP (Malware Information Sharing Platform) (19:44)
MISP: Event Management (18:59)
MISP: Ingesting Threat Intelligence Feeds (14:48)
✏️ Quiz - Threat Intelligence
Digital Forensics
Introduction to Digital Forensics (7:11)
The Digital Forensics Investigation Process (20:22)
Order of Volatility (19:11)
Chain of Custody (9:40)
Introduction to FTK Imager (20:04)
FTK Imager: Forensic Image Acquisition (14:26)
FTK Imager: Memory Acquisition (12:41)
Common Windows Forensic Artifacts (18:50)
Windows Forensic Artifacts: User and System (19:37)
Windows Forensic Artifacts: Files (16:12)
Windows Forensic Artifacts: Program Execution (13:28)
LNK Files, Prefetch Files, and Jump Lists (25:56)
Windows Forensic Artifact Triage (23:18)
Introduction to Volatility (11:27)
Volatility: Memory Analysis (8:48)
Volatility: Network Memory Analysis (7:12)
Volatility: Process Memory Analysis (17:02)
Volatility: Registry Memory Analysis (9:28)
🧪 Volatility Challenge 1
✏️ Quiz - Digital Forensics
Incident Response
Introduction to Incident Response (9:41)
Incident Response Frameworks (7:31)
Preparation (27:03)
Identification (11:23)
Containment (17:36)
Eradication (11:44)
Recovery (4:00)
Lessons Learned (8:37)
✏️ Quiz - Incident Response
Conclusion
Course Wrap Up (2:27)
Next Steps: Practical SOC Analyst Associate (PSAA)
The End
Keep Hacking!
//Roger