SOC Analist | IT-Security Expert course

Register nowBook as incompany

What will you learn?

  • 9How a SOC operates, technologies and services offered and how they interconnect. What it takes to work within a SOC and how to continuously improve security operations based upon the SOC Implementation Model and SOC Maturity Model
  • 9How to set up and execute data collection strategies, based on attacker techniques and identified critical and key systems / assets of the organization
  • 9Solid understanding of threat detection and threat intelligence and the capabilities, technology and people supporting the threat intelligence process
  • 9How to manage and create use cases for security monitoring purposes
  • 9Hands on experience in threat detection, analysis, reporting and delivering board level presentations
  • 9Solid understanding on incident response planning and in-class experience how to manage an incident from preparation to post-incident analysis


  • 5 course days
  • 24 hours of self study

Your trainers

Bas van den Berg
Ethical Hacker

About Bas

Bas started out as a developer and moved then to a solution architect and later on to enterprise architect. Security always had his interest so he changed to his current position as a security consultant. His main focus is on secure development and security assessment. Combining this with his good understanding of people and how they think, his goal is to create a better and more secure world.

Rob van Os
Cyber Defense Specialist,
SOC Manager

About Rob

Rob van Os is a cyber security professional with extensive experience in cyber defense and security operations. Rob has played various roles over the years, including SIEM consultant, security architect, security specialist and is now product owner of the Cyber Defense Center of de Volksbank.

Rob thinks it is important that students acquire the correct theoretical baggage, but also relevant hands-on experience in the course and can put it into practice directly in their own SOC.

About the SOC | IT-Security Expert course

The SOC Analyst course was developed by a group of SOC- Managers and the creator of the SOC Maturity Model (SOC-CMM). It offers a comprehensive 5- day training that immerses you into the processes, data flows, models and capabilities of a Security Operations Center with hands on, real-world tasks of a SOC- Analyst: You will work on business cases where you’re assigned to support in the deployment of a new SOC and set up, select and execute business-driven and threat-driven data collection strategies based on Attacker Techniques, Key Systems and Company Critical Assets. You will deliver a board level presentation based on your threat analysis of a dataset, and you’ll work on an assignment where you’ll be managing an incident from preparation to post-incident analysis. The course delivers a simulated SOC environment including a SIEM with large datasets for the exercises and ends with a Capture the Flag, a 1- day experience in a virtual SOC.

    Who should attend?

    • Those that are pursuing a career and certification as a SOC Analyst.
    • SOC Teams that want to set a baseline requirement for their Tier1,2 Analysts. Cyber Defense teams that are building their SOC operations / insourcing a SIEM solution and that want to have their security team trained. Security Vendors and Managed Service Providers that want to get their experts certified in a cost-effective and efficient way.
    • Security managers keen to learn how to build and manage efficient SOC Operations based on a more practical understanding of its working
    • Security experts from other domains that want to get a fundamental understanding of how the SOC operates and their blue team activities
    • Universities that want to have their students ‘job- ready’, with industry subjects which lead to industry certifications


    Basic understanding of TCP/IP, operating system fundamentals and common security concepts. Students are expected to have a basic understanding of application layer protocols such as http, smtp, ssh and ftp. Understanding of Linux command-line is a big plus/ desirable.

    You may want to consider attending the IT Security Practitioner course as a prep towards this training. When you’re in doubt if this is the right course for you, feel free to connect with us.

    This training attracts students with different backgrounds and expertise that may often even differ per each domain covered. This has been considered with the setup of the training (1 day per week with homework, exercises and reference materials for you to explore in between the course modules) and on premise by your trainer with the distribution of exercises amongst students. We keep the classes small to give each individual student the attention he / she is entitled to.

    Course Materials & Laptop Requirements

    You’ll receive the official course material from SECO-Institute through our student portal. The course materials are in English. The language during the course is either English or Dutch, depending on the students.
    For this course you’ll need to bring a suitable laptop to participate in the exercises:

    • CPU: 64-bit Intel i5 / i7 2.0+ GHz processor
    • BIOS: Enabled “Intel-VT”
    • RAM: 16 GB RAM (8 GB min)
    • Hard Drive: 150 GB free space
    • Wifi
    • Windows 10 operating system
    • Virtualbox or VMware (a .vmdk file must be started)
    • Firefox or Chrome browser

    If you’re unable to bring a laptop with the above-mentioned specifications yourself, please contact us.

    Classroom training or Online Live?

    • Classroom Training: You’re our guest and threated as such

    When you take our Classroom Training you are our guest, and that’s how we’ll threat you! You’ll train in an inspiring training environment handpicked based on the highest quality standards. All trainings include a delicious lunch, when you register to your training you can indicate any dietary requirements that we should consider.

    • Online Live Training: Prepare, train and certify from the comfort of your home or work

    For those of you preferring an online experience, we offer Online Live Training through the SECO – Institute Online Learning Platform based on BigBlueButton, a secure platform specifically designed for Online Training that requires collaboration and (hands on) exercises. Course materials are delivered via a designated Student Portal prior to your training. For the SECO – Institute trainings, the examination is also conducted online via a certified Proctor. Everything you need to prepare, train and certify from the comfort of your home or work.

    * Our classroom trainings are delivered in Dutch or English, depending on the composition of the student group
    * Our Online Live Trainings are delivered either in Dutch or in English. Make sure that you register for the right class!

    What’s included?

    At the start of the training you will receive the official course material from SECO-Institute through our student portal. The course material is in English and the language during the course is either English or Dutch, depending on the students.

    The following is included:

    • The SECO-Institute course material
    • The online SECO Institute IT-Security Expert/SOC exam
    • 1 year free SECO-Membership when you pass the exam
    • A delicious lunch

     Why SECO-Institute?

    This training was developed by a group of SOC Managers and the creator of the SOC Maturity Model that is used globally by Enterprise SOC Teams and consultants for improving Security Operations. The training is based on the requirements that they have set for their own teams, so you can feel comfortable that it offers practical, relevant and job-ready content. Lastly and most important: Our instructors! SECO- Institute trainers work within the world’s most challenging environments. They have been involved in building, managing and maturing SOC/CSIRT Teams, have worked on large-scale international cyber investigations, and participated in responding to attacks from renowned campaigns and cyber criminals. Each instructor has gone through a rigorous accreditation process. They are strong communicators, passionate about the domain and eager to share their knowledge and skills.


    Course modules


    Module 1 – Organisation and Implementation Strategies

    This module covers the ways in which a SOC can be organised and the actions that need to be taken to run and continuously improve an effective SOC based upon the SOC Implementation Model and SOC Maturity Model. Throughout the module, students will work on a business case, where they are assigned to deploy a SOC. They will be asked to identify the SOC’s business drivers, describe the SOC’s mission, determine roles and responsibilities, relevant metrics and technology tools and services the SOC should offer.

    Topics covered:
    • SOC models, SOC types and organisational positioning
    • SOC implementation, growth and continuous improvement
    • SOC Maturity Model and SOC-CMM tool
    • Business drivers, Customers, Charter, Governance, Privacy
    • Roles and hierarchy, People-, team- and knowledge management, training
    • SOC management, Operations and facilities, Reporting, Use case management
    • SOC- Core Technologies: SIEM, IDPS, Analytics and SOAR
    • SOC- Services: Security Monitoring, Incident Response, Security Analysis, Threat Intelligence, Threat Hunting, Vulnerability Management, Log Management

    Frameworks, best practices, references for this module:
    SOC Implementation Model, SOC Maturity Model, The Library of Cyber Resilience Metrics, NIST NICE

    Module 2 – Log Collection and Monitoring

    This module delivers the theory behind log monitoring and security monitoring systems along with hands-on exercises in security logging and analysing log collections. The module offers an introduction to attacker techniques, critical and key systems and assets identification, and how to set up, select and execute business- driven and threat- driven data collection strategies.

    Topics covered:
    • Introduction to Attacker techniques and processes
    • Data Collection Strategies: Log content, use cases & SIEM rules, Threat-based & business requirement-based logging, log retention
    • Logs and Log Collection: Mechanisms, Syslog, SNMP, Agents, File- based logging, Log formats, Indexing and log normalization, log parsing, Regular expressions, Anchors, Repetitions
    • Key IT Systems and Their Logs (exercise)
    • SIEM (hands on)
    • Alerting (hands on)
    • Reporting and Dashboarding (hands on)
    • Event Analysis, correlation (hands on)

    Frameworks, best practices for this module:
    Pyramid of Pain and TTP’s, Cyber Kill Chain versus MITRE ATT&CK Framework, OODA loop, Diamond model of intrusion analysis


    Module 3 – Threat Detection, Threat Intelligence and Use Case Management for Threat Monitoring

    Module 3 starts with threat intelligence, how it is applied to obtain situational awareness, and the capabilities, technology and personnel supporting the threat intelligence process. It then dives deeper into the Pyramid of Pain and MITRE ATT&CK framework, how use cases are applied to monitor the use of attack techniques in the infrastructure and how to apply a use case framework for structured security monitoring. During the hands-on practice, students get to analyse a dataset in order to find indications of threats. The hands-on section prepares students for a complex homework assignment they will complete after this module.

    Topics covered:
    • Threat Intelligence types, protocols & standards, feeds, platforms
    • ISACs and other communities, Chatham House Rule
    • CTI process, CTI infrastructure management
    • CTI skills: NIST NICE – CTI Analyst
    • Attack Techniques
    • Security Monitoring Use Cases, MaGMa, MaGMa UCF
    • Hands-On Exercise

    Frameworks, best practices, references for this module:
    CSAN Threat Actors, Threat intelligence protocols and standards. Pyramid of Pain and TTP’s, Cyber Kill Chain versus MITRE ATT&CK and PRE-ATT&CK Frameworks, OODA loop, Diamond model of intrusion analysis. Chatham House Rule. MaGMa, MaGMa UCF Tool, NIST NICE.


    Module 4 – Threat Hunting, Analysis and Reporting

     During this module, students will present the findings of their homework assignments. It will evaluate if students are able to correlate events and determine their context, identify and quantify vulnerabilities and hunt for threats. Finally, after an in- depth analysis, translate technical findings to a management summary and deliver a board level presentation.


    Module 5 – Incident Response

     Module 5 starts with an introduction on Incident Response and the NIST Computer Security Incident Handling Guide. It then evaluates the policies that govern incident response, incident response plans, the procedures you should have in place and CERT models and services. From thereon the incident handling process and activities are evaluated, including detection, analysis and reporting, with 2 exercises where students will manage an incident from preparation to post-incident evaluation.

    Topics covered:
    • Introduction to Incident Response
    • Incident Response Policy, Plan, and Procedure Creation
    • Incident Handling
    • Information Sharing and Reporting

    Frameworks, best practices, references for this module:
    NIST Computer Security Incident Handling Guide


    Module 6 – A one day experience in a virtual SOC

     The training ends with a Capture the Flag, a 1- day experience in a virtual SOC. Throughout the day, you’ll be asked to perform impact analysis about possible threats, classify and respond to different incidents and create and present a report. The Capture the Flag is part of your exam.

    About the Exam

    The SOC | IT-Security Expert course is the last level of the SECO Institute Cyber Security & Governance Certification program. The IT-Security Expert certification exam covers a set of industry-established competencies that are essential for aspiring SOC Analysts.

    Exam information

    • Exam language: choice between English and Dutch
    • Type of exam: online exam (you must reserve this exam yourself)
    • Type of questions: 40 multiple choice questions
    • Exam time: 60 minutes

    About the certificate

    By passing the ITSE certification exam and earning a SECO-IT-Security Expert (S-ITSP) certificate, you showcase your ability to:

    • Demonstrate an in-depth understanding of SIEM, Splunk, IDPS, security analytics, SOAR, EDR, NTA, TIP and vulnerability scanners;
    • Provide direction and consultation on log collection and log monitoring (define data gathering strategies, develop an effective pattern management strategy, set up and configure log monitoring/analysis, analyse log collections and evaluate the findings);
    • Identify and detect network and infrastructure security threats (recognise network and infrastructure security threats and analyse the environment to identify all security threats);
    • Analyse basic network and infrastructure security threats;
    • Report on the severity of threats and provide advice for remediation using adequate reporting techniques;
    • Adequately respond to basic network and infrastructure security threats.

    What are the benefits of an S-ITSE certificate?

    An S-ITSE certificate demonstrates that you have acquired the knowledge and skills necessary to assume responsibility for threat detection, analysis and response, and that you are able to use your skills to improve your organisation’s overall security posture. In the possession of this qualification, you will be able to benefit from abundant career opportunities in government and public-sector Security Operations Centres. The certificate also has benefits for you if you are considering further advancing your career and working your way to SOC Manager.

    Practical Information

    • Course times: 9 am to approximately 4:30 pm. The coffee is ready at 8:30.
    • Lunch is included and consists of a buffet with, among other things, fresh sandwiches. Do you have allergies or dietary requirements? Please communicate this in time.
    • Training location:
      Quinten Matsijslei 25
      2018 Antwerp
    • By participating in a course or training you agree with our terms and conditions

    Register now

    Book as incompany or stay up to date