raghv.dev
June 7, 2026

SOC Analyst Study Roadmap: From Zero to Security+

The exact resources, labs, and certifications I used to go from no IT background to Security+ certified and hunting SOC analyst roles.

Background

I didn't come from a traditional IT background. I worked as a security guard, then pivoted into software development, and now I'm building toward cybersecurity — specifically SOC Tier 1 on the path to penetration testing.

This is the exact roadmap I followed.

Phase 1: Security+

Resources I used:

  • Professor Messer's free video series — best free resource available
  • Jason Dion's Udemy practice exams — 1000+ questions, brutal but necessary
  • CompTIA CertMaster Practice — for weak area drilling

Don't just memorize. Understand WHY each control exists. SY0-701 tests application, not recall.

Phase 2: Hands-On Labs

Certifications without hands-on skills don't get you hired.

TryHackMe SOC Level 1 covers Splunk, Wireshark, SIEM analysis, and threat hunting in a structured path.

Home Lab with Wazuh — I built a full AD environment and configured Wazuh as my SIEM. This single project taught me more than 50 hours of studying theory.

Certifications Timeline

| Cert | Status |
|---|---|
| Security+ SY0-701 | Earned |
| ISC2 CC | Earned |
| Google Cybersecurity | Earned |
| TryHackMe SOC L1 | In Progress |
| CompTIA CySA+ | Planned |
| OSCP | Goal |

What Actually Gets You Hired

  1. Home lab documentation — show you've done the work, not just studied it
  2. Security+ — minimum bar for most SOC roles
  3. GitHub activity — detection rules, scripts, writeups
  4. Active LinkedIn — recruiters hunt there daily

The biggest mistake I see: studying forever without building anything. Ship the lab. Document it. Post it publicly.
