SOC Level 1 Journey: Blue Team & SIEM with Lessons, Mistakes & Wins


It took me exactly 30 days to complete the TryHackMe SOC Level 1 path. Not rushed, not dragged — just consistent, focused effort after the everyday hustle. Looking back now, it wasn’t just about finishing a course. It was about learning how to think like a defender.

This post is not just a celebration. It’s a reflection of how my mindset evolved through real scenarios, mistakes, and breakthroughs.


What I Saw First

At the beginning, everything looked structured and simple on the surface. Blue Team concepts, SOC roles, phishing, SIEM, logs — it all felt like pieces of a puzzle I could quickly assemble. I understood the idea of a SOC analyst, alert triage, and how attacks happen from both human and system vectors. It felt like I was just learning definitions and workflows.

As I moved forward, tools like Splunk, Elastic Stack, and EDR started appearing. At first glance, they seemed like dashboards and search bars — nothing too intimidating. Even phishing analysis looked straightforward: open email, inspect headers, identify malicious links.

Then the deeper sections came.


Why It Looked Normal

Most of the content initially felt “normal” because it was presented in guided steps. You follow instructions, run queries, and get answers. It creates the illusion that detection is linear and predictable.

Even in phishing simulations and early SIEM labs, it felt like:

“If I follow the steps, I’ll always get the answer.”

That belief didn’t last long.


What Felt Off

Things started to shift when I got into:

  • Cyber defence frameworks (MITRE, Kill Chain, Pyramid of Pain)
  • Network traffic analysis (Wireshark)
  • Detection logic (Snort rules)
  • Real log investigation (Sysmon, PowerShell, Elastic)

The biggest discomfort came from not knowing what to look for.

Logs were noisy. Wireshark felt overwhelming. MITRE had too much information at once. I remember thinking:

“There’s too much data… what actually matters?”

Network traffic analysis especially humbled me. At first, everything looked like random packets. But over time, patterns started forming, and what once looked chaotic began to make sense.


Where I Got It Wrong

My biggest mistake early on was treating investigations like checklists.

  • I searched for exact keywords instead of understanding behavior
  • I relied too much on tools instead of thinking through the attack flow
  • I expected every answer to be obvious

For example:

  • I missed relationships between parent and child processes
  • I ignored timeline correlation
  • I sometimes focused on the wrong artifact entirely

Even writing Snort rules — I initially chased the wrong pattern until I refined my logic and finally understood what the rule was actually detecting.


What Changed My Thinking

Everything changed when I stopped asking:

“What is the answer?”

…and started asking:

“What happened here?”

That shift made everything click.

I began to:

  • Follow process chains (parent → child → execution)
  • Correlate logs across sources (Sysmon + DNS + PCAP)
  • Recognize attacker patterns instead of isolated events
  • Use frameworks like MITRE as context, not just theory

Phishing analysis became more than spotting links — it became understanding delivery → execution → impact.
Network traffic became readable.
SIEM stopped being a dashboard and became a timeline of attacker behavior.

And the capstone challenges (Tempest, Boogeyman series) brought everything together.

Those rooms forced me to:

  • Reconstruct full attack chains
  • Decode payloads
  • Track persistence mechanisms
  • Identify lateral movement
  • Recover exfiltrated data

That’s when it stopped feeling like practice… and started feeling real.


Final Conclusion

Completing SOC Level 1 in 30 days wasn’t about speed — it was about consistency and depth.

I now understand:

  • How attackers gain initial access (phishing, payloads)
  • How they execute and persist
  • How they move laterally
  • How data is exfiltrated
  • And most importantly — how to detect each stage

One of the biggest personal highlights was the web security monitoring section. Coming from a WordPress background and having experienced a real credential compromise incident, that part felt natural. I could directly connect theory with real-world experience.


What I Would Do in a Real SOC

If I were handling an alert today, my approach would be:

  1. Validate the alert — Is it real or noise?
  2. Identify the entry point — How did this start?
  3. Trace execution — What processes were spawned?
  4. Check persistence — Is there a way back in?
  5. Look for lateral movement — Did it spread?
  6. Investigate exfiltration — What was taken?
  7. Document everything clearly

And most importantly:

Think in timelines, not isolated events.
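The two ideas above, following process chains (parent → child → execution) and correlating Sysmon with DNS, and the triage steps "trace execution" and "think in timelines", can be shown in a few dozen lines. The script below is an added example and is not code from the original post or from TryHackMe. The events are constructed sample records, not real telemetry; the field names are simplified from Sysmon Event ID 1 (ProcessCreate) and Event ID 22 (DnsQuery), and the Office-app and script-host lists are assumptions chosen for the demonstration.

```python
"""Reconstruct parent->child process chains from constructed Sysmon-style
events and merge them with DNS events into one ordered timeline.

Added example. The records are constructed, not real telemetry; field
names mirror Sysmon Event ID 1 (ProcessCreate) and 22 (DnsQuery) but are
simplified. ProcessGuid is the key that links the two sources.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (no real host). EventID 1 = process creation,
# EventID 22 = DNS query made by that process.
EVENTS = [
    {"EventID": 1, "UtcTime": "2024-01-10 09:00:01", "ProcessGuid": "P1",
     "ParentProcessGuid": "P0", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"EventID": 1, "UtcTime": "2024-01-10 09:01:10", "ProcessGuid": "P2",
     "ParentProcessGuid": "P1",
     "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "CommandLine": 'WINWORD.EXE "invoice.docm"'},
    {"EventID": 1, "UtcTime": "2024-01-10 09:01:42", "ProcessGuid": "P3",
     "ParentProcessGuid": "P2",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc AAAA"},
    {"EventID": 22, "UtcTime": "2024-01-10 09:01:43", "ProcessGuid": "P3",
     "QueryName": "updates.example-cdn.test"},
    {"EventID": 1, "UtcTime": "2024-01-10 09:05:00", "ProcessGuid": "P4",
     "ParentProcessGuid": "P1", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

# Assumed lists for the example: Office applications rarely have a benign
# reason to spawn a script host directly.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(image):
    """Lower-cased file name from a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def build_process_tree(events):
    """Return (processes by GUID, child GUIDs by parent GUID) from EventID 1 records."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    children = defaultdict(list)
    for e in procs.values():
        children[e["ParentProcessGuid"]].append(e["ProcessGuid"])
    return procs, children


def ancestry(procs, guid):
    """Walk parent links upward; returns image basenames, root first.
    Stops at a parent we never saw created (e.g. boot-time processes)."""
    chain, seen = [], set()
    while guid in procs and guid not in seen:
        seen.add(guid)
        chain.append(basename(procs[guid]["Image"]))
        guid = procs[guid]["ParentProcessGuid"]
    return list(reversed(chain))


def find_office_to_script_host(events):
    """Detection: a script host whose direct parent is an Office application."""
    procs, _ = build_process_tree(events)
    hits = []
    for guid, e in procs.items():
        parent = procs.get(e["ParentProcessGuid"])
        if parent and basename(parent["Image"]) in OFFICE_APPS \
                and basename(e["Image"]) in SCRIPT_HOSTS:
            hits.append(guid)
    return hits


def timeline_for_chain(events, guid):
    """All events (any EventID) tied to guid or its descendants, ordered by time."""
    procs, children = build_process_tree(events)
    subtree, stack = set(), [guid]          # collect the subtree rooted at guid
    while stack:
        g = stack.pop()
        if g in subtree:
            continue
        subtree.add(g)
        stack.extend(children.get(g, []))
    rows = [e for e in events if e["ProcessGuid"] in subtree]
    rows.sort(key=lambda e: datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S"))
    return [(e["UtcTime"], e["EventID"], e["ProcessGuid"],
             e.get("CommandLine") or e.get("QueryName")) for e in rows]


if __name__ == "__main__":
    procs, _ = build_process_tree(EVENTS)
    for hit in find_office_to_script_host(EVENTS):
        print("suspicious chain:", " -> ".join(ancestry(procs, hit)))
        # Pivot to the parent so the timeline starts at the document open.
        for row in timeline_for_chain(EVENTS, procs[hit]["ParentProcessGuid"]):
            print("  ", row)
```

The detection itself is a single parent/child relationship, which is exactly the kind of "relationship between parent and child processes" that keyword searching misses; the timeline function then pulls the DNS query in by ProcessGuid, so the analyst sees document open, script host launch and outbound lookup as one sequence rather than three unrelated alerts.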


What’s Next

This is not the end — it’s the foundation.

I’ll be:

  • Going deeper into SIEM and detection engineering
  • Practicing more real-world simulations
  • Strengthening network traffic analysis
  • Expanding into offensive knowledge to improve defensive thinking

Related Write-Ups

To connect this journey with hands-on investigations I’ve documented, here are three related posts:


It has been a long road — from Google Cybersecurity to TCM SOC, and now THM SOC — all in the effort to understand Security Operations from multiple angles and build real investigative confidence.

This phase was never about stacking courses. It was about building depth, connecting patterns, and learning how attacks actually unfold beyond theory.

Now, it’s time to move beyond structured learning and into more real-world simulations, deeper investigations, and practical detection work.

Months ago, I was learning concepts.
Today, I can investigate attacks.

Enjoyed this?

Explore more intriguing topics and take a look at my cybermap for more insights.