Now Enrolling — CyberBlueSOC Fundamentals

From Zero to Battle-Ready SOC Analyst

15+ real enterprise tools. 95 hands-on labs. YARA. Sigma. Incident Response. Not simulations. Not slides. Real SOC work.

Built on CyberBlueSOC — an open-source platform with Wazuh, Suricata, MISP, Velociraptor, TheHive, Cortex, Shuffle, and more. One install. Everything included.

18 Modules · 95 Hands-On Labs · 60+ Hours of Content · 15+ Real Tools

The Problem: 3.5M unfilled cybersecurity jobs worldwide
The Barrier: $8,000+ typical SANS course cost
Our Answer: $29/mo. Same quality. Real tools. Hands-on.

Tools You’ll Master

Every tool is pre-installed in CyberBlueSOC. One install. Nothing extra to configure.

SIEM · 12+ hours

Wazuh

Log management, alert generation, compliance monitoring

NIDS · 6+ hours

Suricata + EveBox

Network intrusion detection, alert management, traffic analysis

Threat Intel · 6+ hours

MISP + ATT&CK

IOC management, threat feeds, technique mapping

EDR · 6+ hours

Velociraptor

Endpoint investigation, artifact collection, VQL hunting

Malware Detection · 6+ hours

YARA

Rule-based malware detection, 523+ community rules included

Detection Engineering · 6+ hours

Sigma

Universal detection rules, 3,047+ rules, SIEM conversion

Incident Response · 6+ hours

TheHive + Cortex

Case management, automated analysis, observable enrichment

Automation · 4+ hours

Shuffle (SOAR)

Playbook automation, tool integration, workflow orchestration

Utilities · used throughout the course

CyberChef

Decoding, deobfuscation, data transformation

Full Syllabus

18 modules. 95 hands-on labs. 6 skill arcs, from SOC fundamentals through threat hunting and detection engineering to a full-incident capstone.

Arc 1: Inside the SOC
Master your tools and become the eyes of the SOC

Arc 2: Deep Analysis
Know what's normal, spot what isn't, and triage with confidence

Arc 3: Threat Investigator
Follow the trail across network, intel, endpoint, and disk

Arc 4: Detection Engineer
Write the rules that catch tomorrow's threats

Arc 5: Threat Hunter
Hunt what detections miss, respond when it's real, automate the rest

Arc 6: Battle-Ready Operator
Validate defenses, defend the cloud, prove you're ready

Continuous Narrative Thread

One Attack. 18 Modules. 15 Tools.

“Operation Shadow Broker” — a realistic APT campaign that unfolds across the entire course. The same attacker. The same victim. Seen from every tool a SOC analyst uses.

M5: Phishing Delivery (Email Gateway)
M2-M3: Macro Execution (Wazuh + Sysmon)
M6: C2 Callback (Suricata)
M8: Credential Theft (Velociraptor)
M4: Lateral Movement (Wazuh SIEM)
M12: Persistence (Sigma Rules)
M13: DNS Exfiltration (Threat Hunting)
M17: Cloud Pivot (CloudTrail)

185.220.101.42: Attacker IP, tracked across every module
WS-HR-01: Patient zero, from phishing email to cloud pivot
12 agents · 4 subnets: Full enterprise network in your browser

FINAL MISSION

Operation Shadow Breach

Everything you’ve learned. One full-scale incident. All tools. No hints. You’re the analyst. Your SOC receives alerts at 02:00 AM…

1. Detection: Review the alert queue. Identify 5 real alerts among 30+ events. Triage and prioritize.
   Tools: Wazuh, EveBox

2. Investigation: Pivot from alerts: who is the user? What host? What process? What IP? Build the timeline.
   Tools: Wazuh, Velociraptor

3. Threat Intel: Look up every IOC. What campaign? What malware family? What else should you look for?
   Tools: MISP, ATT&CK Navigator

4. Hunt: Write a YARA rule for the malware. Write a Sigma rule for the technique. Deploy both. Scan for more victims.
   Tools: YARA, Sigma, Velociraptor, Wazuh

5. Respond: Create the case. Document everything. Make containment recommendations. Write the incident report.
   Tools: TheHive, Cortex

6. Automate: Build one Shuffle playbook that would have caught this faster next time.
   Tools: Shuffle

8 Deliverables Required to Pass

1. Triage worksheet (30 alerts classified)
2. Investigation timeline (minute-by-minute)
3. Threat intel brief (campaign + IOCs + ATT&CK map)
4. Custom YARA rule (tested, zero false positives)
5. Custom Sigma rule (converted, deployed to Wazuh)
6. TheHive case (complete with observables & tasks)
7. Incident report (executive + technical)
8. Shuffle playbook (working automation)

CyberBlueSOC Certified Analyst

CBSCA

Prove your skills with a practical exam. Not multiple-choice guessing — a real incident to investigate.

Part 1: Knowledge (60 min)

  • 40 multiple-choice questions
  • SOC fundamentals, triage methodology, threat intel
  • YARA rule concepts & syntax
  • Sigma detection concepts & conversion
  • IR lifecycle & case management

Part 2: Practical Lab (180 min)

  • Multi-stage attack investigation scenario
  • Triage alerts in Wazuh and EveBox
  • Investigate endpoint with Velociraptor
  • Write 1 YARA rule + 1 Sigma rule
  • Create TheHive case + incident report

Passing score: 80%
Total exam time: 4 hours
Price: $49 · 3 attempts included • Free with Learner/Pro

Simple, Transparent Pricing

Pricing plans coming at launch. Join the waitlist to get early access.

Free

$0, forever

Get started with core materials and self-hosted labs

  • Learning materials & written content
  • Self-hosted labs (CyberBlueSOC)
  • Community Discord access
  • Module 1 full access
  • Progress tracking
  • Quizzes & assessments
  • Certification exam
  • Lab guides for Modules 2-14

Learner (Most Popular)

$29/month

Full access to all content, labs, quizzes, and certification

  • All 14 modules + Final Mission
  • 76 lab guides with screenshots
  • All quizzes & assessments
  • Progress tracking & dashboard
  • CBSCA certification exam (3 attempts)
  • Completion badges
  • Priority Discord support

Pro

$99/month

Everything in Learner plus career support and mentorship

  • Everything in Learner
  • 2x monthly mentorship calls
  • Resume & LinkedIn review
  • Interview preparation
  • Job board access
  • Early access to new content
  • Cloud-hosted labs (on-demand)

Universities & teams: custom pricing from $5K/year. Contact us