<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:media="http://search.yahoo.com/mrss/"><channel><title><![CDATA[TryHackMe Blog]]></title><description><![CDATA[Learn Cyber Security]]></description><link>https://blog.tryhackme.com/</link><image><url>https://blog.tryhackme.com/favicon.png</url><title>TryHackMe Blog</title><link>https://blog.tryhackme.com/</link></image><generator>Ghost 5.48</generator><lastBuildDate>Sat, 18 Jul 2026 16:11:22 GMT</lastBuildDate><atom:link href="https://blog.tryhackme.com/rss/" rel="self" type="application/rss+xml"/><ttl>60</ttl><item><title><![CDATA[Cyber leaders, don't measure what you've built. Measure what you can do under pressure.]]></title><description><![CDATA[Sooner or later , the question arrives, usually from the people an organization least wants to improvise in front of such as the auditor, the insurer, the regulator, the board: can your team execute under pressure?]]></description><link>https://blog.tryhackme.com/cyber-security-execution-gap/</link><guid isPermaLink="false">6a5894749f011e0001996307</guid><category><![CDATA[B2B Blog]]></category><category><![CDATA[Business]]></category><category><![CDATA[Blog]]></category><dc:creator><![CDATA[Joanna Duffy]]></dc:creator><pubDate>Thu, 16 Jul 2026 08:29:51 GMT</pubDate><media:content url="https://blog.tryhackme.com/content/images/2026/07/executiongapbanner.svg" medium="image"/><content:encoded><![CDATA[<img src="https://blog.tryhackme.com/content/images/2026/07/executiongapbanner.svg" alt="Cyber leaders, don&apos;t measure what you&apos;ve built. Measure what you can do under pressure."><p>A financial services team recently ran one of our breach-response exercises and performed almost flawlessly. They knew exactly which host to isolate, which account to disable, which step came next. And then they stopped, because no one in the room could authorize the action without a senior sign-off that wasn&apos;t available. They had the capability, but they couldn&apos;t execute it.</p><p>That gap, between what a team has built and what it can actually do when under pressure, is the most consistent thing we see at TryHackMe. We work with more than a thousand security teams, through skills development, our SOC simulator, and tabletop exercises, and the same pattern surfaces again and again. Similar controls, comparable tooling, trained staff, documented playbooks. However, underneath the surface, a wide variance in what any of it amounts to in a real incident.</p><p>We call it the <strong>execution gap</strong>: the distance between what an organisation has built and what its people, processes, technology, and measurement can actually execute under pressure. It&apos;s the distance between owning a playbook and being able to pull the trigger on it. We see it in five specific places.</p><h2 id="where-we-see-the-execution-gap">Where we see the execution gap</h2><p>Across the teams we assess, the execution gap lives in the same <a href="https://tryhackme.com/business/resources/reports/SOC-Maturity-Model?ref=blog.tryhackme.com">five dimensions of a SOC&apos;s maturity</a> and each one fails in a recognizable way:</p><ul><li><strong>People and culture:</strong> <em>trained does not equal ready.</em> Certifications completed; capability never validated under pressure.</li><li><strong>Processes and procedures:</strong> <em>documented does not equal executable.</em> A playbook on the shelf is not the same as one a team can run mid-crisis.</li><li><strong>Technology:</strong> <em>deployed does not equal effective.</em> Tools bought and switched on, then left to drown the team in alerts.</li><li><strong>Testing and validation:</strong> <em>tested does not equal improved.</em> The exercise happens; the change doesn&apos;t.</li><li><strong>Measurement and continuous improvement:</strong> <em>tracked does not equal acted on.</em> Dashboards that look good in a board pack but drive no behaviour.</li></ul><p>The published data bears it out. In Sygnia&apos;s 2026 survey of 600 security leaders, 99% had a formal incident response plan, but still 73% of CISOs said they could not execute it under pressure if a major attack landed tomorrow. Ninety-nine percent was documented; yet seventy-three percent not executable. That is the gap, in two numbers, and we see the same shape across defence, financial services, retail, and telecommunications. These are the same gaps across different industries.</p><h2 id="and-then-theres-ai">And then there&apos;s AI</h2><p>Every conference, every booth, every board pack now comes with AI attached. <strong>But not only does AI not close the execution gap, it amplifies it.</strong> It makes strong SOC teams faster and weak ones more dangerous to themselves.</p><p>The uplift is real, as highlighted in a peer-reviewed Microsoft trial in late 2025 showing its phishing-triage agent producing six-and-a-half times more true positives per analyst minute. But that only holds when the underlying playbook is right. AI on a broken process doesn&apos;t fix that process; it runs the broken process at scale: faster wrong answers, delivered with more confidence. Gartner expects around 70% of large SOCs to be piloting agentic AI by 2028, and only 15% to reach sustainable production. The other 85% will have the dashboards. They won&apos;t have a loop that actually closes.</p><p>Asking whether to invest in AI isn&apos;t needed. Everyone will. Organizations should question whether the gap is small enough that the multiplier helps. Because if the gap is wide, AI widens it.</p><p>Sooner or later , the question arrives, usually from the people an organization least wants to improvise in front of such as the auditor, the insurer, the regulator, the board: <em>can your team execute under pressure?</em></p><p>Closing the gap isn&apos;t something we can prescribe from the outside because every organization knows its own environment best. But the takeaway is the frame, not the framework:</p><p>Don&apos;t measure what you&apos;ve built. Measure what you can do under pressure.<br><br>Want to close execution gaps within your cyber security team? Explore <a href="https://tryhackme.com/business?ref=blog.tryhackme.com">TryHackMe for Business.</a> </p>]]></content:encoded></item><item><title><![CDATA[Incident Response training for security teams: What good actually looks like]]></title><description><![CDATA[When it comes to cybersecurity training, three things tend to separate the solutions with actual impact from what just looks good on paper: realism, hands-on practice, and a genuine feedback loop.]]></description><link>https://blog.tryhackme.com/incident-response-training-for-security-teams/</link><guid isPermaLink="false">6a55ed959f011e00019962c1</guid><category><![CDATA[B2B Blog]]></category><category><![CDATA[Business]]></category><category><![CDATA[Blog]]></category><dc:creator><![CDATA[Joanna Duffy]]></dc:creator><pubDate>Tue, 14 Jul 2026 08:09:41 GMT</pubDate><media:content url="https://blog.tryhackme.com/content/images/2026/07/IR-training-for-security-teams.svg" medium="image"/><content:encoded><![CDATA[<img src="https://blog.tryhackme.com/content/images/2026/07/IR-training-for-security-teams.svg" alt="Incident Response training for security teams: What good actually looks like"><p>When it comes to cybersecurity training, three things tend to separate the solutions with actual impact from what just looks good on paper: realism, hands-on practice, and a genuine feedback loop. Skip any of them and training still produces something that looks like capability but doesn&#x2019;t test whether that capability can survive the pressure or ambiguity of a real incident.</p><p>Incident response makes that gap between checked boxes and performance under pressure more urgent than almost any other area of security work. There&apos;s no room to pause and study mid-breach, no partial credit for a mostly-right containment call, and no do-over if the wrong decision gets made while an attacker is still active.</p><p>Good incident response training operates across multiple layers, building the skill and testing whether it holds. These layers are related, but they&apos;re not interchangeable, yet most programs only ever focus, superficially, on the former.</p><h2 id="whats-the-difference-between-building-ir-capability-and-validating-ir-capability">What&apos;s the difference between building IR capability and validating IR capability ?</h2><p><strong>Capability building</strong> is individual and technical. Its goal is competence: can this analyst read a memory dump, interpret Windows event logs, follow an attacker&apos;s movement across a file system, work confidently across Windows, Linux, and macOS. It&apos;s structured, progressive, and knowledge-driven.This is the foundation everything else depends on.</p><p><strong>Capability validation</strong> operates at a different level entirely. It isn&apos;t just about whether the team coordinates well, it&apos;s about whether all the scattered pieces an analyst has picked up separately, a SOC simulation here, a learning path there, months of individual on-the-job experience, actually come together coherently. When executed effectively, a cyber range forces that integration: bringing the team together has to draw on all of that learning at once.</p><p>That difference in focus is where the character of each layer becomes clear. Skill-building and skill-testing are sequential, not competing: one produces the skills, the other checks whether they survives contact with something that behaves like a real incident.</p><p>Think of it like training for a rescue team: individual members can be excellent swimmers, strong navigators, calm under pressure, each on their own. None of that guarantees they&apos;ll coordinate well during an actual rescue, with incomplete information, in the water, together. That coordination is its own skill, and it only gets tested when the team is actually in it.</p><p>Here&apos;s how the two compare, category by category:</p><ul><li><strong>Primary goal</strong></li><li>Capability building: Build individual technical competence</li><li>Capability testing: Prove coordinated team performance</li><li><strong>Pace</strong></li><li>Capability building: Self-paced, progressive</li><li>Capability testing: Real-time, pressured</li><li><strong>Key question</strong></li><li>Capability building: Can this analyst perform the task correctly?</li><li>Capability testing: Do the team&apos;s scattered skills and experience come together as one capability? Can they contain a live attacker before time runs out?</li><li><strong>Output</strong></li><li>Capability building: Certified, competent individuals</li><li>Capability testing: A pressure-tested, coordinated team</li><li><strong>Who needs it</strong></li><li>Capability building: The analyst, for career progression</li><li>Capability testing: The security leader, for operational assurance</li><li><strong>When it happens</strong></li><li>Capability building: Ongoing, throughout an analyst&apos;s development</li><li>Capability testing: Quarterly, or after major team or environment change</li><li><strong>How it informs the other</strong></li><li>Capability building: Provides the raw capability a team draws on</li><li>Capability testing: Surfaces the gaps individual training can&apos;t see</li></ul><h2 id="how-hands-on-practice-fits-into-an-ir-training-program">How hands-on practice fits into an IR training program</h2><p>Hands-on practice runs through both layers, it just changes character as the training progresses.</p><p>At the skill-building stage, hands-on means realistic labs: messy, multi-host environments with incomplete logging and red herrings, not sanitized single-artefact exercises that hand an analyst a clean dataset. Judgment starts to form here, beyond vocabulary. As training moves toward team readiness, hands-on practice means live, unfolding scenarios where the &quot;environment&quot; is the whole incident, not a single task, and where a wrong decision has a consequence inside the simulation, beyond a scorecard.</p><p>Feedback connect the two. A pass/fail result at the end of a module or a simulation is a data point, but it&#x2019;s not a loop. Real improvement comes from reviewing the decision, as well as the outcome: two analysts can reach the same right answer through very different reasoning, and only one of those paths holds up in a different scenario. Debriefs immediately after a simulation, while the reasoning is still fresh, do more for a team&apos;s development than any score attached to the exercise itself.</p><p>TryHackMe&apos;s own <a href="https://tryhackme.com/room/identificationandscoping?ref=blog.tryhackme.com">Identification &amp; Scoping</a> room makes this concept explicit rather than incidental, treating identification and scoping as a continuous loop, with event notification, documentation, evidence collection, artefact identification, and pivot point discovery, feeding back into itself as new evidence surfaces.</p><h3 id="where-ir-training-sits-in-a-security-teams-development">Where IR training sits in a security team&apos;s development</h3><p>The need for real skill-testing tends to surface as a security function matures. Early-stage teams are focused on getting foundational detection and response coverage in place. As the function grows, and as the incidents it faces get more complex, the gap between &quot;our analysts are trained&quot; and &quot;our team is ready&quot; becomes harder to ignore.</p><p>That evolution maps onto individual career progression too. Detection and triage skills at L1, deeper investigation at L2, and increasingly senior IR roles as forensic and coordination skills grow. Each stage builds on the last, and giving analysts visible progression through this path is one of the more practical ways security leaders develop and retain senior talent.</p><p>What makes strong incident response capability distinctive is that modules only get a team to the threshold. The rest is built through repeated exposure to realistic, pressured conditions, which is exactly what a checklist of completed courses can&apos;t demonstrate.</p><h2 id="building-the-skill-and-testing-whether-it-holds-individual-vs-team-training">Building the skill and testing whether it holds: individual vs team training</h2><p>Individual skill development follows a logical progression: foundational SOC skills first, then deeper investigation capability, then the specialized forensic and response skills that senior IR work demands, file system analysis, memory forensics, artefact interpretation across operating systems. Cross-platform breadth matters because real environments aren&apos;t uniform, and an analyst who&apos;s only comfortable on one platform is a limited one.</p><p>Team readiness is a different challenge entirely. The coordination between analysts, the escalation calls, the handoffs, the communication while working from incomplete information, none of that gets tested by individual training, no matter how advanced the content. It only gets tested in conditions that behave like a real incident.</p><p>That gap between individual readiness and team readiness is one of the least visible problems in security training, and one of the most consequential. It doesn&apos;t show up in a training record or a completion rate. It shows up mid-incident, when discovering the gap is no longer useful information. A team that&apos;s individually strong but has never been pressure-tested together is working on assumption.</p><h2 id="where-individual-skill-building-actually-happens">Where individual skill-building actually happens</h2><p>Within the TryHackMe platform, the &quot;capability building&quot; layer is a specific set of hands-on modules, each building a different piece of incident response skills that an analyst eventually has to bring together in a live incident.</p><ul><li><a href="https://tryhackme.com/module/defensive-security?ref=blog.tryhackme.com"><strong>Defensive Security</strong></a> &#x2014; A foundation across SOC fundamentals, digital forensics fundamentals, incident response fundamentals, and log fundamentals in one place, the starting point before specializing</li><li><a href="https://tryhackme.com/module/core-soc-solutions?ref=blog.tryhackme.com"><strong>Core SOC Solutions</strong></a> &#x2014; Practical fluency with the tooling a SOC runs on: EDR, SIEM (via Splunk and the Elastic Stack), and SOAR</li><li><a href="https://tryhackme.com/module/managing-incidents?ref=blog.tryhackme.com"><strong>Managing Incidents</strong></a> &#x2014; The security engineer&apos;s side of an incident: logging and monitoring, acting as a first responder, and cyber crisis management</li><li><a href="https://tryhackme.com/module/incident-response?ref=blog.tryhackme.com"><strong>Incident Response</strong></a> &#x2014; The tactical mindset of an effective responder, walking through preparation, identification and scoping, threat intel and containment, eradication and remediation, and lessons learned</li><li><a href="https://tryhackme.com/module/incident-response-lifecycle?ref=blog.tryhackme.com"><strong>Incident Response Lifecycle</strong></a> &#x2014; One real attack chain worked start to finish across, aligned with NIST phases, with findings from each phase carrying into the next, the same way an analyst would work it on the job</li><li><a href="https://tryhackme.com/module/cyber-defence-frameworks?ref=blog.tryhackme.com"><strong>Cyber Defence Frameworks</strong></a> &#x2014; Applied use of the Pyramid of Pain, Cyber Kill Chain, Unified Kill Chain, and MITRE to map telemetry, build framework-driven triage notes, and harden detection and response</li><li><a href="https://tryhackme.com/module/incident-response-and-forensics?ref=blog.tryhackme.com"><strong>Incident Response and Forensics</strong></a> &#x2014; Artifact analysis with Volatility, Redline, and Autopsy to understand the scope of an incident and contain it</li><li><a href="https://tryhackme.com/module/digital-forensics-and-incident-response?ref=blog.tryhackme.com"><strong>Digital Forensics and Incident Response</strong></a> &#x2014; Deeper forensic work across Windows and Linux artifacts, using KAPE, Zimmerman&apos;s tools, Autopsy, Volatility, and TheHive to collect, organize, and act on evidence</li></ul><p>A few of these up close, to show what &quot;hands-on&quot; actually means in practice:</p><ul><li><a href="https://tryhackme.com/room/identificationandscoping?ref=blog.tryhackme.com"><strong>Identification &amp; Scoping</strong></a> (Incident Response module) walks a real scenario at a fictional company, SwiftSpend Financial, introducing the Asset Inventory and the Spreadsheet of Doom as working tools, not just concepts to memorize.</li><li><a href="https://tryhackme.com/room/responseandrecovery?ref=blog.tryhackme.com"><strong>Response and Recovery</strong></a> (Incident Response Lifecycle module) continues a single incident at another fictional company, Nexus Financial, where analysts use MITRE ATT&amp;CK to inform containment decisions and Splunk to analyze what the attacker did after the initial compromise.</li><li><a href="https://tryhackme.com/room/introtoirandim?ref=blog.tryhackme.com"><strong>Intro to IR and IM</strong></a> and <a href="https://tryhackme.com/room/becomingafirstresponder?ref=blog.tryhackme.com"><strong>Becoming a First Responder</strong></a> (Managing Incidents module) cover the distinction between incident response and incident management, and what to do in the first minutes after discovering an incident, before the formal IR team takes over.</li><li><a href="https://tryhackme.com/room/winincidentsurface?ref=blog.tryhackme.com"><strong>Windows Incident Surface</strong></a> puts analysts on a live, compromised Windows VM to hunt for hijacked environment variables, suspicious services and scheduled tasks, and other persistence mechanisms, exactly the kind of triage work a real investigation starts with.</li></ul><p>Worked through in sequence, these cover the full individual arc: foundational awareness, core tooling, the operational response process, the full lifecycle against one continuous incident, the analytical frameworks that structure how a team reads adversary behavior, and increasingly deep forensic capability.</p><h2 id="how-tryhackme-supports-incident-response-training">How TryHackMe supports incident response training</h2><p>For most security teams, building this capability starts with the individual layer, the modules above, along with the broader blue team learning roadmap: SOC L1 and L2 paths build the detection and investigation skills everything else depends on, and the Advanced Endpoint Investigations path extends that into digital forensics across Windows, Linux, and macOS for analysts ready to go deeper.</p><p>Individual training gets a team to the threshold, but it leaves those skills scattered: a SOC simulation here, a learning path there, individual experience picked up on the job. What it can&apos;t do is pull all of that together into one coherent capability. That&apos;s the gap Live Breach is built to close: a realistic, end-to-end, time-limited IR scenario in a relevant environment, where a team has to bring everything they&apos;ve learned separately into a single live incident, and contain the attacker while the attack is still actively executing. It&apos;s a true test of whether all their scattered skills and experience actually add up to one real capability under pressure.<br><br>Want to turn theoretical cyber security training into proven capability? <a href="https://tryhackme.com/business?ref=blog.tryhackme.com">Explore TryHackMe for Business</a></p><h2 id="faq">FAQ</h2><p><strong>What does good incident response training actually look like?</strong> Good incident response training combines individual skill-building, modules and hands-on labs that build technical competence, with regular, live team simulations that test whether that competence converts into coordinated performance under real time pressure. Programs that stop at the individual layer look complete but leave team readiness untested.</p><p><strong>What&apos;s the difference between individual training and team-based incident response training?</strong> Individual training builds technical skill: forensic analysis, log interpretation, platform-specific investigation, but it stays scattered across separate modules and experiences. Team-based training, usually a live, time-limited scenario, forces all of that to come together at once, testing whether a team can actually contain a live attacker while the attack is still executing, not just whether the pieces exist individually.</p><p><strong>How often should security teams run live incident simulations?</strong> Most mature security teams run team-based simulations quarterly at minimum, with additional sessions after significant team changes, new tooling, or a meaningful shift in the threats relevant to their environment.</p><p><strong>Why do feedback loops matter more than pass/fail scores?</strong> A pass/fail result shows whether the outcome was correct, not why. Reviewing the decision-making behind a result, ideally in a debrief immediately after a simulation, is what actually helps a team improve, since two people can reach the same right answer through reasoning that won&apos;t hold up in a different scenario.</p>]]></content:encoded></item><item><title><![CDATA[Is your security team AI ready? What genuine AI capability looks like]]></title><description><![CDATA[Teams are being asked to protect systems they do not understand end to end, so what usually gets deployed in response is a patchwork of small, disconnected controls rather than a coherent framework built around an actual understanding of the risk]]></description><link>https://blog.tryhackme.com/security-team-ai-readiness/</link><guid isPermaLink="false">6a50c5459f011e000199628d</guid><category><![CDATA[B2B Blog]]></category><category><![CDATA[Blog]]></category><category><![CDATA[Business]]></category><dc:creator><![CDATA[Joanna Duffy]]></dc:creator><pubDate>Fri, 10 Jul 2026 10:23:09 GMT</pubDate><media:content url="https://blog.tryhackme.com/content/images/2026/07/Is-your-team-AI-ready.svg" medium="image"/><content:encoded><![CDATA[<img src="https://blog.tryhackme.com/content/images/2026/07/Is-your-team-AI-ready.svg" alt="Is your security team AI ready? What genuine AI capability looks like"><p>Ask most security leaders whether their team is ready for AI risk and you&#x2019;ll get some variation of a yes. Ask them to specify what exactly they&#x2019;re ready for, and the answer will get murky. The industry has been nodding along to &quot;AI ready&quot; for some time, without agreement on a definition<a href="http://definition.ai/?ref=blog.tryhackme.com">.</a> <br><br>AI-readiness is more than having deployed a tool. It means being clear on the problem you expect AI to solve, where the limitations of its remit are, and understanding specifically what risk you are taking on by using AI in a given part of your business. Crucially, it&#x2019;s also knowing whether your team actually has the skill to identify and manage that risk. Too few organizations have not done the work needed to clearly answer on all these points. In fact, they need to revisit these questions continuously as the answers evolve.</p><h2 id="ai-adoption-has-outpaced-the-problem-definition">AI adoption has outpaced the problem definition</h2><p>We spoke with security leaders across healthcare, finance, automotive, manufacturing and insurance while building <a href="https://tryhackme.com/resources/blog/ai-security-path-for-business?ref=blog.tryhackme.com">our new AI security path</a>, and one theme came back again and again: AI systems are already running in production, handling sensitive data, in every one of those industries, and much of that happened without anyone stopping to define what problem the AI was actually solving or what new exposure it was creating in return.</p><p>Teams are being asked to protect systems they do not understand end to end, so what usually gets deployed in response is a patchwork of small, disconnected controls rather than a coherent framework built around an actual understanding of the risk. That is the same pattern that shows up whenever a tool gets adopted ahead of a clear problem statement.</p><p>Supply chain risk came up unprompted in nearly every conversation TryHackMe had, and it is a clean example of the same challenge: organizations adopting models and dependencies without first asking what they would need to verify or monitor once those components were inside their environment.</p><h2 id="training-built-on-the-wrong-assumption-doesn%E2%80%99t-protect">Training built on the wrong assumption doesn&#x2019;t protect</h2><p>Part of why this keeps happening is that most available training reinforces the assumption that AI risk is a known, static thing you can learn once and check off. Watching a lecture on prompt injection can make the concept click instantly, and then fall apart the moment someone sits in front of a real system with actual guardrails and tries to extract the system prompt themselves.</p><p>Teams that can pass a knowledge check often cannot reason through a genuinely novel problem, which suggests the theory never really transferred into judgment. Much of the training on the market only simulates the AI itself, which makes it deterministic: the same input always produces the same output.</p><p>Real AI systems do not behave that way. Two identical prompts can return two different responses, and that unpredictability is the actual attack surface defenders are up against. If your training does not reproduce that unpredictability, it cannot teach anyone to define the real problem they are facing, only a simplified stand-in for it.</p><h2 id="readiness-means-defining-the-scope-of-ai%E2%80%99s-remit">Readiness means defining the scope of AI&#x2019;s remit</h2><p>Genuine AI readiness looks a lot like the discipline any good problem definition requires, applied specifically to security. It means being able to say, for a given system, exactly what you are trying to protect against, who owns that risk, and where the human needs to stay in the loop regardless of how convincing the AI&apos;s output looks.</p><p>That accountability does not sit exclusively with the security team. Every engineer writing code with an LLM, every team pulling a model from a repository, every workflow with AI stitched into it is expanding the exposure, and a manager who pushes AI adoption for the sake of productivity is also, whether they realize it or not, taking on responsibility for what happens if that usage was never scoped properly. A security incident tied to ungoverned AI use rarely stays contained to the security function. It carries consequences for brand trust, regulatory standing, and revenue, and it traces back to the point where nobody paused to ask what specifically was being adopted, and why.</p><h2 id="building-capability-across-teams">Building capability across teams</h2><p>Getting your organization ready for safe AI implementation does not start with more tooling. In a security context, it means hands-on practice against real, non-deterministic AI systems rather than simulations, coverage broad enough to span the full threat landscape rather than one narrow slice of it, and honest engagement with supply chain risks that most training skips past entirely. Things like backdoored tokenizers, poisoned checkpoints, and typosquat dependencies hiding in a model repository. It also has to reach past the security team itself, since developers, DevOps, and engineers are already on the front line of AI usage whether or not their job title reflects that.</p><h2 id="ai-is-an-opportunity-to-reframe-the-role-of-the-security-team">AI is an opportunity to reframe the role of the security team</h2><p>AI is an opportunity for the security team to break out of its reputation as the as the team that says no, and claim a strategic role in guiding the business through implementation and adoption.</p><p>Security has spent a long time earning a reputation as a blocker, preventing or stalling decisions made elsewhere in the business, often without its involvement. AI adoption is happening at a pace and with a level of executive pressure that makes that old posture untenable. Saying no to a board level mandate does not work, and it should not be the goal. What works, and what actually builds influence, is being the voice in the room asking the question necessary to prevent legal liability, lost reputation and reputational damage that can&#x2019;t be easily undone. Far from obstruction, this is strategic leadership that can align a group of stakeholders feeling the rushed to achieve vaguely defined goals.</p><p>To make that shift, teams need to push to be looped in while decisions are still being shaped, proving they can move at the speed of the business. Success will be more than a successful implementation of new technology, it&#x2019;ll be a redefinition of the organization&#x2019;s relationship to security as a discipline and as an organizational function.</p><p>That redefinition includes taking on a greater role as stewards of understanding across the org. With the vulnerabilities AI usage creates, security needs to become a shared language, shared goal and shared responsibility in every department. Superficial yearly awareness training isn&#x2019;t enough to manage threats in a post-AI world. The cyber team can lead this change, building strategic allies along the way.<br><br>Want to turn theoretical cyber security training into proven capability? <a href="https://tryhackme.com/business?ref=blog.tryhackme.com">Explore TryHackMe for Business</a></p>]]></content:encoded></item><item><title><![CDATA[How to Become a Threat Intelligence Analyst: Career Path, Skills and First Steps]]></title><description><![CDATA[This guide walks through what the role actually involves day to day, the skills and certifications that matter, and the concrete first steps to take if this is the direction you want your career to go.]]></description><link>https://blog.tryhackme.com/how-to-become-a-threat-intelligence-analyst-career-path-skills-and-first-steps/</link><guid isPermaLink="false">6a4e205c9f011e0001996255</guid><category><![CDATA[Blog]]></category><dc:creator><![CDATA[Nick O'Grady]]></dc:creator><pubDate>Wed, 08 Jul 2026 10:24:32 GMT</pubDate><media:content url="https://blog.tryhackme.com/content/images/2026/07/W27---Banner-4.svg" medium="image"/><content:encoded><![CDATA[<img src="https://blog.tryhackme.com/content/images/2026/07/W27---Banner-4.svg" alt="How to Become a Threat Intelligence Analyst: Career Path, Skills and First Steps"><p>A threat intelligence analyst studies attackers rather than just their attacks, turning raw data about threat actors, malware, and campaigns into intelligence that helps an organisation defend itself before an incident happens rather than after. It sits within blue team work, but it is a distinct discipline from SOC analysis or incident response, closer to research and pattern recognition than real-time alert triage. Most people reach it after a year or two in a SOC or security analyst role, though a direct path is possible for anyone who builds the right foundation early.</p><p>This guide walks through what the role actually involves day to day, the skills and certifications that matter, and the concrete first steps to take if this is the direction you want your career to go.</p><h2 id="what-does-a-threat-intelligence-analyst-do"><strong>What does a threat intelligence analyst do?</strong></h2><p>A threat intelligence analyst collects information about threat actors, campaigns, and malware from internal telemetry, commercial feeds, and open sources, then turns that raw data into intelligence a security team can actually act on. Day to day work includes tracking specific threat groups and their tactics, enriching indicators of compromise so a SOC can triage alerts faster, mapping adversary behaviour against frameworks like MITRE ATT&amp;CK, and writing intelligence reports that translate technical findings into decisions a security leader or executive can use.</p><p>The distinction that matters most is between reacting and anticipating. A SOC analyst responds to what is happening right now on the network. A threat intelligence analyst spends more time answering who is likely to target the organisation, how they typically operate, and what that means for where defences should be strengthened next.</p><h2 id="what-skills-do-you-need-to-become-a-threat-intelligence-analyst"><strong>What skills do you need to become a threat intelligence analyst?</strong></h2><p>Strong analytical thinking matters more here than in almost any other blue team role, because the job is fundamentally about connecting scattered, ambiguous data points into a coherent picture of adversary behaviour. Alongside that, a working knowledge of the MITRE ATT&amp;CK framework is close to non-negotiable, since it is the shared language most teams use to describe and compare attacker tactics, techniques, and procedures.</p><p>Open source intelligence gathering is a core practical skill, covering how to responsibly collect and validate information from public sources including forums, technical blogs, and social media without compromising an investigation. Familiarity with malware analysis fundamentals helps too, not necessarily at a reverse engineer&apos;s depth, but enough to understand what a sample reveals about the actor behind it. Intelligence report writing is the skill that is most often underestimated. A brilliant analysis that nobody outside the security team can understand or act on has limited value.</p><h2 id="do-you-need-soc-analyst-experience-first"><strong>Do you need SOC analyst experience first?</strong></h2><p>Not strictly, but it is the most common and most practical route in. Working as a SOC or security analyst first builds the foundational understanding of how alerts, logs, and incidents actually look in a live environment, which makes intelligence work far more grounded once you get there. It also gives you real internal telemetry to contextualise against, which is one of the four broad categories of intelligence sources alongside commercial feeds, open source data, and information sharing communities.</p><p>Career changers without a security background typically start with a foundational certification and an entry-level analyst role, then move into intelligence work once they have a year or two of that operational context behind them. It is a slower path than jumping straight into a niche specialism, but it produces analysts who understand what actually happens to the intelligence they produce once it reaches a SOC.</p><h2 id="which-certifications-matter-for-threat-intelligence"><strong>Which certifications matter for threat intelligence?</strong></h2><!--kg-card-begin: html--><div style="overflow-x:auto; margin: 2em 0; font-family: inherit;"> <table style="width:100%; border-collapse:collapse; font-size:14px; line-height:1.5;"> <thead> <tr style="background-color:#1a1a2e; color:#a3ea2a;"> <th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Certification</th> <th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Provider</th> <th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Best for</th> <th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Prerequisites</th> </tr> </thead> <tbody> <tr style="background-color:#e8fcd4; border-bottom:1px solid #d0d0d0;"> <td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">SAL1</td> <td style="padding:10px 12px; color:#1a1a2e;"><a href="https://tryhackme.com/certification/security-analyst-level-1?ref=blog.tryhackme.com" style="color:#c0392b;">TryHackMe</a></td> <td style="padding:10px 12px; color:#1a1a2e;">Entry-level analysts building the practical SOC skills threat intelligence work is usually built on top of</td> <td style="padding:10px 12px; color:#1a1a2e;">None</td> </tr> <tr style="background-color:#f7f7f7; border-bottom:1px solid #d0d0d0;"> <td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">Security+</td> <td style="padding:10px 12px; color:#1a1a2e;">CompTIA</td> <td style="padding:10px 12px; color:#1a1a2e;">Career changers building a security foundation</td> <td style="padding:10px 12px; color:#1a1a2e;">None</td> </tr> <tr style="background-color:#ffffff; border-bottom:1px solid #d0d0d0;"> <td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">CySA+</td> <td style="padding:10px 12px; color:#1a1a2e;">CompTIA</td> <td style="padding:10px 12px; color:#1a1a2e;">Analysts moving from foundational security into detection and analytics</td> <td style="padding:10px 12px; color:#1a1a2e;">Security+ recommended</td> </tr> <tr style="background-color:#f7f7f7; border-bottom:1px solid #d0d0d0;"> <td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">CTIA</td> <td style="padding:10px 12px; color:#1a1a2e;">EC-Council</td> <td style="padding:10px 12px; color:#1a1a2e;">Entry to mid-level analysts specialising in threat intelligence</td> <td style="padding:10px 12px; color:#1a1a2e;">Official training or 2+ years of experience</td> </tr> <tr style="background-color:#ffffff; border-bottom:1px solid #d0d0d0;"> <td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">GCTI</td> <td style="padding:10px 12px; color:#1a1a2e;"><a href="https://www.giac.org/certifications/cyber-threat-intelligence-gcti?ref=blog.tryhackme.com" style="color:#c0392b;">GIAC</a></td> <td style="padding:10px 12px; color:#1a1a2e;">Dedicated threat intelligence specialists, the field&apos;s gold standard</td> <td style="padding:10px 12px; color:#1a1a2e;">None formal, working security knowledge assumed</td> </tr> </tbody> </table> </div><!--kg-card-end: html--><p>No single certification is required to break into the field, and hiring managers generally value one foundational credential paired with one threat-intelligence-specific one over a long list of unrelated badges. According to <a href="https://www.ziprecruiter.com/Salaries/Cyber-Threat-Intelligence-Analyst-Salary?ref=blog.tryhackme.com">ZipRecruiter&apos;s July 2026</a> data, the average annual pay for a Cyber Threat Intelligence Analyst in the United States sits at $109,848, with the middle range of salaries falling between roughly $87,500 and $130,000 depending on experience and location.</p><h2 id="how-do-you-build-a-portfolio-without-real-client-data"><strong>How do you build a portfolio without real client data?</strong></h2><p>The lack of access to real intelligence feeds and internal telemetry is the biggest practical barrier for anyone trying to break in from outside a security role, but it is not an unsolvable one. Writing analysis on publicly documented threat actors and campaigns using open source reporting builds exactly the same skills a job would ask for, and it produces something tangible to show a hiring manager.</p><p>Public malware repositories and threat feeds provide real samples and indicators to practise against without needing employer access to anything sensitive. Structuring that practice around a defined methodology, rather than ad hoc research, is what makes it read as professional work rather than a hobby project.</p><!--kg-card-begin: html--><div style="overflow-x:auto; margin: 2em 0; font-family: inherit;"> <table style="width:100%; border-collapse:collapse; font-size:14px; line-height:1.5;"> <thead> <tr style="background-color:#1a1a2e; color:#a3ea2a;"> <th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Career stage</th> <th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Focus</th> <th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">TryHackMe</th> </tr> </thead> <tbody> <tr style="background-color:#e8fcd4; border-bottom:1px solid #d0d0d0;"> <td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">1. Foundations</td> <td style="padding:10px 12px; color:#1a1a2e;">Core security concepts, networking basics, how alerts and logs actually look</td> <td style="padding:10px 12px; color:#1a1a2e;"><a href="https://tryhackme.com/path/outline/presecurity?ref=blog.tryhackme.com" style="color:#c0392b;">Pre Security path</a></td> </tr> <tr style="background-color:#f7f7f7; border-bottom:1px solid #d0d0d0;"> <td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">2. SOC experience</td> <td style="padding:10px 12px; color:#1a1a2e;">Alert triage, SIEM basics, incident response fundamentals</td> <td style="padding:10px 12px; color:#1a1a2e;"><a href="https://tryhackme.com/path/outline/soclevel1?ref=blog.tryhackme.com" style="color:#c0392b;">SOC Level 1 path</a></td> </tr> <tr style="background-color:#e8fcd4; border-bottom:1px solid #d0d0d0;"> <td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">3. CTI specialisation</td> <td style="padding:10px 12px; color:#1a1a2e;">Intelligence lifecycle, MITRE ATT&amp;CK, OSINT, indicator enrichment</td> <td style="padding:10px 12px; color:#1a1a2e;"><a href="https://tryhackme.com/module/cyber-threat-intelligence?ref=blog.tryhackme.com" style="color:#c0392b;">Cyber Threat Intelligence module</a></td> </tr> </tbody> </table> </div><!--kg-card-end: html--><h2 id="start-building-the-foundation-for-threat-intelligence-work"><strong>Start building the foundation for threat intelligence work</strong></h2><p>Threat intelligence rewards people who can turn scattered, ambiguous information into a clear picture of what an adversary is likely to do next. That skill is built through structured practice against real frameworks and real attacker behaviour, not by reading about the role from the outside.</p><p></p><!--kg-card-begin: html--><div style="text-align: center;">  <a href="https://tryhackme.com/module/cyber-threat-intelligence?ref=blog.tryhackme.com">    <button style="background-color: #222C42; color: white; padding: 15px 20px; border-radius: 10px; font-size: 25px;">     Start Learning Threat Intelligence </button>  </a></div>
<!--kg-card-end: html--><p></p><h2 id="frequently-asked-questions"><strong>Frequently asked questions</strong></h2><p><strong>How long does it take to become a threat intelligence analyst?</strong> Expect roughly 18 to 24 months if you are starting from an IT or general security background, and longer if you are starting from outside the field entirely. The timeline mostly depends on how quickly you build hands-on SOC or analyst experience first.</p><p><strong>Do you need a degree to work in threat intelligence?</strong> No specific degree is required, though the analytical and research skills the role demands are often developed through higher education or equivalent self-directed study. Employers generally care more about demonstrated analytical ability and a portfolio of work than the credential itself.</p><p><strong>What is the difference between GCTI and CTIA?</strong> GCTI from GIAC is the more advanced, specialist-focused credential with no formal prerequisites but an assumption of existing security knowledge. CTIA from EC-Council targets entry to mid-level analysts and requires either official training or two or more years of experience.</p><p><strong>Is threat hunting the same as threat intelligence?</strong> They overlap but are not identical. Threat hunting is the proactive search for signs of compromise already present in an environment, while threat intelligence is the broader discipline of understanding who attackers are and how they operate, which often informs what a threat hunter goes looking for.</p><p><strong>What career progression comes after threat intelligence analyst?</strong> Common next steps include senior threat analyst, threat intelligence team lead, or threat research manager roles. Some analysts specialise further into areas like nation-state threats or financial crime intelligence, while others move into strategic security advisory or leadership positions.</p><h2></h2>]]></content:encoded></item><item><title><![CDATA[SQL Injection From Scratch: How to Practise It Safely in a Lab]]></title><description><![CDATA[This guide walks through what SQL injection actually is, how it works under the hood, the main types you will encounter, and how to practise finding and exploiting it safely, without ever touching a system you do not have permission to test.]]></description><link>https://blog.tryhackme.com/sql-injection-from-scratch-how-to-practise-it-safely-in-a-lab/</link><guid isPermaLink="false">6a4d25de9f011e000199623a</guid><category><![CDATA[Blog]]></category><dc:creator><![CDATA[Nick O'Grady]]></dc:creator><pubDate>Wed, 08 Jul 2026 09:55:56 GMT</pubDate><media:content url="https://blog.tryhackme.com/content/images/2026/07/W27---Banner-3.svg" medium="image"/><content:encoded><![CDATA[<img src="https://blog.tryhackme.com/content/images/2026/07/W27---Banner-3.svg" alt="SQL Injection From Scratch: How to Practise It Safely in a Lab"><p>SQL injection is a web application vulnerability that lets an attacker interfere with the queries an application sends to its database, by sneaking their own SQL code into a field the application never expected to contain code at all. Done successfully, it can expose an entire database, bypass a login screen without a password, or hand an attacker control of the server underneath. It has been a known vulnerability class since the late 1990s, it still ranks among OWASP&apos;s top web application risks today, and it remains one of the first things any penetration tester or bug bounty hunter learns to test for.</p><p>This guide walks through what SQL injection actually is, how it works under the hood, the main types you will encounter, and how to practise finding and exploiting it safely, without ever touching a system you do not have permission to test.</p><h2 id="what-is-sql-injection"><strong>What is SQL injection?</strong></h2><p>Most web applications talk to a database behind the scenes. A login form checks a username and password against a database table. A product page pulls its description from a database record. A search box queries the database for anything matching what you typed. All of that happens through SQL, the language almost every relational database understands.</p><p>SQL injection happens when an application takes something a user typed and drops it directly into a SQL query without properly separating the data from the command structure. If an attacker can shape their input carefully enough, the database stops treating it as data and starts treating part of it as an instruction. A username field becomes a place to alter what a login query actually checks. A search box becomes a place to pull data the application was never designed to return.</p><h2 id="how-does-sql-injection-actually-work"><strong>How does SQL injection actually work?</strong></h2><p>Picture a simple query behind a blog&apos;s article page, structured something like this:</p><p>&lt;code&gt;SELECT * FROM articles WHERE id = 1 AND private = 0;&lt;/code&gt;</p><p>That query fetches the article with an ID of 1, but only if it is marked public. If the application builds this query by directly inserting whatever value comes from the URL, an attacker can change the id parameter to something like &lt;code&gt;1; --&lt;/code&gt;. The semicolon tells the database the query has ended, and the double dash comments out everything that follows, including the &lt;code&gt;AND private = 0&lt;/code&gt; check. The result: an article that was supposed to be private gets returned anyway, because the condition that would have blocked it never actually ran.</p><p>That is the essence of every SQL injection attack. The application trusted user input to behave like data. The attacker made it behave like code instead.</p><h2 id="what-are-the-different-types-of-sql-injection"><strong>What are the different types of SQL injection?</strong></h2><p>Not every SQL injection vulnerability behaves the same way, and the type you are dealing with changes how you detect and exploit it.</p><!--kg-card-begin: html--><div style="overflow-x:auto; margin: 2em 0; font-family: inherit;">
<table style="width:100%; border-collapse:collapse; font-size:14px; line-height:1.5;">
  <thead>
    <tr style="background-color:#1a1a2e; color:#a3ea2a;">
      <th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Type</th>
      <th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">How it behaves</th>
      <th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">How you detect it</th>
    </tr>
  </thead>
  <tbody>
    <tr style="background-color:#f7f7f7; border-bottom:1px solid #d0d0d0;">
      <td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">In-band (classic)</td>
      <td style="padding:10px 12px; color:#1a1a2e;">Results appear directly in the application&apos;s response</td>
      <td style="padding:10px 12px; color:#1a1a2e;">Injecting a payload and seeing data or errors returned immediately</td>
    </tr>
    <tr style="background-color:#ffffff; border-bottom:1px solid #d0d0d0;">
      <td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">Error-based</td>
      <td style="padding:10px 12px; color:#1a1a2e;">The database&apos;s own error messages leak structural information</td>
      <td style="padding:10px 12px; color:#1a1a2e;">Triggering a deliberately malformed query and reading the error text</td>
    </tr>
    <tr style="background-color:#f7f7f7; border-bottom:1px solid #d0d0d0;">
      <td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">Union-based</td>
      <td style="padding:10px 12px; color:#1a1a2e;">The UNION operator combines a malicious query with the original</td>
      <td style="padding:10px 12px; color:#1a1a2e;">Matching column counts, then extracting data through the combined result</td>
    </tr>
    <tr style="background-color:#ffffff; border-bottom:1px solid #d0d0d0;">
      <td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">Blind (boolean)</td>
      <td style="padding:10px 12px; color:#1a1a2e;">No data or errors are shown, only a true or false change in behaviour</td>
      <td style="padding:10px 12px; color:#1a1a2e;">Asking the database yes or no questions and watching how the page reacts</td>
    </tr>
    <tr style="background-color:#f7f7f7; border-bottom:1px solid #d0d0d0;">
      <td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">Blind (time-based)</td>
      <td style="padding:10px 12px; color:#1a1a2e;">No visible difference at all, only a delay in the response</td>
      <td style="padding:10px 12px; color:#1a1a2e;">Injecting a command that pauses the database if a condition is true</td>
    </tr>
  </tbody>
</table>
</div><!--kg-card-end: html--><p>Classic and union-based injection are the easiest starting point for beginners because the feedback is immediate. Blind injection takes longer to master because you are inferring the answer one true or false question at a time, but the underlying logic is exactly the same.</p><h2 id="where-can-you-practise-sql-injection-safely-and-legally"><strong>Where can you practise SQL injection safely and legally?</strong></h2><p>Every technique above needs to be practised somewhere, and that somewhere cannot be a live website you do not own or have explicit permission to test. Doing this against a real, unauthorised target is illegal, regardless of intent, and it is also unnecessary. Realistic, deliberately vulnerable environments exist specifically so you can build this skill without any legal or ethical grey area.</p><p>TryHackMe&apos;s<a href="https://tryhackme.com/room/sqlinjectionlm?ref=blog.tryhackme.com"> SQL Injection room</a> walks through exactly the scenario described earlier in this guide, a vulnerable blog application where you progress from a basic in-band injection through to union-based data extraction, with a mock browser and live SQL query view so you can see precisely how your input reshapes the query in real time. Once the fundamentals feel solid, the<a href="https://tryhackme.com/room/advancedsqlinjection?ref=blog.tryhackme.com"> Advanced SQL Injection room</a> covers blind and time-based techniques against a target that gives you no direct feedback at all, forcing you to build the inference skills that real-world blind injection demands.</p><!--kg-card-begin: html--><div style="overflow-x:auto; margin: 2em 0; font-family: inherit;">
<table style="width:100%; border-collapse:collapse; font-size:14px; line-height:1.5;">
  <thead>
    <tr style="background-color:#1a1a2e; color:#a3ea2a;">
      <th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Skill stage</th>
      <th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">TryHackMe resource</th>
      <th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">What it builds</th>
    </tr>
  </thead>
  <tbody>
    <tr style="background-color:#e8fcd4; border-bottom:1px solid #d0d0d0;">
      <td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">Fundamentals</td>
      <td style="padding:10px 12px; color:#1a1a2e;"><a href="https://tryhackme.com/room/sqlinjectionlm?ref=blog.tryhackme.com" style="color:#c0392b;">SQL Injection room</a></td>
      <td style="padding:10px 12px; color:#1a1a2e;">In-band and union-based injection against a mock browser with live query feedback</td>
    </tr>
    <tr style="background-color:#e8fcd4; border-bottom:1px solid #d0d0d0;">
      <td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">Advanced technique</td>
      <td style="padding:10px 12px; color:#1a1a2e;"><a href="https://tryhackme.com/room/advancedsqlinjection?ref=blog.tryhackme.com" style="color:#c0392b;">Advanced SQL Injection room</a></td>
      <td style="padding:10px 12px; color:#1a1a2e;">Blind and time-based injection with no direct feedback</td>
    </tr>
    <tr style="background-color:#e8fcd4; border-bottom:1px solid #d0d0d0;">
      <td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">Broader context</td>
      <td style="padding:10px 12px; color:#1a1a2e;"><a href="https://tryhackme.com/path/outline/jrpenetrationtester?ref=blog.tryhackme.com" style="color:#c0392b;">Jr Penetration Tester path</a></td>
      <td style="padding:10px 12px; color:#1a1a2e;">SQL injection alongside the rest of the OWASP Top 10 in a structured, guided order</td>
    </tr>
  </tbody>
</table>
</div><!--kg-card-end: html--><h2 id="how-do-you-detect-and-confirm-an-sql-injection-vulnerability"><strong>How do you detect and confirm an SQL injection vulnerability?</strong></h2><p>Detection starts with breaking things on purpose. Add a single quote to any input field that touches a database query, a URL parameter, a login form, a search box, and watch what happens. A clean application handles it gracefully. A vulnerable one throws a database error, behaves unexpectedly, or changes its output in a way that reveals the query underneath.</p><p>From there, the process is methodical rather than clever. Confirm the injection point, work out how many columns the original query returns, then build up from a simple proof of concept toward whatever the vulnerability actually allows, whether that is reading data, bypassing authentication, or in the most severe cases, writing to the database or the underlying file system.<a href="https://owasp.org/Top10/2025/A05_2025-Injection/?ref=blog.tryhackme.com"> OWASP</a> classifies injection as one of the most heavily tested vulnerability categories in modern web applications, and SQL injection specifically still accounts for more than 14,000 recorded CVEs, which tells you how often this exact mistake still makes it into production code.</p><h2 id="how-do-you-prevent-sql-injection"><strong>How do you prevent SQL injection?</strong></h2><p>Every reliable defence against SQL injection comes down to the same principle: never let user input become part of the query structure itself. Parameterised queries, sometimes called prepared statements, are the standard fix. They separate the SQL command from the data being passed into it at the database driver level, so no matter what a user types, it is always treated as a value and never as executable code.</p><p>Object-relational mapping libraries provide this protection by default in most modern frameworks, which is part of why classic SQL injection has become less common in new applications, even as it remains widespread in older or poorly maintained code. Input validation and least-privilege database accounts add further layers, but they are supplements to parameterised queries, not substitutes for them.</p><p></p><!--kg-card-begin: html--><div style="text-align: center;">  <a href="https://tryhackme.com/room/sqlinjectionlm?ref=blog.tryhackme.com">    <button style="background-color: #222C42; color: white; padding: 15px 20px; border-radius: 10px; font-size: 25px;">     Explore TryHackMe&apos;s SQL Injection Room </button>  </a></div>
<!--kg-card-end: html--><p></p><h2 id="frequently-asked-questions"><strong>Frequently asked questions</strong></h2><p><strong>Is SQL injection still a real threat in 2026?</strong> Yes. It remains part of OWASP&apos;s injection category, and legacy applications along with poorly reviewed new code continue to introduce it. It has fallen in ranking as awareness has grown, but it has not disappeared.</p><p><strong>Do you need to know SQL to learn SQL injection?</strong> Basic SQL helps but is not a strict requirement to start. Understanding simple SELECT statements and how a WHERE clause filters results is usually enough to begin, and the rest builds naturally through hands-on practice.</p><p><strong>What is the difference between error-based and blind SQL injection?</strong> Error-based injection reveals information directly through database error messages. Blind injection reveals nothing directly, so you infer the answer to yes or no questions through changes in the application&apos;s behaviour or response time instead.</p><p><strong>Can SQL injection be automated with tools?</strong> Yes, tools exist to automate detection and exploitation, but relying on them without understanding the underlying mechanics limits how effectively you can adapt when a target behaves differently than expected. Learning it manually first makes any tool far more useful later.</p><p><strong>Does SQL injection only affect websites?</strong> No. Any system that builds SQL queries from user-controlled input is potentially vulnerable, including desktop applications, APIs, and internal tools, not just public-facing websites.</p><h2 id="start-practising-sql-injection-the-safe-way"><strong>Start practising SQL injection the safe way</strong></h2><p>SQL injection is not a niche skill. It is one of the most consistently useful things a beginner in offensive security can learn, precisely because the underlying idea, that mixing data and commands is dangerous, shows up again and again across other vulnerability classes once you understand it here first.</p><p><a href="https://tryhackme.com/room/sqlinjectionlm?ref=blog.tryhackme.com">Start the SQL Injection room on TryHackMe</a></p>]]></content:encoded></item><item><title><![CDATA[Bug Bounty Hunting for Beginners: Your First Practical Guide]]></title><description><![CDATA[Every week, companies pay strangers on the internet to break into their websites. Not illegally. Not maliciously. On purpose, with permission, and often for genuinely good money. That is bug bounty hunting, and if you have ever wondered how people get paid to hack, this is where it actually starts.]]></description><link>https://blog.tryhackme.com/bug-bounty-hunting-for-beginners-your-first-practical-guide/</link><guid isPermaLink="false">6a4d1f7d9f011e0001996213</guid><category><![CDATA[Blog]]></category><dc:creator><![CDATA[Nick O'Grady]]></dc:creator><pubDate>Tue, 07 Jul 2026 16:13:00 GMT</pubDate><media:content url="https://blog.tryhackme.com/content/images/2026/07/W27---Banner-2.svg" medium="image"/><content:encoded><![CDATA[<img src="https://blog.tryhackme.com/content/images/2026/07/W27---Banner-2.svg" alt="Bug Bounty Hunting for Beginners: Your First Practical Guide"><p>Every week, companies pay strangers on the internet to break into their websites. Not illegally. Not maliciously. On purpose, with permission, and often for genuinely good money. That is bug bounty hunting, and if you have ever wondered how people get paid to hack, this is where it actually starts.</p><p>Here is the part most beginner guides skip. Bug bounty hunting is not a shortcut into cyber security, and it is not a get rich quick scheme either. It is a skill you build the same way you would build any other technical skill: methodically, with the right foundations, on the right targets, in the right order. Skip the foundations and you will spend months submitting reports that get marked as duplicates or not applicable. Build them properly and your first valid finding becomes a matter of consistency rather than luck.</p><p>This guide walks through what bug bounty hunting actually is, how the ecosystem works, what you need to know before you touch a target, and how to get your first hands-on practice safely.</p><h2 id="what-is-bug-bounty-hunting"><strong>What is bug bounty hunting?</strong></h2><p>A bug bounty program is an open invitation from a company for security researchers to test their systems and get paid for anything they find. The company defines a scope, which is the exact list of what you are allowed to test, sets reward tiers based on severity, and reviews every report that comes in. Find something real and valid inside that scope, and you get paid. Find something outside the scope, and at best it gets ignored. At worst, it gets you banned from the platform.</p><p>This is what separates bug bounty hunting from the kind of hacking that gets people arrested. You are operating with explicit, written permission, against a defined target, under a defined set of rules. That permission is what makes it legal, and it is also the single most important thing a beginner needs to understand before doing anything else.</p><h2 id="how-do-bug-bounty-platforms-actually-work"><strong>How do bug bounty platforms actually work?</strong></h2><p>Most bug bounty hunting happens through a handful of platforms that connect companies with researchers. HackerOne and Bugcrowd are the two largest, hosting programs for household names alongside thousands of smaller companies. Intigriti has strong momentum in Europe, YesWeHack runs a similar model with its own community, and Synack operates a vetted, invite-only tier for more experienced researchers.</p><!--kg-card-begin: html--><table> <thead> <tr> <th style="background-color:#1a1a2e; color:#a3ea2a;">Platform</th> <th style="background-color:#1a1a2e; color:#a3ea2a;">Best for beginners</th> <th style="background-color:#1a1a2e; color:#a3ea2a;">Notable feature</th> </tr> </thead> <tbody> <tr> <td>TryHackMe</td> <td>Yes, the right place to start</td> <td>Structured, guided rooms and paths for building the skills bounty hunting depends on, before you touch a live program</td> </tr> <tr> <td>HackerOne</td> <td>Yes, open registration</td> <td>Hacktivity feed of disclosed public reports</td> </tr> <tr> <td>Bugcrowd</td> <td>Yes, open registration</td> <td>Bugcrowd University training resources</td> </tr> <tr> <td>Intigriti</td> <td>Yes, growing programs</td> <td>Strong European presence, fast triage</td> </tr> <tr> <td>YesWeHack</td> <td>Once you have some experience</td> <td>DOJO practice environment</td> </tr> <tr> <td>Synack</td> <td>Not for beginners</td> <td>Invite-only, vetted researchers</td> </tr> </tbody> </table><!--kg-card-end: html--><p>TryHackMe is not a bug bounty platform itself, it does not run programs or pay bounties, but it is where the skills tested on every platform above are actually built, which is why it sits at the top of this list rather than off to the side.</p><p>Every one of these platforms is free to join. Sign up, browse public programs, and read a handful of scope documents before you write a single line of a report. That single habit, reading the scope properly, is what most beginners skip and most experienced hunters insist on.</p><h3 id="what-should-you-look-for-in-a-scope-document"><strong>What should you look for in a scope document?</strong></h3><p>A scope document tells you what is in scope, what is explicitly excluded, which vulnerability types the program does not pay for, and what legal protections you have while testing. Programs with wide scopes, active response times, and a track record of paying out are the ones worth starting on. A program where every public report says the team is slow or dismissive is not worth your time, no matter how well known the company is.</p><p>Avoid the temptation to hunt on the biggest names first. Google, Meta, and Apple attract thousands of experienced researchers who have been testing those same targets for years. As a beginner, you are far more likely to find a genuine, valid bug on a smaller company or a Vulnerability Disclosure Programme, where the attack surface has had far less scrutiny.</p><h2 id="what-do-you-need-to-know-before-you-start"><strong>What do you need to know before you start?</strong></h2><p>Bug bounty hunting rewards a specific kind of technical foundation, and web applications are where almost every beginner starts. You do not need a computer science degree or years of programming experience, but you do need to genuinely understand how the web works underneath the interface.</p><p>That means understanding how HTTP requests and responses are structured, how cookies and sessions keep a user logged in, how authentication and authorization actually differ, and how data moves between a browser and a server. It also means having a working knowledge of the vulnerability classes that show up again and again in real programs: cross-site scripting, SQL injection, insecure direct object references, cross-site request forgery, and server-side request forgery. The OWASP Top 10 exists because these categories account for the overwhelming majority of real-world findings, and learning them properly is worth more than jumping straight to advanced techniques.</p><p>Burp Suite is the one tool almost every hunter relies on daily. It sits between your browser and the target, letting you intercept, inspect, and manipulate requests before they are sent. Learning Burp Suite properly, rather than relying on someone else&apos;s automated macros, is one of the highest-value skills you can build early.</p><h2 id="where-can-you-practise-before-touching-a-live-program"><strong>Where can you practise before touching a live program?</strong></h2><p>This is the step that separates people who quietly quit after a few weeks from people who land their first valid report. Testing on a live company&apos;s assets before you understand what you are doing is how beginners get banned, waste their own time, or worse, cause real harm to a system they do not fully understand. Practising first, on safe and legal environments, is not optional.</p><p>TryHackMe&apos;s<a href="https://tryhackme.com/path/outline/jrpenetrationtester?ref=blog.tryhackme.com"> Jr Penetration Tester path</a> builds exactly the web application foundation this guide has been describing, walking through HTTP fundamentals, the OWASP Top 10, and Burp Suite in a structured, hands-on order rather than leaving you to piece it together from scattered blog posts. The<a href="https://tryhackme.com/module/learn-web-application-security?ref=blog.tryhackme.com"> Web Fundamentals module</a> covers how web applications are built and how that structure creates the vulnerabilities you will spend your career finding. Rooms like NahamStore simulate a realistic, deliberately vulnerable e-commerce application, giving you a safe space to practise real bug classes without any legal or ethical grey area.</p><!--kg-card-begin: html--><table> <thead> <tr> <th style="background-color:#1a1a2e; color:#a3ea2a;">Skill area</th> <th style="background-color:#1a1a2e; color:#a3ea2a;">TryHackMe resource</th> <th style="background-color:#1a1a2e; color:#a3ea2a;">What it builds</th> </tr> </thead> <tbody> <tr> <td>Structured beginner route</td> <td>Jr Penetration Tester path</td> <td>HTTP fundamentals, OWASP Top 10, Burp Suite, in order</td> </tr> <tr> <td>Core web app theory</td> <td>Web Fundamentals module</td> <td>How web applications are built and where that creates risk</td> </tr> <tr> <td>Safe, realistic practice</td> <td>NahamStore room</td> <td>Hands-on testing against a deliberately vulnerable e-commerce app</td> </tr> </tbody> </table><!--kg-card-end: html--><p>Once the fundamentals feel comfortable, look for a Vulnerability Disclosure Programme rather than a paid bounty program for your first real-world attempt. VDPs do not pay cash, but they accept beginners more readily, tend to have simpler scopes, and let you build a track record and reputation score without the pressure of chasing a payout.</p><h3 id="how-long-does-it-actually-take-to-find-your-first-bug"><strong>How long does it actually take to find your first bug?</strong></h3><p>Longer than most people expect, and that is normal. Most beginners take several weeks of consistent, focused effort before their first valid report, and that is with a solid foundation already in place. Depth on a single target consistently beats switching between dozens of programs looking for something easy. Pick one target, spend real time understanding how it works, and work through every input field, form, and endpoint methodically rather than relying purely on automated scanners.</p><h2 id="how-do-you-write-a-report-that-actually-gets-paid"><strong>How do you write a report that actually gets paid?</strong></h2><p>A vulnerability is only as valuable as the report describing it. Triage teams see hundreds of submissions, and a clear, well-structured report gets reviewed faster and taken more seriously than a vague one. A strong report includes a short, impact-focused summary, numbered steps to reproduce the issue exactly, a proof of concept, and a plain-language explanation of why the vulnerability matters. Screenshots, short recordings, or copy-pastable commands all reduce the back and forth a triage team needs before they can validate what you found.</p><p>Treat every interaction with a program&apos;s triage team professionally, even when a report gets marked as informational or a duplicate. Reputation compounds on these platforms. Researchers who submit thoughtful, well-documented reports and respond quickly to follow-up questions get invited to private programs faster than those chasing volume over quality.</p><h2 id="frequently-asked-questions"><strong>Frequently asked questions</strong></h2><p><strong>Do you need to know how to code to start bug bounty hunting?</strong> No. A basic understanding of HTML, JavaScript, and how HTTP requests work is more useful than programming ability. Most beginner-friendly bug classes, like XSS or IDOR, are found through careful manual testing rather than writing code.</p><p><strong>Is bug bounty hunting legal?</strong> Yes, as long as you stay within a program&apos;s defined scope and follow its rules. Testing anything outside that scope, or testing a system without a program or written permission at all, is not legal and can carry serious consequences.</p><p><strong>How much can beginners realistically earn from bug bounty hunting?</strong> Earnings vary enormously and most beginners earn very little in their first few months. Rewards for valid bugs commonly range from around fifty dollars for low-severity issues to several thousand for critical ones, but consistency and skill take time to build.</p><p><strong>Do you need a cyber security degree or certification to start?</strong> No. Bug bounty hunting rewards demonstrated skill over credentials. Certifications like OSCP can help later for career purposes, but they are not required to find and report valid vulnerabilities.</p><p><strong>What is the difference between a bug bounty program and a Vulnerability Disclosure Programme?</strong> A bug bounty program pays cash rewards for valid findings. A VDP accepts vulnerability reports and provides recognition or reputation points but does not pay. VDPs are generally more accessible for beginners building a track record.</p><h2 id="start-where-the-fundamentals-are-strongest"><strong>Start where the fundamentals are strongest</strong></h2><p>Bug bounty hunting rewards people who understand web applications deeply, not people who memorise a list of payloads. Build that understanding properly first, practise on safe and legal ground, and the transition to real programs becomes a natural next step rather than a leap of faith.</p><!--kg-card-begin: html--><div style="text-align: center;">  <a href="https://tryhackme.com/path/outline/jrpenetrationtester?ref=blog.tryhackme.com">    <button style="background-color: #222C42; color: white; padding: 15px 20px; border-radius: 10px; font-size: 25px;">    Explore Jr Pentester Path </button>  </a></div>
<!--kg-card-end: html-->]]></content:encoded></item><item><title><![CDATA[Adversarial Machine Learning for Cyber Defenders: What It Is and How to Learn It]]></title><description><![CDATA[For cyber defenders in 2026, this is no longer a research topic. It is operational reality. The ML-based detection tools in your SOC, the AI models processing threat intelligence, the LLM-powered automation in your security workflow: all of them are targets.]]></description><link>https://blog.tryhackme.com/adversarial-machine-learning-for-cyber-defenders-what-it-is-and-how-to-learn-it/</link><guid isPermaLink="false">6a4d1a5f9f011e00019961ee</guid><category><![CDATA[Blog]]></category><dc:creator><![CDATA[Nick O'Grady]]></dc:creator><pubDate>Tue, 07 Jul 2026 15:46:06 GMT</pubDate><media:content url="https://blog.tryhackme.com/content/images/2026/07/W27---Banner-1.svg" medium="image"/><content:encoded><![CDATA[<img src="https://blog.tryhackme.com/content/images/2026/07/W27---Banner-1.svg" alt="Adversarial Machine Learning for Cyber Defenders: What It Is and How to Learn It"><p>Machine learning models are not neutral tools. They are systems with attack surfaces, and those surfaces are being actively exploited. Adversarial machine learning is the discipline that studies how attackers manipulate, evade, and compromise ML systems, and how defenders protect them.</p><p>For cyber defenders in 2026, this is no longer a research topic. It is operational reality. The ML-based detection tools in your SOC, the AI models processing threat intelligence, the LLM-powered automation in your security workflow: all of them are targets. Understanding how adversarial attacks against ML systems work is what makes you able to defend against them.</p><hr><h2 id="what-is-adversarial-machine-learning"><strong>What Is Adversarial Machine Learning?</strong></h2><p>Adversarial machine learning (AML) is the study of attacks against machine learning systems and the defences built to counter them.<a href="https://www.vectra.ai/topics/mitre-atlas?ref=blog.tryhackme.com"> NIST documents four main adversarial ML attack categories: evasion, poisoning, privacy, and abuse attacks.</a> Each targets a different phase of the ML lifecycle and requires different defensive controls.</p><p>The term &quot;adversarial&quot; refers to the adversary-centric framing: rather than asking &quot;how does this model perform on clean data?&quot;, adversarial ML asks &quot;how does this model perform when an intelligent attacker is deliberately trying to make it fail?&quot;</p><p>For defenders, the practical implication is this: if your organisation depends on ML-based tools for detection, classification, or decision-making, those tools have attack surfaces that traditional security controls were not designed to address.<a href="https://www.vectra.ai/topics/mitre-atlas?ref=blog.tryhackme.com"> MITRE ATLAS (Adversarial Threat Landscape for Artificial Intelligence Systems) is the definitive framework for understanding and defending against these threats.</a> As of February 2026, ATLAS v5.4.0 contains 16 tactics, 84 techniques, and 42 real-world case studies - growing rapidly as the attack surface expands.</p><hr><h2 id="what-are-the-four-main-adversarial-ml-attack-categories"><strong>What Are the Four Main Adversarial ML Attack Categories?</strong></h2><h3 id="evasion-attacks"><strong>Evasion Attacks</strong></h3><p>Evasion attacks occur at inference time. The attacker crafts inputs designed to cause the model to produce incorrect outputs - without changing the underlying content in a way that a human would detect.</p><p>The canonical example is adversarial examples against image classifiers: imperceptible pixel-level perturbations that cause a correctly-classified image to be misclassified with high confidence. For cyber defenders, the more directly relevant application is malware evasion:<a href="https://github.com/mitre/advmlthreatmatrix?ref=blog.tryhackme.com"> attackers modify malware samples to evade ML-based detection while preserving full malicious functionality.</a> A sample that bypasses your ML detector does not need to exploit a code vulnerability in the detector. It just needs to fall outside the decision boundary the model learned during training.</p><p>For LLM-based systems, evasion includes guardrail bypass through encoding tricks, Unicode manipulation, and carefully constructed prompts that cause a model to produce outputs its safety controls were designed to prevent.</p><p><strong>MITRE ATLAS technique:</strong> AML.T0015 (Evade ML Model)</p><p><strong>Defender implication:</strong> ML-based detectors need adversarial robustness testing as part of their validation. A detector that performs well on clean samples but fails on adversarially perturbed ones provides a false sense of security.</p><hr><h3 id="poisoning-attacks"><strong>Poisoning Attacks</strong></h3><p>Poisoning attacks occur at training time.<a href="https://www.wiz.io/academy/ai-security/adversarial-machine-learning?ref=blog.tryhackme.com"> Adversaries inject inaccurate or malicious data into training datasets - sometimes controlling only a few dozen training samples - to influence the model&apos;s learned behaviour.</a> The attack can be designed to degrade overall model performance (availability attack) or to embed a backdoor: a specific trigger that causes the model to misclassify a particular input in a way the attacker controls (integrity attack).</p><p>For defenders operating threat intelligence systems or any model that learns from data sources partially outside your control, poisoning is a realistic threat. An attacker who can influence what goes into your training data can influence what your model learns to detect - and what it learns to ignore.</p><p><a href="https://www.getastra.com/blog/security-audit/mitre-atlas/?ref=blog.tryhackme.com">Data poisoning and backdoor attacks are among the fastest-growing documented attack categories in ATLAS.</a> The Spring 2025 ATLAS release added RAG Poisoning and False RAG Entry Injection as specific techniques, reflecting the rapid adoption of retrieval-augmented generation in enterprise AI deployments.</p><p><strong>MITRE ATLAS technique:</strong> AML.T0020 (Poison Training Data)</p><p><strong>Defender implication:</strong> Data provenance and integrity controls matter as much as model accuracy. Know where your training data comes from, who can modify it, and whether any data sources are accessible to external parties.</p><hr><h3 id="privacy-attacks"><strong>Privacy Attacks</strong></h3><p>Privacy attacks extract information that should not be accessible from a trained model. The two main categories are:</p><p><strong>Model inversion:</strong> An attacker queries the model with carefully crafted inputs to reconstruct information about the training data. In healthcare or financial contexts, this can mean recovering sensitive personal information from a model trained on private records.</p><p><strong>Membership inference:</strong> An attacker determines whether a specific data point was included in the model&apos;s training set. This can violate data protection requirements and confirm sensitive information about individuals.</p><p><strong>Model extraction:</strong> An attacker queries the model extensively to build a local copy (a shadow model) that approximates the original&apos;s behaviour. The shadow model can then be used for offline adversarial attack development without triggering rate limiting or monitoring on the original.</p><p><strong>MITRE ATLAS technique:</strong> AML.T0024 (Infer Training Data Membership), AML.T0025 (Model Inversion Attack)</p><p><strong>Defender implication:</strong> Rate limiting, query monitoring, and differential privacy techniques all apply. A model that can be queried without restriction or monitoring is significantly more vulnerable to all three privacy attack types.</p><hr><h3 id="abuse-attacks"><strong>Abuse Attacks</strong></h3><p>Abuse attacks use ML systems as intended - but for purposes their operators did not authorise. Prompt injection is the most operationally significant abuse attack for defenders in 2026: manipulating an LLM&apos;s behaviour through crafted input that overrides system instructions or causes the model to take unintended actions.</p><p><a href="https://repello.ai/blog/mitre-atlas-framework?ref=blog.tryhackme.com">The LiteLLM incident in March 2026 illustrated how supply chain compromise affecting ML infrastructure can produce a large blast radius across all dependent deployments.</a> Supply chain compromise targeting ML dependencies, training frameworks, and inference servers is a documented and growing attack vector.</p><p><strong>MITRE ATLAS technique:</strong> AML.T0051 (LLM Prompt Injection), AML.T0010 (ML Supply Chain Compromise)</p><p><strong>Defender implication:</strong> Input validation, output filtering, privilege separation, and supply chain security controls all apply to ML systems. Treat LLM applications as you would any other privileged software component.</p><hr><h2 id="the-adversarial-ml-attack-reference-table"><strong>The Adversarial ML Attack Reference Table</strong></h2><!--kg-card-begin: html--><div style="overflow-x:auto; margin: 2em 0; font-family: inherit;">
<table style="width:100%; border-collapse:collapse; font-size:14px; line-height:1.5;">
<thead>
<tr style="background-color:#1a1a2e; color:#a3ea2a;">
<th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Attack category</th>
<th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">When it occurs</th>
<th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">What it targets</th>
<th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">SOC/defender impact</th>
<th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">MITRE ATLAS</th>
<th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Primary mitigation</th>
</tr>
</thead>
<tbody>
<tr style="background-color:#e8fcd4; border-bottom:1px solid #d0d0d0;">
<td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">Evasion</td>
<td style="padding:10px 12px; color:#1a1a2e;">Inference time</td>
<td style="padding:10px 12px; color:#1a1a2e;">Model decision boundary</td>
<td style="padding:10px 12px; color:#1a1a2e;">ML-based malware detectors, network anomaly detection systems evaded</td>
<td style="padding:10px 12px; color:#1a1a2e;">AML.T0015</td>
<td style="padding:10px 12px; color:#1a1a2e;">Adversarial robustness testing, ensemble detection, human-in-the-loop validation</td>
</tr>
<tr style="background-color:#f7f7f7; border-bottom:1px solid #d0d0d0;">
<td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">Poisoning</td>
<td style="padding:10px 12px; color:#1a1a2e;">Training time</td>
<td style="padding:10px 12px; color:#1a1a2e;">Training data and learned model behaviour</td>
<td style="padding:10px 12px; color:#1a1a2e;">Threat intelligence models learn to misclassify attacker-controlled samples as benign</td>
<td style="padding:10px 12px; color:#1a1a2e;">AML.T0020</td>
<td style="padding:10px 12px; color:#1a1a2e;">Data provenance controls, input validation on training data, anomaly detection on training sets</td>
</tr>
<tr style="background-color:#ffffff; border-bottom:1px solid #d0d0d0;">
<td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">Model inversion</td>
<td style="padding:10px 12px; color:#1a1a2e;">Inference time</td>
<td style="padding:10px 12px; color:#1a1a2e;">Training data privacy</td>
<td style="padding:10px 12px; color:#1a1a2e;">Sensitive data recoverable from models trained on private records</td>
<td style="padding:10px 12px; color:#1a1a2e;">AML.T0025</td>
<td style="padding:10px 12px; color:#1a1a2e;">Differential privacy, query rate limiting, output confidence score suppression</td>
</tr>
<tr style="background-color:#f7f7f7; border-bottom:1px solid #d0d0d0;">
<td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">Model extraction</td>
<td style="padding:10px 12px; color:#1a1a2e;">Inference time</td>
<td style="padding:10px 12px; color:#1a1a2e;">Model intellectual property and decision logic</td>
<td style="padding:10px 12px; color:#1a1a2e;">Shadow models used for offline adversarial attack development</td>
<td style="padding:10px 12px; color:#1a1a2e;">AML.T0016</td>
<td style="padding:10px 12px; color:#1a1a2e;">Query monitoring, rate limiting, watermarking model outputs</td>
</tr>
<tr style="background-color:#ffffff; border-bottom:1px solid #d0d0d0;">
<td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">Prompt injection</td>
<td style="padding:10px 12px; color:#1a1a2e;">Inference time</td>
<td style="padding:10px 12px; color:#1a1a2e;">LLM instruction following</td>
<td style="padding:10px 12px; color:#1a1a2e;">AI agents take unintended actions; safety controls bypassed; data exfiltrated</td>
<td style="padding:10px 12px; color:#1a1a2e;">AML.T0051</td>
<td style="padding:10px 12px; color:#1a1a2e;">Input validation, privilege separation, output filtering, least-privilege tool access for agents</td>
</tr>
<tr style="background-color:#f7f7f7; border-bottom:1px solid #d0d0d0;">
<td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">Supply chain compromise</td>
<td style="padding:10px 12px; color:#1a1a2e;">Pre-training / deployment</td>
<td style="padding:10px 12px; color:#1a1a2e;">ML dependencies and infrastructure</td>
<td style="padding:10px 12px; color:#1a1a2e;">Compromised ML libraries affect all dependent deployments simultaneously</td>
<td style="padding:10px 12px; color:#1a1a2e;">AML.T0010</td>
<td style="padding:10px 12px; color:#1a1a2e;">Software composition analysis, dependency integrity verification, internal approved library registry</td>
</tr>
</tbody>
</table>
</div><!--kg-card-end: html--><hr><h2 id="how-do-you-learn-adversarial-machine-learning-as-a-cyber-defender"><strong>How Do You Learn Adversarial Machine Learning as a Cyber Defender?</strong></h2><p>The challenge with most adversarial ML learning resources is that they are written for ML researchers, not security practitioners. They assume familiarity with neural network architecture, gradient descent, and loss functions before getting to the attack techniques that matter operationally.</p><p>TryHackMe&apos;s<a href="https://tryhackme.com/path/outline/aisecurity?ref=blog.tryhackme.com"> AI Security path</a> is built for security practitioners. It covers adversarial ML concepts through the defender&apos;s lens: not how to train a model from scratch, but how to understand where models break, how attackers exploit those breaks, and what controls apply. The 25 hands-on labs put you inside live AI systems working with the techniques that matter operationally.</p><p>Specific rooms directly relevant to adversarial ML defenders:</p><p><strong>AI Threat Modelling</strong> covers MITRE ATLAS-based assessment: mapping your AI systems&apos; attack surface against the ATLAS tactics and techniques matrix, prioritising the techniques most relevant to your deployment, and designing controls against them.</p><p><strong>LLM Security</strong> covers prompt injection and jailbreaking from both the attacker and defender perspective. You run the attacks against live LLM systems and then apply the defensive controls that reduce exposure.</p><p><strong>AI Supply Chain Security</strong> covers dependency integrity, supply chain attack vectors, and how to assess and secure the ML libraries and infrastructure your deployments depend on.</p><p><strong>AI Forensics</strong> covers what investigation looks like when an AI system has been attacked: what artefacts to collect, how to determine whether a model was poisoned, and how to reconstruct what happened.</p><p><a href="https://tryhackme.com/certification/ai-security?ref=blog.tryhackme.com">AI1</a>, TryHackMe&apos;s AI Security certification, validates this skill set across 13 hands-on scenarios covering both offensive and defensive AI security. It is the first practical AI security credential available on any platform. Premium subscribers receive a 15% discount.</p><p></p><!--kg-card-begin: html--><div style="text-align: center;">  <a href="https://tryhackme.com/path/outline/aisecurity?ref=blog.tryhackme.com">    <button style="background-color: #222C42; color: white; padding: 15px 20px; border-radius: 10px; font-size: 25px;">     Explore the AI Security Path </button>  </a></div>
<!--kg-card-end: html--><p></p><hr><p></p><p></p><h2 id="faq"><strong>FAQ</strong></h2><p><strong>How is AI being used in cyber security attacks and defences?</strong> On the offensive side: AI-generated phishing that is indistinguishable from legitimate correspondence, adaptive malware that modifies its own code to evade signature-based detection, automated vulnerability discovery at a scale and speed that human researchers cannot match, and deepfake-based fraud that bypasses traditional social engineering awareness. On the defensive side: ML-based anomaly detection that identifies threats without requiring known signatures, AI-assisted alert triage that reduces the volume analysts need to review manually, automated threat intelligence enrichment, and LLM-powered investigation assistance that accelerates root cause analysis. Both sides are using the same underlying technology. The defenders who understand the offensive applications build better detection logic.</p><p><strong>How do you defend against AI-powered cyber attacks?</strong> Defending against AI-powered attacks requires controls at multiple layers. For AI-generated social engineering: procedural verification through a separate channel for any high-value request, regardless of how legitimate the initiating message appears. For adaptive malware evasion: behaviour-based detection that identifies what a process is doing rather than matching against known signatures, combined with heuristic analysis that catches novel variants. For adversarial ML attacks against your own AI systems: adversarial robustness testing as part of your model validation pipeline, data provenance controls for training data, and monitoring for anomalous query patterns that suggest model extraction or evasion attempts. For AI agents with tool access: least privilege on tool permissions, input validation, and output filtering before any agent action takes external effect.</p><p><strong>What is MITRE ATLAS and how does it relate to MITRE ATT&amp;CK?</strong> MITRE ATLAS is the AI-specific counterpart to MITRE ATT&amp;CK. ATT&amp;CK maps adversary tactics and techniques against traditional IT infrastructure. ATLAS maps them against AI and ML systems. As of February 2026, ATLAS v5.4.0 contains 16 tactics, 84 techniques, 56 sub-techniques, and 42 real-world case studies. If you already use ATT&amp;CK for threat modelling and detection engineering, ATLAS applies the same structured approach to your AI attack surface. Approximately 70% of ATLAS mitigations map to existing security controls, making integration with current SOC workflows practical rather than requiring entirely new defensive infrastructure.</p><hr><!--kg-card-begin: html--><div style="text-align: center;">  <a href="https://tryhackme.com/path/outline/aisecurity?ref=blog.tryhackme.com">    <button style="background-color: #222C42; color: white; padding: 15px 20px; border-radius: 10px; font-size: 25px;">     Explore the AI Security Path </button>  </a></div>
<!--kg-card-end: html-->]]></content:encoded></item><item><title><![CDATA[From Sales to SOC Analyst: How Eddie Used TryHackMe to Break Into Cyber security]]></title><description><![CDATA[Five years ago, Eddie Tumalle was working part-time as a phone technician / Sales. Today, he's a SOC analyst with three cyber security certifications earned in just three months]]></description><link>https://blog.tryhackme.com/from-sales-to-soc-analyst-how-eddie-used-tryhackme-to-break-into-cyber-security/</link><guid isPermaLink="false">6a4cb9009f011e00019961b9</guid><category><![CDATA[Blog]]></category><category><![CDATA[Success Story]]></category><dc:creator><![CDATA[Carah Els]]></dc:creator><pubDate>Tue, 07 Jul 2026 09:03:39 GMT</pubDate><media:content url="https://blog.tryhackme.com/content/images/2026/07/Eddie-Success-Story-Banner.svg" medium="image"/><content:encoded><![CDATA[<img src="https://blog.tryhackme.com/content/images/2026/07/Eddie-Success-Story-Banner.svg" alt="From Sales to SOC Analyst: How Eddie Used TryHackMe to Break Into Cyber security"><p>Five years ago, Eddie Tumalle was working part-time as a phone technician / Sales. Today, he&apos;s a SOC analyst with three cyber security certifications earned in just three months. His secret weapon? Consistent, hands-on practice and a TryHackMe license he made the absolute most of.</p><p>This is Eddie&apos;s story: how he pivoted from retail to IT to cyber security, and how TryHackMe helped him close the skills gap that theory alone couldn&apos;t.</p><h3 id="the-spark-a-mentor-and-a-plan">The Spark: A Mentor and a Plan</h3><p>Eddie&apos;s journey started with a conversation. While working as a phone technician, he met a colleague who managed a Security Operations Center at Boeing. That mentor gave him advice that shaped everything: build a strong IT foundation first, and pick up HR-friendly certifications along the way.</p><p>Eddie listened. He earned his A+ and IT support certifications, then made his first big move &#xA0;leaving retail behind for the IT department at T-Mobile.<br></p><h3 id="finding-the-gaps">Finding the Gaps</h3><p>IT gave Eddie real, transferable skills. Root cause analysis and documentation would later serve him well in the SOC. But when he set his sights on cyber security, he knew the learning curve would be steeper so he did something smart. He reached out to a former SOC team member and asked a simple question: <em><strong>what does the day-to-day actually look like, and where will I struggle?</strong></em></p><p>The answer was honest. Eddie had gaps in:</p><ul><li><strong>Reading raw logs</strong> and making sense of them under pressure</li><li><strong>Understanding network traffic</strong> at a deep level</li><li><strong>Navigating Splunk</strong>, the SIEM his company relied on</li><li><strong>The security side of Azure Active Directory</strong></li></ul><p>He didn&apos;t need more theory. He needed reps.</p><h3 id="enter-tryhackme"><br>Enter TryHackMe</h3><p>When T-Mobile sponsored TryHackMe licenses for its team, Eddie jumped in hard. He used the platform so heavily that he topped the company leaderboard for three months straight.</p><p>What made it click for him was the format. TryHackMe&apos;s structured learning paths gave him guidance instead of guesswork, and the hands-on labs meant he wasn&apos;t just reading about concepts he was doing them. The Security Analyst path in particular stood out, with the opening Security 101 section praised for building foundations the right way: Linux fundamentals, setting up a virtual machine, and the core concepts everything else stacks on.</p><p>Along the way, Eddie built exactly the skills he&apos;d been missing:</p><ul><li><strong>Raw log analysis</strong>: no longer intimidating, now second nature</li><li><strong>In-depth Splunk experience</strong>: directly relevant to his target SOC role</li><li><strong>The MITRE ATT&amp;CK framework</strong>: and how real investigations map to it</li><li><strong>The investigator&apos;s mindset</strong>: the SOC Simulator tied all the theory together in realistic scenarios</li></ul><p>Every one of those skills, in Eddie&apos;s words, transferred directly to the actual SOC environment.</p><h3 id="passing-sal1-two-days-after-getting-the-license">Passing SAL1: Two Days After Getting the License</h3><p>When Eddie heard about licenses to sit TryHackMe&apos;s <a href="https://tryhackme.com/certification/security-analyst-level-1?ref=blog.tryhackme.com">Security Analyst Level 1 (SAL1)</a> exam, he spoke to his managers, secured one, and took the exam two days later.</p><p><strong>He passed.</strong></p><p>His verdict? The <a href="https://tryhackme.com/certification/security-analyst-level-1?ref=blog.tryhackme.com">SAL1 </a>exam is a genuine representation of what starting in a SOC actually feels like. It forced him to navigate Splunk properly and proved he had the practical foundation the job demands.</p><p>It also changed his certification strategy entirely. Eddie found that TryHackMe&apos;s material covered more &#xA0;and went deeper than the traditional entry-level security certification he&apos;d originally planned to take. So he skipped it, made SAL1 his foundational credential instead, and used it as a springboard to a more advanced analyst certification. He passed both exams in the same week.</p><p>Three certifications. Three months. Nearly all of it fueled by intense, hands-on study.</p><h3 id="turning-learning-into-proof">Turning Learning Into Proof</h3><p>Eddie&apos;s advice to anyone chasing a SOC role is blunt: <strong>employers want proof, not promises.</strong> A project portfolio is no longer optional in a competitive market.</p><p>So he built one &#xA0;drawing directly from what he learned on TryHackMe:</p><ul><li><strong>Built his own firewall</strong> with pfSense, then took it further by adding IDS/IPS detection with Suricata, a tool referenced in TryHackMe&apos;s learning material</li><li><strong>Installed and configured Splunk</strong> on a Linux server, documenting the whole process &#xA0;directly relevant, since his company runs on Splunk</li><li><strong>Documented everything on GitHub</strong> &#xA0;steps, screenshots, diagrams &#xA0;creating a portfolio he could point to in interviews</li></ul><p>The documentation habit paid a hidden dividend: writing everything up forced him to review the material multiple times, which organized his thinking and gave him real confidence walking into interviews.</p><h3 id="the-payoff">The Payoff</h3><p>Eddie made it. He&apos;s now on the SOC team the goal he set five years ago as a phone technician.</p><p>He&apos;s clear about what got him there: without TryHackMe&apos;s structure, his journey would have been slower and far less streamlined. The learning paths gave him direction, the SOC Simulator gave him confidence, and the hands-on labs made sure nothing he learned slipped away.</p><p>And he&apos;s not done. Once he&apos;s settled into the SOC, Eddie plans to return to TryHackMe for the red team learning path and its certification because he believes reaching that higher technical level makes every other area of cybersecurity easier to master.</p><h3 id="eddies-advice-for-aspiring-soc-analysts">Eddie&apos;s Advice for Aspiring SOC Analysts</h3><ol><li><strong>Build your IT foundation first.</strong> The skills transfer more than you think.</li><li><strong>Talk to people in the role.</strong> Find your gaps before an interviewer does.</li><li><strong>Get hands-on.</strong> Theory alone won&apos;t survive contact with a real investigation. Platforms like TryHackMe exist so you can practice in real-world scenarios.</li><li><strong>Turn learning into projects.</strong> Firewalls, detection systems, SIEM setups, build them, document them, show them off.</li><li><strong>Ask about a company-sponsored license.</strong> Eddie&apos;s employer sponsored his TryHackMe access, complete with a leaderboard and monthly rewards. Yours might too.</li></ol><h3 id="three-words">Three Words</h3><p>When we asked Eddie to describe TryHackMe, he didn&apos;t hesitate:</p><p><strong>Practical. User-friendly. Relevant.</strong></p><p>We couldn&apos;t have said it better ourselves.</p><!--kg-card-begin: html--><div style="text-align: center;">  <a href="https://tryhackme.com/hacktivities?ref=blog.tryhackme.com">    <button style="background-color: #222C42; color: white; padding: 15px 20px; border-radius: 10px; font-size: 25px;">     Start Training Hands-on with TryHackMe </button>  </a></div><!--kg-card-end: html--><p><br></p><p><br></p><p><br></p><p><br></p>]]></content:encoded></item><item><title><![CDATA[Cybersecurity certifications for teams: How to build a program around Security Analyst Level 1 and 2]]></title><description><![CDATA[The majority of widely recognized security certifications were designed for individual career development, and are detached from the needs of hiring organizations. This creates a specific problem for managers trying to build an actionable understanding of team readiness.]]></description><link>https://blog.tryhackme.com/cybersecurity-certifications-program-for-teams/</link><guid isPermaLink="false">6a44fafc91ff6400019c240c</guid><category><![CDATA[B2B Blog]]></category><category><![CDATA[Blog]]></category><category><![CDATA[Business]]></category><dc:creator><![CDATA[Joanna Duffy]]></dc:creator><pubDate>Wed, 01 Jul 2026 11:42:56 GMT</pubDate><media:content url="https://blog.tryhackme.com/content/images/2026/07/Certifications-program-for-teams.svg" medium="image"/><content:encoded><![CDATA[<img src="https://blog.tryhackme.com/content/images/2026/07/Certifications-program-for-teams.svg" alt="Cybersecurity certifications for teams: How to build a program around Security Analyst Level 1 and 2"><p>There are definite limitations when organizations approach cybersecurity certifications individually. There&#x2019;s a common sequence of events: an analyst decides they want a certification, their manager approves the budget, and the certification gets added to that analyst&#x2019;s CV. It&#x2019;s useful, but it&#x2019;s not a program. With nearly two-thirds of managers (59%) <a href="https://edge.sitecorecloud.io/internationf173-xmc4e73-prodbc0f-9660/media/Project/ISC2/Main/Media/insights/Features/2025/12/COMMS_2025_Cybersecurity_WFS_Report_Whitepaper.pdf?ref=blog.tryhackme.com">citing critical or significant skills needs this year</a>, a change in approach is crucial.</p><p>A certification program is something different:</p><ul><li>It gives every role in a cyber team a clear credentialing path.</li><li>It tells managers where each analyst actually stands against a verified standard.</li><li>It creates a shared baseline the whole team can be measured against.</li><li>And it produces the kind of objective, third-party evidence that leadership and auditors<br>can act on.</li></ul><p>Building that program requires the right certifications at the right levels, and a platform that makes them manageable at scale.</p><h2 id="why-most-security-certifications-fall-short-for-teams">Why most security certifications fall short for teams</h2><p>The majority of widely recognized security certifications were designed for individual career development, and are detached from the needs of hiring organizations. This creates a specific problem for managers trying to build an actionable understanding of team readiness.</p><p>Moreover, these certifications test what practitioners know: they rely on multiple-choice exams, theory-heavy content, and narrow domain coverage, but misses the validation of practical skills that demonstrates job-readiness. Passing proves that an analyst has studied a topic. It doesn&apos;t tell you whether they can execute under pressure in a real environment.</p><p>For managers of cyber teams, that gap matters at every stage of the employment lifecycle:</p><ul><li><strong>New hires</strong> arrive with certifications on their CV that tell you what they&apos;ve studied, not what they can do in your environment</li><li><strong>Existing analysts</strong> may hold certs that are years old, acquired before the threat landscape looked anything like it does today</li><li><strong>Promotions and role changes</strong> get made on tenure and gut feel rather than verified evidence of capability at the next level</li><li><strong>Leadership conversations</strong> about team readiness rely on anecdote rather than data</li></ul><p>Hands-on, job-aligned certifications close that gap. They put candidates inside realistic environments and ask them to perform, so managers get a verified signal they can actually use.</p><h2 id="what-a-team-certification-program-looks-like">What a team certification program looks like</h2><p>A well-structured certification program maps credentials to roles and seniority levels, creates clear progression paths, and gives managers a central view of where the team stands at any point.</p><p><a href="https://tryhackme.com/business/solutions/certifications?ref=blog.tryhackme.com">TryHackMe&apos;s certification portfolio</a> is built around this model. Every exam is hands-on, browser-based, and designed to reflect the actual demands of the role. There are no multiple-choice questions. Candidates work in live environments against real scenarios and are assessed on what they can do, not what they can recall.</p><p>The TryHackMe certification ladder spans six certifications, each designed for a specific role and career stage. Together they create clear progression pathways from onboarding a non-technical hire to validating a senior SOC analyst ready for L2 responsibilities.</p><h3 id="sec0-pre-security">SEC0 | Pre Security</h3><p><strong>Who it&apos;s for:</strong> Cyber-adjacent roles, early learners, career switchers, non-technical business staff, interns</p><p><strong>What it validates:</strong> Core cyber concepts and terminology: computer, OS, and network fundamentals, how the web works, attacks and defenses</p><p><strong>Why it matters:</strong> No IT or tech background required. SEC0 gives non-security staff the vocabulary to engage meaningfully with the team, and acts as the first step on the TryHackMe learning journey. [<a href="https://tryhackme.com/certification/pre-security?ref=blog.tryhackme.com">Learn more about the SEC0 certification</a>]</p><h3 id="sec1-cyber-security-101">SEC1 | Cyber Security 101</h3><p><strong>Who it&apos;s for:</strong> Career starters, students, interns, junior cyber team members (0&#x2013;2 years experience)</p><p><strong>What it validates:</strong> Foundational offensive, defensive, and investigative skills across 7 practical sections: OS and network fundamentals, Red Team, Blue Team, and scenario-based tasks. No MCQs.</p><p><strong>Why it matters:</strong> Browser-based and integrated with the TryHackMe learning path, so candidates can prepare and assess in the same environment. Targets the actual job skills needed for a first role. [<a href="https://tryhackme.com/certification/cyber-security-101?ref=blog.tryhackme.com">Learn more about the SEC1 certification</a>]</p><h3 id="sal1-security-analyst-level-1">SAL1 | Security Analyst Level 1</h3><p><strong>Who it&apos;s for:</strong> L1 SOC analysts, new hires, onboarding cohorts</p><p><strong>What it validates:</strong> Real-world SOC work in a simulated environment, built specifically for the L1 analyst role and developed in collaboration with Salesforce and Accenture</p><p><strong>Why it matters:</strong> The go-to onboarding benchmark. Spots capability gaps before new joiners touch live systems. Tells managers what they&apos;re actually working with. [<a href="https://tryhackme.com/certification/security-analyst-level-1?ref=blog.tryhackme.com">Learn more about the SEC2 certification</a>]</p><h3 id="sal2-security-analyst-level-2">SAL2 | Security Analyst Level 2</h3><p><strong>Who it&apos;s for:</strong> Mid-senior analysts ready to validate seniority, SOC managers making promotion and succession decisions</p><p><strong>What it validates:</strong> Technical depth, operational judgment, and stakeholder communication across 12 scenario-based investigations delivered in a 72-hour window &#x2014; including SIEM analysis (Splunk/Elastic), compromised machine access, PCAP and malware triage, detection engineering with Sigma, incident summary writing, customer-facing updates, SLA management, and threat classification</p><p><strong>Why it matters:</strong> The only certification at this level that tests communication and escalation alongside technical skills, because that is what separates senior analysts from junior ones. Provides an auditable, third-party benchmark for promotion decisions, budget cases, and regulated environments. [<a href="https://tryhackme.com/certification/security-analyst-level-2?ref=blog.tryhackme.com">Learn more about the SAL2 certification</a>]</p><h3 id="pt1-junior-penetration-tester">PT1 | Junior Penetration Tester</h3><p><strong>Who it&apos;s for:</strong> Entry-level offensive security practitioners and red team members</p><p><strong>What it validates:</strong> Offensive skills across web, network, and Active Directory, including a full-stack simulated penetration test</p><p><strong>Why it matters:</strong> Validates offensive capability before an analyst takes on offensive responsibilities. Built by industry experts and designed to mirror the reality of an engagement. [<a href="https://tryhackme.com/certification/junior-penetration-tester?ref=blog.tryhackme.com">Learn more about the PT1 certification</a>]</p><h3 id="ai1-ai-security-level-1">AI1 | AI Security Level 1</h3><p><strong>Who it&apos;s for:</strong> Security teams and AI-adjacent roles working with AI-enabled systems</p><p><strong>What it validates:</strong> End-to-end AI attack and defense skills on live systems &#x2014; live chatbots, RAG knowledge bases, and model artifact environments &#x2014; covering prompt injection, supply chain security, data poisoning, and remediation</p><p><strong>Why it matters:</strong> Aligned with OWASP LLM Top 10 and CompTIA SecAI+. As AI becomes embedded in more environments, AI1 gives teams an objective measure of whether they can actually defend against the threats that come with it. [<a href="https://tryhackme.com/certification/ai-security?ref=blog.tryhackme.com">Learn more about the AI1 certification</a>]</p><h2 id="building-the-program-sal1-and-sal2-as-the-backbone-of-a-soc-certification-journey"><strong>Building the program: SAL1 and SAL2 as the backbone of a SOC certification journey</strong></h2><p>For defensive cyber teams, Security Analyst Level 1 and Security Analyst Level 2 are the natural anchors of a team certification program. They are not just two standalone assessments, but present a connected growth path. SAL1 establishes a verified baseline for every analyst on the team. SAL2 defines what senior readiness actually looks like. Together, they give managers something most certification programs never offer: objective evidence of capability at both ends of the L1-to-L2 progression.</p><p><strong>Security Analyst Level 1: Establishing a Verified SOC Baseline</strong></p><p>Security Analyst Level 1 is built specifically for L1 SOC analysts. It was developed in direct collaboration with Salesforce and Accenture, grounded in what the role actually demands rather than what a syllabus committee agreed on.</p><p>Candidates work inside a simulated SOC environment, triaging alerts, investigating incidents, and writing case reports across scenarios that reflect the tooling and workflows analysts encounter day to day. There are no theory questions, the assessment is entirely task-based.</p><p>For managers, SAL1 solves a specific and persistent problem: onboarding without a verified baseline. When every new joiner is expected to achieve SAL1 before handling live systems, the team has a consistent, objective foundation. When existing analysts hold it, the manager has confidence that a shared standard exists across the team.</p><p>SAL1 also gives L1 analysts a concrete and credible target. They can see exactly what proficiency looks like, and work toward it with purpose rather than waiting for someone to tell them they&apos;re ready.</p><p><strong>Security Analyst Level 2: Validating the Step Up</strong></p><p>SAL2 picks up where SAL1 leaves off. It&#x2019;s built for analysts who have developed their foundational skills and are <a href="https://tryhackme.com/resources/blog/sal2-mid-senior-soc?ref=blog.tryhackme.com">ready to demonstrate they can operate at a senior level</a>: independently, under pressure, across the full scope of <a href="https://tryhackme.com/resources/blog/business-context-soc-analysts?ref=blog.tryhackme.com">what L2 SOC work actually involves</a>.</p><p>That scope is broader than most certifications acknowledge. Across 12 scenario-based investigations in a 72-hour window, SAL2 candidates handle real incidents using Splunk or Elastic, access compromised machines, conduct PCAP and malware analysis, and work through detection engineering with Sigma. They are also assessed on stakeholder communication like incident summary writing, customer-facing updates, SLA management, and threat classification, because that is what separates L2 analysts from L1 analysts in practice.</p><p>For managers, SAL2 turns a subjective promotion decision into an evidence-based one. For the analysts themselves, it is a meaningful milestone that reflects genuine achievement, not accumulated tenure. And for the business, it is an auditable signal of operational readiness that holds up in regulated environments and leadership conversations alike.</p><p>The SAL1-to-SAL2 path is the clearest growth journey in defensive security certification. It tells a consistent story: this is what entry-level readiness looks like, and this is what senior readiness looks like, with objective evidence at both points.</p><h2 id="where-certifications-fit-in-the-wider-capability-picture">Where certifications fit in the wider capability picture</h2><p>Certifications validate what analysts can do at a point in time. They answer a specific management question: is this person ready for this level of responsibility? But they work best when they sit inside a broader capability management approach.</p><p><strong>At onboarding</strong>, certifications replace assumption with evidence. A new joiner with Security Analyst Level 1 has a verified baseline. One without it gets a structured path to achieve it before handling live systems.</p><p><strong>At progression points</strong>, certifications like Security Analyst Level 2 make promotion and succession decisions objective. Rather than relying on tenure or the opinion of a senior colleague, managers have verified evidence of performance at the next level of complexity, including the operational judgment and stakeholder communication skills that actually separate L1 from L2.</p><p><strong>During role transitions</strong>, certifications flag readiness before responsibilities change. An analyst moving from a defensive to a more offensive role can work toward Junior Penetration Tester to validate the skills the new position requires, rather than discovering gaps in production.</p><p><strong>For cyber-adjacent teams</strong>, certifications like Pre Security and AI Security Level 1 give non-technical roles the foundation to understand what the security team is dealing with, and give IT, legal, and compliance functions the grounding to participate meaningfully in security programs and incident response. <strong>AI Security Level 1 makes existing security skills current for all skill levels, by adding the crucial context of a new attack surface.</strong></p><p><strong>For ongoing readiness</strong>, certifications catch capability drift before it becomes operational risk. Skills that aren&apos;t practiced against current material decay quietly. A structured recertification cadence keeps the team&apos;s verified baseline current.</p><p>The Manager Dashboard in TryHackMe gives teams a central view of certification status across the whole cyber team: completions, retakes, upcoming expiry, and where gaps exist by role. The program stays visible and manageable rather than drifting on autopilot.</p><h2 id="what-leadership-needs-from-a-certification-program">What leadership needs from a certification program</h2><p>The business case for a structured certification program is straightforward. Leadership needs to know the cyber team is capable of handling the threats the organization faces. Regulatory frameworks increasingly require demonstrable evidence of security workforce readiness. Auditors ask for it, boards are starting to ask for it.</p><p>Job titles and tenure are proxies, while certifications from a hands-on platform that assesses real performance in realistic environments are evidence.</p><p>Organizations need to treat certifications as a capability management tool, not an individual career benefit. To map credentials to roles, track status centrally and build progression paths that show analysts where they&apos;re going and give managers the data to support investment decisions with something more than instinct.</p><p><a href="https://tryhackme.com/business/solutions/certifications?ref=blog.tryhackme.com">[Explore TryHackMe&apos;s certification program for cyber teams.]</a><br><br>Want to turn theoretical cyber security training into proven capability? <a href="https://tryhackme.com/business?ref=blog.tryhackme.com">Explore TryHackMe for Business</a></p><h2 id="frequently-asked-questions">Frequently Asked Questions</h2><p><strong>What is the TryHackMe Security Analyst Level 1 (SAL1) certification?</strong> Security Analyst Level 1 is a hands-on SOC analyst certification from TryHackMe, built specifically for L1 analysts and developed in collaboration with Salesforce and Accenture. Candidates work inside a simulated SOC environment: triaging alerts, investigating incidents, and writing case reports, with no multiple-choice questions. It is designed to validate what analysts can actually do in a real environment, not what they can recall from a textbook.</p><p><strong>What is the TryHackMe Junior Penetration Tester (PT1) certification?</strong> Junior Penetration Tester is an entry-level offensive security certification from TryHackMe. It validates practical skills across web application testing, network penetration, and Active Directory attacks, and includes a full-stack simulated penetration test. It is designed for red team practitioners and analysts who work across offensive and defensive responsibilities.</p><p><strong>What is the difference between TryHackMe Security Analyst Level 1 and Security Analyst Level 2?</strong> Security Analyst Level 1 is designed for L1 SOC analysts and establishes a verified baseline of core defensive skills in a simulated SOC environment. Security Analyst Level 2 is designed for mid-senior analysts and goes further, assessing not just technical depth across endpoints, networks, cloud logs, and SIEM platforms, but also operational judgment, incident communication, and stakeholder reporting across 12 scenario-based investigations in a 72-hour assessment window.</p><p><strong>Are TryHackMe certifications recognized by employers?</strong> TryHackMe certifications are hands-on and job-aligned, developed with input from practitioners and industry partners including Salesforce and Accenture. They are designed to validate real operational capability rather than theoretical knowledge, which makes them meaningful to hiring managers and security leaders who need evidence of what candidates can actually do.</p><p><strong>How long does it take to complete TryHackMe&apos;s Security Analyst Level 1 certification?</strong> Security Analyst Level 1 is a flexible, on-demand assessment. TryHackMe provides an integrated learning path to help candidates prepare, and the exam itself is non-proctored with one free retake included. Preparation time varies depending on existing experience, but the SOC L1 learning path is designed to be worked through consistently alongside operational responsibilities.</p><p><strong>Can managers track certification progress across their cyber team?</strong> Yes. TryHackMe&apos;s Manager Dashboard gives team leaders a central view of certification status across the whole team &#x2014; including completions, retakes, and upcoming expiry dates. It sits alongside broader team performance and skill gap data, so certification progress is visible in the context of overall capability management rather than as a separate tracking exercise.</p><p><strong>What TryHackMe certifications are suitable for non-technical or cyber-adjacent roles?</strong> TryHackMe&apos;s Pre Security certification (SEC0) is designed for learners without a technical background, covering core cyber concepts and terminology across seven modules. It is well suited to IT, legal, compliance, and business roles that need to understand the security landscape and participate meaningfully in security programs and incident response. AI Security Level 1 (AI1) is also relevant for AI-adjacent roles across the organization, covering end-to-end AI attack and defense skills on real AI systems.</p>]]></content:encoded></item><item><title><![CDATA[Blue team training for SOC teams: How to move from individual skills to team readiness]]></title><description><![CDATA[A team of individually strong analysts who have never practiced responding together is not a ready team. It's a collection of capable individuals who haven't become an operational unit.]]></description><link>https://blog.tryhackme.com/blue-team-training-for-soc-teams-readiness/</link><guid isPermaLink="false">6a427ada91ff6400019c23b1</guid><category><![CDATA[B2B Blog]]></category><category><![CDATA[Blog]]></category><category><![CDATA[Business]]></category><dc:creator><![CDATA[Joanna Duffy]]></dc:creator><pubDate>Mon, 29 Jun 2026 14:07:24 GMT</pubDate><media:content url="https://blog.tryhackme.com/content/images/2026/06/blueteam.svg" medium="image"/><content:encoded><![CDATA[<img src="https://blog.tryhackme.com/content/images/2026/06/blueteam.svg" alt="Blue team training for SOC teams: How to move from individual skills to team readiness"><p>All SOC managers have a rough sense of where their team stands, regardless of the tools they&#x2019;re working with. They know who the strong analysts are, have a feel for which threat categories the team handles well and which ones make them nervous, and they&#x2019;ve seen the training completion rates in their company&#x2019;s LMS.</p><p>What they rarely have is any of that in a form they can act on, report upward, or build a strategy from. Why would they, if their platform doesn&#x2019;t offer them the intelligence?</p><p>Most cyber security training platforms on the market were built to develop individual skills, but fail to give a manager the insights or collaborative environments needed to develop team capability as a strategic, always-on function.</p><p>The result is a common and costly gap: training activity that&#x2019;s disconnected from business risk, invisible to leadership, and fails to evidence actual readiness.</p><h2 id="individual-cyber-training-is-the-foundation-not-the-finish-line">Individual cyber training is the foundation, not the finish line</h2><p>Individual skill development is, of course, an irreplaceable part of capability development for modern SOC teams. Thanks to AI, threat actors are more efficient and sophisticated than ever before. Hands-on, job-aligned learning paths, certifications mapped to role and seniority, as well as regular practice against current threat material are all non-negotiable. A team cannot be ready if its analysts aren&apos;t capable.</p><p>But individual capability is just that: a part. A team of individually strong analysts who have never practiced responding <em>together,</em> and never stress-tested their escalation paths or made real decisions under shared pressure, is not a ready team. It&apos;s a collection of capable individuals who haven&apos;t become an operational unit.</p><p>It&#x2019;s the interplay between individual development and the cultivation of a team that works in alignment that most cyber security training platforms miss. They optimize for the individual and stop there, preventing managers and leadership from getting the layer of evidence that really gauges how the SOC will perform during a real incident.</p><!--kg-card-begin: html--><table style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><thead><tr><th>Individual training gives you</th><th>Team readiness requires</th></tr></thead><tbody><tr><td>Analyst skill development</td><td>Collective coverage across roles and threat areas</td></tr><tr><td>Personal  completions</td><td>Verified capability you can map to business risk</td></tr><tr><td>Individual performance data</td><td>Evidence of how the team performs under shared pressure</td></tr></tbody></table><!--kg-card-end: html--><h2 id="what-does-a-platform-for-individual-and-team-soc-training-look-like">What does a platform for individual and team SOC training look like?</h2><p>Individual development and team readiness aren&apos;t competing priorities, they&apos;re more like complementary layers. Each one makes the other more valuable. Here&apos;s how they work together:</p><!--kg-card-begin: html--><table style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><thead><tr><th>Layer</th><th>TryHackMe tools</th></tr></thead><tbody><tr><td>Individual development</td><td>Learning paths, certifications, SOC L1/L2 paths, AI Security path</td></tr><tr><td>Individual benchmarking</td><td>CTF Events [can also create a team competitive format]</td></tr><tr><td>Team performance visibility</td><td>Management Dashboard</td></tr><tr><td>Collaborative practice</td><td>Tabletops, Threat Hunting Simulator, SOC Simulator</td></tr><tr><td>Organizational validation</td><td>Live Breach Exercises, capability reviews</td></tr></tbody></table><!--kg-card-end: html--><h3 id="individual-development-the-foundation">Individual development: the foundation</h3><p>Individual skill development is where readiness starts. TryHackMe&apos;s learning paths and certifications are hands-on, job-aligned and mapped to role and seniority. Analysts are building skills relevant to what they&apos;ll actually face, rather than generic coursework.</p><h3 id="individual-benchmarking-pressure-testing-whats-been-built">Individual benchmarking: pressure-testing what&apos;s been built</h3><p>CTF Events surface how individual skills [or team dynamics] hold up under real competitive pressure. Run them to identify your strongest performers, or as a full-team event to benchmark the whole group. Either way, the results feed directly into your picture of where individual capability actually stands vis-a-vis the team.</p><h3 id="team-and-individual-performance-visibility-connecting-individuals-to-collective-coverage">Team and individual performance visibility: connecting individuals to collective coverage</h3><p>The Management Dashboard shows how individual progress maps to team-wide coverage. At a glance, managers can see:</p><ul><li>Skill gaps by role and threat area</li><li>Engagement trends and long-term capability improvement</li><li>Where the team is strong and where it&apos;s exposed</li><li>Whether investment is moving the needle, with export-ready data to show leadership</li></ul><h3 id="hands-on-practice-where-individual-skills-indicate-team-capability">Hands-on practice: where individual skills indicate team capability</h3><p>This is the layer most platforms don&apos;t have. Three tools, each testing something different:</p><p><strong><a href="https://tryhackme.com/soc-sim/?ref=blog.tryhackme.com">SOC Simulator</a></strong> &#x2014; analysts work through the same live alert scenario independently, then debrief together on where decisions diverged. Surfaces coordination gaps and MTTR variance without waiting for a real incident to expose them.</p><p><strong><a href="https://tryhackme.com/threat-hunting-sim/?ref=blog.tryhackme.com">Threat Hunting Simulator</a></strong>&#x2014; hypothesis-driven investigations in realistic environments, from foundational hunts to APT-level scenarios. Analysts train on real attacker behavior, building the instinct to look for threats before they trigger an alert. Gives team leads meaningful data on how analysts investigate under pressure, and relevant for development decisions at every seniority level.</p><h3 id="organizational-validation-demonstrated-readiness">Organizational validation: demonstrated readiness</h3><p><strong><a href="https://tryhackme.com/business/solutions/tabletop-exercises?ref=blog.tryhackme.com">Tabletop Exercises</a></strong> &#x2014; AI-generated from your context and documentation. Tests whether escalation paths hold under pressure, whether ownership is clear, and whether the team communicates effectively when it matters. Built in minutes, for regular implementation. Every session ends with specific actions and owners.</p><p><strong><a href="https://tryhackme.com/business/solutions/live-breach-exercises?ref=blog.tryhackme.com">Live Breach Exercises</a></strong> &#x2014; where assumed readiness becomes something you can evidence. TryHackMe delivers a simulation environment aligned to your context. The scenario evolves with ambiguity and shifting facts, covering each stage from an alert: detection, triage, and escalation, before moving into identification and scoping by higher-tier analysts and IR teams to verify and characterize the incident, then containment and isolation, eradication, recovery, and lessons learned. The output is a defensible record of organizational readiness that stands up to boards, auditors, and regulators.</p><h2 id="how-do-management-insights-bridge-individual-and-team-soc-training">How do management insights bridge individual and team SOC training?</h2><p>For individual or team training to have strategic impact, there needs to be visibility. The <a href="https://tryhackme.com/business/solutions/management-dashboard?ref=blog.tryhackme.com">TryHackMe Management Dashboard</a> is the spine that connects every layer.</p><p>It surfaces individual and team-wide progress in a single view: skill gaps by role and category, engagement trends, long-term capability improvement over time. Learning paths can be aligned frameworks or job descriptions, so assignments connect to what the organization is actually measured against. Deadline tracking, seat usage, and active user data mean the program runs operationally. Export-ready reporting means leadership can actually engage with the team&#x2019;s progress in context.</p><h2 id="how-does-training-activity-become-a-cyber-capability-strategy">How does training activity become a cyber capability strategy?</h2><p>The execution gap, the distance between what your team has been trained on and what they can execute under pressure, doesn&apos;t just close by adding more individual training. It closes when individual development is treated as <a href="https://tryhackme.com/business/resources/reports/SOC-Maturity-Model?ref=blog.tryhackme.com">the foundation of a broader capability strategy</a> built to get teams to work in lock-step, whatever their mix of skills and seniority. This requires a platform that&#x2019;s been built to manage, measure, and evidence from the individual analyst through to the entire SOC, with insights actually relevant to the board.<br><br>Want to turn theoretical cyber security training into proven capability? <a href="https://tryhackme.com/business?ref=blog.tryhackme.com">Explore TryHackMe for Business</a></p>]]></content:encoded></item><item><title><![CDATA[Introducing TryHackMe MAX]]></title><description><![CDATA[MAX is our most powerful plan to date. It brings together the content that working practitioners have been asking for most: advanced learning paths that map to mid-career security roles, including AWS and Azure cloud security labs, a permanent AttackBox, recent threats content, and more.]]></description><link>https://blog.tryhackme.com/introducing-tryhackme-max/</link><guid isPermaLink="false">6a3d21a791ff6400019c2216</guid><category><![CDATA[Blog]]></category><dc:creator><![CDATA[Nick O'Grady]]></dc:creator><pubDate>Mon, 29 Jun 2026 12:42:00 GMT</pubDate><media:content url="https://blog.tryhackme.com/content/images/2026/06/THM-MAX-Blog-Banner.gif" medium="image"/><content:encoded><![CDATA[<img src="https://blog.tryhackme.com/content/images/2026/06/THM-MAX-Blog-Banner.gif" alt="Introducing TryHackMe MAX"><p>MAX is our most powerful plan to date. It brings together the content that working practitioners have been asking for most: advanced learning paths that map to mid-career security roles, including AWS and Azure cloud security labs, a persistent AttackBox, recent threats content, and more. Built for practitioners who need to stay ahead, and for anyone who wants access to everything TryHackMe has to offer.</p><p>TryHackMe has been used by over 8 million people to learn and develop Cyber Security skills. A significant number of those people are working practitioners: SOC analysts, security engineers, penetration testers, incident responders. They came to TryHackMe to learn, and they stayed because it works.</p><p>That&apos;s why today (29 June 2026) we are launching MAX: a new plan built specifically for that audience.</p><!--kg-card-begin: html--><div style="text-align: center;">  <a href="https://tryhackme.com/pricing?ref=blog.tryhackme.com">    <button style="background-color: #222C42; color: white; padding: 15px 20px; border-radius: 10px; font-size: 25px;">     Upgrade to MAX </button>  </a></div>
<!--kg-card-end: html--><h2 id="what-is-max-and-how-does-it-compare-to-premium">What is MAX and how does it compare to Premium?</h2><p>MAX sits above Premium, which continues to cover the broad range of learning paths and hands-on content that practitioners at every stage use. MAX adds the most advanced specialist paths, cloud labs, and current threat content on top.</p><p>Some of the paths currently in Premium are moving to MAX for new subscribers from 29 June 2026. If you subscribed to Premium on or before 29 June 2026, you keep access to those paths until July 2027. See the table below for the full picture.</p><figure class="kg-card kg-image-card"><img src="https://blog.tryhackme.com/content/images/2026/07/Legacy-premium-vs-New-premium-vs-Max--3-.png" class="kg-image" alt="Introducing TryHackMe MAX" loading="lazy" width="2000" height="2843" srcset="https://blog.tryhackme.com/content/images/size/w600/2026/07/Legacy-premium-vs-New-premium-vs-Max--3-.png 600w, https://blog.tryhackme.com/content/images/size/w1000/2026/07/Legacy-premium-vs-New-premium-vs-Max--3-.png 1000w, https://blog.tryhackme.com/content/images/size/w1600/2026/07/Legacy-premium-vs-New-premium-vs-Max--3-.png 1600w, https://blog.tryhackme.com/content/images/size/w2400/2026/07/Legacy-premium-vs-New-premium-vs-Max--3-.png 2400w" sizes="(min-width: 720px) 720px"></figure><p>&#x26A0;&#xFE0F; <em>Web Application Red Teaming, Advanced Endpoint Investigations, Red Teaming and SOC Level 2 are moving exclusively to MAX for anyone signing up after 29 June. If you are an existing Premium subscriber, see below for how this affects your access.</em></p><p>&#x26A0;&#xFE0F; <em>Attacking and Defending AWS &amp; Defending Azure were previously only available on Business plans. MAX is the first time individuals can access them.</em></p><hr><h2 id="whats-new-in-max">What&apos;s new in MAX</h2><h3 id="advanced-paths">Advanced paths</h3><p>The four paths at the top of a lot of practitioners&apos; lists are now in MAX: Red Teaming, SOC Level 2, Web Application Red Teaming, and Advanced Endpoint Investigation. These are the paths that map directly to mid-career security roles: the work you are actually doing. Not the work you are preparing to do.</p><h3 id="cloud-security-paths">Cloud security paths</h3><p>Until now, AWS and Azure labs on TryHackMe have only been available to organisations on Business plans. MAX changes that. AWS 101 (Attacking and Defending AWS) and Azure 101 (Azure Security) are now open to individual subscribers. The AWS 101 path will also be significantly updated, so if you have been through it before it is worth starting again.</p><h3 id="recent-threats">Recent Threats</h3><p>CVEs do not wait for course catalogues to catch up. Recent Threats is a continuously updated module with hands-on labs for the latest vulnerabilities. All new recent threats released from today now require MAX, with new labs added as threats emerge.</p><h3 id="persistent-attackbox">Persistent AttackBox</h3><p>The Persistent AttackBox is exactly what it sounds like: a machine that stays alive between sessions. No more losing your work when a session ends. Files persist, installed tools persist, and spin-up is faster. If you spend serious time in the AttackBox, this is the feature you have been waiting for.</p><p>One thing to be clear about: if you downgrade from MAX, your AttackBox storage is permanently deleted and cannot be recovered. If you come back to MAX later, you start fresh.</p><blockquote>&#x26A0;&#xFE0F; <strong>Important:</strong> Downgrading from MAX permanently deletes your AttackBox storage. This cannot be recovered. If you resubscribe to MAX later, you will start with a clean machine.</blockquote><h3 id="certification-discount">Certification discount</h3><p>MAX annual plan subscribers get 40% off one TryHackMe certification per year. This applies to annual subscribers only, not monthly.</p><hr><h2 id="pricing-and-how-to-upgrade">Pricing and how to upgrade</h2><p>MAX is available on monthly and annual billing. If you are on an annual plan, you also get 40% off one TryHackMe certification per year. Visit the <a href="https://tryhackme.com/pricing?ref=blog.tryhackme.com">pricing page</a> to get started.</p><p>&#x1F30D; <strong>On a legacy currency plan?</strong></p><p><em>If you are currently billed in AUD, PLN, MXN, SAR, EGP, or another legacy currency, you will see a notification to contact our support team to upgrade to MAX.</em></p><hr><h2 id="what-does-this-mean-for-you">What does this mean for you?</h2><p>The launch of MAX involves some changes to how paths are distributed across plans, particularly for existing Premium subscribers. We have tried to make this as clear as possible. Below we cover the following scenarios, please skip to the situation that applies to you.</p><ul><li>Existing Premium subscribers (on or before 29 June 2026)</li><li>New Premium subscribers after 29 June 2026</li><li>Free TryHackMe users</li></ul><p></p><p><em>The grace period applies to Premium subscribers who subscribed on or before 29 June 2026.</em></p><p><em>Note: if you cancel your Premium subscription at any point, your grace period access ends immediately and permanently, even if you resubscribe.</em></p><hr><h3 id="existing-premium-subscribers-subscribed-on-or-before-29-june-2026">Existing Premium subscribers (subscribed on or before 29 June 2026)</h3><p>If you are an existing Premium subscriber, you are not losing anything straight away. The four paths that are moving to MAX (SOC L2, Web Application Red Teaming, Red Teaming, and Advanced Endpoint Investigation) remain available on your Premium plan until July 30, 2027, provided your subscription stays active and uninterrupted.</p><figure class="kg-card kg-image-card"><img src="https://blog.tryhackme.com/content/images/2026/06/image--18-.png" class="kg-image" alt="Introducing TryHackMe MAX" loading="lazy" width="1496" height="1051" srcset="https://blog.tryhackme.com/content/images/size/w600/2026/06/image--18-.png 600w, https://blog.tryhackme.com/content/images/size/w1000/2026/06/image--18-.png 1000w, https://blog.tryhackme.com/content/images/2026/06/image--18-.png 1496w" sizes="(min-width: 720px) 720px"></figure><blockquote>&#x26A0;&#xFE0F; <strong>Important:</strong> If you cancel your Premium subscription, you will permanently lose access to the four paths included under the grace period. This applies even if you resubscribe to Premium later. The grace period does not reinstate once broken.</blockquote><p><strong>This grace period applies only if your Premium subscription was active on or before 29 June 2026.</strong></p><p><strong>Example, Case 1:</strong> You subscribed to Premium Annual in January 2026. You renew in January 2027. You keep the four paths until July 2027. After that, they move to MAX only.</p><p><strong>Example, Case 2:</strong> You subscribed in January 2026, cancel or let your subscription lapse in January 2027, and resubscribe in February 2027. The grace period does not apply to the renewed subscription. The four paths will not be included in your Premium from February 2027.</p><blockquote>&#x26A0;&#xFE0F; During cancellation, we will show a notice confirming you will lose access to these paths on Premium if you cancel.</blockquote><hr><h3 id="new-premium-users-signing-up-after-29-june-2026">New Premium users signing up after 29 June 2026</h3><p>If you are creating your TryHackMe Premium account after 29 June 2026, the new plan definitions apply to you from day one.</p><hr><h3 id="free-tryhackme-users">Free TryHackMe Users</h3><p>If you are on a free TryHackMe account, the four paths moving to MAX: Red Teaming, SOC Level 2, Web Application Red Teaming, and Advanced Endpoint Investigation - will no longer be accessible from 29 June.</p><p>If you want to keep going with any of those paths, MAX is the plan to be on.</p><hr><p></p><!--kg-card-begin: html--><div style="text-align: center;">  <a href="https://tryhackme.com/pricing?ref=blog.tryhackme.com">    <button style="background-color: #222C42; color: white; padding: 15px 20px; border-radius: 10px; font-size: 25px;">     Upgrade to Max </button>  </a></div>
<!--kg-card-end: html--><h2 id="faq">FAQ</h2><p><strong>Q: Can I stay on Premium?</strong></p><p>Yes. Premium is not going anywhere. However some paths (outlined in the table above) will be moving to MAX. Please check the section &quot;What does this mean for you?&quot; to find out more about when this will affect you. MAX adds the advanced practitioner content on top of Premium for those who need it.</p><p><strong>Q: What happens to my AttackBox files if I downgrade from MAX?</strong></p><p>Your AttackBox storage will be permanently deleted when you downgrade. This cannot be recovered. If you return to MAX later, you will start with a clean machine.</p><p><strong>Q: I&apos;m billed in AUD / PLN / MXN / SAR / EGP. How do I upgrade to MAX?</strong></p><p>You will see a notification in your account prompting you to contact support. Our team will handle the upgrade for you. Please be aware that once upgraded, you will not be able to return to your previous legacy currency pricing.</p><p><strong>Q: Will more content be added to MAX in the future?</strong></p><p>Yes. New paths are planned throughout 2026 and 2027. See the roadmap table above.</p><p><strong>Q: Does the 40% certification discount apply to monthly subscribers?</strong></p><p>No. The certification discount is available to MAX annual plan subscribers only, and redeemable once per year.</p><p><strong>Q: What happens to my grace period path access if I cancel my Premium subscription?</strong></p><p>If you cancel, you permanently lose access to the four paths included under the grace period, even if you resubscribe to Premium afterwards. The grace period does not reinstate.</p><p><strong>Q: When do the plan changes take effect?</strong></p><p>For new sign-ups, the new plan definitions apply from 29 June. Existing Premium subscribers who subscribed on or before 29 June 2026 keep access to the four paths until 30 July 2027, provided their subscription stays active and uninterrupted.</p><hr><p>Ready to level up?</p><!--kg-card-begin: html--><div style="text-align: center;">  <a href="https://tryhackme.com/pricing?ref=blog.tryhackme.com">    <button style="background-color: #222C42; color: white; padding: 15px 20px; border-radius: 10px; font-size: 25px;">     Upgrade to MAX </button>  </a></div>
<!--kg-card-end: html--><p></p><figure class="kg-card kg-image-card"><img src="https://blog.tryhackme.com/content/images/2026/06/THM-MAX-Blog-Banner-1.gif" class="kg-image" alt="Introducing TryHackMe MAX" loading="lazy" width="1728" height="360" srcset="https://blog.tryhackme.com/content/images/size/w600/2026/06/THM-MAX-Blog-Banner-1.gif 600w, https://blog.tryhackme.com/content/images/size/w1000/2026/06/THM-MAX-Blog-Banner-1.gif 1000w, https://blog.tryhackme.com/content/images/size/w1600/2026/06/THM-MAX-Blog-Banner-1.gif 1600w, https://blog.tryhackme.com/content/images/2026/06/THM-MAX-Blog-Banner-1.gif 1728w" sizes="(min-width: 720px) 720px"></figure>]]></content:encoded></item><item><title><![CDATA[TryHackMe Certification Guide]]></title><description><![CDATA[Every exam in the TryHackMe certification programme puts you inside a live environment with real tooling. No multiple choice. No theory questions. You investigate real alerts, run real attacks, and submit graded professional reports.]]></description><link>https://blog.tryhackme.com/tryhackme-certification-guide/</link><guid isPermaLink="false">6a3e98f291ff6400019c2388</guid><category><![CDATA[Blog]]></category><dc:creator><![CDATA[Nick O'Grady]]></dc:creator><pubDate>Sat, 27 Jun 2026 09:16:19 GMT</pubDate><media:content url="https://blog.tryhackme.com/content/images/2026/06/W26---Banner-5.svg" medium="image"/><content:encoded><![CDATA[<img src="https://blog.tryhackme.com/content/images/2026/06/W26---Banner-5.svg" alt="TryHackMe Certification Guide"><p>Most cyber security certifications test what you have memorised. TryHackMe certifications test what you can actually do.</p><p>Every exam in the TryHackMe certification programme puts you inside a live environment with real tooling. No multiple choice. No theory questions. You investigate real alerts, run real attacks, and submit graded professional reports. The credential you earn is proof of practical ability, not exam technique.</p><p>Here is every TryHackMe certification, who it is for, and how to get there.</p><hr><h2 id="the-tryhackme-certification-ladder"><strong>The TryHackMe Certification Ladder</strong></h2><p>Six certifications. A clear progression from complete beginner to advanced practitioner. Every one of them practical.</p><hr><h3 id="sec0-pre-security-certificate"><strong>SEC0: Pre-Security Certificate</strong></h3><p><strong>Who it is for:</strong> Complete beginners. Anyone who has never studied cyber security, networking, or operating systems before. People who want a formal first credential that confirms their foundational knowledge is solid before specialising.</p><p><strong>What it proves:</strong> That you understand how computers, networks, and the internet actually work. Not security concepts yet. The layer below them: TCP/IP, how websites are served, how operating systems manage files and processes. The knowledge that makes every subsequent security concept meaningful rather than abstract.</p><p><strong>The exam:</strong> Practical, scenario-based tasks. You apply knowledge to analyse situations rather than recall information from memory.</p><p><strong>Preparation path:</strong><a href="https://tryhackme.com/path/outline/presecurity?ref=blog.tryhackme.com"> Pre Security path</a></p><p><strong>Bundle:</strong> SEC0 and SEC1 together at 20% off. If you are starting from zero, the bundle is the most cost-effective route through both foundational credentials in one purchase.</p><p><a href="https://tryhackme.com/certification/pre-security?ref=blog.tryhackme.com">Explore SEC0</a></p><hr><h3 id="sec1-security-101-certificate"><strong>SEC1: Security 101 Certificate</strong></h3><p><strong>Who it is for:</strong> People who have completed SEC0 or already have IT foundations. Anyone who wants a formal entry-level credential before committing to a blue or red team direction. IT support, helpdesk, or networking professionals making the security pivot.</p><p><strong>What it proves:</strong> Beginner-level cyber security knowledge across both offensive and defensive domains. This is the first credential that signals to an employer you understand the field, not just the infrastructure it runs on.</p><p><strong>The exam:</strong> Structured practical assessment. You find answers through hands-on tasks rather than multiple choice.</p><p><strong>Preparation path:</strong><a href="https://tryhackme.com/path/outline/cybersecurity101?ref=blog.tryhackme.com"> Cyber Security 101 path</a></p><p><strong>Bundle:</strong> SEC0 + SEC1 available at 20% off each. Premium subscribers receive a further 15% discount.</p><p><a href="https://tryhackme.com/certification/cyber-security-101?ref=blog.tryhackme.com">Explore SEC1</a></p><hr><h3 id="sal1-security-analyst-level-1"><strong>SAL1: Security Analyst Level 1</strong></h3><p><strong>Who it is for:</strong> Anyone targeting a SOC analyst, blue team analyst, or security operations role at Tier 1 level. The most important credential for anyone whose career destination is defensive security.</p><p><strong>What it proves:</strong> That you can investigate a real alert. Not in theory. The exam puts you inside a live SOC simulator with a real alert queue, real tooling, and graded incident reports. You triage alerts, investigate incidents, correlate log data across sources, and document your findings in professional format.</p><p>Backed by Accenture and Salesforce. When these organisations endorse a credential, it means their hiring teams recognise it. That is the practical signal that matters.</p><p><strong>The exam:</strong> Live SOC simulator. Real alerts. Real tooling. Graded incident reports as part of the assessment.</p><p><strong>Preparation path:</strong><a href="https://tryhackme.com/path/outline/soclevel1?ref=blog.tryhackme.com"> SOC Level 1 path</a></p><p><strong>Discount:</strong> Premium subscribers receive 15% off.</p><p><a href="https://tryhackme.com/certification/security-analyst-level-1?ref=blog.tryhackme.com">Explore SAL1</a></p><hr><h3 id="sal2-security-analyst-level-2"><strong>SAL2: Security Analyst Level 2</strong></h3><p><strong>Who it is for:</strong> SOC analysts with Tier 1 experience who are ready to move into deeper investigation, threat hunting, and DFIR responsibilities. The credential for practitioners who want to lead investigations independently rather than triage from a playbook.</p><p><strong>What it proves:</strong> Tier 2 investigation capability. Advanced multi-stage scenarios covering threat hunting, memory forensics, network traffic analysis, and the independent analytical depth that senior SOC roles require.</p><p>Pablo Menendez Cores, SOC Analyst at NCC Group, described SAL2 as &quot;a strong and practical certification... it reflects quite well what we actually do in an MSSP environment.&quot; That is a practitioner at one of the most respected managed security services providers in the world validating what the exam tests.</p><p><strong>The exam:</strong> Advanced multi-stage SOC investigation scenarios. Harder, longer, and more ambiguous than SAL1 by design.</p><p><strong>Preparation path:</strong><a href="https://tryhackme.com/path/outline/soclevel2?ref=blog.tryhackme.com"> SOC Level 2 path</a></p><p><strong>Discount:</strong> Premium subscribers receive 15% off.</p><p><a href="https://tryhackme.com/certification/security-analyst-level-2?ref=blog.tryhackme.com">Explore SAL2</a></p><hr><h3 id="pt1-junior-penetration-tester"><strong>PT1: Junior Penetration Tester</strong></h3><p><strong>Who it is for:</strong> Anyone targeting a junior penetration tester, red team analyst, or offensive security role. The right first practical certification before OSCP.</p><p><strong>What it proves:</strong> That you can run a structured offensive security engagement and communicate findings professionally. A 48-hour practical exam across web application, network, and Active Directory targets. You attack live systems, document your findings, and submit a graded professional report. No shortcuts. No theory questions.</p><p><strong>The exam:</strong> 48-hour practical engagement. Graded professional report. Live targets across web, network, and Active Directory.</p><p><strong>Preparation path:</strong><a href="https://tryhackme.com/path/outline/jrpenetrationtester?ref=blog.tryhackme.com"> Jr Penetration Tester path</a>, rebuilt for 2026 with 89 rooms across 17 modules, a full nine-room Active Directory module, and three capstone challenges that mirror the exam format.</p><p><strong>Discount:</strong> Premium subscribers receive 15% off.</p><p><a href="https://tryhackme.com/certification/junior-penetration-tester?ref=blog.tryhackme.com">Explore PT1</a></p><hr><h3 id="ai1-ai-security-certificate"><strong>AI1: AI Security Certificate</strong></h3><p><strong>Who it is for:</strong> Security practitioners who want to be ahead of where the industry is heading. Penetration testers who need to assess AI systems. Defenders who need to detect and respond to AI-powered attacks. The forward-looking specialism that most practitioners have not yet invested in.</p><p><strong>What it proves:</strong> The ability to both attack and defend real AI systems across 13 hands-on scenarios. Prompt injection. LLM vulnerability exploitation. AI threat modelling. AI forensics. AI supply chain security. This is the first practical AI security certification available on any platform.</p><p><strong>The exam:</strong> 13 hands-on scenarios. Offensive and defensive AI security across real AI systems.</p><p><strong>Preparation path:</strong><a href="https://tryhackme.com/path/outline/aisecurity?ref=blog.tryhackme.com"> AI Security path</a>, 25 rooms covering the full offensive and defensive AI security landscape.</p><p><strong>Discount:</strong> Premium subscribers receive 15% off.</p><p><a href="https://tryhackme.com/certification/ai-security?ref=blog.tryhackme.com">Explore AI1</a></p><hr><h2 id="which-certification-path-is-right-for-you"><strong>Which Certification Path Is Right for You?</strong></h2><h3 id="if-you-are-a-complete-beginner"><strong>If you are a complete beginner</strong></h3><p>Start with SEC0. Complete it, then move to SEC1. The bundle saves you money and takes you through both foundational credentials in the most cost-effective way. After SEC1, you will know which direction appeals to you: blue team or red team. Then choose SAL1 or PT1 accordingly.</p><p><strong>Your path:</strong> SEC0 &#x2192; SEC1 &#x2192; SAL1 or PT1</p><h3 id="if-you-want-a-soc-analyst-or-blue-team-career"><strong>If you want a SOC analyst or blue team career</strong></h3><p>Start with SEC1 if you do not have IT foundations. Go straight to SAL1 preparation if you do. The<a href="https://tryhackme.com/path/outline/soclevel2?ref=blog.tryhackme.com"> SOC Level 2 path</a> is your preparation route for SAL2. Once you are in a Tier 1 role, SAL2 is the natural progression to Tier 2.</p><p><strong>Your path:</strong> SEC1 &#x2192; SAL1 &#x2192; SAL2</p><h3 id="if-you-want-a-penetration-testing-or-red-team-career"><strong>If you want a penetration testing or red team career</strong></h3><p>Start with SEC1 to validate your foundational knowledge. Then work through the Jr Penetration Tester path and sit PT1. This is the right first step before OSCP. After PT1 and some professional experience, AI1 extends your offensive capability into the fastest-growing attack surface in the field.</p><p><strong>Your path:</strong> SEC1 &#x2192; PT1 &#x2192; AI1</p><hr><h2 id="the-full-certification-reference-table"><strong>The Full Certification Reference Table</strong></h2><!--kg-card-begin: html--><div style="overflow-x:auto; margin: 2em 0; font-family: inherit;">
<table style="width:100%; border-collapse:collapse; font-size:14px; line-height:1.5;">
<thead>
<tr style="background-color:#1a1a2e; color:#a3ea2a;">
<th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Certification</th>
<th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Level</th>
<th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Direction</th>
<th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Exam format</th>
<th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Preparation path</th>
<th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Premium discount</th>
</tr>
</thead>
<tbody>
<tr style="background-color:#e8fcd4; border-bottom:1px solid #d0d0d0;">
<td style="padding:10px 12px; font-weight:600; color:#1a1a2e;"><a href="https://tryhackme.com/certification/pre-security?ref=blog.tryhackme.com" style="color:#2a7a00;">SEC0</a></td>
<td style="padding:10px 12px; color:#1a1a2e;">Foundation</td>
<td style="padding:10px 12px; color:#1a1a2e;">Beginner</td>
<td style="padding:10px 12px; color:#1a1a2e;">Hands-on practical tasks</td>
<td style="padding:10px 12px; color:#1a1a2e;"><a href="https://tryhackme.com/path/outline/presecurity?ref=blog.tryhackme.com" style="color:#2a7a00;">Pre Security path</a></td>
<td style="padding:10px 12px; color:#1a1a2e;">15% off. 20% bundle with SEC1</td>
</tr>
<tr style="background-color:#f7f7f7; border-bottom:1px solid #d0d0d0;">
<td style="padding:10px 12px; font-weight:600; color:#1a1a2e;"><a href="https://tryhackme.com/certification/cyber-security-101?ref=blog.tryhackme.com" style="color:#2a7a00;">SEC1</a></td>
<td style="padding:10px 12px; color:#1a1a2e;">Foundation</td>
<td style="padding:10px 12px; color:#1a1a2e;">Beginner</td>
<td style="padding:10px 12px; color:#1a1a2e;">Structured practical assessment</td>
<td style="padding:10px 12px; color:#1a1a2e;"><a href="https://tryhackme.com/path/outline/cybersecurity101?ref=blog.tryhackme.com" style="color:#2a7a00;">Cyber Security 101 path</a></td>
<td style="padding:10px 12px; color:#1a1a2e;">15% off. 20% bundle with SEC0</td>
</tr>
<tr style="background-color:#ffffff; border-bottom:1px solid #d0d0d0;">
<td style="padding:10px 12px; font-weight:600; color:#1a1a2e;"><a href="https://tryhackme.com/certification/security-analyst-level-1?ref=blog.tryhackme.com" style="color:#2a7a00;">SAL1</a></td>
<td style="padding:10px 12px; color:#1a1a2e;">Entry level</td>
<td style="padding:10px 12px; color:#1a1a2e;">&#x1F535; Blue Team</td>
<td style="padding:10px 12px; color:#1a1a2e;">Live SOC simulator, graded incident reports</td>
<td style="padding:10px 12px; color:#1a1a2e;"><a href="https://tryhackme.com/path/outline/soclevel1?ref=blog.tryhackme.com" style="color:#2a7a00;">SOC Level 1 path</a></td>
<td style="padding:10px 12px; color:#1a1a2e;">15% off</td>
</tr>
<tr style="background-color:#f7f7f7; border-bottom:1px solid #d0d0d0;">
<td style="padding:10px 12px; font-weight:600; color:#1a1a2e;"><a href="https://tryhackme.com/certification/security-analyst-level-2?ref=blog.tryhackme.com" style="color:#2a7a00;">SAL2</a></td>
<td style="padding:10px 12px; color:#1a1a2e;">Mid level</td>
<td style="padding:10px 12px; color:#1a1a2e;">&#x1F535; Blue Team</td>
<td style="padding:10px 12px; color:#1a1a2e;">Advanced multi-stage investigation scenarios</td>
<td style="padding:10px 12px; color:#1a1a2e;"><a href="https://tryhackme.com/path/outline/soclevel2?ref=blog.tryhackme.com" style="color:#2a7a00;">SOC Level 2 path</a></td>
<td style="padding:10px 12px; color:#1a1a2e;">15% off</td>
</tr>
<tr style="background-color:#ffffff; border-bottom:1px solid #d0d0d0;">
<td style="padding:10px 12px; font-weight:600; color:#1a1a2e;"><a href="https://tryhackme.com/certification/junior-penetration-tester?ref=blog.tryhackme.com" style="color:#2a7a00;">PT1</a></td>
<td style="padding:10px 12px; color:#1a1a2e;">Entry level</td>
<td style="padding:10px 12px; color:#1a1a2e;">&#x1F534; Red Team</td>
<td style="padding:10px 12px; color:#1a1a2e;">48-hour practical engagement, graded report</td>
<td style="padding:10px 12px; color:#1a1a2e;"><a href="https://tryhackme.com/path/outline/jrpenetrationtester?ref=blog.tryhackme.com" style="color:#2a7a00;">Jr Penetration Tester path</a></td>
<td style="padding:10px 12px; color:#1a1a2e;">15% off</td>
</tr>
<tr style="background-color:#f7f7f7; border-bottom:1px solid #d0d0d0;">
<td style="padding:10px 12px; font-weight:600; color:#1a1a2e;"><a href="https://tryhackme.com/certification/ai-security?ref=blog.tryhackme.com" style="color:#2a7a00;">AI1</a></td>
<td style="padding:10px 12px; color:#1a1a2e;">Specialist</td>
<td style="padding:10px 12px; color:#1a1a2e;">&#x1F7E3; Both</td>
<td style="padding:10px 12px; color:#1a1a2e;">13 hands-on scenarios across offensive and defensive AI security</td>
<td style="padding:10px 12px; color:#1a1a2e;"><a href="https://tryhackme.com/path/outline/aisecurity?ref=blog.tryhackme.com" style="color:#2a7a00;">AI Security path</a></td>
<td style="padding:10px 12px; color:#1a1a2e;">15% off</td>
</tr>
</tbody>
</table>
</div><!--kg-card-end: html--><hr><!--kg-card-begin: html--><div style="text-align: center;">  <a href="https://tryhackme.com/certifications?ref=blog.tryhackme.com">    <button style="background-color: #222C42; color: white; padding: 15px 20px; border-radius: 10px; font-size: 25px;">     Explore TryHackMe Certifications </button>  </a></div>
<!--kg-card-end: html--><h2 id="faq"><strong>FAQ</strong></h2><p><strong>Which cyber security certification has the best practical labs?</strong> SAL1 and PT1 are the most practically validated entry-level credentials available. SAL1 puts you inside a live SOC simulator for the exam: real alerts, real tooling, graded incident reports. PT1 is a 48-hour live engagement across web, network, and Active Directory targets with a graded professional report. Both test whether you can actually do the work, not whether you can describe it.</p><p><strong>What cyber skills are most in demand for 2026?</strong> SOC analysis and threat detection, penetration testing across web and Active Directory environments, cloud security, AI security, and incident response. TryHackMe&apos;s certification ladder maps directly to these: SAL1 and SAL2 for detection and response, PT1 for penetration testing, AI1 for AI security. The demand is not for people who have studied these areas. It is for people who can demonstrate they can execute them.</p><p><strong>Are TryHackMe certifications worth it?</strong> They are worth it for a specific reason: they are practical exams that produce evidence of ability rather than knowledge. SAL1 is backed by Accenture and Salesforce. SAL2 is endorsed by NCC Group. PT1 is recognised as a direct preparation credential for OSCP. These are not paper qualifications. They are proof that you can operate under exam conditions in a live environment. For hiring managers who can evaluate technical ability, that is worth considerably more than a multiple choice pass.</p><p><strong>Is a cyber security degree worth it in 2026?</strong> A degree provides structured academic grounding and may be required for certain government and regulated sector roles. But most cyber security employers in 2026 weight certifications and demonstrated practical ability over formal degrees. The practitioners who get hired fastest are those with a combination of practical credentials, a visible public profile showing consistent lab work, and the ability to talk specifically in a technical interview about what they have done. A degree without those things is less valuable than most people expect. Those things without a degree are increasingly sufficient.</p><p><strong>What cyber security career path should I choose?</strong> It depends on whether you want to detect attacks or run them. Blue team work, which covers SOC analyst, incident response, threat hunting, and DFIR, is the most accessible entry point with the largest hiring pipeline. Red team work, which covers penetration testing and offensive security, has a higher technical bar at entry but strong demand and excellent compensation. Both are valid. The right answer is which one you will sustain the motivation to practise consistently over twelve to eighteen months. Start with TryHackMe&apos;s free account and see which type of room you keep returning to.</p><p><strong>What cyber security salary can I expect at entry level in 2026?</strong> SOC Tier 1 analyst roles typically start at $55,000 to $75,000 in the US. Junior penetration tester roles start at $65,000 to $95,000. Both increase significantly with experience and practical credentials. SAL1 and PT1 signal readiness in a way that accelerates hiring decisions and starting salary negotiations because they provide evidence a hiring manager can evaluate, rather than a certificate they have to take on faith.</p><hr><!--kg-card-begin: html--><div style="text-align: center;">  <a href="https://tryhackme.com/certifications?ref=blog.tryhackme.com">    <button style="background-color: #222C42; color: white; padding: 15px 20px; border-radius: 10px; font-size: 25px;">    Explore TryHackMe Certifications </button>  </a></div>
<!--kg-card-end: html-->]]></content:encoded></item><item><title><![CDATA[How to Practise Active Directory Attacks: A Lab Guide for Red Teamers]]></title><description><![CDATA[Knowing what Kerberoasting is and being able to execute it fluently under engagement pressure are two different things. The gap between them is closed by one thing: lab repetition.]]></description><link>https://blog.tryhackme.com/how-to-practise-active-directory-attacks-a-lab-guide-for-red-teamers/</link><guid isPermaLink="false">6a3e855591ff6400019c2367</guid><category><![CDATA[Blog]]></category><dc:creator><![CDATA[Nick O'Grady]]></dc:creator><pubDate>Fri, 26 Jun 2026 15:13:56 GMT</pubDate><media:content url="https://blog.tryhackme.com/content/images/2026/06/W26---Banner-4.svg" medium="image"/><content:encoded><![CDATA[<img src="https://blog.tryhackme.com/content/images/2026/06/W26---Banner-4.svg" alt="How to Practise Active Directory Attacks: A Lab Guide for Red Teamers"><p>Knowing what Kerberoasting is and being able to execute it fluently under engagement pressure are two different things. The gap between them is closed by one thing: lab repetition.</p><p>Active Directory is the attack surface that defines senior offensive security work.<a href="https://coursejoiner.com/free-udemy/attacking-and-defending-active-directory-ad-pentesting-free-course/?ref=blog.tryhackme.com"> It is the backbone of 90% of enterprise networks worldwide.</a> Compromise it and you own the organisation&apos;s entire identity infrastructure. That is why AD techniques dominate OSCP and CRTO exams, appear in almost every red team engagement, and are the area where most junior penetration testers are weakest when they walk into their first interview.</p><p>This guide is not about what the attacks are. It is about how to practise them in a structured, progressive way that builds the automatic execution that real engagements require.</p><hr><h2 id="why-do-most-practitioners-underinvest-in-ad-lab-practice"><strong>Why Do Most Practitioners Underinvest in AD Lab Practice?</strong></h2><p>Because AD lab setup is genuinely hard. A realistic Active Directory environment requires at minimum a domain controller, one or more victim machines, and network configuration that allows the attacks to run as they would in a real environment. On local hardware, that means Windows Server licences, significant RAM, and hours of configuration before you can start practising.</p><p>TryHackMe solves this completely. The<a href="https://tryhackme.com/path/outline/jrpenetrationtester?ref=blog.tryhackme.com"> Jr Penetration Tester path</a> includes a dedicated nine-room Active Directory module with a fully configured, multi-host AD lab environment in the browser. No Windows Server licence. No VM configuration. No network setup. Open a room and you are inside a live domain with real attack tooling pre-installed. The module covers the full foundational attack chain: AD basics and authentication, enumeration, breaching, credential harvesting, and lateral movement between hosts.</p><p>For practitioners who want a persistent local environment after building foundations on TryHackMe, the section on local lab setup is at the end of this guide. Start with TryHackMe.</p><hr><h2 id="how-should-you-structure-your-ad-lab-practice"><strong>How Should You Structure Your AD Lab Practice?</strong></h2><p><a href="https://www.redfoxsec.com/blog/windows-red-teaming-course-hands-on-active-directory-attack-labs?ref=blog.tryhackme.com">The difference between knowing AD attack techniques and being proficient with them under real engagement pressure comes down entirely to lab time.</a> The most effective structure is four progressive stages, each with a clear competency target before moving on.</p><h3 id="stage-1-enumeration-only"><strong>Stage 1: Enumeration Only</strong></h3><p>Before you run any attacks, practise enumeration until it is automatic. The goal of this stage is to be able to fully map an AD environment using BloodHound and native tooling without thinking about the commands.</p><p><a href="https://cybersources.hashnode.dev/bloodhound-the-ultimate-red-team-tool-for-active-directory-enumeration?ref=blog.tryhackme.com">BloodHound uses graph theory to visualise relationships within AD: users, computers, groups, permissions, and the attack paths between them.</a> Run SharpHound to collect the data, import it, and work through the pre-built queries: Shortest Paths to Domain Admins, Kerberoastable Users, AS-REP Roastable Users, Dangerous Rights for Domain Users.<a href="https://www.sans.org/blog/bloodhound-sniffing-out-path-through-windows-domains?ref=blog.tryhackme.com"> This single &quot;Shortest Path to Domain Admins&quot; query has ended countless engagements in under an hour for experienced operators.</a></p><p>Do this on every new lab environment before doing anything else. Make enumeration the habit, not an afterthought.</p><p><strong>Competency target:</strong> Given a domain user and a live AD environment, identify all Kerberoastable accounts, AS-REP Roastable accounts, and at least one attack path to domain admin within fifteen minutes without referring to notes.</p><h3 id="stage-2-credential-attacks"><strong>Stage 2: Credential Attacks</strong></h3><p>With a BloodHound map of the environment, practise credential harvesting against the targets it identifies.</p><p><strong>Kerberoasting:</strong> Request TGS tickets for all accounts with SPNs. Crack offline with Hashcat. Prioritise accounts where BloodHound shows a path to higher privilege.</p><p>bash</p><p># Request all available TGS tickets</p><p>.\Rubeus.exe kerberoast /outfile:hashes.txt<br></p><p># Crack with Hashcat</p><p>hashcat -m 13100 hashes.txt rockyou.txt</p><p><strong>AS-REP Roasting:</strong> Identify accounts with preauthentication disabled. Extract and crack their AS-REP responses.</p><p>bash</p><p>python3 GetNPUsers.py target.local/ -usersfile users.txt -format hashcat -outputfile asrep.txt</p><p><strong>Competency target:</strong> Given a BloodHound output identifying Kerberoastable and AS-REP Roastable accounts, extract and crack at least one hash to a plaintext credential within thirty minutes.</p><h3 id="stage-3-lateral-movement"><strong>Stage 3: Lateral Movement</strong></h3><p>With credentials or hashes in hand, practise moving from your current foothold to other machines in the network.</p><p><strong>Pass-the-Hash:</strong> Use NTLM hashes to authenticate without knowing the plaintext password.</p><p>bash</p><p>python3 psexec.py -hashes :8846f7eaee8fb117ad06bdd830b7586c administrator@10.10.10.5</p><p><strong>Spray-and-check with NetExec:</strong> Identify which hosts your current credentials work on.</p><p>bash</p><p>nxc smb 10.10.10.0/24 -u administrator -H 8846f7eaee8fb117ad06bdd830b7586c</p><p><strong>Competency target:</strong> Given a cracked hash from Stage 2, identify at least two hosts where it provides access and establish a session on both.</p><h3 id="stage-4-full-kill-chain-no-hints"><strong>Stage 4: Full Kill Chain (No Hints)</strong></h3><p>Run the entire attack chain from domain user to domain admin without guidance. Enumerate the environment, identify attack paths, harvest credentials, move laterally, escalate privileges, execute DCSync.</p><p>This is the stage most practitioners skip too early.<a href="https://medium.com/@gokul965/conquering-crtp-my-red-teaming-journey-into-active-directory-attacks-345ac292325a?ref=blog.tryhackme.com"> CRTP candidates who succeed report 3 to 4 weeks of focused lab time where they documented every attack path like a battle plan and repeated the chain until mind-mapping and repetition made the concepts automatic.</a> That repetition is what produces automatic execution under exam and engagement pressure.</p><p><strong>Competency target:</strong> Enumerate a live AD environment, identify a viable attack chain, and reach domain admin without hints, in under two hours.</p><hr><h2 id="the-progressive-practice-reference-table"><strong>The Progressive Practice Reference Table</strong></h2><!--kg-card-begin: html--><div style="overflow-x:auto; margin: 2em 0; font-family: inherit;">
<table style="width:100%; border-collapse:collapse; font-size:14px; line-height:1.5;">
<thead>
<tr style="background-color:#1a1a2e; color:#a3ea2a;">
<th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Stage</th>
<th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Techniques to drill</th>
<th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Primary tools</th>
<th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Competency target</th>
<th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">TryHackMe</th>
</tr>
</thead>
<tbody>
<tr style="background-color:#e8fcd4; border-bottom:1px solid #d0d0d0;">
<td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">1. Enumeration</td>
<td style="padding:10px 12px; color:#1a1a2e;">BloodHound graph analysis, user/group/SPN enumeration, attack path identification</td>
<td style="padding:10px 12px; color:#1a1a2e;">BloodHound, SharpHound, PowerView</td>
<td style="padding:10px 12px; color:#1a1a2e;">Full environment map in 15 minutes, attack path to DA identified</td>
<td style="padding:10px 12px; color:#1a1a2e;"><a href="https://tryhackme.com/path/outline/jrpenetrationtester?ref=blog.tryhackme.com" style="color:#c0392b;">Jr Penetration Tester path</a></td>
</tr>
<tr style="background-color:#f7f7f7; border-bottom:1px solid #d0d0d0;">
<td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">2. Credential attacks</td>
<td style="padding:10px 12px; color:#1a1a2e;">Kerberoasting, AS-REP Roasting, offline hash cracking</td>
<td style="padding:10px 12px; color:#1a1a2e;">Rubeus, Impacket, Hashcat</td>
<td style="padding:10px 12px; color:#1a1a2e;">Extract and crack at least one hash to plaintext in 30 minutes</td>
<td style="padding:10px 12px; color:#1a1a2e;"><a href="https://tryhackme.com/path/outline/jrpenetrationtester?ref=blog.tryhackme.com" style="color:#c0392b;">Jr Penetration Tester path</a></td>
</tr>
<tr style="background-color:#ffffff; border-bottom:1px solid #d0d0d0;">
<td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">3. Lateral movement</td>
<td style="padding:10px 12px; color:#1a1a2e;">Pass-the-Hash, Pass-the-Ticket, SMB/WMI lateral movement, spray-and-check</td>
<td style="padding:10px 12px; color:#1a1a2e;">Impacket, NetExec, Mimikatz</td>
<td style="padding:10px 12px; color:#1a1a2e;">Establish sessions on multiple hosts from a single credential</td>
<td style="padding:10px 12px; color:#1a1a2e;"><a href="https://tryhackme.com/path/outline/jrpenetrationtester?ref=blog.tryhackme.com" style="color:#c0392b;">Jr Penetration Tester path</a></td>
</tr>
<tr style="background-color:#f7f7f7; border-bottom:1px solid #d0d0d0;">
<td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">4. Full kill chain</td>
<td style="padding:10px 12px; color:#1a1a2e;">End-to-end: enumeration, credential access, lateral movement, DCSync, domain compromise</td>
<td style="padding:10px 12px; color:#1a1a2e;">Full toolset, no hints</td>
<td style="padding:10px 12px; color:#1a1a2e;">Domain admin in under 2 hours from domain user, unguided</td>
<td style="padding:10px 12px; color:#1a1a2e;"><a href="https://tryhackme.com/path/outline/redteaming?ref=blog.tryhackme.com" style="color:#c0392b;">Red Teaming path</a></td>
</tr>
</tbody>
</table>
</div><!--kg-card-end: html--><hr><h2 id="do-you-need-a-local-lab"><strong>Do You Need a Local Lab?</strong></h2><p>Not to start. TryHackMe&apos;s browser-based AD module covers Stages 1 through 3 thoroughly. The capstone challenges in the Jr Penetration Tester path provide Stage 4 practice in unguided format.</p><p>A local lab becomes valuable when you want persistent, custom environments you control completely: additional machines, specific misconfigurations, or the ability to practise with C2 frameworks at Stage 4 and above.<a href="https://www.macksofytrainings.com/active-directory-pentest-guide-india-2026/?ref=blog.tryhackme.com"> Game of Active Directory (GOAD) is the community standard for local multi-domain lab setup</a> and deploys a realistic multi-machine environment using Vagrant and VirtualBox. It is a meaningful time investment. Do it after you have completed Stages 1 through 3 in TryHackMe&apos;s guided environment.</p><hr><h2 id="faq"><strong>FAQ</strong></h2><p><strong>What is a red team vs blue team exercise?</strong> A red team exercise is a simulated attack conducted against an organisation&apos;s real systems with explicit permission, designed to test whether defences hold against a realistic adversary. The blue team is the organisation&apos;s defenders who monitor for and respond to those attacks. In a combined exercise, both teams operate in parallel - the red team attacks while the blue team tries to detect and contain the activity. The findings from both sides inform security improvements that neither could produce independently.</p><p><strong>How do I start learning red teaming from scratch?</strong> Build penetration testing foundations first. Red teaming is an advanced discipline that sits on top of solid offensive fundamentals across web application exploitation, network penetration, and Active Directory attacks. TryHackMe&apos;s<a href="https://tryhackme.com/path/outline/jrpenetrationtester?ref=blog.tryhackme.com"> Jr Penetration Tester path</a> builds those foundations systematically across 89 rooms and 17 modules. Complete it, sit PT1, and then move into the<a href="https://tryhackme.com/path/outline/redteaming?ref=blog.tryhackme.com"> Red Teaming path</a> for tradecraft: C2 frameworks, OPSEC, evasion, and advanced AD techniques.</p><p><strong>How do I learn exploit development for beginners?</strong> Exploit development starts with understanding how memory works: stack structure, buffer overflows, instruction pointer control, and shellcode execution. The prerequisite skills are C programming and a basic understanding of x86 assembly. TryHackMe&apos;s Jr Penetration Tester path covers buffer overflow fundamentals that establish the mental model before moving into more advanced exploitation. From there, the Seeley series of resources and practice on intentionally vulnerable binaries builds the deeper skills.</p><p><strong>What are the best Windows security courses for Active Directory attacks?</strong> TryHackMe&apos;s Jr Penetration Tester path is the most structured browser-based option, covering the full AD attack chain across a dedicated nine-room module rebuilt for 2026. For mid-level practitioners targeting certification, CRTO from Zero-Point Security is the most practically oriented credential for enterprise AD tradecraft and C2 operation. CRTP from Altered Security covers AD attack paths in depth and is a strong stepping stone between junior-level foundations and CRTO. All three work in sequence.</p><hr><!--kg-card-begin: html--><div style="text-align: center;">  <a href="https://tryhackme.com/path/outline/jrpenetrationtester?ref=blog.tryhackme.com">    <button style="background-color: #222C42; color: white; padding: 15px 20px; border-radius: 10px; font-size: 25px;">     Explore the Jr Pentester Path </button>  </a></div>
<!--kg-card-end: html-->]]></content:encoded></item><item><title><![CDATA[How to Hunt Threats With Splunk and Wazuh: A Practical SOC Analyst Guide]]></title><description><![CDATA[61% of organisations cite staffing as their top threat-hunting barrier. The analysts who close that gap fastest are the ones who practise with real tools on real data before they walk into a SOC environment for the first time.]]></description><link>https://blog.tryhackme.com/how-to-hunt-threats-with-splunk-and-wazuh-a-practical-soc-analyst-guide/</link><guid isPermaLink="false">6a35421491ff6400019c2179</guid><category><![CDATA[Blog]]></category><dc:creator><![CDATA[Nick O'Grady]]></dc:creator><pubDate>Fri, 26 Jun 2026 11:35:14 GMT</pubDate><media:content url="https://blog.tryhackme.com/content/images/2026/06/W26---Banner-3.svg" medium="image"/><content:encoded><![CDATA[<img src="https://blog.tryhackme.com/content/images/2026/06/W26---Banner-3.svg" alt="How to Hunt Threats With Splunk and Wazuh: A Practical SOC Analyst Guide"><p>Threat hunting is not a single tool. It is a workflow that draws on multiple data sources, query languages, and investigative techniques simultaneously. Splunk and Wazuh are the two most commonly deployed open-source and enterprise SIEM platforms in SOC environments, and understanding how to use both is the practical skill set that separates entry-level analysts from Tier 2 investigators.</p><p><a href="https://simbian.ai/blog/automated-threat-hunting-guide?ref=blog.tryhackme.com">61% of organisations cite staffing as their top threat-hunting barrier.</a> The analysts who close that gap fastest are the ones who practise with real tools on real data before they walk into a SOC environment for the first time. This guide covers what threat hunting with Splunk and Wazuh actually looks like, with the specific queries and techniques you need to build.</p><hr><h2 id="what-is-the-difference-between-splunk-and-wazuh"><strong>What Is the Difference Between Splunk and Wazuh?</strong></h2><p>Both are SIEM platforms. They serve different contexts and complement each other rather than compete.</p><p><strong>Splunk</strong> is the enterprise standard. It ingests log data from across an entire organisation, indexes it, and makes it searchable through SPL (Search Processing Language). Splunk Enterprise Security adds correlation searches, risk-based alerting, and threat intelligence integration on top. It is the SIEM you will encounter most frequently in large enterprise and MSSP environments.<a href="https://www.decryptiondigest.com/blog/splunk-spl-queries-cheat-sheet?ref=blog.tryhackme.com"> Splunk&apos;s dominance in enterprise security operations is built on SPL: every investigation, detection, and dashboard in Splunk Enterprise Security is ultimately a search written in SPL.</a></p><p><strong>Wazuh</strong> is the open-source alternative. It combines SIEM, XDR, and endpoint detection capability in a single deployable platform: a manager that receives logs, a set of built-in detection rules, file integrity monitoring, active response capability, and a dashboard built on the Elastic Stack. It is what you encounter in smaller organisations, home labs, and SOC training environments - and it is increasingly deployed alongside Splunk for endpoint-specific detection that Splunk&apos;s log ingestion does not cover natively.</p><p>In a combined deployment, Wazuh agents collect and pre-process endpoint data, and Wazuh alerts are forwarded to Splunk for correlation with other log sources. Understanding both is how you cover the full detection surface.</p><hr><h2 id="how-do-you-hunt-threats-in-splunk"><strong>How Do You Hunt Threats in Splunk?</strong></h2><p>Threat hunting in Splunk is hypothesis-driven SPL. You form a hypothesis about attacker behaviour, translate it into a query that tests for evidence of that behaviour, and investigate what comes back.</p><p><a href="https://www.decryptiondigest.com/blog/splunk-spl-queries-cheat-sheet?ref=blog.tryhackme.com">The six SPL commands that cover the majority of SOC investigation and detection work are: stats (aggregate and count events by field values), eval (compute new fields and boolean expressions), rex (extract fields from unstructured text), transaction (group related events into sessions), lookup (enrich events with external data), and where (filter using eval-style boolean expressions).</a> Mastering these six before learning the full SPL command set gives you the tools to handle 90% of real investigation scenarios.</p><p>Here are the hunt queries that matter most.</p><p><strong>Hunting brute force authentication:</strong></p><p>spl</p><p>index=auth sourcetype=*ssh* OR sourcetype=*windows* action=failure</p><p>| bucket _time span=5m</p><p>| stats count by src_ip, _time</p><p>| where count &gt; 10</p><p>| sort -count</p><p>Buckets failed authentication events into 5-minute windows. More than 10 failures from the same source IP in 5 minutes is a brute force indicator.</p><p><strong>Hunting lateral movement via Windows event logs:</strong></p><p>spl</p><p>index=wineventlog EventCode=4624 Logon_Type=3</p><p>| stats count by src_ip, dest, user</p><p>| where count &gt; 5</p><p>| sort -count</p><p>Event ID 4624 with Logon Type 3 is a network authentication. Multiple network logons from one source to multiple destinations in a short window indicates lateral movement.</p><p><strong>Hunting suspicious PowerShell execution:</strong></p><p>spl</p><p>index=wineventlog EventCode=4688 CommandLine=&quot;*-EncodedCommand*&quot; OR CommandLine=&quot;*-NonInteractive*&quot; OR CommandLine=&quot;*-WindowStyle Hidden*&quot;</p><p>| table _time, host, user, CommandLine</p><p>| sort -_time</p><p>These PowerShell flags are consistently associated with malicious execution: encoded commands hide payload content, non-interactive and hidden window flags suppress any visible output.</p><p><strong>Hunting C2 beaconing via DNS:</strong></p><p>spl</p><p>index=dns</p><p>| bucket _time span=1h</p><p>| stats count by src_ip, query, _time</p><p>| where count &gt; 50</p><p>| sort -count</p><p>High-frequency DNS queries to the same domain from the same source host are a classic C2 beaconing indicator. Fifty queries per hour is a conservative threshold - tune based on your environment&apos;s baseline.</p><p><a href="https://infosecwriteups.com/splunk-exploring-spl-a-practical-soc-analyst-walkthrough-for-search-detection-and-threat-hunting-ff138c4c7d51?ref=blog.tryhackme.com">As one practitioner noted: instead of reviewing the entire dataset, refine it step by step. Proper time scoping often makes the difference between efficient investigation and chaos.</a> Always specify an explicit time range before expanding scope.</p><hr><h2 id="how-do-you-hunt-threats-in-wazuh"><strong>How Do You Hunt Threats in Wazuh?</strong></h2><p>Wazuh detection is rule-based. Each rule maps to a specific log pattern and fires an alert when that pattern appears in monitored data. Threat hunting in Wazuh means two things: reading and tuning existing rules, and writing new rules for behaviours the defaults do not cover.</p><p><strong>Reading Wazuh alerts.</strong> Every Wazuh alert has a rule ID, a severity level (0 to 15), a description, and the raw log that triggered it. Severity 7 and above is where SOC attention should start. The Wazuh dashboard lets you filter by rule ID, agent (the source host), and time range.</p><p><strong>Key rule categories for threat hunting:</strong></p><ul><li><strong>Rule group authentication_failures:</strong> Covers failed logins across SSH, Windows, and web applications. High volumes from the same source signal brute force.</li><li><strong>Rule group syscheck:</strong> File integrity monitoring. Any unexpected modification to system binaries, configuration files, or startup locations is a persistence indicator.</li><li><strong>Rule group rootcheck:</strong> Checks for known rootkit signatures and suspicious process behaviour.</li><li><strong>Rule group windows:</strong> Windows Security event detection covering logon events, process creation, privilege use, and service installation.</li></ul><p><strong>Writing a custom Wazuh rule</strong> for suspicious PowerShell parent-child relationships:</p><p>xml</p><p>&lt;rule id=&quot;100200&quot; level=&quot;12&quot;&gt;</p><p>&lt;if_sid&gt;61603&lt;/if_sid&gt;</p><p>&lt;field name=&quot;win.eventdata.parentImage&quot; type=&quot;pcre2&quot;&gt;(?i)\\(winword|excel|outlook)\.exe&lt;/field&gt;</p><p>&lt;field name=&quot;win.eventdata.image&quot; type=&quot;pcre2&quot;&gt;(?i)\\powershell\.exe&lt;/field&gt;</p><p>&lt;description&gt;Office application spawning PowerShell - possible macro execution&lt;/description&gt;</p><p>&lt;mitre&gt;</p><p>&lt;id&gt;T1566.001&lt;/id&gt;</p><p>&lt;/mitre&gt;</p><p>&lt;/rule&gt;</p><p>This fires when PowerShell is spawned by an Office application, a common macro-based malware execution pattern.</p><p><a href="https://artempolynko.com/blog/10-soc-analyst-resume-projects/?ref=blog.tryhackme.com">SOC analyst projects that create or tune Wazuh rules for suspicious parent-child process relationships, odd PowerShell command lines, or unusual persistence mechanisms, combined with dashboards that visualise events and drill into alerts, closely align with what enterprise EDR platforms like CrowdStrike, Microsoft Defender, and SentinelOne surface.</a> Building this in a lab environment builds directly transferable skills.</p><hr><h2 id="how-does-wireshark-fit-into-threat-hunting"><strong>How Does Wireshark Fit Into Threat Hunting?</strong></h2><p>Splunk and Wazuh operate on log data. Wireshark operates on packet data. They answer different questions.</p><p>SIEM logs tell you what happened at the operating system and application layer: which processes ran, which accounts authenticated, which files changed. Wireshark tells you what happened at the network layer: exactly what bytes were transmitted, how connections were established, and whether the traffic matches the protocol it claims to be.</p><p>Wireshark becomes essential in threat hunting when:</p><ul><li>A Splunk or Wazuh alert surfaces a suspicious outbound connection. The SIEM tells you a connection occurred. Wireshark tells you what was in it.</li><li>DNS logs suggest C2 beaconing. Wireshark confirms whether the query volume, payload size, and interval are consistent with automated beaconing versus legitimate traffic.</li><li>An alert suggests data exfiltration. Wireshark shows the exact bytes transferred, the destination, and whether the traffic is encrypted in a way that is consistent with the destination.</li></ul><p>The practical workflow: Splunk identifies the suspicious host and time window. You pull a PCAP from that window (via network tap, Zeek, or Security Onion) and open it in Wireshark with the source IP filter applied. The SIEM and Wireshark together give you the full picture that neither provides alone.</p><hr><h2 id="the-core-hunt-techniques-reference-table"><strong>The Core Hunt Techniques Reference Table</strong></h2><!--kg-card-begin: html--><div style="overflow-x:auto; margin: 2em 0; font-family: inherit;">
<table style="width:100%; border-collapse:collapse; font-size:14px; line-height:1.5;">
<thead>
<tr style="background-color:#1a1a2e; color:#a3ea2a;">
<th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Hunt technique</th>
<th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">MITRE ATT&amp;CK</th>
<th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Primary data source</th>
<th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Tool</th>
<th style="padding:10px 12px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Key indicator</th>
</tr>
</thead>
<tbody>
<tr style="background-color:#e8fcd4; border-bottom:1px solid #d0d0d0;">
<td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">Brute force detection</td>
<td style="padding:10px 12px; color:#1a1a2e;">T1110</td>
<td style="padding:10px 12px; color:#1a1a2e;">Auth logs, Windows Event 4625</td>
<td style="padding:10px 12px; color:#1a1a2e;">Splunk SPL / Wazuh rule group authentication_failures</td>
<td style="padding:10px 12px; color:#1a1a2e;">10+ failures from same IP in 5-minute window</td>
</tr>
<tr style="background-color:#f7f7f7; border-bottom:1px solid #d0d0d0;">
<td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">Lateral movement</td>
<td style="padding:10px 12px; color:#1a1a2e;">T1021.002</td>
<td style="padding:10px 12px; color:#1a1a2e;">Windows Event 4624 (Logon Type 3)</td>
<td style="padding:10px 12px; color:#1a1a2e;">Splunk SPL</td>
<td style="padding:10px 12px; color:#1a1a2e;">Multiple network logons from one source to many destinations</td>
</tr>
<tr style="background-color:#ffffff; border-bottom:1px solid #d0d0d0;">
<td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">Suspicious PowerShell</td>
<td style="padding:10px 12px; color:#1a1a2e;">T1059.001</td>
<td style="padding:10px 12px; color:#1a1a2e;">Windows Event 4688, Sysmon Event 1</td>
<td style="padding:10px 12px; color:#1a1a2e;">Splunk SPL / Wazuh custom rule</td>
<td style="padding:10px 12px; color:#1a1a2e;">-EncodedCommand, -NonInteractive, -WindowStyle Hidden flags</td>
</tr>
<tr style="background-color:#f7f7f7; border-bottom:1px solid #d0d0d0;">
<td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">C2 beaconing via DNS</td>
<td style="padding:10px 12px; color:#1a1a2e;">T1071.004</td>
<td style="padding:10px 12px; color:#1a1a2e;">DNS logs, Zeek dns.log</td>
<td style="padding:10px 12px; color:#1a1a2e;">Splunk SPL / Wireshark</td>
<td style="padding:10px 12px; color:#1a1a2e;">50+ queries/hour to same domain, consistent intervals</td>
</tr>
<tr style="background-color:#ffffff; border-bottom:1px solid #d0d0d0;">
<td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">Malicious macro execution</td>
<td style="padding:10px 12px; color:#1a1a2e;">T1566.001</td>
<td style="padding:10px 12px; color:#1a1a2e;">Sysmon process creation logs</td>
<td style="padding:10px 12px; color:#1a1a2e;">Wazuh custom rule</td>
<td style="padding:10px 12px; color:#1a1a2e;">Office application spawning PowerShell or cmd.exe</td>
</tr>
<tr style="background-color:#f7f7f7; border-bottom:1px solid #d0d0d0;">
<td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">Persistence via file modification</td>
<td style="padding:10px 12px; color:#1a1a2e;">T1547</td>
<td style="padding:10px 12px; color:#1a1a2e;">File integrity monitoring</td>
<td style="padding:10px 12px; color:#1a1a2e;">Wazuh syscheck rule group</td>
<td style="padding:10px 12px; color:#1a1a2e;">Unexpected modification to startup locations, system binaries</td>
</tr>
<tr style="background-color:#ffffff; border-bottom:1px solid #d0d0d0;">
<td style="padding:10px 12px; font-weight:600; color:#1a1a2e;">Data exfiltration</td>
<td style="padding:10px 12px; color:#1a1a2e;">T1048</td>
<td style="padding:10px 12px; color:#1a1a2e;">Network traffic, Zeek conn.log</td>
<td style="padding:10px 12px; color:#1a1a2e;">Splunk SPL / Wireshark</td>
<td style="padding:10px 12px; color:#1a1a2e;">Large outbound transfers outside business hours to unusual destinations</td>
</tr>
</tbody>
</table>
</div><!--kg-card-end: html--><hr><h2 id="how-do-you-practise-these-skills-without-a-live-soc-environment"><strong>How Do You Practise These Skills Without a Live SOC Environment?</strong></h2><p>TryHackMe&apos;s<a href="https://tryhackme.com/path/outline/soclevel1?ref=blog.tryhackme.com"> SOC Level 1 path</a> covers Splunk, Wazuh, and Wireshark in guided, hands-on lab rooms with real log data and pre-configured environments. You are not reading about SPL. You are writing queries against actual Windows event logs, actual network captures, and actual Wazuh alerts in a live environment that runs in your browser.</p><p>The<a href="https://tryhackme.com/module/threat-hunting?ref=blog.tryhackme.com"> Threat Hunting module</a> extends this into hypothesis-driven investigation: forming a hunt hypothesis, selecting the right data sources, writing the queries, and documenting findings in professional format. Every room in both puts you inside the workflow described in this guide.</p><p>The most effective way to build speed with SPL specifically: practise with a specific query pattern until it is muscle memory, then move to the next.<a href="https://www.decryptiondigest.com/blog/splunk-spl-queries-cheat-sheet?ref=blog.tryhackme.com"> The analysts who are most effective in Splunk are not the ones who know the most SPL commands but the ones who have a library of proven patterns they can adapt quickly to new investigation scenarios.</a> Build the library. The speed follows.</p><hr><p></p><!--kg-card-begin: html--><div style="text-align: center;">  <a href="https://tryhackme.com/module/threat-hunting?ref=blog.tryhackme.com">    <button style="background-color: #222C42; color: white; padding: 15px 20px; border-radius: 10px; font-size: 25px;">     Explore The Threat Hunting Module </button>  </a></div>
<!--kg-card-end: html--><h2 id="faq"><strong>FAQ</strong></h2><p><strong>What does a blue team do in cyber security?</strong> The blue team is the defensive side of a security operations function. Blue team analysts monitor networks and endpoints for threats, investigate alerts from SIEM platforms like Splunk and Wazuh, respond to confirmed incidents, and tune detection rules to improve coverage over time. The work spans alert triage at Tier 1 through deep forensic investigation at Tier 2 and above, threat hunting at senior levels, and detection engineering for the most experienced practitioners.</p><p><strong>How do I practise log analysis for cyber security?</strong> Start with a SIEM platform and real log data. TryHackMe&apos;s SOC Level 1 path provides both: guided rooms with pre-loaded Windows event logs, network captures, and Splunk search environments. The specific skills to practise are: identifying which log sources contain evidence for a given hypothesis, writing queries that filter those logs down to the events you need, and reading event fields accurately enough to determine whether an alert is a true or false positive.</p><p><strong>How do I use Wireshark for network analysis?</strong> Wireshark captures and dissects network traffic at packet level. The most important skill is filtering: use the display filter bar to narrow from millions of packets to the specific traffic you are investigating. Common useful filters: ip.addr == 10.10.10.5 to isolate a specific host, dns to view only DNS traffic, http.request to view only HTTP requests, tcp.flags.syn == 1 &amp;&amp; tcp.flags.ack == 0 to see connection initiations. Follow a TCP stream (right-click any packet, select Follow &gt; TCP Stream) to reconstruct the full conversation between two hosts. Use Statistics &gt; Conversations to quickly identify the highest-volume connections in a capture.</p><p><strong>What is the best way to practise network traffic analysis best practices?</strong> The most effective method is investigating real PCAP files from known attack scenarios. Pair Wireshark analysis with Zeek log review: Zeek transforms raw traffic into structured connection, DNS, HTTP, and SSL logs that are faster to query than reading individual packets. TryHackMe&apos;s network security monitoring content in the SOC Level 1 path provides guided practice across both tools against real attack traffic.</p><hr><!--kg-card-begin: html--><div style="text-align: center;">  <a href="https://tryhackme.com/module/threat-hunting?ref=blog.tryhackme.com">    <button style="background-color: #222C42; color: white; padding: 15px 20px; border-radius: 10px; font-size: 25px;">     Explore The Threat Hunting Module </button>  </a></div>
<!--kg-card-end: html-->]]></content:encoded></item><item><title><![CDATA[How to Start a Career in Cloud Security: What You Need to Know in 2026]]></title><description><![CDATA[Cloud security is one of the fastest-growing and best-paid specialisations in cyber security right now. Cloud security spending is projected to grow 18% annually, driven by increasing cyber threats and multi-cloud adoption.]]></description><link>https://blog.tryhackme.com/how-to-start-a-career-in-cloud-security-what-you-need-to-know-in-2026/</link><guid isPermaLink="false">6a3e545391ff6400019c22f9</guid><category><![CDATA[Blog]]></category><dc:creator><![CDATA[Nick O'Grady]]></dc:creator><pubDate>Fri, 26 Jun 2026 10:42:40 GMT</pubDate><media:content url="https://blog.tryhackme.com/content/images/2026/06/W26---Banner-2.svg" medium="image"/><content:encoded><![CDATA[<img src="https://blog.tryhackme.com/content/images/2026/06/W26---Banner-2.svg" alt="How to Start a Career in Cloud Security: What You Need to Know in 2026"><p>Cloud security is one of the fastest-growing and best-paid specialisations in cyber security right now.<a href="https://www.refontelearning.com/salary-guide/cloud-security-engineer-salary-guide-2026?ref=blog.tryhackme.com"> Cloud security spending is projected to grow 18% annually, driven by increasing cyber threats and multi-cloud adoption.</a><a href="https://thinkcloudly.com/blog/cloud-job-insights/?ref=blog.tryhackme.com"> Over 90% of organisations face IT skills shortages, and cloud security professionals are among the hardest roles to fill.</a> That gap between demand and supply is your opportunity.</p><p>The question is not whether cloud security is worth pursuing. It clearly is. The question is how to get there from where you are starting right now.</p><hr><h2 id="what-does-a-cloud-security-career-actually-look-like"><strong>What Does a Cloud Security Career Actually Look Like?</strong></h2><p>Cloud security is not a single job. It is a collection of roles that sit at the intersection of cloud infrastructure and security operations. The work differs significantly depending on which role you are in.</p><p><strong>Cloud Security Engineer</strong> is the most common destination role. You design, implement, and maintain security controls across cloud environments: IAM policies, network segmentation, encryption, logging and monitoring, and incident response capability. You are the person who makes sure the cloud infrastructure is configured securely and stays that way.<a href="https://practicetestgeeks.com/aws/job-market?ref=blog.tryhackme.com"> Entry-level cloud security engineers earn $85,000 to $110,000 in the US, with senior engineers clearing $200,000 or more at major tech firms.</a></p><p><strong>Cloud Security Analyst</strong> sits closer to SOC operations. You monitor cloud environments for threats, investigate alerts from cloud-native security services like AWS GuardDuty, Azure Defender, and GCP Security Command Center, and respond to incidents in cloud infrastructure. The detection and response skills you build in SOC work transfer directly here.</p><p><strong>DevSecOps Engineer</strong> embeds security into the software delivery pipeline. Infrastructure as code scanning, container image security, CI/CD pipeline security controls, and shift-left practices that catch misconfigurations before they reach production.<a href="https://www.refontelearning.com/salary-guide/cloud-security-engineer-salary-guide-2026?ref=blog.tryhackme.com"> Roles that integrate DevSecOps practices are among the most in-demand cloud security positions in 2026, with top salaries reaching $225,000 annually.</a></p><p><strong>Cloud Penetration Tester</strong> assesses cloud environments offensively: testing IAM misconfigurations, storage access controls, network exposure, container escape paths, and attack paths through cloud-native services. Cloud penetration testing is increasingly expected as a core skill in enterprise security assessments, not just a specialist engagement type.</p><hr><h2 id="what-cyber-skills-are-most-in-demand-for-cloud-security-in-2026"><strong>What Cyber Skills Are Most in Demand for Cloud Security in 2026?</strong></h2><p>The skills that appear most consistently in cloud security job postings are specific. Here is what employers are actually looking for.</p><p><strong>Identity and Access Management (IAM).</strong> IAM misconfigurations are the most common cloud vulnerability and the most common initial access vector in cloud breaches. Understanding how to write least-privilege IAM policies, audit existing permissions, manage service accounts and non-human identities, and detect over-permissioned roles is the foundational cloud security skill. This applies across AWS (IAM policies, roles, permission boundaries), Azure (RBAC, Entra ID, service principals), and GCP (IAM bindings, service accounts).</p><p><strong>Misconfiguration detection and remediation.</strong> Public S3 buckets, exposed storage containers, overly permissive security groups, publicly accessible databases: cloud misconfigurations are responsible for a significant proportion of cloud breaches and they are detectable with the right tooling and methodology. Cloud Security Posture Management (CSPM) tools automate detection at scale. Understanding what they find and how to fix it is the operational skill.</p><p><strong>Container and Kubernetes security.</strong> Container adoption has made Kubernetes security a core requirement in most cloud security roles. Pod security contexts, network policies, RBAC for Kubernetes, container image scanning, and runtime threat detection are all expected knowledge.<a href="https://www.refontelearning.com/blog/cloud-security-engineering-in-2026-best-practices-and-career-outlook?ref=blog.tryhackme.com"> Cloud security engineers must protect ephemeral workloads and container images, with runtime scanning and image signing becoming essential skills in 2026.</a></p><p><strong>Infrastructure as Code (IaC) security.</strong> Terraform and CloudFormation are how cloud infrastructure is built in most enterprise environments. Scanning IaC templates for misconfigurations before deployment, using tools like Checkov or tfsec, is the shift-left security practice that DevSecOps roles require.</p><p><strong>Cloud-native threat detection.</strong> AWS CloudTrail, Azure Monitor, GCP Cloud Logging, and the native security services built on top of them (GuardDuty, Defender for Cloud, Security Command Center) are the primary detection tools in cloud environments. Knowing how to configure them, what they capture, and how to investigate their alerts is essential for cloud security analyst and engineer roles.</p><hr><h2 id="what-qualifications-do-you-need-for-cloud-security"><strong>What Qualifications Do You Need for Cloud Security?</strong></h2><p>The honest answer: foundational cloud knowledge first, security layer second.</p><p>You cannot secure a cloud environment you do not understand. Before specialising in cloud security, spend time with at least one major cloud platform at the foundational level. AWS Cloud Practitioner, Azure Fundamentals (AZ-900), or GCP Cloud Digital Leader all cover the architectural concepts that make cloud security controls meaningful rather than abstract.</p><p>Once the foundation is in place, the security-specific credentials matter.<a href="https://thinkcloudly.com/blog/cloud-job-insights/?ref=blog.tryhackme.com"> AWS Certified Security Specialty saw demand surge 73% in 2025 and commands a significant salary premium for cloud security roles.</a> Microsoft SC-200 (Security Operations Analyst) and AZ-500 (Azure Security Engineer) are the equivalent Azure credentials.<a href="https://flashgenius.net/blog-article/aws-vs-azure-vs-gcp-certifications-the-ultimate-2026-guide-to-choosing-your-cloud-career-path?ref=blog.tryhackme.com"> GCP Professional Cloud Security Engineer sits at $159,135 average salary, with GCP Cloud Network Engineer at $163,198 - reflecting the scarcity of GCP security specialists.</a></p><p><a href="https://www.isc2.org/Insights/2026/04/your-cloud-security-certification-roadmap-for-career-success?ref=blog.tryhackme.com">ISC2 recommends building a layered credential roadmap: foundational security (CompTIA Security+ or ISC2 CC), then operational cloud security skills, then CCSP (Certified Cloud Security Professional) as the vendor-neutral cloud security milestone that validates multi-cloud readiness.</a> Pair CCSP with one platform-specific credential for the strongest hiring signal.</p><p>For hands-on preparation, TryHackMe&apos;s cloud security rooms cover the practical skills that certifications test in a browser-based lab environment. No cloud account setup required. The<a href="https://tryhackme.com/path/outline/soclevel1?ref=blog.tryhackme.com"> SOC Level 1 path</a> builds the detection and investigation foundation. TryHackMe&apos;s cloud security rooms extend this into cloud-specific monitoring, IAM, and misconfiguration identification.</p><hr><h2 id="cloud-security-career-paths-roles-skills-and-salaries"><strong>Cloud Security Career Paths: Roles, Skills and Salaries</strong></h2><!--kg-card-begin: html--><div style="overflow-x:auto; margin: 2em 0; font-family: inherit;">
<table style="width:100%; border-collapse:collapse; font-size:15px; line-height:1.5;">
<thead>
<tr style="background-color:#1a1a2e; color:#a3ea2a;">
<th style="padding:12px 14px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Role</th>
<th style="padding:12px 14px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Core skills</th>
<th style="padding:12px 14px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">US salary range</th>
<th style="padding:12px 14px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">Key certifications</th>
<th style="padding:12px 14px; text-align:left; font-weight:700; border-bottom:2px solid #a3ea2a;">TryHackMe starting point</th>
</tr>
</thead>
<tbody>
<tr style="background-color:#e8fcd4; border-bottom:1px solid #d0d0d0;">
<td style="padding:12px 14px; font-weight:600; color:#1a1a2e;">Cloud Security Analyst</td>
<td style="padding:12px 14px; color:#1a1a2e;">SIEM, cloud-native detection tools, log analysis, incident response in cloud environments</td>
<td style="padding:12px 14px; color:#1a1a2e;">$75,000 to $110,000</td>
<td style="padding:12px 14px; color:#1a1a2e;">SC-200, AWS Security Specialty, CompTIA Security+</td>
<td style="padding:12px 14px; color:#1a1a2e;"><a href="https://tryhackme.com/path/outline/soclevel1?ref=blog.tryhackme.com" style="color:#2a7a00;">SOC Level 1 path</a></td>
</tr>
<tr style="background-color:#f7f7f7; border-bottom:1px solid #d0d0d0;">
<td style="padding:12px 14px; font-weight:600; color:#1a1a2e;">Cloud Security Engineer</td>
<td style="padding:12px 14px; color:#1a1a2e;">IAM, CSPM, network security groups, encryption, IaC security, container security</td>
<td style="padding:12px 14px; color:#1a1a2e;">$110,000 to $160,000</td>
<td style="padding:12px 14px; color:#1a1a2e;">AWS Security Specialty, AZ-500, CCSP</td>
<td style="padding:12px 14px; color:#1a1a2e;"><a href="https://tryhackme.com/path/outline/soclevel1?ref=blog.tryhackme.com" style="color:#2a7a00;">SOC Level 1 path</a> + cloud security rooms</td>
</tr>
<tr style="background-color:#ffffff; border-bottom:1px solid #d0d0d0;">
<td style="padding:12px 14px; font-weight:600; color:#1a1a2e;">DevSecOps Engineer</td>
<td style="padding:12px 14px; color:#1a1a2e;">CI/CD security, Terraform, container scanning, shift-left practices, Python/Bash scripting</td>
<td style="padding:12px 14px; color:#1a1a2e;">$120,000 to $175,000</td>
<td style="padding:12px 14px; color:#1a1a2e;">CKS, AWS DevOps Professional, HashiCorp Terraform Associate</td>
<td style="padding:12px 14px; color:#1a1a2e;"><a href="https://tryhackme.com/path/outline/jrpenetrationtester?ref=blog.tryhackme.com" style="color:#2a7a00;">Jr Penetration Tester path</a> + cloud rooms</td>
</tr>
<tr style="background-color:#f7f7f7; border-bottom:1px solid #d0d0d0;">
<td style="padding:12px 14px; font-weight:600; color:#1a1a2e;">Cloud Penetration Tester</td>
<td style="padding:12px 14px; color:#1a1a2e;">IAM privilege escalation, storage misconfiguration testing, container escape, cloud attack paths</td>
<td style="padding:12px 14px; color:#1a1a2e;">$110,000 to $165,000</td>
<td style="padding:12px 14px; color:#1a1a2e;">PT1, OSCP, AWS Security Specialty</td>
<td style="padding:12px 14px; color:#1a1a2e;"><a href="https://tryhackme.com/path/outline/jrpenetrationtester?ref=blog.tryhackme.com" style="color:#2a7a00;">Jr Penetration Tester path</a></td>
</tr>
<tr style="background-color:#ffffff; border-bottom:1px solid #d0d0d0;">
<td style="padding:12px 14px; font-weight:600; color:#1a1a2e;">Cloud Security Architect</td>
<td style="padding:12px 14px; color:#1a1a2e;">Multi-cloud security design, Zero Trust architecture, security governance, stakeholder communication</td>
<td style="padding:12px 14px; color:#1a1a2e;">$160,000 to $225,000+</td>
<td style="padding:12px 14px; color:#1a1a2e;">CISSP, CCSP, AWS Solutions Architect Professional</td>
<td style="padding:12px 14px; color:#1a1a2e;">Target after 5+ years in cloud security roles</td>
</tr>
</tbody>
</table>
<p style="font-size:13px; color:#888; margin-top:8px;">Salary data from Refonte Learning, Practice Test Geeks, and FlashGenius (2026). Ranges vary by location, employer type, and experience level.</p>
</div><!--kg-card-end: html--><hr><h2 id="which-cloud-platform-should-you-focus-on-first"><strong>Which Cloud Platform Should You Focus on First?</strong></h2><p><a href="https://practicetestgeeks.com/aws/job-market?ref=blog.tryhackme.com">AWS still dominates with 30 to 32% of global cloud infrastructure market share, making it the broadest global job market for most roles.</a><a href="https://thinkcloudly.com/blog/cloud-job-insights/?ref=blog.tryhackme.com"> Azure is closing the gap fast, particularly in enterprise environments, finance, healthcare, and government - and is the stronger choice if you are targeting large enterprises or operating in Europe.</a> GCP holds 10 to 12% of market share but the roles that require it tend to pay more, reflecting genuine scarcity of GCP security specialists.</p><p>The practical advice: pick one platform, go deep, then expand.<a href="https://codelabsacademy.com/en/blog/cloud-skills-in-2026-aws-azure-gcp-roles?ref=blog.tryhackme.com"> AWS usually offers the broadest global job market; Azure is strong with large enterprises using Microsoft tools; GCP is popular for data and ML roles.</a> The core concepts - IAM, network security, logging, encryption - transfer across all three platforms. Start with the one most common in your target job market.</p><hr><h2 id="faq"><strong>FAQ</strong></h2><p><strong>What cyber skills are most in demand for cloud security in 2026?</strong> IAM configuration and auditing, cloud misconfiguration detection, container and Kubernetes security, Infrastructure as Code scanning, and cloud-native threat detection using platform tools like AWS GuardDuty, Azure Defender, and GCP Security Command Center. These appear most consistently across cloud security job postings in 2026 and represent the skill gaps organisations are most actively trying to fill.</p><p><strong>What are the salary expectations for entry-level cloud security roles in 2026?</strong> Entry-level cloud security analyst roles typically range from $75,000 to $110,000 in the US. Cloud security engineers at entry level earn $85,000 to $110,000.<a href="https://practicetestgeeks.com/aws/job-market?ref=blog.tryhackme.com"> AWS certifications add $10,000 to $25,000 to compensation on average.</a> Salary varies significantly by location, with San Francisco, Seattle, New York, and Northern Virginia commanding premiums above national averages.</p><p><strong>What cyber security career path should I choose if I am interested in cloud?</strong> If you want to work defensively, target Cloud Security Analyst first. The SOC skills you build - SIEM, log analysis, incident response - transfer directly into cloud security operations. If you have a development or infrastructure background, DevSecOps or Cloud Security Engineer is the natural path. If you want to work offensively, Cloud Penetration Tester is the destination, but build standard penetration testing foundations through the Jr Penetration Tester path first before specialising in cloud attack techniques.</p><p><strong>Do you need a computer science degree to get into cloud security?</strong> No.<a href="https://thinkcloudly.com/blog/cloud-job-insights/?ref=blog.tryhackme.com"> Many successful cloud engineers come from IT support, networking, software development, or even unrelated fields. Employers care far more about what you can demonstrate than where you went to school.</a> A combination of platform certifications, security credentials, and documented hands-on lab work is what gets you hired in cloud security, not a degree.</p><p><strong>How long does it take to start a career in cloud security?</strong> With consistent effort, most people build enough foundational cloud and security knowledge to target entry-level cloud security analyst roles within 12 to 18 months. The path: cloud fundamentals (two to three months), security foundations (two to three months), cloud security specialisation including one vendor-specific credential (four to six months), plus consistent hands-on practice throughout. The hands-on element is what separates candidates who get interviews from those who do not.</p><hr><p></p><!--kg-card-begin: html--><div style="text-align: center;">  <a href="https://tryhackme.com/room/introductiontocloudsecurityc6?ref=blog.tryhackme.com">    <button style="background-color: #222C42; color: white; padding: 15px 20px; border-radius: 10px; font-size: 25px;">     Start Building Cloud Security Skills On TryHackMe </button>  </a></div>
<!--kg-card-end: html-->]]></content:encoded></item></channel></rss>