Training · SOC · Tier 1 → Tier 3

From your first alert to your first incident command.

A tier-laddered SOC training programme built on replayed engagement telemetry from real attacks. You triage, escalate, investigate, and coordinate — on the same SIEM, EDR, and ticketing stack you'll meet on the job. No simulated PCAPs. No toy alerts.

The training gap

The first time you should see a real alert isn't on your first shift.

Most SOC certifications are theory exams followed by a slide deck. The graduate sits down on their first shift, opens the SIEM, and freezes at the first real noise. Cyberange SOC training is the opposite: the curriculum is the alert queue, and the assessment is how cleanly you worked the queue.

01 · Theory courses don't survive contact

Memorising the MITRE matrix is not the same as recognising T1059 in a process tree at 3 AM. The map is not the territory.

02 · Synthetic labs teach synthetic skills

A toy SIEM with three rules and ten alerts teaches you how to use the UI. It does not teach you how to pick the alert that actually matters from a queue of two thousand.

03 · No exposure to the human layer

Real SOC work is shift handovers, escalation calls, war-room comms, and IR-lead briefings. Solo lab work doesn't rehearse any of it.

The tier ladder

Three tiers. One curriculum spine. You climb at your pace.

Each tier is a standalone certification you can ship. They also stack — a Tier-3 graduate has explicitly demonstrated everything the Tier-1 and Tier-2 tracks measured. No-one skips levels; everyone who finishes can do the work below them in their sleep.

Three-tier SOC analyst progression: Tier 1 triage, Tier 2 investigation, Tier 3 incident command. Each tier shows the capabilities, the tooling, and the typical engagement.

  Tier 1 · Triage
    Capabilities: alert classification · IOC enrichment · noise vs signal · L1 escalation playbooks
    Tooling: SIEM · EDR (read) · ITSM

  Tier 2 · Investigate
    Capabilities: kill-chain reconstruction · host + memory triage · network forensics · L1↔L3 bridge
    Tooling: SIEM (advanced) · EDR (write) · NDR · sandbox

  Tier 3 · Command
    Capabilities: incident command · detection engineering · threat-hunt leadership · war-room comms
    Tooling: full SOC stack · SOAR · TIP · case mgmt

Shippable certification at each tier · cumulative portfolio by Tier 3. Typical cadence: 8 / 10 / 12 weeks.

What you do on the programme

Less reading. More queueing.

Work a real alert queue

Every session opens with a fresh queue of alerts replayed from real engagements — including false positives, noisy detections, and the one alert that actually matters.

Pivot through a live SIEM

Splunk-style and Elastic-style query syntax. KQL for cloud-native workloads. You write the queries; the data is real.

Investigate from the EDR up

Process trees, parent-child anomalies, command-line parsing, memory captures. The tools you'll actually use, not screenshots of them.

Run handovers and escalations

Each shift ends with a written handover. Each escalation requires a verbal brief. The human protocol is graded, not just the technical work.

Build detections from findings

Tier 2 onward: every confirmed finding gets a new Sigma or EQL rule. You finish the programme with a portfolio of rules you authored.

Sit a 24-hour lab exam

Capstone for each tier. Live SIEM, live engagement telemetry, live escalation paths. You either work the queue, or you don't.

Sample week · Tier 2 · week 5 of 10

What a week on the programme actually looks like.

A representative Tier-2 week. Mornings are queue work and one investigation; afternoons are detection engineering, drills, or guest sessions. Friday is debrief and write-up.

  1. Monday

    Queue triage + chosen investigation

    Open the replayed queue from a weekend incident. Work it down. Pick one alert worth deeper investigation. Open a case. Write the initial timeline.

  2. Tuesday

    EDR + memory workshop

    Live walkthrough of process tree reconstruction. Parent-child anomalies, signed-binary masquerading, in-memory loaders. You analyse three captures, one in front of the cohort.

  3. Wednesday

    Detection-engineering studio

    Take Monday's finding. Author a Sigma rule that would have alerted earlier. Test it against ninety days of historical data for false-positive load. Tune. Ship.

  4. Thursday

    Incident drill

    Surprise scenario: a multi-host lateral-movement chain detonates across the lab tenant. You run as the on-shift Tier 2. Escalation calls are graded. The instructor plays Tier 1 and Tier 3.

  5. Friday morning

    Cross-shift handover

    Write a structured handover document covering open cases, watch-items, and the Thursday drill's residual gaps. Trade with another cohort member; defend each other's handovers.

  6. Friday afternoon

    Debrief + guest session

    Instructor debrief on the week's misses. Followed by a 45-minute guest session — a working SOC lead, a detection engineer, or an IR consultant taking questions on the discipline.
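Tuesday's parent-child anomalies and Wednesday's author, backtest, tune loop, as an added example that is not part of the Cyberange curriculum or this page: a minimal Python evaluator for a Sigma-style detection (a `selection` block, a `filter` block, the `|endswith` and `|contains` modifiers, and Sigma's case-insensitive string matching) run over constructed Sysmon-like process-creation events that stand in for the "ninety days of historical data". The first draft catches Office applications spawning a shell, the backtest shows it also fires on a finance team's daily Excel macro, and the tuned draft pins the exclusion to that exact parent and script path rather than excluding Excel or PowerShell wholesale. The host names, the script path `C:\Corp\Scripts\refresh_pivot.ps1` and the triage labels are all made up for the example; in the studio the Sigma rule itself would be run through the SIEM's backend, not a toy matcher like this one.

```python
"""Sigma-style parent/child detection: author, backtest for false-positive
load, tune with a narrowly scoped filter.

Added example for this page; not Cyberange code. Events, hosts, script path
and triage labels are constructed. The matcher covers only the subset of
Sigma semantics the rule uses (fields AND, list values OR, endswith /
contains modifiers, case-insensitive compare); it is not a Sigma backend.
"""
from typing import Any, Dict, List

Event = Dict[str, str]

# Constructed "historical" process-creation events with Sysmon-like names.
# 'triage' is the analyst's after-the-fact label, used only to score the
# backtest; the rules never read it.
INCIDENT: List[Event] = [
    {"host": "ws01", "triage": "confirmed",
     "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]
# A finance team's legitimate macro launches the same PowerShell script on
# twelve workstations: the false-positive load the first draft will hit.
BENIGN_MACRO: List[Event] = [
    {"host": f"fin-ws{n:02d}", "triage": "benign",
     "ParentImage": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Corp\Scripts\refresh_pivot.ps1"}
    for n in range(1, 13)
]
UNRELATED: List[Event] = [
    {"host": "ws05", "triage": "benign", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"host": "ws06", "triage": "benign",
     "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
]
HISTORICAL_EVENTS: List[Event] = INCIDENT + BENIGN_MACRO + UNRELATED

# Draft 1: a Sigma 'detection' block written as a Python dict.
# Office parent spawning a shell or script host.
RULE_V1: Dict[str, Any] = {
    "title": "Office application spawning a command shell",
    "detection": {
        "selection": {
            "ParentImage|endswith": ["\\WINWORD.EXE", "\\EXCEL.EXE", "\\POWERPNT.EXE"],
            "Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\wscript.exe"],
        },
        "condition": "selection",
    },
}

# Draft 2, after the backtest: the exclusion requires the exact parent AND
# the exact script path, so Excel and PowerShell stay in scope otherwise.
RULE_V2: Dict[str, Any] = {
    "title": RULE_V1["title"] + " (tuned)",
    "detection": {
        "selection": RULE_V1["detection"]["selection"],
        "filter": {
            "ParentImage|endswith": "\\EXCEL.EXE",
            "CommandLine|contains": "\\Corp\\Scripts\\refresh_pivot.ps1",
        },
        "condition": "selection and not filter",
    },
}


def _field_matches(event: Event, key: str, wanted: Any) -> bool:
    """One 'Field|modifier: value(s)' line; a list of values is an OR."""
    name, _, modifier = key.partition("|")
    value = str(event.get(name, "")).lower()
    for w in (wanted if isinstance(wanted, list) else [wanted]):
        w = str(w).lower()
        if modifier == "endswith" and value.endswith(w):
            return True
        if modifier == "contains" and w in value:
            return True
        if modifier == "" and value == w:
            return True
    return False


def _block_matches(event: Event, block: Dict[str, Any]) -> bool:
    """Every field inside a selection or filter block must match (AND)."""
    return all(_field_matches(event, k, v) for k, v in block.items())


def rule_matches(rule: Dict[str, Any], event: Event) -> bool:
    det = rule["detection"]
    if det["condition"] == "selection":
        return _block_matches(event, det["selection"])
    if det["condition"] == "selection and not filter":
        return (_block_matches(event, det["selection"])
                and not _block_matches(event, det["filter"]))
    raise ValueError(f"unsupported condition: {det['condition']!r}")


def backtest(rule: Dict[str, Any], events: List[Event]) -> Dict[str, int]:
    """Replay the rule over historical events and score the hits."""
    hits = [e for e in events if rule_matches(rule, e)]
    tp = sum(1 for e in hits if e["triage"] == "confirmed")
    return {"hits": len(hits), "true_positives": tp, "false_positives": len(hits) - tp}


if __name__ == "__main__":
    for rule in (RULE_V1, RULE_V2):
        print(f"{rule['title']}: {backtest(rule, HISTORICAL_EVENTS)}")
```

Run stand-alone, the first draft reports 13 hits (1 confirmed, 12 false positives) and the tuned draft 1 hit with no false positives. The design point worth carrying into real Sigma work is the shape of the filter: excluding on `CommandLine` alone, or on `ParentImage` alone, would have silenced far more than the one known-good macro.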

Tooling coverage

You learn the categories. You graduate fluent in the leaders of each.

SIEM

Both index-based and schema-on-read paradigms. Splunk-grade SPL, KQL, and Elastic query DSL — written, not just read.

EDR / XDR

Process-tree investigation, response-action issuing, behavioural-rule authoring, deception-trigger handling.

NDR

Zeek-style protocol analysis. PCAP triage. Beacon detection. Tunnel detection. East-west visibility.

TIP / TI workbench

IOC ingestion, scoring, pivoting. The TAW workbench (see Products) and equivalent open-source stacks.

SOAR

Playbook authoring, automation thresholds, human-in-the-loop checkpoints. When to automate, when not to.

Case management + ITSM

Audit-grade case writing. Handover discipline. Ticket-to-evidence linkage. The unglamorous skill that decides outcomes.

Identity telemetry

AD audit logs, Azure AD sign-ins, OAuth-application surface, service-account abuse patterns.

Sigma · YARA · KQL · SPL · EQL

Detection-engineering languages. Author, test, tune, ship — repeated on every finding.

What you walk away with

A portfolio. A network. A job you can do on day one.

Tier-specific certification

Each capstone pass earns a shippable, lab-verified credential, not just a multiple-choice card.

Authored detection library

Every Sigma / EQL / YARA rule you wrote, indexed and exportable. Show it at interview.

Cohort + alumni network

Tier-3 cohorts pull from across India and beyond. Your handover partner this week is a peer for the rest of your career.

Placement support

Direct interview pipelines into BFSI, MSSPs, sovereign SOCs, and sector CSIRTs. Referral, not lottery.

Mapped to

  • MITRE ATT&CK
  • NIST SP 800-61
  • SANS PICERL
  • ENISA SOC framework
  • AICTE
  • NASSCOM FutureSkills Prime

Alumni

"The lab experience is better than the offensive-security certifications I had taken before. I am almost ashamed I didn't discover Cyberange sooner."
Cyberange alumnus · senior cyber-security practitioner
Cross-track endorsement of the Cyberange lab discipline.

Pick your tier. Pick your cohort. Begin.

Weekend cohorts for working professionals. Weekday cohorts for full-time career changers. Corporate cohorts on request. Most cohorts begin monthly.