Introduction

Hello everyone!

After publishing my previous article on TryHackMe's SOC Level 1 learning path, which was very well received by readers interested in blue-team and SOC roles, I decided to write a follow-up focused on the Security Analyst Level 1 (SAL1) certification itself.

Surprisingly, there are still very few in-depth articles covering SAL1, despite the fact that it's becoming increasingly relevant and recognized in the cybersecurity job market, especially for SOC and blue-team roles.

After taking and passing the exam, I wanted to share my first-hand experience, along with practical study tips and expectations for anyone considering it or wondering how to prepare effectively.

⚠️ This article is intentionally detailed. Feel free to jump directly to the sections that interest you most. Key takeaways are highlighted in bold for easy skimming.

What Is TryHackMe's SAL1?

The Security Analyst Level 1 (SAL1) is a certification issued by TryHackMe that validates a candidate's ability to operate as a junior SOC / security analyst in a real-world environment.

Unlike many purely theory-based certifications, SAL1 places strong emphasis on:

  • Alert triage
  • Log analysis
  • Incident investigation
  • Decision-making and reporting

In short, it evaluates how you think and act as an analyst, not just what you memorize.

How Are Candidates Evaluated?

The certification is earned by completing a structured exam that lasts a total of 5 hours, broken into three parts:

  • 1 hour: Theory exam. Multiple-choice questions focused on SOC concepts and security fundamentals.
  • 2 hours: Practical exam (SOC scenario #1).
  • Another 2 hours: Practical exam (SOC scenario #2).

Each practical exam simulates a real SOC investigation workflow.

Important logistics to know

  • You have 24 hours total from the moment you start the exam to complete all three parts.
  • The sections must be taken in order, but you can take breaks between them.
  • Practical scenarios are randomized, meaning:
      • Each candidate gets a different combination of investigations
      • Sharing specifics is both impractical and against policy

This flexible structure allows you to manage fatigue, which is crucial, especially during the investigation phases.

How to Learn the Theory in SOC L1

Follow the official SOC Level 1 learning path

If you're preparing for SAL1, I strongly recommend completing the TryHackMe SOC Level 1 learning path, which is the official and most aligned preparation material for the certification.

This path has been recently revamped and is now far more focused on:

  • Real SOC workflows
  • Analyst responsibilities
  • Decision-making under realistic constraints

The exam does not only test tool usage; it evaluates whether you understand why you're doing something, just like in a real job.

Don't skip the "prerequisites" sections

Before starting each room, check the suggested prerequisite rooms. Even if some titles sound basic, they often include:

  • Subtle but important details
  • Real-world context missing from higher-level rooms

If you're completely new to cybersecurity, starting with the Pre-Security learning path is a smart move: it builds a solid foundation for everything that follows.

Take notes (yes, it helps)

Writing short notes, especially for:

  • Detection logic
  • Attack phases
  • Log patterns

…can significantly reinforce your understanding and help during revision.

What to Expect in the Theory Exam

For context, before taking SAL1 I had already passed CompTIA Security+ and Blue Team Level 1 (BTL1).

Because of that, the theory exam felt familiar in structure and difficulty. If you already hold certifications like Security+, CySA+, or BTL1, you'll recognize many of the concepts, and this part may be easier for you.

However, SAL1 still includes:

  • SOC-specific workflows
  • TryHackMe-specific topics
  • Modern detection and response concepts

Also, keep in mind:

Even though the exam is multiple-choice, some questions include very similar answers. You'll need real understanding, not guessing, to choose the most accurate one.

Key takeaway

All theory covered in the exam comes directly from the SOC Level 1 path. If you complete it thoroughly and understand the content, you are already well prepared.

A good final step before the exam is to revisit rooms you feel less confident about.

How to Learn the Practical Skills in SOC L1

One common mistake among TryHackMe learners is getting overwhelmed by the number of tools to learn. My advice:

Slow down. Understand what you're doing and why. Be patient.

While learning, make sure you master the main tools, which are essential to your career and the ones most often used in real-world jobs, namely:

  • Splunk
  • Elastic
  • Wireshark
  • Brim

Among them, Splunk deserves special attention, as it is the primary investigation tool during the exam.

Lesser-known tools still matter

Some tools may not appear directly in the exam, but they help you develop intuition and investigative thinking.

Understand the intent of each and what you are trying to achieve with them. Then pick up your favorites as your complementary professional tools.

For example, I really enjoyed using NetworkMiner, so even though it won't appear in the exam, I may well use it in my future practical investigations. Its practice room alone also helped broaden my understanding of network investigations.

What to Expect in the Practical Exam

The practical exam uses TryHackMe's SOC environment, which is one of the platform's strongest features. It does an excellent job simulating a real SOC workflow.

You can expect to:

1. Work with a ticketing system

You'll be required to:

  • Take ownership of unassigned alerts
  • Assess alert severity and relevance
  • Perform investigations
  • Decide whether the alert is a true or false positive
  • Determine if escalation is required
  • Write a clear and complete incident report

2. Use Splunk as your primary SIEM

Most investigations revolve around:

  • Searching logs
  • Correlating events
  • Identifying malicious patterns

3. Use TryTestMe for enrichment

TryTestMe is available in a VM and works similarly to VirusTotal, allowing you to:

  • Check IP addresses
  • Analyze domains
  • Investigate file hashes

This helps validate findings during investigations.

How to Prepare for the Practical Exam

To be fully ready:

Complete the SOC Level 1 path thoroughly

  • Focus on rooms related to:
      • SIEM usage
      • Alert triage
      • Incident escalation
      • Reporting
  • Master Splunk by completing the related rooms:
      • Splunk Basics
      • Incident Handling with Splunk
      • Investigating with Splunk
      • Exploring SPL
  • Recommended for practicing Splunk with realistic scenarios:
      • Benign
      • PS Eclipse
      • Conti

Complete the two free SOC investigation rooms

  • Read and understand TryHackMe's investigation rooms documentation
  • Practice writing clear, concise reports

⏱️ Time is tight during the exam, so use it wisely.

Conclusion

I hope this article gives you a clear and realistic idea of what the SAL1 exam looks like and how to prepare for it effectively.

Key Takeaways:

  • SAL1 is practical, not just theory
  • Splunk and investigation/reporting skills are critical
  • The official SOC L1 path aligns closely with exam content

Please remember to respect TryHackMe's non-disclosure policies if you decide to share your own experience. As you've seen, it's absolutely possible to help others without revealing exam content.

  • Have you already taken the SAL1 certification?
  • Do you think I missed something important?
  • Did this guide help you?

✨ Let me know in the comments, and good luck to everyone preparing!