June 13, 2026
Understanding Defensive Security: My First Step into the Blue Team World #002
Mr. Rajak
When most people hear the word "cybersecurity," they instantly picture a hacker in a dark hoodie furiously typing on a keyboard, breaking into systems, and exploiting flaws. This aggressive side of cybersecurity is known as Offensive Security (or the "Red Team"). But organizations don't just need people to break into things. They desperately need professionals who can build the walls, watch the security cameras, and respond when the alarms go off. This is Defensive Security (the "Blue Team"). Recently, I completed the TryHackMe Defensive Security Intro room. It is a fantastic, beginner-friendly introduction to how the good guys protect networks. Unlike highly technical rooms, this one focuses on the big picture: the roles, daily tasks, and processes that keep a company safe. If you are curious about starting a career on the Blue Team, here is a breakdown of what I learned.
What Is Defensive Security?
Defensive Security is the practice of protecting computer systems, networks, and private data from cyber attacks.
Think of it like securing a physical building. The primary goals are:
- Prevention: Locking the doors before a burglar arrives.
- Detection: Setting up motion sensors to know if someone breaks in.
- Response: Calling security the moment an alarm goes off.
While offensive hackers look for weak spots to exploit, defensive professionals work to fix those weak spots and reduce risk. Their daily tasks include training employees not to click bad links, updating software, managing firewalls, and monitoring logs for suspicious activity.
1. The Security Operations Center (SOC)
The Security Operations Center (SOC) is the command center of cybersecurity. Think of a SOC as a room full of security guards watching dozens of camera feeds, looking for anything out of the ordinary.
A SOC team is responsible for:
- Watching security alerts as they happen.
- Investigating weird or suspicious events.
- Stopping active network break-ins.
The SOC deals with several common issues daily:
- Vulnerabilities: Weaknesses in software that need to be patched (updated), starting with the ones exposed to the internet or already being exploited.
- Policy Violations: Employees accidentally (or purposely) breaking security rules, like uploading secret company data to a public cloud folder.
- Network Intrusions: Attackers getting in through fake emails (phishing) or through software that is unpatched or misconfigured.
2. Threat Intelligence: Knowing Your Enemy
Threat Intelligence is the process of studying the bad guys. It is like a police detective building a psychological profile on a criminal.
Defenders need to answer:
- Who is trying to hack us?
- Why do they want our data?
- What tools do they usually use?
By gathering data from security reports, hidden web forums, and internal logs, organizations can anticipate attacks instead of only reacting to them. If you know a specific hacker group reuses a certain phishing lure, tool, or set of IP addresses, you can write detections and blocks for it in advance, before it is used against you.
3. Digital Forensics: Cyber Crime Scene Investigation
When a hacker successfully breaks in, the security team needs to know exactly what happened. Digital Forensics is the science of collecting digital fingerprints and evidence left behind at the crime scene.
Investigators look closely at:
- File Systems: Did the hacker create, delete, or hide any files?
- System Memory (RAM): Some malware (often called "fileless" malware) lives only in the computer's temporary memory and never writes anything to the hard drive, so a memory capture taken before the machine is powered off is the only place it can be found.
- Logs: Every computer keeps a diary (a log) of what it does: logins, programs started, network connections. Attackers often try to delete these, which is why defenders copy logs to a central server the attacker cannot edit; even when local logs are wiped, the central copy usually survives.
4. Incident Response: The Emergency Action Plan
Finding out you've been hacked is only step one. What do you do next? Incident Response is the emergency step-by-step plan a company follows during a cyber attack.
It has four main phases:
- Preparation: Setting up the tools and training the team before disaster strikes.
- Detection & Analysis: Confirming that a real attack is happening and figuring out how bad it is.
- Containment, Eradication, & Recovery: Stopping the hacker from spreading (Containment), kicking them out of the system entirely (Eradication), and restoring the broken computers (Recovery).
- Post-Incident Activity: Reviewing what went wrong so it never happens again.
5. Malware Analysis: Dissecting the Threat
Malware is a mashup of the words "Malicious Software." It is any program designed to do harm. The TryHackMe room introduced three main types:
- Virus: A piece of malicious code that attaches itself to clean files and spreads from computer to computer, damaging data or systems as it goes.
- Trojan Horse: A program that looks perfectly safe (like a free game) but secretly installs a backdoor that gives the attacker access.
- Ransomware: A program that encrypts your files and demands payment (a ransom) in exchange for the key to unlock them.
To fight these, analysts use Static Analysis (examining the file and its code without running it: hashes, embedded strings, file headers) and Dynamic Analysis (running the sample inside a safe, isolated environment called a sandbox to watch what it actually does).
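To show what the static half of that looks like in practice, here is an added example (my own code, not part of the TryHackMe room). It triages a constructed byte blob standing in for a downloaded "free game" installer: it records the file's hashes, checks for the Windows executable header, pulls out printable strings the way the `strings` utility does, and matches them against a few hypothetical indicator patterns. Nothing in it executes the sample, which is the whole point of static analysis.

```python
import hashlib
import re

# Constructed stand-in for a downloaded "free game" installer: a PE-style
# header followed by a few embedded strings. A real sample would be read
# with open(path, "rb").read() on an isolated analysis machine.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 40
    + b"http://update-check.example/payload.bin\x00"
    + b"cmd.exe /c powershell -enc AAAA\x00"
    + b"\x7f\x01\x02"
    + b"Hello, free game!\x00"
)

MIN_STRING_LEN = 6

# Hypothetical indicator patterns for this example; a real workflow would
# use a curated rule set (YARA rules, for instance).
SUSPICIOUS_PATTERNS = {
    "url": re.compile(r"https?://\S+"),
    "shell": re.compile(r"\b(cmd\.exe|powershell)\b", re.IGNORECASE),
    "encoded_cmd": re.compile(r"-enc\b", re.IGNORECASE),
}


def file_hashes(data: bytes) -> dict:
    """Hashes are recorded first: they identify the sample in threat-intel
    sources and let you share an indicator without sharing the file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_pe(data: bytes) -> bool:
    """Windows executables start with the two magic bytes 'MZ'."""
    return data[:2] == b"MZ"


def extract_strings(data: bytes, min_len: int = MIN_STRING_LEN) -> list:
    """Pull out runs of printable ASCII, like the Unix `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def triage(data: bytes) -> dict:
    """Static triage report: nothing here executes the sample."""
    strings = extract_strings(data)
    indicators = {}
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        matched = [s for s in strings if pattern.search(s)]
        if matched:
            indicators[name] = matched
    return {
        "hashes": file_hashes(data),
        "is_pe": is_pe(data),
        "strings": strings,
        "indicators": indicators,
        "verdict": "escalate to dynamic analysis" if indicators else "no static indicators",
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    print("sha256:", report["hashes"]["sha256"])
    print("PE file:", report["is_pe"])
    for name, hits in report["indicators"].items():
        print(f"{name}: {hits}")
    print("verdict:", report["verdict"])
```

Run it and the sample is flagged on three counts (a download URL, a shell invocation, and an encoded command), which is exactly the kind of evidence that justifies the next step of detonating it in a sandbox. A sample with no string hits is not proven clean; packed or encrypted malware hides its strings on purpose, so "no static indicators" means "needs a different technique", not "safe".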
6. Hands-On: My First SIEM Investigation
The best part of this TryHackMe room was the hands-on simulation using a SIEM.
SIEM stands for Security Information and Event Management. Think of a SIEM as a giant funnel. It takes millions of log entries from every computer, firewall, and server in the company, filters them, and creates an organized dashboard of security alerts for the SOC team to read.
In the simulation, I played a SOC Analyst. I learned that:
- Not every flashing red alert is a real hacker. Sometimes, it's just a broken printer or an employee making a typo.
- Investigation is key. You have to check the reputation of the IP addresses (the digital home addresses of the computers connecting to yours) before sounding the alarm.
- Action is required. Once you have confirmed an IP address is malicious, you block it to contain the attack; in the room this is a manual step. Blocking is only the first move, though: the attacker can come back from a different address, and any account they logged into still needs to be reset.
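The pipeline described in sections 2 and 6 (collect logs, correlate them into alerts, enrich with threat intelligence, decide whether to block) fits in a few dozen lines, so here is an added example of my own, not the room's SIEM. It works on constructed sshd log lines from one server and a constructed "reputation feed" of known-bad IPs; the detection thresholds (3 failures in 5 minutes) and the internal-IP false-positive rule are simplifying assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sshd log lines (syslog format) from one web server. The CRON
# line is there to show that unrelated events are simply skipped.
LOGS = """\
Jun 13 09:00:00 web01 CRON[1100]: (root) CMD (run-parts /etc/cron.hourly)
Jun 13 09:00:01 web01 sshd[1201]: Failed password for root from 203.0.113.45 port 51022 ssh2
Jun 13 09:00:02 web01 sshd[1202]: Failed password for root from 203.0.113.45 port 51023 ssh2
Jun 13 09:00:03 web01 sshd[1203]: Failed password for admin from 203.0.113.45 port 51024 ssh2
Jun 13 09:00:04 web01 sshd[1204]: Failed password for admin from 203.0.113.45 port 51025 ssh2
Jun 13 09:00:05 web01 sshd[1205]: Failed password for oracle from 203.0.113.45 port 51026 ssh2
Jun 13 09:00:06 web01 sshd[1206]: Accepted password for oracle from 203.0.113.45 port 51027 ssh2
Jun 13 09:15:10 web01 sshd[1310]: Failed password for alice from 10.0.0.23 port 40112 ssh2
Jun 13 09:15:14 web01 sshd[1311]: Failed password for alice from 10.0.0.23 port 40112 ssh2
Jun 13 09:15:18 web01 sshd[1312]: Failed password for alice from 10.0.0.23 port 40112 ssh2
Jun 13 09:15:25 web01 sshd[1313]: Accepted password for alice from 10.0.0.23 port 40112 ssh2
Jun 13 09:20:00 web01 sshd[1400]: Failed password for bob from 198.51.100.7 port 33000 ssh2
Jun 13 09:20:30 web01 sshd[1401]: Failed password for bob from 198.51.100.7 port 33001 ssh2
Jun 13 09:21:00 web01 sshd[1402]: Failed password for bob from 198.51.100.7 port 33002 ssh2
"""

# Constructed threat-intel feed: sources reported for SSH brute forcing.
BAD_IPS = {"203.0.113.45"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Detection rule (assumed thresholds): 3 or more failures within 5 minutes.
FAIL_THRESHOLD = 3
WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse(lines: str, year: int = 2026) -> list:
    """Turn raw lines into structured events. syslog omits the year,
    so the caller supplies it."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def correlate(events: list) -> list:
    """Group by source IP and raise an alert when failures cluster within
    WINDOW. Also note whether a login succeeded after the failures."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        fails = [e["ts"] for e in evs if e["result"] == "Failed"]
        # largest number of failures inside any WINDOW-long span ending at a failure
        burst = max(
            (sum(1 for u in fails if timedelta(0) <= t - u <= WINDOW) for t in fails),
            default=0,
        )
        if burst < FAIL_THRESHOLD:
            continue
        users = sorted({e["user"] for e in evs if e["result"] == "Failed"})
        success_after = any(e["result"] == "Accepted" and e["ts"] > fails[-1] for e in evs)
        alerts.append({"ip": ip, "failures": burst, "users": users, "success_after": success_after})
    return alerts


def triage(alert: dict) -> dict:
    """Enrich the alert with reputation and context, then decide.
    The internal-IP rule is a simplifying assumption for this example."""
    ip = alert["ip"]
    if ip in BAD_IPS:
        action = "block source IP"
        if alert["success_after"]:
            action += "; reset the accounts it logged into"
        return {"ip": ip, "verdict": "true positive", "action": action}
    if is_internal(ip) and len(alert["users"]) == 1 and alert["success_after"]:
        return {"ip": ip, "verdict": "likely false positive",
                "action": "close after confirming with the user"}
    return {"ip": ip, "verdict": "needs investigation",
            "action": "check other reputation sources and watch for escalation"}


def run(lines: str) -> dict:
    return {a["ip"]: triage(a) for a in correlate(parse(lines))}


if __name__ == "__main__":
    for ip, result in run(LOGS).items():
        print(f"{ip}: {result['verdict']} -> {result['action']}")
```

The three alerts end up in three different buckets: the known-bad address that guessed its way into the oracle account is a true positive and gets blocked (with the account reset, since the login succeeded); alice mistyping her password three times from an office workstation is the "employee making a typo" case and is closed; bob's three failures from an unknown external address are neither, so they are handed to an analyst rather than auto-blocked. That last bucket is where most real SOC time goes.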
Final Thoughts & Key Takeaways
The TryHackMe Defensive Security Intro room is the perfect starting line for anyone curious about Blue Team cybersecurity. It doesn't overwhelm you with complicated code or heavy math. Instead, it builds a rock-solid foundation of how defenders operate.
My biggest takeaways:
- The Blue Team is all about protecting, detecting, and responding.
- A SOC analyst's main job is investigating alerts to separate real threats from false alarms.
- Tools like SIEMs are the backbone of modern cybersecurity defense.
Whether you want to be a SOC Analyst tracking live alerts, a Forensic Investigator solving cyber crimes, or a Malware Analyst dissecting viruses, understanding these core concepts is your vital first step.
Let's Connect!
- My TryHackMe Profile: Mr.Rajak
- My GitHub: mr-rajak-10
- Try the Room Yourself: Defensive Security Intro