Security & Governance · 90 days · 2-3 hours/day · updated 2026-06-01
SecOps 90-Day Learning Path
Build SecOps skills in 90 days: SIEM, SOAR, threat intelligence, incident response playbooks, and threat hunting. Learn to operate a modern SOC and cut mean-time-to-respond.
What SecOps means
SecOps (Security Operations) is the continuous monitoring of production environments for security threats, together with the detection of and response to them. It bridges security engineering and IT operations, using automation and tooling to reduce analyst toil and shorten response times. A mature SecOps practice combines SIEM pipelines, SOAR playbooks, and threat-intelligence feeds to deliver 24/7 coverage.
Who should follow this path
- SOC analysts looking to level up to Tier 2/3
- IT operations engineers pivoting into security
- Security engineers who want operational depth
- DevOps engineers in security-sensitive organizations
- Incident response professionals
Prerequisites
- Networking fundamentals (TCP/IP, DNS, HTTP)
- Linux command-line proficiency
- Basic understanding of firewalls and IDS/IPS
- Familiarity with log formats (syslog, JSON events)
- Some scripting ability (Python or Bash)
The 90-day plan
Daily study recommendation: 2-3 hours/day, six days a week. Consistency beats intensity — block the time in your calendar like a meeting.
Days 1–15: Foundation
- SOC tiers and analyst workflows
- MITRE ATT&CK framework navigation
- Log sources: OS, network, application, cloud
- Cyber kill chain and diamond model
- Threat intelligence fundamentals (IOCs, TTPs)
Outcome: Navigate the MITRE ATT&CK framework and understand the structure of a modern SOC.
Days 16–30: Core concepts
- SIEM fundamentals with Splunk and Elastic SIEM
- Writing detection rules (SPL, KQL)
- Alert triage and false-positive reduction
- Log ingestion pipelines and normalization
- Dashboard creation for security visibility
Outcome: Build and tune SIEM detection rules and operate an alert triage workflow.
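The three core skills of this phase, normalizing mixed log sources, writing a detection rule, and tuning it against false positives, fit in one script. The example below is added here and is not code from the page or from any SIEM vendor: it parses constructed OpenSSH syslog lines and constructed CloudTrail-shaped JSON `ConsoleLogin` events into one schema, runs a windowed brute-force rule mapped to ATT&CK T1110 over them, and shows an allowlist suppressing an internal vulnerability scanner. The hostnames, IPs, and thresholds are assumptions chosen for the demonstration.

```python
"""Normalize two log formats into one event schema and run a tunable
brute-force rule over them. Added example; all sample lines are constructed."""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed OpenSSH auth lines in RFC 3339 syslog form (not captured data):
# an external attacker that succeeds after five failures, then an internal
# vulnerability scanner (10.0.0.5) producing the same failure pattern.
SYSLOG_LINES = [
    "2024-03-01T10:00:01Z bastion sshd[4321]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2",
    "2024-03-01T10:00:03Z bastion sshd[4322]: Failed password for root from 203.0.113.7 port 51001 ssh2",
    "2024-03-01T10:00:05Z bastion sshd[4323]: Failed password for root from 203.0.113.7 port 51002 ssh2",
    "2024-03-01T10:00:07Z bastion sshd[4324]: Failed password for root from 203.0.113.7 port 51003 ssh2",
    "2024-03-01T10:00:09Z bastion sshd[4325]: Failed password for root from 203.0.113.7 port 51004 ssh2",
    "2024-03-01T10:00:12Z bastion sshd[4326]: Accepted password for root from 203.0.113.7 port 51005 ssh2",
] + [
    f"2024-03-01T10:05:0{i}Z bastion sshd[44{i}]: Failed password for root from 10.0.0.5 port 4000{i} ssh2"
    for i in range(5)
]

# Constructed CloudTrail-shaped ConsoleLogin failures, delivered as JSON strings.
CLOUDTRAIL_JSON = [
    json.dumps({"eventTime": f"2024-03-01T10:10:{5 * i:02d}Z", "eventName": "ConsoleLogin",
                "sourceIPAddress": "198.51.100.9", "userIdentity": {"userName": "alice"},
                "responseElements": {"ConsoleLogin": "Failure"}})
    for i in range(5)
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def _ts(value):
    """Parse an RFC 3339 timestamp (with trailing Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_syslog(line):
    """OpenSSH auth line -> normalized event dict, or None for non-auth lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"ts": _ts(m["ts"]), "source": "sshd", "host": m["host"], "user": m["user"],
            "src_ip": m["ip"], "outcome": "success" if m["outcome"] == "Accepted" else "failure"}


def parse_cloudtrail(raw):
    """CloudTrail-shaped ConsoleLogin JSON record -> normalized event dict."""
    rec = json.loads(raw)
    if rec.get("eventName") != "ConsoleLogin":
        return None
    result = rec.get("responseElements", {}).get("ConsoleLogin", "")
    return {"ts": _ts(rec["eventTime"]), "source": "cloudtrail", "host": "aws-console",
            "user": rec.get("userIdentity", {}).get("userName", "unknown"),
            "src_ip": rec.get("sourceIPAddress", "unknown"),
            "outcome": "success" if result == "Success" else "failure"}


def normalize(syslog_lines, cloudtrail_json):
    """Merge both sources into one time-ordered list of events with a common schema."""
    events = [e for e in map(parse_syslog, syslog_lines) if e]
    events += [e for e in map(parse_cloudtrail, cloudtrail_json) if e]
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events, threshold=5, window_s=60, allowlist=frozenset()):
    """Rule: at least `threshold` failures from one src_ip within `window_s` seconds
    (ATT&CK T1110 Brute Force). Severity becomes high when a success from the same
    IP follows the run of failures within the window. `allowlist` is the tuning
    knob: known scanners are suppressed instead of lowering the threshold for everyone."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        if ip in allowlist:
            continue
        failures = [e for e in evs if e["outcome"] == "failure"]
        for i in range(len(failures) - threshold + 1):
            first, last = failures[i], failures[i + threshold - 1]
            if (last["ts"] - first["ts"]).total_seconds() > window_s:
                continue
            followed = any(e["outcome"] == "success"
                           and 0 <= (e["ts"] - last["ts"]).total_seconds() <= window_s
                           for e in evs)
            alerts.append({"rule": "auth_brute_force", "technique": "T1110", "src_ip": ip,
                           "source": first["source"], "failures": threshold,
                           "first_seen": first["ts"].isoformat(),
                           "severity": "high" if followed else "medium"})
            break  # one alert per source IP per run; the SIEM would dedupe on this key
    return alerts


if __name__ == "__main__":
    evts = normalize(SYSLOG_LINES, CLOUDTRAIL_JSON)
    for alert in detect_brute_force(evts, allowlist=frozenset({"10.0.0.5"})):
        print(alert)
```

Run it once with and once without the allowlist: the scanner produces a third, medium alert only when it is not suppressed, which is the shape of most false-positive tuning work. In Splunk or Elastic the same rule is a stats-by-source-IP query over a time bucket; the normalization step is what lets one rule cover both sshd and CloudTrail.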
Days 31–45: Tools and workflows
- SOAR platforms: Palo Alto XSOAR and Shuffle
- Building automated response playbooks
- Integrating threat intel feeds (MISP, OTX)
- Case management with TheHive
- API-driven security automation with Python
Outcome: Automate repetitive SOC tasks with SOAR playbooks and threat-intel enrichment.
Days 46–60: Hands-on projects
- Incident response lifecycle (PICERL)
- Digital forensics basics (memory, disk, network)
- Malware analysis fundamentals
- Cloud security event investigation (AWS CloudTrail)
- Endpoint detection with CrowdStrike or SentinelOne
Outcome: Conduct an end-to-end incident investigation from detection through containment and eradication.
Days 61–75: Advanced practices
- Threat hunting methodologies
- Behavioral analytics and UEBA
- Red team vs blue team exercise structure
- Purple team collaboration techniques
- Adversary simulation with Atomic Red Team
Outcome: Proactively hunt for threats using behavioral analytics and adversary simulation techniques.
Days 76–90: Portfolio, interview & certification prep
- Portfolio: build a SIEM + SOAR lab environment
- SOC metrics: MTTD (mean time to detect), MTTR (mean time to respond), detection coverage
- Preparing for CompTIA CySA+ exam
- Interview prep for SOC analyst and SecOps engineer roles
- Writing post-incident reports and lessons-learned docs
Outcome: Present a documented SOC lab project and be ready for SecOps engineering interviews.
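The SOC metrics in this phase are simple arithmetic over incident timestamps and rule-to-technique mappings, but the definitions matter: which event starts the clock, and whether MTTR ends at containment or at full resolution. The example below is added here, not taken from the page, and computes MTTD, MTTR, and ATT&CK detection coverage from a constructed incident table and a constructed rule mapping; the incident IDs, times, technique IDs, and in-scope list are all assumptions.

```python
"""SOC metrics from incident records: MTTD, MTTR and ATT&CK detection coverage.
Added example with constructed incidents and rule mappings."""
from datetime import datetime
from statistics import mean, median

# Constructed incident timeline (synthetic). first_event is the earliest attacker
# activity found during the investigation, detected is when the alert fired,
# contained is when the response stopped the activity.
INCIDENTS = [
    {"id": "INC-1", "first_event": "2024-03-01T10:00:00Z",
     "detected": "2024-03-01T10:30:00Z", "contained": "2024-03-01T11:00:00Z"},
    {"id": "INC-2", "first_event": "2024-03-02T09:00:00Z",
     "detected": "2024-03-02T13:00:00Z", "contained": "2024-03-02T13:20:00Z"},
    {"id": "INC-3", "first_event": "2024-03-03T08:00:00Z",
     "detected": "2024-03-03T08:15:00Z", "contained": "2024-03-03T09:15:00Z"},
]

# Constructed rule -> ATT&CK technique mapping, and the techniques the
# environment's threat model says must be covered.
RULES = {
    "ssh_brute_force": ["T1110"],
    "encoded_powershell": ["T1059.001"],
    "new_scheduled_task": ["T1053"],
    "console_login_failures": ["T1110"],
}
IN_SCOPE_TECHNIQUES = ["T1110", "T1059.001", "T1053", "T1078", "T1566"]


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _minutes(start, end):
    return (_parse(end) - _parse(start)).total_seconds() / 60


def _summary(values):
    # Report the median next to the mean: one slow incident dominates the mean.
    return {"mean_min": round(mean(values), 1), "median_min": round(median(values), 1)}


def mttd(incidents):
    """Mean time to detect: earliest attacker activity -> alert fired."""
    return _summary([_minutes(i["first_event"], i["detected"]) for i in incidents])


def mttr(incidents):
    """Mean time to respond, measured here from detection to containment.
    Teams that measure to full resolution get a larger number; state which one."""
    return _summary([_minutes(i["detected"], i["contained"]) for i in incidents])


def detection_coverage(rules, in_scope):
    """Fraction of in-scope techniques with at least one rule, plus the gaps.
    Two rules on one technique do not raise coverage; they only add depth."""
    scope = set(in_scope)
    covered = {t for techniques in rules.values() for t in techniques}
    hit = scope & covered
    return {"covered": len(hit), "total": len(scope),
            "ratio": round(len(hit) / len(scope), 2),
            "gaps": sorted(scope - covered)}


if __name__ == "__main__":
    print("MTTD", mttd(INCIDENTS))
    print("MTTR", mttr(INCIDENTS))
    print("coverage", detection_coverage(RULES, IN_SCOPE_TECHNIQUES))
```

With these constructed records MTTD averages 95 minutes but its median is 30, which is exactly the case where a report built on the mean alone misleads; INC-2 sat undetected for four hours and deserves its own post-incident review. The coverage gaps list (T1078 Valid Accounts, T1566 Phishing) is the detection-engineering backlog.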
Weekly outcomes at a glance
| Phase | Outcome |
|---|---|
| Days 1–15 | Navigate the MITRE ATT&CK framework and understand the structure of a modern SOC. |
| Days 16–30 | Build and tune SIEM detection rules and operate an alert triage workflow. |
| Days 31–45 | Automate repetitive SOC tasks with SOAR playbooks and threat-intel enrichment. |
| Days 46–60 | Conduct an end-to-end incident investigation from detection through containment and eradication. |
| Days 61–75 | Proactively hunt for threats using behavioral analytics and adversary simulation techniques. |
| Days 76–90 | Present a documented SOC lab project and be ready for SecOps engineering interviews. |
Tools to learn
- Splunk
- Elastic SIEM
- Palo Alto XSOAR
- MISP
- TheHive
- CrowdStrike Falcon
- Suricata
- Zeek
- Shuffle SOAR
- Atomic Red Team
- Wireshark
- Velociraptor
Labs to practice
Mini projects
- Deploy an Elastic SIEM stack, ingest logs from three sources, and write 10 detection rules mapped to MITRE ATT&CK
- Build a SOAR playbook that auto-enriches phishing alerts with VirusTotal and Shodan lookups
- Conduct a threat hunt exercise using Atomic Red Team simulations and document findings
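The SOAR work in days 31-45 and the second mini project above come down to the same loop: pull observables out of an alert, enrich each one, and turn the worst verdict into actions. The example below is added here and is not code from the page, XSOAR, Shuffle, or TheHive. It runs offline, so a constructed local intel store stands in for the MISP/OTX feeds and the VirusTotal and Shodan API calls the project would make (those need network access and API keys); the alert, sender domain, IP, hash, scores, and severity thresholds are all assumptions.

```python
"""SOAR-style phishing playbook: extract observables from an alert, enrich them
against a threat-intel store, and decide on response actions. Added example with
constructed data; the local store stands in for MISP/OTX feeds and the
VirusTotal/Shodan APIs, which need network access and keys."""
import hashlib
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s<>"']+""")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Hash of constructed bytes, so the "malicious attachment" matches the store below.
ATTACHMENT_SHA256 = hashlib.sha256(b"constructed malicious attachment").hexdigest()

# Constructed alert as an email-gateway integration might hand it to the SOAR.
PHISHING_ALERT = {
    "id": "ALERT-1001",
    "sender": "invoice@example-billing.test",
    "recipient": "bob@corp.example",
    "subject": "Overdue invoice",
    "body": "Review https://example-billing.test/pay?id=7 or http://198.51.100.23/x.exe today.",
    "attachments": [{"name": "invoice.exe", "sha256": ATTACHMENT_SHA256}],
}

# Constructed intel store keyed by observable type; scores are 0-100. In the
# real playbook these entries come back from MISP/OTX/VirusTotal lookups.
INTEL_STORE = {
    "domain": {"example-billing.test": {"source": "misp", "tags": ["phishing"], "score": 70}},
    "ip": {"198.51.100.23": {"source": "otx", "tags": ["malware-c2"], "score": 90}},
    "sha256": {ATTACHMENT_SHA256: {"source": "virustotal", "tags": ["43/70 engines"], "score": 95}},
}


def extract_observables(alert):
    """Deduplicated (type, value) pairs from sender domain, body URLs and attachments."""
    seen, out = set(), []

    def add(kind, value):
        if value and (kind, value) not in seen:
            seen.add((kind, value))
            out.append((kind, value))

    add("domain", alert["sender"].rpartition("@")[2].lower())
    for url in URL_RE.findall(alert.get("body", "")):
        add("url", url)
        host = (urlparse(url).hostname or "").lower()
        add("ip" if IPV4_RE.match(host) else "domain", host)
    for att in alert.get("attachments", []):
        add("sha256", att["sha256"].lower())
    return out


def enrich(observables, store):
    """Look each observable up by type; unknown observables score 0, not 'clean'."""
    results = []
    for kind, value in observables:
        hit = store.get(kind, {}).get(value)
        results.append({"type": kind, "value": value, "matched": hit is not None,
                        "score": hit["score"] if hit else 0,
                        "source": hit["source"] if hit else None})
    return results


def decide(enrichments):
    """Map the worst enrichment score to a severity and an ordered action list."""
    worst = max((e["score"] for e in enrichments), default=0)
    if worst >= 80:
        return "high", ["quarantine_message", "open_case", "block_iocs", "notify_recipient"]
    if worst >= 40:
        return "medium", ["open_case", "notify_recipient"]
    return "low", ["close_benign"]


def run_playbook(alert, store):
    """Full playbook run; the returned dict is what a case-management tool would store."""
    enrichments = enrich(extract_observables(alert), store)
    severity, actions = decide(enrichments)
    return {"alert_id": alert["id"], "severity": severity, "actions": actions,
            "matched": [e for e in enrichments if e["matched"]], "enrichments": enrichments}


if __name__ == "__main__":
    print(run_playbook(PHISHING_ALERT, INTEL_STORE))
```

To turn this into the mini project, replace the `store.get(...)` lookup in `enrich` with the real API calls and keep the rest: the scoring, the "unknown is not clean" rule, and the action list are the parts that decide whether the playbook quarantines a real phish or closes a payroll reminder as benign.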
Interview questions to prepare
- Walk me through your process for triaging a high-priority SIEM alert.
- How do you reduce false positives in a SIEM without missing real threats?
- Explain the MITRE ATT&CK framework and how you use it for detection engineering.
- What is SOAR and how does it differ from a SIEM?
- How would you investigate a potential insider threat incident?
- What metrics would you track to measure SOC effectiveness?
- Describe a threat hunting hypothesis and how you would test it.
- How do you handle alert fatigue in a high-volume SOC environment?
Certification suggestions
- CompTIA CySA+ — CompTIA
- GIAC Security Operations Certified (GSOC) — GIAC
- Splunk Core Certified Power User — Splunk
- GIAC Certified Incident Handler (GCIH) — GIAC
Browse the full certification registry for exam details and official links.
Free resources
- MITRE ATT&CK Navigator
- TryHackMe SOC Level 1 Path (free tier)
- Elastic SIEM Documentation
- TheHive Project
- Atomic Red Team Library
Prefer live, guided training with mentors and certification support? DevOpsSchool.com runs paid instructor-led programs that pair well with this free path.
Explore paid training on DevOpsSchool.com ↗