OffSec's SOC-200 (and its associated OSDA certification) is the most realistic blue-team exam on the market. It throws you into a live SIEM with messy real-world telemetry and asks you to detect, triage, and document attacks against Windows, Linux, and Active Directory targets — across 24 hours. Here's the playbook our analysts use to pass on the first attempt.
What the OSDA actually tests
OSDA is fundamentally a detection-engineering exam wearing a SOC analyst costume. You will not be running scans against domain controllers — you will be hunting through pre-recorded telemetry to find what already happened. Every point comes from correctly identifying the technique, mapping it to MITRE ATT&CK, and writing a clear narrative explaining attacker intent.
- Endpoint telemetry: Sysmon Event IDs 1, 3, 7, 8, 10, 11, 13, 22 are the bread-and-butter
- Network telemetry: Zeek logs (conn, dns, http, ssl, files)
- Authentication: Windows Security Event IDs 4624, 4625, 4634, 4672, 4768, 4769
- Process artifacts: command lines, parent-child relationships, hashes
- Web logs and IIS / Apache access logs for initial access
Lab strategy that pays off
Most candidates rush the SOC-200 modules and never revisit the labs. That is the single biggest reason for failure. The exam scenarios re-use the same atomic tradecraft from the labs — different chains, identical primitives. Treat the labs as flashcards.
- First pass: complete every module exercise without copy-pasting queries
- Second pass: write your own one-liner queries from scratch for each exercise
- Third pass: rebuild a personal cheat-book of 30-40 SPL / KQL / Lucene queries
- Fourth pass: time yourself — every detection should take under 20 minutes
The Splunk queries you must memorize
Office application spawning a scripting host, shell or rundll32 child process:

```spl
index=endpoint sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| search ParentImage="*\\WINWORD.EXE" OR ParentImage="*\\EXCEL.EXE" OR ParentImage="*\\OUTLOOK.EXE"
| search Image="*\\powershell.exe" OR Image="*\\cmd.exe" OR Image="*\\wscript.exe" OR Image="*\\rundll32.exe"
| stats count by ParentImage, Image, CommandLine, User, Computer
| sort - count
```

Kerberoasting: one account requesting RC4-encrypted (0x17) service tickets for many distinct services:

```spl
index=wineventlog EventCode=4769
| search Ticket_Encryption_Type="0x17"
| stats count dc(Service_Name) as services_requested by Account_Name, Client_Address
| where services_requested > 5
| sort - services_requested
```

Beaconing: source/destination pairs that keep talking across many one-minute buckets:

```spl
index=zeek sourcetype="zeek:conn"
| eval bucket=floor(_time/60)*60
| stats count dc(bucket) as buckets by id_orig_h, id_resp_h
| eval ratio=round(count/buckets, 2)
| where buckets > 30 AND ratio > 0.8
| sort - buckets
```

Exam day workflow
| Hour | Activity | Output |
|---|---|---|
| 0-1 | Scope read, environment recon | Inventory of indices, fields, hosts |
| 1-6 | Initial access + execution hunts | 2-3 detections written up |
| 6-10 | Lateral movement + persistence | Attack chain timeline draft |
| 10-14 | Sleep / break | Brain recovery |
| 14-20 | C2 + exfiltration analysis | Network and DNS findings |
| 20-24 | Cross-correlation, timeline polish | Final attack narrative |
Suggested 24-hour budget
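The Zeek beaconing query from the Splunk section above, re-implemented in Python as an added example (not OffSec's or the course's code) so the minute-bucketing logic can be run offline against constructed Zeek conn records in JSON lines form. The id_orig_h and id_resp_h field names follow the page's query; the ts field, the IPs and the sample traffic are constructed. It goes one step beyond the SPL by adding a coverage column, the share of minutes in a pair's observed span that carried traffic, which separates a steady beacon from sporadic long-lived traffic that also passes the buckets/ratio filter.

```python
import json
from collections import defaultdict

MIN_BUCKETS = 30           # mirrors: where buckets > 30
MIN_RATIO = 0.8            # mirrors: where ratio > 0.8
START = 1_700_000_040      # constructed epoch base, on a minute boundary


def make_conn_log():
    """Constructed Zeek conn data as JSON lines: beacon, burst, sporadic."""
    rows = []
    for i in range(45):   # 45 beacons, one per minute, a little jitter
        rows.append({"ts": START + i * 60 + i % 7, "id_orig_h": "10.0.0.5",
                     "id_resp_h": "198.51.100.20"})
    for i in range(120):  # 120 connections inside 6 minutes (browsing burst)
        rows.append({"ts": START + (i % 6) * 60 + i % 50, "id_orig_h": "10.0.0.9",
                     "id_resp_h": "203.0.113.7"})
    for i in range(40):   # one connection every 10 minutes for ~6.5 hours
        rows.append({"ts": START + i * 600, "id_orig_h": "10.0.0.12",
                     "id_resp_h": "192.0.2.44"})
    return "\n".join(json.dumps(r) for r in rows)


def beacon_candidates(conn_log_text, min_buckets=MIN_BUCKETS, min_ratio=MIN_RATIO):
    """Same shape as the SPL: bucket to the minute, stats by pair, filter."""
    count = defaultdict(int)
    buckets = defaultdict(set)
    for line in conn_log_text.splitlines():
        rec = json.loads(line)
        pair = (rec["id_orig_h"], rec["id_resp_h"])
        count[pair] += 1
        buckets[pair].add(int(rec["ts"] // 60) * 60)  # eval bucket=floor(_time/60)*60
    results = []
    for pair, n in count.items():
        b = len(buckets[pair])
        ratio = round(n / b, 2)  # count >= buckets, so this is never below 1.0
        if b > min_buckets and ratio > min_ratio:
            # extra column: share of minutes in the pair's span with any traffic
            span_min = (max(buckets[pair]) - min(buckets[pair])) // 60 + 1
            results.append({"id_orig_h": pair[0], "id_resp_h": pair[1], "count": n,
                            "buckets": b, "ratio": ratio,
                            "coverage": round(b / span_min, 2)})
    return sorted(results, key=lambda r: -r["buckets"])


if __name__ == "__main__":
    for hit in beacon_candidates(make_conn_log()):
        print(hit)
```

The burst pair never reaches 30 buckets and is dropped, while both the beacon and the sporadic pair pass the SPL filter; only the coverage column (1.0 versus 0.1) tells them apart.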
MITRE ATT&CK mapping discipline
OSDA reports lose marks when ATT&CK techniques are mapped wrong. Always pick the most specific sub-technique. T1059 alone is generic — T1059.001 (PowerShell) is what graders expect.
| Observation | Tactic | Technique |
|---|---|---|
| powershell.exe -enc <base64> | Execution | T1059.001 |
| Service created via sc.exe | Persistence | T1543.003 |
| Schtasks creating new task | Persistence | T1053.005 |
| lsass.exe accessed by non-system process | Credential Access | T1003.001 |
| WMI used for remote execution | Lateral Movement | T1047 |
| Outbound traffic to non-corporate ASN | C2 | T1071.001 |
Top 5 reasons candidates fail
- Skipping the report polish — the report is graded harder than the detections
- Mapping techniques to top-level tactics instead of sub-techniques
- Missing one of the four mandatory attack chains in the exam network
- Spending too long chasing a single complex finding instead of moving on
- Forgetting to keep timestamps in UTC throughout the report
Our SOC Analyst track is one of several hands-on tracks Macksofy delivers across India and the UAE. CERT-In empanelled, OffSec/EC-Council authorized, with weekend cohorts and corporate batches.
