🛡️ SOC Analyst (Tier 1) | Building in Public
What 28 days of real blue-team work looks like:
🔍 Splunk · SIEM · Log Analysis
🧠 MITRE ATT&CK · Threat Detection
💻 Kali · Ubuntu · Windows lab
📜 ISC2 Certified in Cybersecurity
I am going back to basics.
Relearning networking fundamentals from the ground up.
But I refuse to put my hands-on work on hold while I do it.
So I am doing both at the same time. Here is what that looks like 🧵
The first project is a 4-day SOC detection lab.
Built around the OWASP Top 10 for LLM Applications 2025.
Targeting the threats SOC analysts will actually face in 2026.
NHI (non-human identity) abuse. Prompt injection. MCP server attacks. Full Splunk detection rules.
Not textbook threats. Real ones.
Day 0 is done.
Splunk running. Python ready. GitHub repo structured. Reference docs downloaded.
4 days of building start tomorrow.
Networking in the morning. Projects in the afternoon.
That is the plan.
4/5
Why a defender cares:
NAT breaks the one-to-one link between a public IP and a real machine.
External log shows your org's IP? That's not one device; it's potentially the whole office behind it.
5/5
To attribute activity to a real host, you need the NAT/PAT translation table (or its log) from that moment, and you need the public port, protocol and timestamp from the external log to join against it, because translated ports get reused.
Without it, "the attack came from your IP" stops at the router.
The outside sees a crowd. Only the table tells you who.
Can your team map an external IP back to the host?
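Added example (not from the original thread): a small Python script that does the join described above, mapping an externally observed (public IP, public port, protocol, timestamp) back to the inside host using NAT/PAT translation records. The log lines are constructed for this example and use a hypothetical key=value layout, not any vendor's real schema; the binding lifetime (`max_age`) is an assumption, since the sample log records creation but not teardown. It also shows why IP alone is not enough: the same public port is reused later by a different host.

```python
"""Attribute an external observation (public IP, public port, protocol, time)
back to an internal host using NAT/PAT translation records."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Constructed sample NAT/PAT translation records. The key=value layout is a
# hypothetical format for this example, not any vendor's real log schema.
# Note that public port 40002 is reused at 10:40 by a different inside host.
NAT_LOG = """\
2025-03-04T10:15:02Z proto=tcp src=10.0.1.23:51532 xlate=203.0.113.10:40001 dst=198.51.100.7:443
2025-03-04T10:15:05Z proto=tcp src=10.0.1.77:49211 xlate=203.0.113.10:40002 dst=198.51.100.7:443
2025-03-04T10:17:30Z proto=tcp src=10.0.1.23:51540 xlate=203.0.113.10:40003 dst=192.0.2.55:22
2025-03-04T10:40:00Z proto=tcp src=10.0.1.91:50011 xlate=203.0.113.10:40002 dst=198.51.100.7:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<sip>[\d.]+):(?P<sport>\d+) "
    r"xlate=(?P<xip>[\d.]+):(?P<xport>\d+) dst=(?P<dip>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Translation:
    start: datetime      # when the NAT binding was created
    proto: str
    inside_ip: str       # the real machine
    inside_port: int
    outside_ip: str      # what the internet sees
    outside_port: int
    dst_ip: str
    dst_port: int


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_nat_log(text: str) -> list:
    """Parse translation-creation records; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        out.append(Translation(parse_ts(m["ts"]), m["proto"], m["sip"], int(m["sport"]),
                               m["xip"], int(m["xport"]), m["dip"], int(m["dport"])))
    return out


def hosts_behind(translations, public_ip: str) -> list:
    """With only a public IP, the best you can say is 'one of these' (the crowd)."""
    return sorted({t.inside_ip for t in translations if t.outside_ip == public_ip})


def attribute(translations, public_ip, public_port, proto, when, max_age=timedelta(minutes=10)):
    """Return the Translation active for (public_ip, public_port, proto) at `when`, or None.

    Ports are reused, so pick the newest binding created at or before the observation.
    The log records creation but not teardown, so a binding older than max_age
    (an assumed lifetime) is treated as expired rather than pinned on the wrong host.
    """
    t_obs = parse_ts(when)
    candidates = [t for t in translations
                  if t.outside_ip == public_ip and t.outside_port == public_port
                  and t.proto == proto and t.start <= t_obs]
    if not candidates:
        return None
    newest = max(candidates, key=lambda t: t.start)
    if t_obs - newest.start > max_age:
        return None
    return newest


TRANSLATIONS = parse_nat_log(NAT_LOG)

if __name__ == "__main__":
    # External report: "203.0.113.10:40002/tcp hit us at 2025-03-04T10:15:06Z".
    print(hosts_behind(TRANSLATIONS, "203.0.113.10"))            # the crowd
    print(attribute(TRANSLATIONS, "203.0.113.10", 40002, "tcp", "2025-03-04T10:15:06Z"))  # 10.0.1.77
    print(attribute(TRANSLATIONS, "203.0.113.10", 40002, "tcp", "2025-03-04T10:40:30Z"))  # 10.0.1.91
    print(attribute(TRANSLATIONS, "203.0.113.10", 40002, "tcp", "2025-03-04T10:39:00Z"))  # None
```

The same join is what a Splunk search over firewall translation events does; the important part is that the external evidence has to carry port, protocol and time, and that the query has to respect binding lifetime, or the same public port will be pinned on whichever host held it most recently.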
A few days ago I was stuck on level 26, the one most people quit at.
Today I finished the entire wargame.
All of OverTheWire Bandit. Every level.
Here's what it actually taught me:
4/5
I stopped assuming the puzzle was the wall.
I started questioning my environment.
It was a tooling problem, not a knowledge problem.
One variable isolated. The "correct" answer finally landed.
5/5
Separate the problem from the tooling.
Isolate your variables.
Know when to change the environment, not the approach.
Stay with it.
That loop is the exact one a SOC analyst runs when an alert fires and the answer isn't obvious.
4/5
The skill that got me through wasn't knowing the answer.
It was refusing to close the terminal.
Sitting in the discomfort of not knowing. Trying the next thing, and the next, when every obvious path had already failed.
5/5
That's the exact muscle a SOC analyst uses when an alert fires and the answer isn't in front of you.
Plenty of people quit at this level. I stayed until it broke.
Stuck right now? That's not the signal to stop. That's the rep that builds something.