From Creepy Teaser to Certified SAL1:
On February 20, 2025, TryHackMe posted the below image on their “announcements” channel on Discord. 
When I saw it, I thought it was creepy because Halloween had been over for almost four months. The silhouette looked like a tombstone. I thought it was probably a new event, like the King of the Hill kind of thing.
Five days later, the announcement finally came that it is TryHackMe’s first industry certification, Security Analyst Level 1, in collaboration with Accenture and Salesforce.
The reaction from the cyber security community was mixed regarding the release of THM’s first certification. I respect everyone’s opinions, which makes us unique, having different perceptions of things. As for me, I celebrated this new certification. I am happy because this provides a variety of ways for someone to gain more knowledge. The cyber security field changes so fast that we need to be constantly learning. In the words of Peter Drucker, “We now accept the fact that learning is a lifelong process of keeping abreast of change. And the most pressing task is to teach people how to learn.” Even if only one person comes out of the SAL1 and works in cyber security, that is a win for this community. I was happy when SAL1 was announced, but that doesn’t mean I would spend $349 to take it. I know I will learn something new from it, and the experience of taking the exam would be incredible, but I don’t think it was worth the expense to my wallet.
Until March 3, 2025, TryHackMe offered free certification for anyone who holds either the Blue Team Level 1 (BTL1) from Security Blue Team or CySA+ from CompTIA.
Now, I don’t have an excuse for not wanting to spend an extra $349 on the certification exam. I jumped at the opportunity to experience it and possibly earn the new certification. I emailed TryHackMe on March 3, 2025, and got a response from them the day after.
I had a busy week at work, so I could not take the exam during the workweek. I took the exam on the evening of March 7, 2025, and completed it just past midnight.
Exam Day:
March 7, 2025, was a Friday. Work was not as busy, and I was itching to take the certification exam. Though we are given 24 hours to complete the exam, there is a 5-hour limit. You don’t have to use the entire 5 hours; you can wrap it up depending on your speed. Below is how I did mine:
2:30 PM – 3:30 PM: Multiple Choice
3:30 PM – 5:00 PM: Did some more work
5:00 PM – 6:00 PM: Prepared and ate dinner
6:00 PM – 7:45 PM: First SOC Simulator
7:45 PM – 8:57 PM: Rewatched the Solo Leveling S2 E21 anime before the new episode comes out tomorrow.
8:57 PM – 9:42 PM: 45-min run on the treadmill
10:07 PM – 12:07 AM: Second/Final SOC Simulator
After answering one feedback question, you will get the result of the exam right away:
The Exam Experience:
Once you click the “Start Exam” button, you must go through ID Verification, read the Exam Guidelines, and watch the Exam introduction video before starting the exam.
You must have a webcam to take a real-time photo of yourself through Onfido. Then, you will be prompted to scan a QR code using your phone, redirecting you to Onfido to scan the front and back of your government-issued identification card.
I think the first part, the multiple-choice questions, is on a beginner-level basis. I’ve seen some feedback on LinkedIn saying that the multiple-choice questions should be more challenging. I disagree; this is a beginner-level certification exam. The people who have provided feedback through the free exam attempt are already holders of BTL1 or CySA+ certificates, so it makes sense that they feel the questions were too easy. This is a beginner, level 1-targeted certification. People who took it might have worked in this field for years. So, please dial it down with your chest-pounding call of “too easy.” Imagine someone who does not have any cybersecurity experience wanting to break into this field and expecting to complete 80 questions in an hour; that is a lot of pressure. I thought the questions were fair in difficulty.
The two SOC simulators were incredible! I enjoyed the experience a lot. To be transparent, I have been working in security for just over five years and have no experience working in an SOC environment. Seeing the alert queue building up while I was analyzing and writing a report for an alert was overwhelming. I was starting to panic. Shoutout to all SOC staff, especially Level 1s, for all you do with the initial assessment of the alerts. I have to be in game-face mode to keep up with all the alerts and the time constraint to finish all alerts within 2 hours.
The alerts and scenarios were too realistic. Even though I have no experience working in an SOC environment, I get to see the alerts that were escalated to my team from our Managed SOC Service, and I kid you not, some of the alerts were almost identical to what I’ve seen. So kudos to TryHackMe, this exam’s “realistic” experience is on point. For those wanting to break in and work in a SOC, the Dashboard and Alert Queue in both of the SOC Simulator parts of the exam are “real-life” experiences you can have without being in a real job. This will give you an advantage when you are interviewed for that SOC L1 job, especially when competing with other applicants without work experience.
Another advantage you will get from this exam is the use of Splunk. You will get your hands dirty with the industry-leading SIEM tool. I am sorry, LetsDefend; I am not throwing you under the bus. But before TryHackMe came up with the SOC Simulator, I was a strong endorser of LetsDefend when it came to getting as realistic as possible of a real-life alert investigation. Whenever someone asks me how to analyze alerts and detections better, LetsDefend is the first thing that comes out of my mouth. But my gosh, having the chance to do log analysis using Splunk is way better than a “pretend” SIEM tool.
TryHackMe’s SIEM:
LetsDefend’s SIEM:
You tell me who you think will appear more confident in interviews when asked if they have experience using a SIEM tool. Again, I have nothing against LetsDefend. I am still on their platform and on a 295-day streak on LetsDefend. This is probably more of a wake-up call for LetsDefend to up their game.
The overall exam experience was smooth. There were no issues with Splunk, Analyst VM, or the TryHackMe site, and no freezing or slowness.
Feedback:
I wish information like the “Best Practice Reports,” “Alert Reporting,” “Alert Escalation,” “Alert Classification,” and “Alert Triage Playbook” were presented before the timer on the SOC Simulator part starts. Skimming through all that information would probably take around 10 minutes off the 2 hours, and those are critical for the test takers. TryHackMe’s True Positive and False Positive classifications might slightly differ from other platforms’ classifications. Some platforms have different classifications, like True Positive, Benign.
Please make the Simulator part at the end of the exam, like the multiple-choice questions, where the exam taker can review previous cases before closing the SOC Simulator attempt. When I took the first SOC simulator, I tried to go through the alerts as fast as possible with the plan to review them at the end of my attempt if time permitted. I was happy to see that I had 23 minutes in my timer, but as soon as I submitted the case I was working on, I didn’t know that it was the last one, and it automatically closed my first SOC simulator. Part of it was my fault; I should have read the instructions better, but I still would have loved to have the opportunity to review my answers.
I don’t think it is fair to compare this certification against Security Blue Team’s BTL1, CyberDefender’s CCD, or even CySA+. You cannot compare full-on DFIR certifications to a SOC Analyst level of certification. BTL1 and CCD require more knowledge and skills than expected SOC skills. SAL1 does not cover disk forensics, memory forensics, network forensics, and perimeter defense, which are all included in the BTL1 and CCD exams. However, I would say that the SAL1 prepares a person better to work in an SOC than a CySA+ certified person, just based on my experience. SAL1’s multiple choice exam meets what is offered by CySA+, and SAL1’s SOC experience tramples CySA+ because CySA+ does not provide a SOC simulator experience. SAL1 is unique. You cannot compare it side by side with most Blue Team certifications, but I think it stands on top of SOC-targeted certifications.
Advice to those who are thinking of taking the SAL1:
I didn’t go through the recommended learning for the SAL1 just because I was confident that I already had the knowledge and skills to take the certification exam, so I cannot speak on the value or importance of the recommended learning path.
The SOC simulator’s free scenarios helped me. I recommend doing the two free scenarios. This will at least give you hands-on experience instead of struggling to find your way within the SOC Simulator during the exam. Each SOC platform is different, and I was glad I did the free scenarios. I dove into the exam without any surprises; I felt comfortable navigating the platform during the exam.
Enjoy the exam experience, and make sure to take breaks. Good luck to you all!

Solo leveling, eh? I like that you documented all the stuff you did in-between parts of the exam. Good read and good to see some blog action. 🙌
Thank you for reading my post. Of course, I had to include other stuff like anime and running, just so other readers know that I live a normal life too. lol
Hi, I’m taking the tryhackme learning path. I see you’ve completed BTL1 and the CyberDefender CCD. Do you recommend doing this after SAL1? I want a cybersecurity job as a SOC, but the certifications are expensive. Could you just do the labs on those platforms?
Hey Adrian, I apologize for the delayed response. SAL1 is great to give you a true experience of what it is like working in a SOC. The detections and the process to analyze and triage them are on point. BTL1 is above SAL1, so if you want to build on SAL1, taking BTL1 is perfect to work in a SOC. CCD will prepare you more for an Incident Responder role or Digital Forensic investigator. Unfortunately, you cannot just do the labs in BTL1 and CCD. I mean they have free labs/rooms like THM, but you will have to be a paid subscriber so you will get access to the labs that will most likely prepare you for their respective certification exams. Hope that helps.