// defensive security operations

blue team operations
& SOC analysis

Over 83 live security alerts investigated, triaged, and documented — each one mapped to known attacker behaviour and written up with full methodology. 210+ completed lab scenarios covering network forensics, malware analysis, cloud intrusions, and incident response. Everything on this site is real work, publicly linked, and verifiable.

0
Total Labs
81
Investigations
CDSA
Certified
BTL1
Certified
SAL1
Certified
// live platform stats
HackTheBox Profile
// blue team labs online
inksec
Junior Defender
Points
Global
AU Rank
Labs
Challenges
blueteamlabs.online updated nightly ›
// portfolio at a glance
115
Labs
82
SOC Alerts
82.9%
TP Rate
10
CVEs
view full breakdown →
Auto-generated from 119 documented investigations — tools used, malware families, MITRE coverage, CVEs, attack patterns. The actual writeups, certs, and daily work are below.
// featured achievements
HTB CDSA Certificate
HTB Certification · Proctored Exam
Certified Defensive Security Analyst (CDSA)
Certification Exam · Credly Verified
SOC Fundamentals SIEM · Splunk & Elastic Threat Intelligence DFIR PCAP Analysis

HTB proctored certification exam covering SOC fundamentals, alert triage workflows, SIEM analysis with Splunk & Elastic, threat intelligence & IOC correlation, digital forensics, incident response, phishing analysis, malware detection, and network traffic analysis.

BTL1 Badge
Security Blue Team · Certification
Blue Team Level 1 (BTL1)
Certification Exam · Credly Verified · April 2026
Phishing Analysis Digital Forensics SIEM Threat Intelligence Incident Response

Hands-on certification covering five SOC domains — phishing analysis, digital forensics, threat intelligence, SIEM investigation, and incident response. Passed first attempt.

LetsDefend · Completed Pathway
SOC Analyst Learning Path
Completed February 2026 · 34 Investigations · 97% Success Rate
  • Real-world SIEM alert triage
  • Log analysis & correlation
  • Malware investigation & IOC identification
  • Incident documentation & reporting
  • Threat intelligence integration
view dashboard → certificate →
CyberDefenders · Completed Track
SOC Analyst Tier 1
Completed April 2026 · 30 Investigations · 227 Questions
  • SIEM alert triage & log correlation
  • Network forensics & PCAP analysis
  • Memory forensics & disk image analysis
  • Threat intelligence & IOC attribution
  • Incident response & malware investigation
verify achievement →
CyberDefenders · In Progress
SOC Analyst Tier 2
Active lab grind · Endpoint & Memory Forensics focus
  • Memory forensics & volatile data analysis
  • Disk image forensics & file recovery
  • Malware triage & static analysis
  • Threat actor attribution & TI correlation
  • Advanced incident response workflows
TryHackMe · Certification
Security Analyst Level 1 (SAL1)
Certified April 2026 · Credly Verified
  • Alert triage & log analysis across SOC scenarios
  • PCAP investigation & network forensics
  • Threat intelligence & IOC correlation
  • Incident response workflows
  • Defensive reasoning & escalation methodology
verify on credly →
// youtube · daily grind
Day X: becoming a SOC analyst

One real LetsDefend alert per day, triaged out loud on camera. Structured workflow, log correlation, containment decisions — real analyst thinking documented publicly.

Format
Real alert → triage → log analysis → IOC correlation → containment decision → escalation or close. Every step narrated, every tool explained.
Also on YouTube
TryHackMe SAL1 walkthroughs · BTL1 lab investigations · platform-agnostic SOC methodology.
LetsDefend SOC Investigations
LetsDefend SOC Investigations
40+ videos · ~4 hours
TryHackMe Blue Team
TryHackMe Blue Team Ops
12+ videos · ~3 hours
// daily soc practice · live investigation log
daily investigations

Every alert triaged, documented, and mapped to MITRE ATT&CK. Updated daily as part of the Day N of Becoming a SOC Analyst series.

Investigations
True Positives
MITRE Techniques
Critical
Latest:
view full investigation log →
// mitre att&ck enterprise · technique coverage
att&ck heatmap

Every technique observed across labs and investigations mapped to MITRE ATT&CK Enterprise. Generated live from documented writeups — no manual curation.

Observations
Unique Techniques
14
Tactics Covered
Most Observed
explore full att&ck matrix →
// selected investigations
featured writeups

Twelve investigations selected across core blue team disciplines. Hard-rated labs, real artefacts, documented methodology.

incident response
digital forensics & reverse engineering
soc operations & threat intelligence
cloud forensics & investigation
malware analysis & reverse engineering
// all completed labs
lab grid

All platforms, all labs. Filter by platform, difficulty, or category. Adding new labs weekly.

skill
diff
showing 0 labs
no labs match that filter.
// active labs
active labs

Writeups are complete but locked until these labs officially retire. Reach out if you need the password.

// challenges
challenge log

Shorter CTF-style challenges. Same platforms, less depth.

// home lab infrastructure
lab environments
📡
Splunk Enterprise SIEM
Production-style SIEM for alert detection, log analysis, and threat hunting.
Host:Ubuntu 24.04 · Splunk Enterprise
Agent:Windows 11 · Universal Forwarder
Telemetry:Sysmon event collection & parsing
Use Cases:Detection rules · SPL queries · dashboards
🦠
Malware Analysis Sandbox
Isolated environment for safe detonation, static analysis, and reverse engineering.
Platform:FlareVM · isolated virtual network
Tools:IDA · Ghidra · PE analysis · debuggers
Analysis:Static & dynamic examination
Use Cases:IOC extraction · behaviour analysis
🏠
Home Lab — Full Stack
pfSense + Security Onion + Splunk + Active Directory environment for realistic detection practice.
Network:SPAN mirroring · network segmentation
Detection:Zeek · Suricata · Splunk dashboards
AD Lab:Windows domain · attack simulation
Platform:CachyOS · virtualisation workstation
// investigation documentation
documentation & profiles
🗂️
Alert Triage Log
Every SOC investigation documented — dated, MITRE ATT&CK mapped, and publicly queryable. Updated daily.
  • investigations logged & counting
  • true positives · false positives
  • unique MITRE ATT&CK techniques observed
  • Latest:
view full log →
⌨️
Command Reference
Every command used across real lab investigations — searchable, filterable, and copyable. Built so future me doesn't have to google the same thing twice.
  • 26 commands and growing
  • Volatility · Splunk · Wireshark · Zeek
  • Linked back to source lab for context
  • Auto-extracted from investigation notes
view command reference →
🔗
Public Platform Profiles
Verified investigation work across multiple SOC training platforms — all publicly verifiable.
  • LetsDefend — 34 cases, 97% success
  • TryHackMe — 46 cases, 100% detection
  • GitHub — full writeup repository
  • Real-time metrics & platform rankings
✍️
Writing
Exam reviews, milestone reflections, and methodology notes — things that don't fit neatly elsewhere but are worth writing down.
  • BTL1 exam review — preparation & lessons
  • Day 100: reflections on daily alert triage
  • Not a blog. Just writing.
read →