How to Train Your SOC Team as a Manager?

Omer Gunal
November 10, 2022
How to Train Your SOC Team as a Manager?

Everyone agrees that there are difficulties in finding qualified people for the SOC environment. As a result of our research, there are some reports published on this subject, and according to these reports, the important causes of the problem are burnout, overwork, and a stressful working environment. When the remote working model, which has become a part of our lives during the pandemic period, cannot be managed correctly, it becomes more and more difficult to recruit high-skilled people, considering that there is a lot of overtime for SOC analysts and Incident Responders.

During the incident response preparation process, you must ensure that your SOC team has sufficient technical knowledge and you must provide training to close any gaps. In general, when you want to prepare or choose a training program for your SOC team, you should consider the following factors.

Set a Goal

You need to clearly define what you expect your team to achieve after training. Your goal may be that the team can easily resolve different alerts, decrease SLAs (average response time to threats), increase malware analysis skills, etc. After determining your goal(s), the flow of the training program you will choose/create will be more clear.

It is also important to pay attention to which team you are creating the training for. While offensive-oriented training will be suitable for the red team, it will be better for your blue team to focus on specific areas of the blue team. It would be better if separate teams are involved in different training programs if there are no major budget problems.

Establish a Baseline

You need a baseline to accurately measure the output of your training. For example, you want to reduce the team's response time to threats, but if you do not know the average time for today, you cannot understand whether the training is working or not. With an accurate assessment, you need to measure your team's skills and the level they are at now.


A SOC training program must definitely include simulated cyber attacks. Thus, the trained analyst detects and analyzes various threats by considering himself in the company's SOC environment. Thanks to the simulation environment, mistakes to be made do not affect real people and institutions.

Thanks to this method, you can understand which attack vectors your team is weak against and you can create a roadmap to work more on these issues.

Up to Date and Realistic Education

Make sure that the concept and content of the training are relevant to the real-life situations that the team will encounter (alert investigation, log analysis, malware analysis, etc). At the same time, make sure that it is a program that conceptually handles current vulnerabilities such as Exchange RCE, Log4j, Spring4Shell, etc. Otherwise, the training you will purchase/install will not attract the attention of the SOC team and will create different excuses for not completing it.


A SOC member's job, however technical, can be effective to some extent that he or she can document the incidents well. The created documents will help the SOC team to be on the same page, helping to determine the consistency of the analyzes made as well as the progress of the team. For these reasons, programs that support soft skills, as well as technical skills, should be preferred. For example, you can consider the following courses:

If you are in the process of evaluating a training program, you can make an easier decision by looking for answers to the questions below.

  • Will this training give my SOC team the confidence to handle different types of threats?
  • Does it cover new threats (Log4j, Dog-Walk, Spring4Shell, Proxy4Shell, etc.)?
  • Will they learn to use the right tools and processes at the right time?
  • Does the training add value to the daily work routine of a SOC member?
  • Does it offer SOC simulation for effective learning?

Now, if you are looking a blue team training for your security team don't forget to check the LetsDefend Enterprise edition.

letsdefend description card

You might also be interested in ...

Start learning cybersecurity today