v1.0 · 30 days · 30 hours

Become a SOC analyst in 30 days.

A complete Security Operations Center bootcamp built around Splunk Enterprise Security — every module deeply explained, every detection mapped to MITRE ATT&CK, with a live ES simulator that mimics the real console.

$ ./soc-30 --start
splunk_es · incident_review
last 24 hours
N-2042 · critical · Suspicious PowerShell EncodedCommand · T1059.001
N-2044 · critical · Lateral Movement - PsExec · T1021.002
N-2041 · high · Brute Force - Failed Logins · T1110
N-2047 · medium · Impossible Travel · T1078
4 events · awaiting triage
30 Hours · 30 Modules · 60+ SPL Queries · 30 Hands-on Labs · 240+ Slides · 14 ATT&CK Tactics
// what's inside

Everything a SOC analyst needs — in one platform.

Deep-dive curriculum

30 modules, each unpacked across 8–12 detailed sub-topics, mapped 1:1 to a real SOC analyst's daily work.

Splunk ES simulator

A live, browser-based mimic of the Splunk Enterprise Security console — Incident Review, Posture, Search & Reporting.

60+ production SPL queries

Every query is paired with what it does, why it matters, and how to tune it against false positives.

30 hands-on labs

Each day ends in an exercise that reinforces the module against the simulator.

Slide deck per module

8–11 polished cyber-themed slides per day — present, study, or export for your team.

MITRE ATT&CK mapped

Every detection annotated to a tactic and technique. Build coverage as you learn.

// curriculum

Four weeks. From zero to SOC-ready.

W1

SOC Foundations

Mission, hierarchy, tools, security, networking, OS, frameworks

  • D01 · Introduction to the SOC
  • D02 · SOC Hierarchy & Roles
  • D03 · SOC Tools Landscape
  • D04 · Security Fundamentals
  • + 3 more
W2

Splunk Core

Architecture, ingest, SPL, knowledge objects, dashboards, alerts

  • D08 · Splunk Architecture & Components
  • D09 · Data Onboarding & Parsing
  • D10 · SPL — Search Processing Language (Beginner)
  • D11 · SPL — Advanced (eval · rex · lookup · tstats · transaction)
  • + 3 more
W3

Admin + Enterprise Security

Splunk admin, CIM, ES tour, Notables, Correlation, RBA, A&I

  • D15 · Splunk Admin Essentials
  • D16 · CIM — Common Information Model
  • D17 · Splunk Enterprise Security — Tour
  • D18 · Notable Events & Incident Review
  • + 3 more
W4

Detect & Respond

Use cases, malware, phishing, hunting, IR, SOAR, cloud, capstone

  • D22 · Use Case Engineering
  • D23 · Malware Investigation
  • D24 · Phishing Investigation
  • D25 · Threat Hunting
  • + 5 more
// the lab

Train inside a real-feeling Splunk ES.

Most courses teach Splunk in slides. SOC/30 ships you a working browser simulator — same menus, same Notable Events workflow, same SPL editor. Triage realistic incidents, click through Adaptive Response actions, and run searches over simulated indexer data.

  • Incident Review with full notable-event drawer
  • Security Posture dashboard with ATT&CK breakdown
  • Search & Reporting with editable SPL
  • Realistic ransomware, phishing & lateral-movement scenarios
splunk · search & reporting
| tstats summariesonly=t count from datamodel=Authentication where Authentication.action=failure by Authentication.src, Authentication.user | where count > 20
8 results · 0.32s
jsmith · 85
admin_svc · 62
akumar · 41
guest · 33
// outcomes

What you walk away with.

Tier 1 ready in week 2

After 14 days you can triage Notable Events, write SPL, and contribute on shift.

Tier 2 capable by day 30

Investigate full kill chains, build correlation searches, run RBA pipelines.

Speak the SOC language

ATT&CK, kill chain, diamond model, CIM, RBA — all second nature.

Ship detections from day one

Every module ends with a productizable artifact for your real environment.

Ready to defend?

30 days. 30 hours. A full SOC analyst skill set, with the platform that mirrors the job.
