The fastest SOC analysts hired in 2026 built labs, broke things, and documented findings before day one. This 90-day roadmap gives you that same progression: concrete weekly milestones, hands-on tools, and a home lab that mirrors real SOC environments.
Days 1-30: Get to Packet-Level Fluency
Your first 30 days have one goal: understand what normal traffic looks like. Open a Wireshark capture of an HTTP session and explain every field in the TCP handshake by week two.
Set up your home lab in parallel. A single machine running Proxmox with a pfSense firewall VM and two internal subnets is enough. Install Sysmon on a Windows VM, generate activity, then ship those logs to a free Elastic or Wazuh instance. Learn to correlate Security log Event ID 4688 (process creation) with Sysmon Event ID 3 (network connection). That correlation is the foundation of 80% of Windows intrusion detection. The full build is in our cybersecurity home lab guide.
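The 4688-to-Sysmon-3 join above is worth seeing in code before you try to express it as a SIEM rule. The following is an added example, not from the original article or any vendor: the event records are constructed, and their field names (host, pid, image, dest_ip) are a simplified, hypothetical normalisation of what a log shipper actually delivers. It also shows the two outcomes a rule must handle: a connection whose process is long gone (pid reuse) and a connection with no process creation on record at all.

```python
"""Correlate Security log 4688 (process creation) with Sysmon Event ID 3
(network connection) on the same host and process id.

Added example, not code from the original article. Field names are a
simplified, hypothetical normalisation of what a shipper such as Winlogbeat
or the Wazuh agent would deliver; real events carry many more fields."""
from datetime import datetime

# Constructed sample events for a hypothetical host "WS01".
SAMPLE_EVENTS = [
    {"event_id": 4688, "time": "2026-01-10T09:00:01", "host": "WS01", "pid": 4120,
     "image": r"C:\Windows\System32\notepad.exe", "user": "alice"},
    {"event_id": 4688, "time": "2026-01-10T09:00:05", "host": "WS01", "pid": 5210,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "user": "alice"},
    # network connection two seconds after the powershell.exe creation
    {"event_id": 3, "time": "2026-01-10T09:00:07", "host": "WS01", "pid": 5210,
     "dest_ip": "203.0.113.7", "dest_port": 443},
    # same pid as notepad.exe, but 30 minutes later: outside the default
    # window, so it is reported as unmatched rather than attributed to notepad
    {"event_id": 3, "time": "2026-01-10T09:30:00", "host": "WS01", "pid": 4120,
     "dest_ip": "198.51.100.9", "dest_port": 80},
    # no 4688 at all for this pid: a visibility gap worth its own alert
    {"event_id": 3, "time": "2026-01-10T09:00:09", "host": "WS01", "pid": 9999,
     "dest_ip": "192.0.2.1", "dest_port": 445},
]


def _ts(value):
    return datetime.fromisoformat(value)


def correlate(events, window_seconds=300):
    """Attach each Sysmon 3 to the most recent 4688 for the same (host, pid)
    that fired at most window_seconds earlier.

    Returns (matches, unmatched). Windows reuses a pid once the process
    exits, so the time window is what stops a later connection from being
    attributed to an old process; Sysmon's own ProcessGuid (Event ID 1 + 3)
    is the more robust join key when you have it."""
    creations = {}
    for event in events:
        if event["event_id"] == 4688:
            creations.setdefault((event["host"], event["pid"]), []).append(event)

    matches, unmatched = [], []
    network = sorted((e for e in events if e["event_id"] == 3), key=lambda e: e["time"])
    for conn in network:
        t_conn = _ts(conn["time"])
        candidates = [
            c for c in creations.get((conn["host"], conn["pid"]), [])
            if 0 <= (t_conn - _ts(c["time"])).total_seconds() <= window_seconds
        ]
        if not candidates:
            unmatched.append(conn)
            continue
        parent = max(candidates, key=lambda c: c["time"])
        matches.append({
            "host": conn["host"],
            "pid": conn["pid"],
            "user": parent["user"],
            "image": parent["image"],
            "dest": f'{conn["dest_ip"]}:{conn["dest_port"]}',
            "delay_s": (t_conn - _ts(parent["time"])).total_seconds(),
        })
    return matches, unmatched


if __name__ == "__main__":
    found, orphans = correlate(SAMPLE_EVENTS)
    for m in found:
        print(f'{m["user"]} ran {m["image"]} -> {m["dest"]} after {m["delay_s"]:.0f}s')
    for o in orphans:
        print(f'no process creation seen for pid {o["pid"]} -> {o["dest_ip"]}:{o["dest_port"]}')
```

The window is a tuning knob, not a constant: widen it and the notepad.exe connection half an hour later gets attributed, narrow it and you lose long-running processes. Unmatched connections are the more interesting output for a lab, because they usually mean the Security log rolled, auditing is off, or the shipper dropped events.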
Days 31-60: Run Real Attack Simulations
By day 31 logs are flowing. Pick one MITRE ATT&CK tactic per week. Start with T1059 (Command and Scripting Interpreter) because encoded PowerShell appears in roughly 40% of real-world Windows intrusions. Use Atomic Red Team to run the attack, then write a SIEM rule that catches it. Our Elastic vs Wazuh comparison covers which platform fits a home lab versus production.
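Before you write the T1059 rule in your SIEM, it helps to write the detection logic once in plain code so you know exactly what the rule has to do. This is an added example, not from the original article or from Atomic Red Team: it pulls the base64 argument out of a process command line, decodes it the way PowerShell does (UTF-16LE, not UTF-8), and scores the result. The sample command lines are constructed, and the keyword list and the set of -EncodedCommand spellings are assumptions to tune against your own telemetry.

```python
"""Decode and score PowerShell -EncodedCommand arguments from process
creation command lines (ATT&CK T1059.001).

Added example, not from the original article or from Atomic Red Team.
Sample command lines are constructed; the keyword list is a starting point
to tune against your own lab telemetry."""
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings seen most often in telemetry (assumption: extend as you find more).
ENC_RE = re.compile(r"(?i)(?<!\S)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

# Tokens whose presence in the decoded script raises the finding to "high".
SUSPICIOUS_TOKENS = (
    "invoke-expression", "iex ", "downloadstring", "downloadfile",
    "frombase64string", "-nop", "hidden", "bypass",
)


def encode_for_powershell(script):
    """PowerShell expects base64 of the UTF-16LE bytes, not of UTF-8."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def analyze_command_line(command_line):
    """Return None when no encoded command is present; otherwise a finding
    with the decoded script (None if it would not decode) and a severity."""
    match = ENC_RE.search(command_line)
    if not match:
        return None
    token = match.group(1)
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        # Odd byte count or bad alphabet: still an encoded-command attempt,
        # but the analyst has to look at it by hand.
        return {"encoded": token, "decoded": None, "severity": "medium"}
    lowered = decoded.lower()
    hits = [t for t in SUSPICIOUS_TOKENS if t in lowered]
    severity = "high" if hits else "low"
    return {"encoded": token, "decoded": decoded, "severity": severity, "hits": hits}


# Constructed samples: a plain script run, an admin convenience one-liner,
# and an encoded command that hands a staged file to Invoke-Expression.
SAMPLE_COMMAND_LINES = [
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
    "powershell.exe -NoP -enc " + encode_for_powershell("Write-Host 'hello lab'"),
    "powershell.exe -NoP -W Hidden -enc " + encode_for_powershell(
        "Invoke-Expression (Get-Content C:\\Users\\Public\\stage.ps1 -Raw)"),
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(analyze_command_line(line))
```

The point of decoding inside the rule is that -enc on its own is not an alert: scheduled tasks and management agents use it legitimately. Alert on what the decoded script does, and keep the "medium" branch for tokens that will not decode, because a broken encoding is still someone trying to hide a command line.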
Week six: run a GoPhish campaign against your lab mail server and trace every artifact from the tracking pixel GET to the credential POST. That kill-chain fluency is what L1 triage requires.
By day 60 your lab should generate 20 meaningful alerts daily. Close each one with written triage notes. That habit is what gets analysts promoted.
Days 61-90: Build Speed and a Portfolio
The final phase is about process under pressure. Target a mean triage time below 8 minutes per alert.
Write a one-page runbook for every alert type you encounter: what to check, what tools to query, what makes a true positive, and the escalation path. That runbook is a differentiator in interviews.
Use this phase to practice threat hunting beyond reactive alerting. Hunt for lateral movement artifacts (unusual SMB, pass-the-hash, abnormal service account behaviour) to show you understand attacker behaviour, not just signatures.
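A hunt differs from an alert in that it starts from a hypothesis and a baseline, not a signature. The block below is an added example, not from the original article: it runs three lateral-movement hypotheses over constructed Security Event ID 4624 logon records (service account logging on interactively or over RDP, service account on a host outside its baseline, NTLM network logon between two workstations where Kerberos is expected, which is one common pass-the-hash heuristic rather than proof of it). The "svc_" account prefix, the "WS" workstation naming convention and the baseline table are assumptions about the lab.

```python
"""Hunt for lateral movement indicators in Windows logon events (Security
Event ID 4624) rather than waiting for a signature to fire.

Added example, not from the original article. Events are constructed and
reduced to the fields the hunt needs; the "svc_" account prefix and the
"WS" workstation naming convention are assumptions about the lab, and the
baseline is something you build from weeks of your own normal traffic."""

# Constructed baseline: the hosts each service account is expected to log on to.
BASELINE_HOSTS = {
    "svc_backup": {"BKP01", "FS01"},
    "svc_sql": {"SQL01"},
}

# Constructed 4624 events. logon_type 2 = interactive, 3 = network,
# 5 = service, 10 = RemoteInteractive (RDP). "workstation" is the source host.
SAMPLE_LOGONS = [
    {"time": "2026-02-03T02:00:00", "host": "SQL01", "account": "svc_sql",
     "logon_type": 5, "auth_package": "Negotiate", "workstation": "SQL01"},
    {"time": "2026-02-03T02:05:00", "host": "FS01", "account": "alice",
     "logon_type": 3, "auth_package": "Kerberos", "workstation": "WS02"},
    {"time": "2026-02-03T02:07:00", "host": "WS05", "account": "alice",
     "logon_type": 3, "auth_package": "NTLM", "workstation": "WS02"},
    {"time": "2026-02-03T02:09:00", "host": "WS07", "account": "svc_backup",
     "logon_type": 10, "auth_package": "NTLM", "workstation": "WS03"},
]


def is_service_account(account):
    return account.lower().startswith("svc_")


def is_workstation(host):
    return host.upper().startswith("WS")


def _finding(event, rule, why):
    return {"rule": rule, "account": event["account"], "host": event["host"],
            "source": event["workstation"], "time": event["time"], "why": why}


def hunt(logons, baseline=BASELINE_HOSTS):
    """Return one finding per hypothesis that an event supports."""
    findings = []
    for e in logons:
        if is_service_account(e["account"]):
            if e["logon_type"] in (2, 10):
                findings.append(_finding(
                    e, "svc_interactive",
                    "service accounts should not log on at a console or over RDP"))
            expected = baseline.get(e["account"], set())
            if e["host"] not in expected:
                findings.append(_finding(
                    e, "svc_unexpected_host", f"baseline hosts: {sorted(expected)}"))
        if (e["logon_type"] == 3 and e["auth_package"].upper() == "NTLM"
                and is_workstation(e["workstation"]) and is_workstation(e["host"])):
            findings.append(_finding(
                e, "ntlm_ws_to_ws",
                "NTLM where Kerberos is expected, workstation to workstation"))
    return findings


def by_account(findings):
    """Count findings per account: the list you walk in a hunt write-up."""
    counts = {}
    for f in findings:
        counts[f["account"]] = counts.get(f["account"], 0) + 1
    return counts


if __name__ == "__main__":
    results = hunt(SAMPLE_LOGONS)
    for f in results:
        print(f'{f["time"]} {f["rule"]:20} {f["account"]} {f["source"]}->{f["host"]}: {f["why"]}')
    print(by_account(results))
```

Each finding names the hypothesis it came from, which is what your hunt notes need: the write-up is "I tested X over Y days of 4624 data and found Z", not "an alert fired". Every rule here will produce false positives in a real domain (legacy NTLM-only applications, an admin RDPing with a service account to debug it); the baseline and the write-up are where you show you understand the difference.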
By day 90 you need a GitHub repository with your detection rules, lab documentation, playbooks, and three documented incident simulations. That is your portfolio. The UK cybersecurity career path guide maps which certifications move the needle at each level. Sit CompTIA Security+ before day 45 to clear the HR filter at roughly 70% of UK entry-level postings.
Frequently Asked Questions
How long does it take to get a SOC analyst job with no experience?
Most candidates following a structured lab approach land their first L1 role within 4 to 7 months. The 90-day roadmap gets you interview-ready; the hiring cycle accounts for the rest.
Do I need a degree to become a SOC analyst?
No. UK SOC teams hire on demonstrated skills: certifications, lab work, and platforms like TryHackMe or Blue Team Labs Online. A portfolio of detection rules outweighs a non-technical degree in most hiring decisions.
What SIEM should I learn first?
Elastic (ELK Stack) is the best starting point. It is free, widely deployed in UK enterprises, and forces you to understand the underlying data model. Wazuh is a strong second for its OSSEC integration and built-in compliance rules.
Is a home lab actually necessary?
Yes. Alert triage instincts come from watching normal traffic for hours, not from reading about it. A home lab is the only safe way to build that pattern recognition before employment.