Getting Done With PSAA by TCM Security
- CyberSpeak Labs

- Dec 8, 2024
Hey everyone. Hammaz here. I had the opportunity to sit the PSAA (Practical SOC Analyst Associate) exam by TCM Security. This is my own personal review of the exam.
And I'm happy to announce that I passed!

Verify it here!
We will talk about:
- The SOC-101 course
- Structure of the exam (without breaking the NDA lol)
- Exam tips
- Extra resources
- How it compares to BTL1 and CDSA
SOC-101 Course
According to TCM, this course is all you need to take and pass the exam. I fully agree. The course is fantastic. Use the link below to get an overview of the course. https://academy.tcm-sec.com/p/security-operations-soc-101
From what I understood, the Phishing Analysis and Endpoint Security sections are really good. They are extremely detailed, and you get to understand how Windows system processes actually work, which in turn helps you tell the malicious ones apart.
The course has multiple sections, including lab setup, Phishing Analysis, Endpoint and Network Security, SIEM, Threat Intelligence, DFIR, and lastly, Incident Response.
The Incident Response section has detailed videos on Incident Response frameworks, which gather everything you have learned throughout the course and make sense of it.
The SIEM section helps you understand how Splunk is set up, how you can ingest logs yourself, and how to write meaningful queries. The course instructor also gives a great explanation of how to threat hunt.
Structure of the Exam
To appear for the exam, all you need is a laptop, a web browser, and a VPN connection file provided by TCM Security. No extra lab setups or tool downloads required. Pretty cool stuff ;)
You get 2 days for analysis and evidence gathering, and 2 for report writing.
You will be allotted 4 different tickets, utilizing different tools you have learned throughout the course.
You need to write a report on each ticket, but ultimately only 1 PDF containing all 4 reports should be submitted.
Once you start your exam, a PDF is provided with detailed step-by-step instructions on how to do literally everything before you start your analysis.
The best part about the exam is that there are no flags to capture. Hence you have to make an educated, evidence-based analysis. What does that mean? For instance, say you shortlisted 3 answers, A, B, and C. You can't just put each of those answers in a box and see if it's right or wrong. I feel this makes the exam like a real-world scenario.
You get the freedom to choose any of the 4 tickets and work on whichever you want first.
Exam Tips
While you're going through the course, make sure you take detailed notes, especially in the Endpoint Security, SIEM, and Phishing Analysis sections.
Keep notes of the commands utilized. I use an app called Obsidian, which is fantastic for taking notes.
The exam lasts for 4 days: 2 for analysis, 2 for the report. My suggestion is that if you're done with 2 incidents in the first 8 hours like me, write up your report at that very moment, since you won't get access to the labs after the first two days.
But if you're finding the exam difficult, take detailed notes with screenshots, and write and structure your report in the last two days.
Once you start a scenario or ticket, try not to jump to a different one if you can't solve some questions. This kind of takes you out of the mindset and buildup of that incident.
Since you're never sure if your analysis and answers are correct, make sure you try to double-check them with more evidence. You can put both pieces of evidence in your report to make it more credible. For instance, if you search for an IP on VirusTotal, try cross-verifying it on Cisco Talos as well.
Practice SIEM. Use BOTS.
My report was 57 pages.
My strategy for any practical exam is 3 hours of analysis, then a 1 hour break.
I was able to solve 3 tickets in the first 24 hours (with a 102 degree fever lol).
Drink plenty of water. It's just an exam. You got this!
Extra Resources
According to TCM Sec, the SOC-101 course is all you need to prepare for the exam, and I agree with that. But a bit of extra practice never hurts. In fact, at the end of the SOC-101 course there are around 8–9 extra (paid) resources provided from BTLO and THM.
Free Resources
CCD Resources (Network Security)
CCD Resources (Phishing Analysis)
CCD Resources (Endpoint Forensics)
- Reveal
- Insider
CCD Resources (Threat Intel)
BTLO (Network Forensics)
- Piggy
BTLO (Endpoint Security)
BTLO (Threat Intelligence)
- FOXY
BOTS Splunk
- Website Defacement
- Ransomware
Both of these BOTS investigations have really detailed explanations in the SOC-101 course.
Unfortunately there aren't many free resources on BTLO, but the ones I mentioned above are way more than what should be needed.
PSAA compared to BTL1 and CDSA
This is probably the question I get asked most in DMs on LinkedIn.
I won't bash any of the three, PSAA, BTL1, or CDSA, since all 3 are GOLD in knowledge and practicality (but I lean towards CDSA). Instead, I'll rate them on different scales.
Difficulty and Comparison:
CDSA wins this by a huge, huge margin, followed by PSAA, and lastly BTL1. You can read my detailed CDSA review here. In terms of difficulty CDSA is surely number 1. Plus the 7 day timeframe for the exam seems short as well. You need to be proficient in Splunk and Elastic. PSAA only has Splunk, and you don't need very advanced queries. BTL1 has Splunk too, and you can basically clear the exam by just using simple quoted searches. Volatility usage is heavy on CDSA, unlike BTL1 and PSAA.
BTL1 and PSAA have a Phishing Analysis section; CDSA lacks that. PSAA comes out on top here with its detailed analysis of phishing emails, though BTL1 is quite good too.
Content-wise I prefer more video tutorials, so PSAA takes the lead here. The course has over 30 hours of content, so there's that.
All together, CDSA is the most difficult among the three. PSAA is more beginner friendly. But BTL1 is more recognized since it's been in the industry for longer. Confused, right? Same here!
Take price into consideration as well: CDSA is $220 with sub, BTL1 $500, and PSAA $200.
That's all from my side. I could go on about which certification you should take, but it all depends on your motivation and the amount of money you want to spend!
If you want to discuss more drop me a text on LinkedIn.
Hopefully I haven’t breached any NDA ;)