Blue Team, Detection & Response Study Plan
This page is updated based on jassics/security-study-plan/blue-team-detection-response-study-plan. The more of these topics you cover, the stronger a candidate you will be for Blue Team, SOC, Detection Engineering, and Incident Response roles.
Also, I assume you have already checked and are comfortable with the Common Security Skills study plan.
It covers what you need to know to monitor for, detect, and respond to attacks across endpoints, networks, applications, and cloud.
How this connects: Start with Common Skills and Network Security, then pair this plan with the cloud study plans (AWS, Azure, GCP) and Web Security Testing / Application Security so you can detect the attacks you already know how to perform. Combine it with Threat Modeling to turn identified threats into concrete detections and playbooks.
In Short
- Blue Team is not just "watching a SIEM" - it's about detecting and responding to real attacks.
- You must understand how logs, telemetry, and alerts are generated and correlated.
- Know the incident response lifecycle and how to build playbooks.
- Be comfortable mapping activity to frameworks like MITRE ATT&CK.
- Understand the basics of cloud, endpoint, and network telemetry.
ToC
- Blue Team & SOC Fundamentals - 2 weeks
- Logging, Telemetry & SIEM - 2-3 weeks
- Detection Engineering & Threat Hunting - 3-4 weeks
- Incident Response (IR) Fundamentals - 3-4 weeks
- Digital Forensics Basics - 2-3 weeks
- Cloud & Modern Environments - 2-3 weeks
- Books, Videos, Courses, Certifications
- Interview Questions
Blue Team & SOC Fundamentals
Duration: 2 weeks
Goal: understand what the Blue Team does and how SOCs operate.
Week 1-2: Core Concepts
- Roles & Functions - Tier 1-3 analysts, incident handlers, detection engineers, IR lead
- SOC Operating Models - in-house, MSSP, hybrid
- Core Activities - triage, investigation, containment, eradication, recovery, reporting
- Frameworks - NIST CSF (Identify-Protect-Detect-Respond-Recover), basic exposure to MITRE ATT&CK
Logging, Telemetry & SIEM
Duration: 2-3 weeks
Goal: understand what to log, how, and where it lands.
Week 3-5: Data & Platforms
- Log Types - OS logs (Windows Event Logs, Linux syslog), network logs (firewall, proxies, IDS/IPS), application/API logs, cloud logs (CloudTrail, Azure Activity, GCP Audit)
- Log Quality - timestamps, normalization, context, correlation IDs
- SIEM Concepts - ingestion, parsing, normalization, correlation, dashboards, alerts
- Hands-on - use a lab with ELK, Splunk, or any SIEM-like tool to ingest and search logs
Detection Engineering & Threat Hunting
Duration: 3-4 weeks
Goal: learn how to create high-quality detections and proactively hunt.
Week 6-9: Detections & Hunts
- Detection Engineering Basics - use cases, hypotheses, detection rules, balancing false positives/negatives
- MITRE ATT&CK Mapping - tactics vs techniques, mapping detections to techniques
- Query Languages - SIEM query basics (KQL-like or SPL-like)
- Threat Hunting - hypothesis-driven hunts, baselines/anomaly detection, documented hunting notebooks
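The "Log Types", "Log Quality", "SIEM Concepts" and "Detection Engineering Basics" items above describe a pipeline: ingest raw lines, parse and normalize them into one schema, then run a rule over the normalized events and tag the alert with the ATT&CK technique it is meant to catch. The following is an added example written for this page, not code from the jassics/security-study-plan project. The log lines are constructed samples in a simplified sshd format, the field names follow an ECS-like convention chosen here, and the rule (a failed-login burst from one source, mapped to T1110 Brute Force) and its threshold are assumptions you would tune against your own baseline.

```python
"""Added example (not from the original study plan): normalize raw log lines
into a common schema, then run a simple failed-login burst detection rule.
All log lines below are constructed samples; field names are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone, timedelta

# Constructed sample events in a simplified sshd-style format (not copied from
# any real system). Addresses are from documentation ranges.
RAW_LOGS = [
    "2024-05-01T10:00:01Z host1 sshd[1201]: Failed password for root from 203.0.113.7 port 5541 ssh2",
    "2024-05-01T10:00:03Z host1 sshd[1201]: Failed password for admin from 203.0.113.7 port 5542 ssh2",
    "2024-05-01T10:00:04Z host1 sshd[1201]: Failed password for oracle from 203.0.113.7 port 5543 ssh2",
    "2024-05-01T10:00:06Z host1 sshd[1201]: Failed password for test from 203.0.113.7 port 5544 ssh2",
    "2024-05-01T10:00:08Z host1 sshd[1201]: Failed password for guest from 203.0.113.7 port 5545 ssh2",
    "2024-05-01T10:00:09Z host1 sshd[1201]: Accepted password for alice from 198.51.100.20 port 6001 ssh2",
    "2024-05-01T10:15:00Z host2 sshd[880]: Failed password for bob from 198.51.100.20 port 6002 ssh2",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def normalize(line):
    """Parse one sshd-style line into a common schema (ECS-like names assumed).
    Returns None for lines the parser does not understand, so unparsed lines
    are counted rather than silently dropped (a log-quality signal in itself)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {
        # Timestamps are normalized to timezone-aware UTC so windows compare correctly.
        "@timestamp": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "host.name": m["host"],
        "user.name": m["user"],
        "source.ip": m["src"],
        "event.outcome": "failure" if m["outcome"] == "Failed" else "success",
    }


def detect_failed_login_burst(events, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window rule: at least `threshold` failures from one source.ip
    inside `window`. Emits one alert per source when the threshold is crossed,
    tagged with the ATT&CK technique the rule is designed to catch (T1110)."""
    alerts = []
    recent = defaultdict(deque)   # source.ip -> timestamps of recent failures
    alerted = set()
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev["event.outcome"] != "failure":
            continue
        q = recent[ev["source.ip"]]
        q.append(ev["@timestamp"])
        while q and ev["@timestamp"] - q[0] > window:   # expire old failures
            q.popleft()
        if len(q) >= threshold and ev["source.ip"] not in alerted:
            alerted.add(ev["source.ip"])
            alerts.append({
                "rule": "ssh_failed_login_burst",
                "attack.technique": "T1110",
                "source.ip": ev["source.ip"],
                "count": len(q),
                "first_seen": q[0].isoformat(),
                "last_seen": ev["@timestamp"].isoformat(),
            })
    return alerts


def run_pipeline(raw_lines=RAW_LOGS):
    """Ingest -> parse/normalize -> detect. Returns (alerts, unparsed_line_count)."""
    events, unparsed = [], 0
    for line in raw_lines:
        ev = normalize(line)
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    return detect_failed_login_burst(events), unparsed


if __name__ == "__main__":
    found, skipped = run_pipeline()
    print(f"{len(found)} alert(s), {skipped} unparsed line(s)")
    for a in found:
        print(a)
```

Two design points worth noticing: the parser returns `None` instead of raising, and the pipeline counts those lines, because a parser that quietly drops unfamiliar formats is the most common way a detection goes blind after a log-format change; and the rule alerts once per source rather than on every subsequent failure, which is the simplest form of the false-positive/alert-fatigue balancing the "Detection Engineering Basics" item refers to.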
Incident Response (IR) Fundamentals
Duration: 3-4 weeks
Goal: understand how to handle incidents end-to-end.
Week 10-13: IR Lifecycle
- IR Phases - Preparation, Detection & Analysis, Containment, Eradication, Recovery, Lessons Learned
- Playbooks & Runbooks - phishing incident, ransomware/malware outbreak, cloud credential compromise
- Communication - internal stakeholders, leadership, legal, PR; when to involve regulators/law enforcement
- Tabletop Exercises - running simulated incidents to test readiness
Digital Forensics Basics
Duration: 2-3 weeks
Goal: learn fundamentals of collecting and analyzing evidence safely.
Week 14-16: Forensics Overview
- Evidence Handling - chain of custody, integrity, imaging vs live response
- Endpoint Forensics - Windows (registry artifacts, event logs), Linux (logs, processes, file timelines)
- Memory & Disk Analysis (high level) - what's possible and when it's needed
- Cloud Forensics Basics - using cloud logs and snapshots to reconstruct events
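The "Evidence Handling" item lists chain of custody and integrity; in practice that means hashing an image at acquisition and re-hashing it at every hand-off, with the result recorded whether or not it matches. Below is an added example for this page, not code from the study plan's author or from any forensics tool; the evidence bytes are a constructed stand-in for an acquired image and the record layout is an assumption.

```python
"""Added example (not from the original study plan): hash-based integrity
verification plus a minimal chain-of-custody record for an acquired image.
The evidence bytes are constructed; the record layout is an assumption."""
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk or memory image.
EVIDENCE_IMAGE = b"constructed evidence image bytes\x00" * 1024


def sha256_hex(data, chunk_size=65536):
    """Hash in fixed-size chunks so the same routine scales to images that are
    read from disk piecewise rather than held in memory."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk_size):
        h.update(data[i:i + chunk_size])
    return h.hexdigest()


def acquire(data, handler, note):
    """Start a chain-of-custody record; the acquisition hash is the reference
    every later verification is compared against."""
    return [{
        "time": datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "action": "acquired",
        "sha256": sha256_hex(data),
        "verified": True,
        "note": note,
    }]


def hand_off(custody, data, handler, note):
    """Re-hash at each hand-off and append the result. A mismatch is recorded
    as verified=False rather than raising, so the record itself shows where
    integrity was lost. Returns True if the hash still matches acquisition."""
    expected = custody[0]["sha256"]
    actual = sha256_hex(data)
    custody.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "action": "transferred",
        "sha256": actual,
        "verified": actual == expected,
        "note": note,
    })
    return actual == expected


def chain_intact(custody):
    """True only if every entry in the record verified against the acquisition hash."""
    return all(entry["verified"] for entry in custody)


if __name__ == "__main__":
    record = acquire(EVIDENCE_IMAGE, "analyst-a", "acquired from lab host (constructed)")
    hand_off(record, EVIDENCE_IMAGE, "analyst-b", "received for analysis")
    # Simulate a single flipped byte in the copy analyst-c received.
    altered = bytearray(EVIDENCE_IMAGE)
    altered[10] ^= 0x01
    hand_off(record, bytes(altered), "analyst-c", "received copy")
    for e in record:
        print(e["action"], e["handler"], e["verified"], e["sha256"][:16])
    print("chain intact:", chain_intact(record))
```

The reason a mismatch is recorded rather than raised is that the chain-of-custody record is the artifact a reviewer or court will read; a failed verification that is visible in the record at the exact hand-off where it occurred is far more useful than an exception in an analyst's terminal.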
Cloud & Modern Environments
Duration: 2-3 weeks
Goal: understand detection & response in cloud, SaaS, and modern stacks.
Week 17-19: Modern Blue Teaming
- Cloud Telemetry - AWS, Azure, GCP basic security logs and where they're configured
- Containers & Kubernetes - high-level understanding of pod/node logs and common attack traces
- SaaS & IdP Logs - identity provider logs (SSO, MFA), email security logs, EDR logs
- Integration - sending these logs into SIEM/XDR and writing detections around them
Books, Videos, Courses, Certifications
- Strong Blue Team/SOC operations books; books on incident response and digital forensics; case studies of real intrusions
- Conference talks on detection engineering, Blue Teaming, SOC operations, and DFIR case studies
- Blue Team/SOC analyst fundamentals courses; IR/DFIR-focused training with hands-on labs; threat hunting courses using common SIEM/XDR tools
- Entry-level SOC/Blue Team certs; IR/DFIR-oriented certifications if you want to specialize; Security+ for foundational knowledge
Interview Questions
Reuse questions from Network Security, Cloud Security, and GRC, but focus on detection & response:
- How would you design logging for a new web application or API?
- How do you triage an alert that might be a false positive?
- How would you investigate a suspected account compromise in a cloud environment?
- How do you measure the effectiveness of your detections and IR process?
More SOC-focused questions live in the SOC interview questions page.
Practice next: SOC interview questions, and jassics/security-study-plan for the latest updates to this plan.