Free SOC Analyst Training: SIEM, XDR & Firewall Labs
SOCSimulator: SOC analyst training, under real pressure.

SOCSimulator is a Security Operations Center training platform where you practice alert triage, incident investigation, and threat analysis using realistic SIEM, XDR, and Firewall interfaces. Built for career-switchers, security teams, students, and bootcamps, it provides hands-on experience with production-modeled security tools and MITRE ATT&CK-mapped scenarios drawn from the current threat landscape. No prior security experience required, and there is a free tier with no credit card.

Investigate real intrusions inside production-style SIEM, XDR, and Firewall consoles, working from the same live data a SOC sees. Built for cybersecurity learners, security teams, and classrooms.
No credit card needed to start.
Three ways to train on real, current attacks.

Everything here is built on the actual, current threat landscape: real attack patterns, real indicators of compromise, and real techniques.

- Operations: investigations and walkthroughs
- Tracks: guided learning paths
- Shift mode: live SOC shift
Akira Ransomware: Full Kill Chain IR (1h · 150 pts)
Trace a ransomware deployment from initial access through lateral movement to data exfiltration across SIEM, XDR, and Firewall.

MFA Fatigue: The Notification Flood (Easy · 30m · 50 pts)

Edge Device Exploitation: VPN Zero-Day (Intermediate · 55m · 50 pts)
Why it works

Every operation rebuilds a real breach from its published telemetry. You investigate the actual evidence in the consoles shown here, and every answer has to hold up against it.

Akira Ransomware: Full Kill Chain IR (Hard · 60m · 200 pts)
Console tabs: XDR · SIEM · Firewall

Process tree (XDR view):
  services.exe  02:14:07
    C:\Windows\system32\services.exe
  [820] svchost.exe (system)  02:14:09
    C:\Windows\system32\svchost.exe -k netsvcs -p
  [3924] anydesk.exe (SYSTEM)  02:19:33
    C:\ProgramData\AnyDesk\anydesk.exe --service
  [5188] powershell.exe (CORP\adm-backup)  Suspicious  02:31:02
    Get-WmiObject Win32_ShadowCopy | ForEach { $_.Delete() }
  [5410] akira.exe (CORP\adm-backup)  Suspicious  02:33:18
    C:\Temp\akira.exe -p \\FS01\finance
    SHA-256 9c2ab417f0d38c5e21b06f44a8d17e93c05b12aa34fe6d78b90c14e2d5a67f31
More operations:
- Scattered Spider: Identity-First Attack Chain
- Black Basta: Email Bomb to Encryption
- Fake Zoom to Ransomware: The Social Engineering Pipeline
- Cloud Token Theft: Identity Under Siege
- Kerberoasting: Service Ticket to Domain Admin
- Evilginx AiTM: Session Cookie Hijack
- CI/CD Pipeline Hijack: GitHub Actions Compromise
- Cobalt Strike: Beacon Detection
- MFA Fatigue: The Notification Flood
- QR Code Phishing: Scan to Compromise
- Credential Harvesting: The Lookalike Login

New operations drop every week, built on the current threat landscape.
SOC Analyst Foundations (Beginner · 7h · 590 XP)
Your first week on the job: phishing, credential theft, and social engineering basics. Learn to investigate the initial access vectors every SOC analyst sees on day one.
2026 Infostealers: The Stealer-Log Economy (Intermediate · 5h · 1465 XP)
Work the infostealer families actually active in 2026 - Lumma, Vidar 2.0, StealC, and the macOS stealer AMOS - from the lure that drops them to the single stolen log that takes down an enterprise.
Coming soon:
- Malware Analysis Fundamentals
- Identity & Cloud Attacks
- Supply Chain & Software Threats
- Ransomware Response
Two tracks are available today, with more releasing soon on 2026 threats.
Shift Mode is launching soon. Operations and Tracks are available today.

Shift Console: live queue (3 open)

critical · SIEM · Impossible travel: finance VP · 3m ago
Same session token signed in from two continents 3 hours apart. MFA satisfied via replayed token, not a fresh prompt.
Indicators: src 41.58.94.22 · user v.rao@corp.com · domain graph.microsoft.com
Event details: location: Lagos, NG · sign_in_risk: high
Triage actions: Resolve · FP · Escalate · Pin · Investigate
high · Firewall · Beaconing to rare ASN · 8m ago
10.10.4.22 → 185.220.101.47

high · XDR · OAuth consent grant: Mail.Read.All · 14m ago
Impossible travel: finance VP (critical · SLA 02:48)

Same session token observed signing in from two continents 3 hours apart. MFA was satisfied, but with a replayed token, not a fresh prompt.

Correlated evidence:
- SIEM: Entra sign-in, vrao@ · 41.58.* (Lagos, NG) · token reuse
- XDR: Token replay, graph.microsoft.com · scope Mail.Read.All
- Firewall: Egress to 185.220.101.47 (TOR exit) · 4.2 MB out

Your call: True positive / False positive
Graded against the feed's real verdict. Escalate the right calls, and don't burn the queue on false alarms.
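The "impossible travel" alert above rests on two observations: the implied travel speed between consecutive sign-ins is physically implausible, and the same session token is reused across countries without a fresh MFA prompt. The following is an added example of that detection logic, written for this page and not part of SOCSimulator's own code. The sign-in events are constructed: the Lagos source IP 41.58.94.22 and the user v.rao@corp.com come from the alert shown above, while the New York and Boston sign-ins, the timestamps, the session identifiers and the field names are assumptions standing in for whatever an identity provider's sign-in log actually carries.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Anything faster than airliner cruise speed cannot be one person travelling.
MAX_PLAUSIBLE_SPEED_KMH = 900.0


@dataclass(frozen=True)
class SignIn:
    """One normalised sign-in event (field names are assumed, not an IdP schema)."""
    user: str
    ts: datetime
    src_ip: str
    country: str
    lat: float
    lon: float
    session_id: str  # token/session identifier as logged by the identity provider
    mfa: str         # "prompt" = fresh MFA challenge answered, "claim" = satisfied by an existing token


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH):
    """Compare each user's consecutive sign-ins; flag pairs whose implied speed is
    implausible. Token reuse across countries with no fresh MFA prompt raises severity,
    because it points at a replayed session rather than a stolen password."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)

    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            dist_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            if dist_km == 0:
                continue  # same place; nothing to compute
            speed = dist_km / hours if hours > 0 else float("inf")
            if speed <= max_speed_kmh:
                continue
            token_reuse = (cur.session_id == prev.session_id
                           and cur.country != prev.country
                           and cur.mfa != "prompt")
            findings.append({
                "user": user,
                "from": f"{prev.src_ip} ({prev.country})",
                "to": f"{cur.src_ip} ({cur.country})",
                "distance_km": round(dist_km),
                "hours": round(hours, 2),
                "speed_kmh": round(speed),
                "token_reuse": token_reuse,
                "severity": "critical" if token_reuse else "high",
            })
    return findings


# Constructed sample feed: one replayed session (New York -> Lagos, same token, no
# fresh prompt) and one ordinary commuter (New York -> Boston over six hours).
SAMPLE_EVENTS = [
    SignIn("v.rao@corp.com", datetime(2026, 3, 14, 10, 2), "203.0.113.17", "US",
           40.7128, -74.0060, "sess-7f3a", "prompt"),
    SignIn("v.rao@corp.com", datetime(2026, 3, 14, 13, 2), "41.58.94.22", "NG",
           6.5244, 3.3792, "sess-7f3a", "claim"),
    SignIn("j.doe@corp.com", datetime(2026, 3, 14, 8, 0), "203.0.113.40", "US",
           40.7128, -74.0060, "sess-11c0", "prompt"),
    SignIn("j.doe@corp.com", datetime(2026, 3, 14, 14, 0), "198.51.100.9", "US",
           42.3601, -71.0589, "sess-11c0", "claim"),
]

if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_EVENTS):
        print(f)
```

Run it and only the finance VP's pair is reported: roughly 8,500 km covered in three hours, with the same session id and no fresh MFA prompt, so the finding is rated critical. The Boston commute stays below the speed threshold and produces nothing, which is the false-positive discipline the shift console grades you on. In a real deployment the speed threshold and the "fresh prompt" signal would be tuned to the identity provider's own fields and to known VPN egress points.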
Watch your competence become measurable.

Every triage decision you make is scored across eight analyst competencies, so your progress is something you can see, not guess at.

Triage speed and accuracy: how fast you respond and how often you classify true vs false positives...