SoC Simulator – Browser SoC training grounded in real Intel, free

iruhernandez1 pts0 comments

Free SOC Analyst Training: SIEM, XDR & Firewall Labs

SOCSimulator: SOC analyst training, under real pressure.<br>SOCSimulator is a Security Operations Center training platform where you practice alert triage, incident investigation, and threat analysis using realistic SIEM, XDR, and Firewall interfaces. Built for career-switchers, security teams, students, and bootcamps, it provides hands-on experience with production-modeled security tools and MITRE ATT&CK-mapped scenarios drawn from the current threat landscape. No prior security experience required, and there is a free tier with no credit card.<br>Investigate real intrusions inside production-style SIEM, XDR, and Firewall consoles, working from the same live data a SOC sees. Built for cybersecurity learners, security teams, and classrooms.

No credit card needed to start.

For teams and educators

Three ways to train on real, current attacks.<br>Everything here is built on the actual, current threat landscape: real attack patterns, real indicators of compromise, and real techniques.

Operations: Investigations and walkthroughs<br>Tracks: Guided learning paths<br>Shift mode: Live SOC shift

Akira Ransomware: Full Kill Chain IR

Trace a ransomware deployment from initial access through lateral movement to data exfiltration across SIEM, XDR, and Firewall.

1h·150

MFA Fatigue: The Notification Flood<br>Easy · 30m · 50 pts

Edge Device Exploitation: VPN Zero-Day<br>Intermediate · 55m · 50 pts

Why it works<br>Every operation rebuilds a real breach from its published telemetry. You investigate the actual evidence in the consoles shown here, and every answer has to hold up against it.

Akira Ransomware: Full Kill Chain IR<br>Hard · 60m · 200 pts<br>XDR · SIEM · Firewall<br>Process tree<br>C:\Windows\system32\services.exe · 02:14:07<br>[820] svchost.exe (system) · 02:14:09<br>C:\Windows\system32\svchost.exe -k netsvcs -p

[3924] anydesk.exe (SYSTEM) · 02:19:33<br>C:\ProgramData\AnyDesk\anydesk.exe --service

[5188] powershell.exe (CORP\adm-backup) · Suspicious · 02:31:02<br>Get-WmiObject Win32_ShadowCopy | ForEach { $_.Delete() }

[5410] akira.exe (CORP\adm-backup) · Suspicious · 02:33:18<br>C:\Temp\akira.exe -p \\FS01\finance<br>SHA-256 9c2ab417f0d38c5e21b06f44a8d17e93c05b12aa34fe6d78b90c14e2d5a67f31

Scattered Spider: Identity-First Attack Chain<br>Black Basta: Email Bomb to Encryption<br>Fake Zoom to Ransomware: The Social Engineering Pipeline<br>Cloud Token Theft: Identity Under Siege<br>Kerberoasting: Service Ticket to Domain Admin<br>Evilginx AiTM: Session Cookie Hijack<br>CI/CD Pipeline Hijack: GitHub Actions Compromise<br>Cobalt Strike: Beacon Detection<br>MFA Fatigue: The Notification Flood<br>QR Code Phishing: Scan to Compromise<br>Credential Harvesting: The Lookalike Login

New operations drop every week, built on the current threat landscape.

7h·590 XP

SOC Analyst Foundations<br>Your first week on the job: phishing, credential theft, and social engineering basics. Learn to investigate the initial access vectors every SOC analyst sees on day one.<br>Beginner

5h·1465 XP

2026 Infostealers: The Stealer-Log Economy<br>Work the infostealer families actually active in 2026 - Lumma, Vidar 2.0, StealC, and the macOS stealer AMOS - from the lure that drops them to the single stolen log that takes down an enterprise.<br>Intermediate

Malware Analysis Fundamentals<br>Coming soon

Identity & Cloud Attacks<br>Coming soon

Supply Chain & Software Threats<br>Coming soon

Ransomware Response<br>Coming soon

Two tracks are available today, with more releasing soon on 2026 threats.

Shift Mode is launching soon.<br>Operations and Tracks are available today.

Shift Console · Live queue<br>3 open<br>critical · SIEM · Impossible travel: finance VP<br>3m<br>Same session token signed in from two continents 3 hours apart. MFA satisfied via replayed token, not a fresh prompt.<br>Indicators<br>src: 41.58.94.22<br>user: v.rao@corp.com<br>domain: graph.microsoft.com<br>Event details<br>location: Lagos, NG<br>sign_in_risk: high


high · Firewall · Beaconing to rare ASN<br>10.10.4.22 → 185.220.101.47<br>8m

high · XDR · OAuth consent grant: Mail.Read.All<br>14m

Impossible travel: finance VP<br>critical · SLA 02:48

Same session token observed signing in from two continents 3 hours apart. MFA was satisfied, but with a replayed token, not a fresh prompt.<br>Correlated evidence<br>SIEM · Entra sign-in · vrao@ · 41.58.* (Lagos, NG) · token reuse<br>XDR · Token replay · graph.microsoft.com · scope Mail.Read.All<br>Firewall · Egress · 185.220.101.47 (TOR exit) · 4.2 MB out

Your call<br>True positive · False positive<br>Graded against the feed's real verdict. Escalate the right calls, and don't burn the queue on false alarms.

Watch your competence become measurable.<br>Every triage decision you make is scored across eight analyst competencies, so your progress is something you can see, not guess at.<br>Triage speed and accuracy. How fast you respond and how often you classify true vs false positives...
