Security Analyst Level 1 Exam Review

My personal view on the latest TryHackMe exam they've released, from the perspective of someone who had never touched blue teaming.


This is an honest review, with my personal opinion on the structure and "challenges" I've had regarding TryHackMe's SAL1 exam, which seems to me like a solid choice for anyone who wants exposure to security concepts from a defensive perspective.

TLDR: My opinion is that the exam is a good option for people on a tight budget. It covers a multitude of topics, allowing you to get familiar with key concepts that are used in blue teaming across organisations. It comes with a set of rapid-fire questions and practical scenarios, each taking up to 2 hours to complete. A scenario completes once you have closed the final True Positive alert.

The good

Materials! There are plenty of them that you can go through at your own pace, designed by the team at TryHackMe. Big shoutout to Ben (CMNatic), his content is solid and provides in-depth coverage of Blue Team topics such as the Pyramid of Pain, the Unified Kill Chain or Velociraptor, just to name a few.

Even after having a few years of experience in the field, especially from a consultancy point of view, the content was a breeze to go through. On top of that, I've picked up a few new skills and insights on how to utilise tooling better and improve processes internally.

The scenarios were varied, some of them with more alerts than others. In one of the scenarios I had somewhere around 24 alerts, which was exhausting and made me reconsider my life choices for a hot second, haha! Going past that, some of them were realistic and showcased how important it is to have logs ingested from various sources in case an attacker compromises the device.

The SOC notes: whilst some of them were more of a meme, they show that communications may not always come through official approaches, and sometimes testing in production is the way to go.

The bad

Whilst it is rated as an entry-level exam, I wouldn't advise going for it if you are barely starting your journey in cybersecurity, as some of the concepts covered in the exam, whilst beginner friendly, are not easy to grasp if you lack familiarity with the IT field.

The incident handling notes: while it was the same process for all the alerts, it would've been beneficial to provide a varied incident handling process associated with each scenario, as different SOCs have different ways to handle incidents.

The ugly

The only downside of this exam, I think, while interesting and a sensible approach to reduce effort, is the utilisation of AI.

In my second attempt, I made it clear which of the Ws I was covering at each step, to keep it simple to understand, and noticed how my success rate and score on the scenarios increased drastically.

It would also be really cool to collect information such as mean time to acknowledgement, or service level agreements, around how much time it took the analyst to pick up or resolve the alert(s).
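As an added illustration of the metrics suggested above (not part of the original post or of the exam), here is a small Python script that computes mean time to acknowledge (MTTA) and mean time to resolve (MTTR) over a set of constructed alert records and flags SLA breaches; the alert data and the per-severity SLA targets are made-up assumptions.

```python
from datetime import datetime
from statistics import mean

# Constructed sample alert records (not real exam data): one row per alert
# with creation, acknowledgement and closure timestamps plus its severity.
ALERTS = [
    {"id": "A-1", "severity": "high",   "created": "2024-05-01T09:00:00",
     "acked": "2024-05-01T09:04:00", "closed": "2024-05-01T09:40:00"},
    {"id": "A-2", "severity": "medium", "created": "2024-05-01T09:10:00",
     "acked": "2024-05-01T09:45:00", "closed": "2024-05-01T10:30:00"},
    {"id": "A-3", "severity": "low",    "created": "2024-05-01T09:20:00",
     "acked": "2024-05-01T09:30:00", "closed": "2024-05-01T18:00:00"},
    {"id": "A-4", "severity": "high",   "created": "2024-05-01T10:00:00",
     "acked": "2024-05-01T10:05:00", "closed": "2024-05-01T11:30:00"},
]

# Assumed SLA targets in minutes per severity (hypothetical values).
SLA_ACK = {"high": 15, "medium": 30, "low": 60}
SLA_RESOLVE = {"high": 60, "medium": 240, "low": 480}


def minutes_between(start: str, end: str) -> float:
    """Elapsed minutes between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def mtta(alerts) -> float:
    """Mean time to acknowledge: created -> acked, averaged over all alerts."""
    return mean(minutes_between(a["created"], a["acked"]) for a in alerts)


def mttr(alerts) -> float:
    """Mean time to resolve: created -> closed, averaged over all alerts."""
    return mean(minutes_between(a["created"], a["closed"]) for a in alerts)


def mtta_by_severity(alerts) -> dict:
    """MTTA broken down per severity, so a slow queue for one tier stands out."""
    buckets = {}
    for a in alerts:
        buckets.setdefault(a["severity"], []).append(minutes_between(a["created"], a["acked"]))
    return {sev: mean(vals) for sev, vals in buckets.items()}


def sla_breaches(alerts) -> list:
    """Return (alert id, phase, minutes) for every ack or resolve SLA that was missed."""
    breaches = []
    for a in alerts:
        ack = minutes_between(a["created"], a["acked"])
        res = minutes_between(a["created"], a["closed"])
        if ack > SLA_ACK[a["severity"]]:
            breaches.append((a["id"], "ack", ack))
        if res > SLA_RESOLVE[a["severity"]]:
            breaches.append((a["id"], "resolve", res))
    return breaches


if __name__ == "__main__":
    print(f"MTTA: {mtta(ALERTS):.1f} min, MTTR: {mttr(ALERTS):.1f} min")
    print("MTTA by severity:", mtta_by_severity(ALERTS))
    for alert_id, phase, mins in sla_breaches(ALERTS):
        print(f"SLA breach: {alert_id} {phase} took {mins:.0f} min")
```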

End note

The exam was a good, positive experience showcasing real-world scenarios that could happen to various organisations out there.