Welcome! This self-paced, hands-on roadmap will help you transition from beginner to job-ready in cybersecurity incident response and threat hunting. It is designed to build both your theoretical foundations and practical skills with a strong emphasis on labs, detection engineering, and real-world cases.

• Cyber kill chain, MITRE ATT&CK, Pyramid of Pain
• Incident response lifecycle:
  Preparation → Detection → Containment → Eradication → Recovery → Lessons Learned
• Threat intelligence basics: TTPs, IOCs, IOAs

• Log analysis fundamentals (Windows Event Logs, Sysmon, Linux logs)
• Network traffic basics (TCP/IP, DNS, HTTP/S)

• Build a lab (VMs: Windows, Linux, SIEM like Splunk/ELK/Graylog, Sysmon)
• Install and practice with Sysinternals tools

• Book: The Practice of Network Security Monitoring (Richard Bejtlich)
• MITRE ATT&CK
• TryHackMe: Intro to Cyber Defense path

• What is SIEM, SOAR, and EDR
• Rule creation & tuning
• Detection methodologies (signature-based vs behavioral)

• Splunk/ELK queries (search, alerts, dashboards)
• EDR tools (CrowdStrike Falcon, Microsoft Defender for Endpoint, Velociraptor)
• Correlation & threat hunting queries

• Use Splunk free edition or ELK to analyze logs
• Write correlation rules for brute force, lateral movement, persistence

• Splunk Boss of the SOC (BOTS) CTF labs
• Blue Team Labs Online / CyberDefenders challenges
• TryHackMe: SOC Level 1 path

• Hypothesis-driven threat hunting
• Hunting with MITRE ATT&CK mapping
• Use cases: phishing, ransomware, privilege escalation

• Building hunting playbooks
• Memory analysis (Volatility, Redline)
• PCAP analysis (Wireshark, Zeek)

• Capture live attack traffic in your lab
• Hunt for persistence mechanisms in Windows registry
• Use Volatility to extract IOCs from memory dumps

• Threat Hunting Project
• Book: Practical Threat Hunting (S. Lee)

• Digital forensics basics
• Containment strategies (network isolation, account disablement)
• Eradication & recovery (reimaging, patching)
• Reporting & documentation

• Live response data collection
• Incident report writing
• Case management

• IR simulation (respond to simulated ransomware)
• Analyze phishing email headers and attachments
• Practice chain-of-custody documentation

• SANS IR case studies (FREE PDFs)
• TryHackMe: Blue Primer & Phishing Analysis rooms

• Threat intel feeds & enrichment (MISP, OpenCTI, AlienVault OTX)
• Advanced hunting with YARA, Sigma rules
• Automation with Python & PowerShell

• Write YARA rules to detect malware
• Build Sigma rules for SIEM
• Automate log parsing with Python

• Create your own Sigma-to-Splunk pipeline
• Enrich IOCs with VirusTotal & OTX APIs
• Script IOC extraction from logs

• Sigma HQ GitHub
• Florian Roth’s YARA rule sets
• Book: Blue Team Handbook: SOC, SIEM, and Threat Hunting

• Purple teaming basics (how attackers think vs defenders react)
• Real-world APT case studies
• Measuring SOC/IR effectiveness (MTTD, MTTR)

• Participate in CTFs (Blue Team, SOC challenges)
• Conduct end-to-end IR exercise in lab
• Build portfolio (document hunts, incident reports, detection rules)

• Run Red Team tools (Caldera, Atomic Red Team) against your lab
• Simulate incident → detect → respond → report

• Beginner: CompTIA Security+ or Blue Team Level 1 (BTL1)
• Intermediate: GIAC GCFA (Forensics), GCIA (Intrusion Analysis), or GCTI (Threat Hunter)
• Budget-friendly: TryHackMe SOC Level 2, CyberDefenders labs

• 40% → Theory & Reading
• 40% → Labs & Hands-on
• 20% → Notes, reporting, and writing playbooks

• Work as SOC Analyst (Tier 2/3), Incident Responder, or Threat Hunter
• Build hunting playbooks, write detection rules, and handle incidents end-to-end
• Show hands-on experience via labs, GitHub portfolio, and case writeups

Stay curious, document everything you learn, and build your portfolio!