Career Path · Updated April 2026

SOC Analyst Roadmap: 4 certs, 12–18 months, ordered the way hiring managers screen

Last reviewed Apr 27, 2026 · ~12 min read · No bootcamp affiliate revenue
4 certifications · 12–18 months realistic timeline · ~340 hours total study · $62–78k L1 base salary (US)
TL;DR — the 30-second version

The path is Network+ → Security+ → CySA+ → Splunk Core, in that order. Network+ gives you the substrate every other security topic depends on. Security+ is the floor most ATS systems screen for. CySA+ is what actually maps to the SOC L1 job description. Splunk Core proves you can use the tooling on day one.

Skip Network+ only if you already know subnetting, NAT, and routing cold. Don't skip CySA+ — it's the cert that converts "I have Security+" into "I can do this job." Plan for ~340 hours of study and a homelab on the side; the homelab is where most candidates lose offers, not the certs.

Who this path is for

This roadmap is built for someone targeting an L1 / Tier-1 SOC Analyst role at an MSSP, MSP, or in-house enterprise SOC. The job involves triaging alerts in a SIEM (typically Splunk, Sentinel, or Elastic), escalating real incidents, writing runbooks, and slowly building toward L2 detection-engineering or threat-hunting work.

It is not the right path if your target is:

The 4-step path, in order

Each step lists the cert, why it sits there in the sequence, what skills you'll actually walk away with, and roughly how long it takes for someone studying ~10 hours per week.

Step 1 · CompTIA Network+ N10-008

4–6 weeks · ~70 hours · Foundation

Why here: every security topic that comes later assumes you understand TCP/IP, subnetting, VLANs, NAT, routing, and how DNS actually works. Skipping this means you'll memorize Security+ instead of understanding it.

Network+ is the only cert in this path that's purely foundational — you won't put it on a SOC analyst resume on its own, but every cert that follows leans on it. If you already have hands-on networking experience (homelab, helpdesk, NetAcad), skim a practice set to confirm you're solid and skip ahead.

Skills: TCP/IP · Subnetting · VLANs · NAT/PAT · Routing basics · DNS/DHCP · Wireless
Resources: Network+ practice pack · 5-Q quiz

Checkpoint · before moving on: You should be able to subnet a /24 into four /26s on paper without a calculator, explain what a default gateway does, and read a Wireshark capture of a TCP handshake. If any of those are fuzzy, do another week of Network+ before starting Security+.
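To make that checkpoint concrete, here is the subnet arithmetic done by hand with integer masks rather than a calculator, cross-checked against Python's standard library. This is an added example, not material from the roadmap or from CertQuests; the addresses (192.0.2.0/24 and friends) are documentation ranges chosen for illustration, and the usable-host rule is the classic one (network and broadcast reserved), so the helper refuses prefixes longer than /30.

```python
"""Subnet arithmetic done by hand (integer masks), cross-checked against the
standard library. Added example, not from the roadmap page."""
import ipaddress


def ip_to_int(ip):
    """'192.0.2.65' -> 3221226049: treat the four octets as one 32-bit number."""
    return int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")


def int_to_ip(n):
    """Inverse of ip_to_int."""
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def prefix_mask(prefix):
    """/26 -> 0xFFFFFFC0: the top `prefix` bits set, the rest clear."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def split_network(cidr, new_prefix):
    """Split cidr (e.g. '192.0.2.0/24') into equal child subnets of new_prefix.

    Returns one dict per child with network, broadcast and usable host range.
    Prefixes longer than /30 are rejected because the 'minus two' host rule
    does not apply to /31 and /32.
    """
    base, prefix = cidr.split("/")
    prefix = int(prefix)
    if not prefix <= new_prefix <= 30:
        raise ValueError("new prefix must be between the parent prefix and /30")
    network = ip_to_int(base) & prefix_mask(prefix)   # drop host bits of the base
    block = 1 << (32 - new_prefix)                     # addresses per child subnet
    parent_size = 1 << (32 - prefix)
    subnets = []
    for start in range(network, network + parent_size, block):
        bcast = start + block - 1
        subnets.append({
            "network": f"{int_to_ip(start)}/{new_prefix}",
            "broadcast": int_to_ip(bcast),
            "first_host": int_to_ip(start + 1),
            "last_host": int_to_ip(bcast - 1),
            "usable_hosts": block - 2,   # network and broadcast are reserved
        })
    return subnets


def same_subnet(ip_a, ip_b, prefix):
    """True when the two hosts share a subnet and can talk directly.

    False is exactly the case where a host hands the packet to its default
    gateway instead of ARPing for the destination.
    """
    mask = prefix_mask(prefix)
    return ip_to_int(ip_a) & mask == ip_to_int(ip_b) & mask


def cross_check(cidr, new_prefix):
    """Compare the hand arithmetic with ipaddress.ip_network().subnets()."""
    mine = [s["network"] for s in split_network(cidr, new_prefix)]
    ref = [str(n) for n in ipaddress.ip_network(cidr, strict=False)
                                   .subnets(new_prefix=new_prefix)]
    return mine == ref


if __name__ == "__main__":
    for s in split_network("192.0.2.0/24", 26):
        print(s)
    print("gateway needed:", not same_subnet("192.0.2.70", "192.0.2.130", 26))
    print("matches ipaddress:", cross_check("192.0.2.0/24", 26))
```

Work the /24 into four /26s on paper first, then run the script to check yourself: the network addresses should land on .0, .64, .128 and .192, and the mask for /26 is 255.255.255.192 (0xFFFFFFC0).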
Step 2 · CompTIA Security+ SY0-701

6–8 weeks · ~110 hours · ATS gate

Why here: Security+ is the cert most enterprise ATS systems and DoD 8570 contracts screen for. It's not the most useful cert in this path — CySA+ is — but it's the one without which your resume gets filtered before a human reads it.

Security+ covers the breadth of security: threats, cryptography, IAM, incident response, governance, network security. It's a mile wide and an inch deep. Treat it as table-setting for CySA+, not as the deep dive.

Skills: Threat actors · Crypto basics · IAM · Network security · IR fundamentals · Risk & compliance · PKI
Resources: Open Security+ course · Practice quiz

Checkpoint · build a homelab now, not later: The biggest mistake at this point is rushing to CySA+. Stop for one weekend and stand up a Splunk Free instance on a Linux VM, point it at your home router's syslog, and write one detection rule. You'll spend ~10 hours and save yourself 30 in step 4.
Step 3 · CompTIA CySA+ CS0-003

6–8 weeks · ~120 hours · Job-shaped

Why here: CySA+ is the single cert whose objectives map most directly to the L1 SOC analyst job description: SIEM workflows, threat hunting, vulnerability management, and incident response. This is the cert that turns Security+ into a job.

Where Security+ asks "what is a SIEM?", CySA+ asks "how would you triage this specific Windows event ID 4625 burst from a single source IP at 3am?" Most candidates feel like they actually understand security after CySA+, not after Security+.
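A worked version of that triage question, as an added example that is not part of the roadmap or of any CertQuests material: the script below normalises constructed Windows event 4625 records and Linux sshd "Failed password" lines (the same failed-SSH signal the homelab section asks you to detect) and reports any source IP that crosses a failure threshold inside a sliding time window. It goes beyond the single 4625 case in the text by handling both log families in one detector. The log layouts, timestamps, addresses, the assumed syslog year and the thresholds are all constructed for the example; real SIEM fields will differ.

```python
"""Burst-of-failed-logons detector over constructed sample log lines.

Added example (not from the roadmap page). Flags any source IP that produces
`threshold` or more failed logons inside a sliding `window_seconds` window.
Handles two constructed record shapes: a flattened Windows Security 4625
export and Linux sshd lines in /var/log/auth.log style.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed record shapes. Real exports carry many more fields.
WIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) EventID=4625 .*?SourceIP=(?P<ip>[\d.]+)"
)
SSH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>[\d.]+)"
)
SYSLOG_YEAR = 2026  # classic syslog lines carry no year; assumed here

# Constructed sample telemetry: one noisy source, one low-volume source,
# one slow-and-low source, plus a few lines that are not failures at all.
SAMPLE_LOGS = [
    "2026-04-27T03:01:05 EventID=4625 TargetUser=svc_backup SourceIP=203.0.113.7 LogonType=3",
    "2026-04-27T03:01:09 EventID=4625 TargetUser=administrator SourceIP=203.0.113.7 LogonType=3",
    "2026-04-27T03:01:12 EventID=4625 TargetUser=jsmith SourceIP=203.0.113.7 LogonType=3",
    "2026-04-27T03:01:15 EventID=4625 TargetUser=admin SourceIP=203.0.113.7 LogonType=3",
    "2026-04-27T03:01:20 EventID=4625 TargetUser=backup SourceIP=203.0.113.7 LogonType=3",
    "2026-04-27T03:01:24 EventID=4625 TargetUser=guest SourceIP=203.0.113.7 LogonType=3",
    "2026-04-27T03:04:00 EventID=4624 TargetUser=jsmith SourceIP=10.0.0.12 LogonType=2",
    "2026-04-27T08:15:00 EventID=4625 TargetUser=jsmith SourceIP=10.0.0.12 LogonType=2",
    "Apr 27 03:02:11 web01 sshd[2231]: Failed password for invalid user admin from 198.51.100.9 port 51122 ssh2",
    "Apr 27 03:02:40 web01 sshd[2231]: Failed password for invalid user admin from 198.51.100.9 port 51130 ssh2",
    "Apr 27 03:03:05 web01 sshd[2240]: Failed password for root from 198.51.100.9 port 51140 ssh2",
    "Apr 27 03:05:00 web01 sshd[2250]: Accepted publickey for deploy from 10.0.0.20 port 40000 ssh2",
    "Apr 27 03:10:00 web01 sshd[2260]: Failed password for root from 192.0.2.5 port 40001 ssh2",
    "Apr 27 03:12:00 web01 sshd[2261]: Failed password for root from 192.0.2.5 port 40002 ssh2",
    "Apr 27 03:14:00 web01 sshd[2262]: Failed password for root from 192.0.2.5 port 40003 ssh2",
    "Apr 27 03:16:00 web01 sshd[2263]: Failed password for root from 192.0.2.5 port 40004 ssh2",
    "Apr 27 03:18:00 web01 sshd[2264]: Failed password for root from 192.0.2.5 port 40005 ssh2",
    "Apr 27 03:20:00 web01 sshd[2265]: Failed password for root from 192.0.2.5 port 40006 ssh2",
]


def parse_line(line):
    """Return (timestamp, source_ip) for a failed-logon line, else None."""
    m = WIN_RE.match(line)
    if m:
        return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), m["ip"]
    m = SSH_RE.match(line)
    if m:
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        return ts, m["ip"]
    return None  # successes, other event IDs, unrelated lines


def find_bursts(lines, window_seconds=60, threshold=5):
    """Return {source_ip: peak failures seen inside one window} for every
    source that reached `threshold` failures within `window_seconds`."""
    events = sorted(e for e in map(parse_line, lines) if e)
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    peak = {}
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()            # expire failures older than the window
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


if __name__ == "__main__":
    for ip, n in find_bursts(SAMPLE_LOGS).items():
        print(f"ALERT {ip}: {n} failed logons inside 60s")
```

With the defaults only 203.0.113.7 fires. Widening the window to 15 minutes and lowering the threshold to 3 also surfaces 198.51.100.9 and the slow-and-low 192.0.2.5, which is the tuning trade-off every alert rule carries: a tight window catches obvious sprays, a wide one catches patient ones at the cost of more analyst time per alert.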

Skills: SIEM workflows · Threat hunting · IOC analysis · Vuln management · IR playbooks · SOAR basics · Log analysis
Resources: CySA+ practice pack · 5-Q quiz

Checkpoint · you can apply now: With Network+, Security+, CySA+ and a documented homelab, you're past the ATS filter at most MSSP / regional SOC roles. Some candidates apply here and finish Splunk on the job. The trade-off: applying now means lower offers; finishing the path first means stronger negotiation leverage.
Step 4 · Splunk Core Certified Power User

3–4 weeks · ~40 hours · Tooling

Why here: Splunk is the dominant enterprise SIEM. Most L1 job postings list it as required or preferred. The Power User cert proves you can write SPL queries, build dashboards, and navigate the platform — the day-one skills.

If your target employer uses Microsoft Sentinel (KQL), Elastic, or QRadar instead, substitute the equivalent vendor cert. Splunk is the safest default because it generalizes; if you know SPL, learning KQL takes a week, not a month.

Skills: SPL queries · Dashboards · Field extractions · Lookups · Alerting · Reports
Resources: Splunk practice pack · 5-Q quiz

What you'll be able to do at the end

Concretely, after completing this path plus ~60 hours of homelab work, you should be able to:

What this path is worth

Snapshot of the SOC Analyst L1 market in 2026 (US). Verify against current postings in your metro before negotiating.

Median base (L1): $62k–$78k. MSSPs at the lower end, in-house enterprise SOCs at the upper end. Major metros add 15–25%.

L2 after 2–3 yrs: $85k–$110k. Detection engineering and threat hunting roles. Adds GIAC GCIH or GCIA on top of the L1 stack.

Open postings (US): ~31,000. Cyberseek snapshot. Healthy demand even in soft labor markets — SOCs run 24/7 and turn over.

Top hiring sectors: MSSP · FinServ · Health. MSSPs hire L1 in volume. Financial services and healthcare pay better but hire more selectively.

Common mistakes that cost candidates offers

Start step 1 right now — no signup

Every cert in this path has a free practice pack on CertQuests with engineer-written explanations on every question. Start with a 5-question quiz to baseline where you are.

Frequently asked questions

How long does it take to become a SOC analyst from zero?

Realistic range: 12–18 months of consistent part-time study (8–12 hours/week) covering the four certs in this path. Faster (6–9 months) is possible with a full-time bootcamp or prior IT experience. Slower than 18 months usually means burnout — split the path into 2 phases instead of pushing through all four.

Can I skip Network+ and go straight to Security+?

You can — Security+ doesn't require Network+ as a prerequisite — but you'll struggle with about a third of Security+ topics that assume you understand subnetting, VLANs, NAT, and routing fundamentals. If you already know networking from a job or homelab, skip Network+. If you don't, the 4–6 weeks Network+ takes will save you 2x the time later when you hit Security+ network security domains.

Is CySA+ worth it after Security+?

For a SOC analyst role specifically, yes — CySA+ is the single cert that maps closest to the L1 SOC analyst job description. It covers SIEM workflows, threat hunting, incident response, and vulnerability management, which Security+ touches but doesn't drill into. If your goal is GRC, pen testing, or cloud security, CySA+ is less essential.

Why Splunk Core specifically?

Because most SOC L1 job postings list "Splunk" as a required or preferred skill — it's the dominant SIEM in enterprise environments. The Core Certified Power User cert is entry-level (one exam, ~3–4 weeks of study) and shows you can write SPL queries and navigate dashboards. If your target employer uses a different SIEM (Microsoft Sentinel, Elastic, QRadar) you can substitute the equivalent cert, but Splunk is the safest default.

Do I need a degree on top of these certs?

No, but it helps for some employers (especially Fortune 500, defense contractors, government). The four-cert path is enough to get past most ATS screens and pass HR filters at MSPs, regional MSSPs, and mid-size enterprise SOCs. A degree shifts the conversation from "do you have the basics" to "are you a culture fit" — useful, not required.

What does a SOC Analyst L1 actually earn?

US median for SOC Analyst L1 in 2026 is roughly $62,000–$78,000 base, with MSSPs at the lower end and in-house enterprise SOCs at the higher end. Major metros (NYC, Bay Area, DC) push 15–25% higher; remote-first roles are slightly below in-office equivalents. After 2–3 years, L2 roles typically pay $85,000–$110,000. Source: BLS + 2025 Cyberseek snapshots — verify against current postings before negotiating.

What if I already have Security+? Where do I start?

Mark Network+ and Security+ complete and start at step 3 (CySA+). The path is sequenced for a reason but it's not gated — you can pick up where your knowledge already is. We recommend skimming a Security+ practice set first to confirm you remember enough to build on it; if you're rusty, a week of Security+ refresh before CySA+ will save you weeks of confusion later.

Are there hands-on requirements beyond the certs?

Yes — and this is where most candidates lose offers. Hiring managers expect you to have used a SIEM, even if only in a homelab. Build one: install Splunk Free, ingest logs from your home router and a Linux VM, write detection rules for failed SSH and PowerShell encoded commands, and document it on GitHub. TryHackMe's SOC Analyst path and LetsDefend.io are the two most common ways candidates fill this gap. Budget 40–80 hours on top of the cert study.
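The second homelab rule above, encoded PowerShell commands, is a good one to write yourself because the detection is mostly decoding: -EncodedCommand takes base64 over UTF-16LE text, so a rule that only alerts on the flag leaves the analyst guessing what ran. The script below is an added example, not from the roadmap or from CertQuests. It scans constructed, Sysmon-like process-creation lines, picks out PowerShell launches that carry the flag in any of its common abbreviations, and decodes the payload so the triage note can quote the actual script. The log layout, hostnames and the benign sample script are constructed for the example; the abbreviation regex is a heuristic, not an exhaustive list of what powershell.exe accepts.

```python
"""Find PowerShell -EncodedCommand launches in process-creation logs and
decode the payload. Added example, not from the roadmap page; the log
format is a constructed, Sysmon-like flattening."""
import base64
import re

# Heuristic: powershell.exe accepts abbreviations of -EncodedCommand such
# as -e, -ec, -en, -enc. The lookbehind requires whitespace or line start
# before the dash so fragments inside other words are not matched.
ENC_FLAG_RE = re.compile(r"(?i)(?<!\S)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)")
POWERSHELL_RE = re.compile(r'(?i)(?:^|[\\/\s"])(?:powershell|pwsh)(?:\.exe)?\b')

# Constructed sample: a benign script is encoded exactly the way the flag
# expects (UTF-16LE, then base64) so the round trip can be checked.
BENIGN_SCRIPT = "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"
ENCODED = base64.b64encode(BENIGN_SCRIPT.encode("utf-16le")).decode("ascii")

SAMPLE_LINES = [
    "2026-04-27T03:14:02 host=ws17 user=jsmith "
    "image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    f'cmdline="powershell.exe -NoProfile -ExecutionPolicy Bypass -enc {ENCODED}"',
    "2026-04-27T03:15:10 host=ws17 user=jsmith "
    'image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe report.txt"',
    "2026-04-27T03:16:44 host=srv02 user=svc_backup "
    "image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    'cmdline="powershell.exe -File C:\\scripts\\backup.ps1"',
    "2026-04-27T03:17:01 host=ws18 user=bnguyen "
    "image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    'cmdline="powershell.exe -ec notbase64!!"',
]


def decode_encoded_command(token):
    """Decode an -EncodedCommand argument (base64 of UTF-16LE) to text.

    Returns None when the token is not valid base64 or not valid UTF-16LE;
    a flag with a garbage argument is still worth surfacing, just unreadable.
    """
    try:
        return base64.b64decode(token, validate=True).decode("utf-16le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
        return None


def find_encoded_powershell(lines):
    """Return [(line_index, decoded_text_or_None, raw_token)] for every line
    that launches PowerShell with an encoded command."""
    hits = []
    for i, line in enumerate(lines):
        if not POWERSHELL_RE.search(line):
            continue                      # not a PowerShell launch at all
        m = ENC_FLAG_RE.search(line)
        if not m:
            continue                      # PowerShell, but no encoded flag
        token = m.group(1)
        hits.append((i, decode_encoded_command(token), token))
    return hits


if __name__ == "__main__":
    for idx, decoded, token in find_encoded_powershell(SAMPLE_LINES):
        shown = decoded if decoded is not None else f"<undecodable: {token[:16]}...>"
        print(f"line {idx}: {shown}")
```

Two design points worth carrying into a real rule: the decoder is separated from the matcher so that a malformed argument (the last sample line) still produces a hit rather than a crash, and the flag is only checked on lines that actually launch PowerShell, which keeps the alert off unrelated tools that happen to use an -e switch.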

How we wrote this roadmap

No bootcamp affiliate revenue. We don't take money from CompTIA, Splunk, TryHackMe, LetsDefend, or any cert vendor mentioned. The sequence is based on what L1 job descriptions actually list as required vs. preferred, plus interviews with SOC managers across MSSPs and in-house enterprise SOCs in 2025–2026.

What we'll change without being asked: if CompTIA replaces SY0-701 or releases a new CySA+ revision, we'll re-sequence. If Microsoft's SC-200 displaces Splunk Core in postings (it's gaining ground), we'll add it as the recommended substitute. Tell us what you'd change. Last reviewed: April 27, 2026.