I recently passed the Offensive Security Defensive Analyst (OSDA) exam, which is OffSec’s first and only defensive security course aimed at analysts and threat hunters working in Security Operations Centers (SOC).
At the time of writing this article, the SOC-200: Fundamentals of Security Operations and Defensive Analysis course consists of 19 modules (including lab sections), with a focus on Windows systems. Six modules specifically cover how to identify attacks targeting Windows systems, while two modules discuss Active Directory. Only two modules address how to identify attacks targeting Linux systems, and there are no modules covering macOS. Additionally, the course includes modules on network detection, antivirus alerts, and evasion (also targeting Windows systems), as well as network evasion and tunneling techniques.
The structure of all modules is similar; each module introduces the topic, then details five to fifteen attack methods grouped by category, and finally demonstrates how to identify these attacks in logs. For example, the “Windows Server-Side Attacks” module is divided into three categories: credential abuse, web application attacks, and binary exploitation, with multiple attack methods under each category. The “Web Application Attacks” section provides an overview of IIS and then details local file inclusion, command injection, and file upload attacks. As with other OffSec courses, the explanations of these attacks are excellent. The level of detail in the course was sufficient to help me understand and identify the attacks in the exam.
My entire study period took about three months, during which I completed the training and all challenge labs alongside my full-time job. These labs were fantastic and made me feel that the course was worth the investment. The labs covered most of the attacks in the course, and I found that the strategies and techniques used closely matched what I encountered in my actual work in the Security Operations Center (SOC). When you start a phase, it triggers a scripted attack that can be completed in as little as 10 minutes. Therefore, I recommend noting the time you trigger the phase, waiting 10 minutes, and then limiting your search time to that 10-minute window. I also suggest trying to complete all phases of each lab in one go, as I found that repeating phases without waiting for the specified time can lead to confusion and errors in the attacker’s sequence of actions.
When doing the labs, treat each lab as a mock exam because these labs are your only practice opportunity. This exam is not like the OSCP, where there are 50 machines in the lab and over 100 in the exam room; there are no other similar labs to practice on. Take detailed notes and screenshots, and organize each set of notes into a mock report.
The OSDA exam is a proctored exam lasting 23 hours and 45 minutes, simulating a corporate environment, including an integrated Security Information and Event Management (SIEM) system. The exam is divided into 10 phases, each containing several attacker behaviors that candidates must detect, understand, and document. As with other OffSec exams, candidates also have 24 hours to complete and submit their reports.
I scheduled my exam for noon, and based on my experience in the labs, I estimated that each phase would take about an hour to complete. This estimate was correct; I took a 30-minute break after finishing the fifth phase and ended the exam around 10:30 PM. During the various phases, I took detailed notes and screenshots of all my actions. I had a good night’s sleep and woke up around 7 AM to start writing the report, which took about 3 hours, and I submitted the final report by 10 AM. Everything went smoothly during the exam, with no unexpected issues. Feel free to check out the OSDA video course for more details!
The SOC-200 course and OSDA exam are very practical for junior analysts aspiring to become SOC analysts, especially for those using the ELK technology stack as their SIEM system.
The course provides thorough explanations of all attacks, detailed enough that someone with no prior penetration-testing experience and no other 200-level OffSec course behind them can still pass the exam. The course does presuppose a considerable amount of foundational knowledge, but completing all the free 100-level courses on the Learn One platform provides the background needed to follow the material.
My only criticism of this course is that ELK is introduced only in the 17th module; before that, students have to retrieve information from logs manually with PowerShell, an approach that is rarely used in real corporate environments. ELK should be used from the beginning so that students have time to learn the syntax of the Kibana query language. Nevertheless, I still really enjoyed this course, especially the challenge lab section, and I recommend it to everyone.
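To make the manual-retrieval step concrete, here is an added example (my own, not code from the SOC-200 course) that applies the 10-minute-window tip from the lab section: it pulls Security-log events from the window that starts when a phase was triggered and summarises failed logons (event ID 4625) by target account and source address, which is the kind of credential-abuse signal the Windows modules teach you to look for. The host name, start time and window length are assumed parameters; the Kibana query in the trailing comment assumes Winlogbeat-style field names.

```powershell
# Added example, not from the course: query failed logons in a fixed window.
# $Start, $Minutes and $Computer are assumed values for illustration.
param(
    [datetime]$Start    = (Get-Date).AddMinutes(-10),  # time the phase was triggered
    [int]$Minutes       = 10,                          # length of the scripted attack window
    [string]$Computer   = 'localhost'                  # hypothetical lab host
)

# FilterHashtable filtering happens on the server side, so it is far faster
# than piping every event through Where-Object.
$filter = @{
    LogName   = 'Security'
    Id        = 4625                        # an account failed to log on
    StartTime = $Start
    EndTime   = $Start.AddMinutes($Minutes)
}

Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the named EventData fields from the event XML; positional
        # Properties indexes differ between Windows versions and are fragile.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            TargetUser = $data['TargetUserName']
            LogonType  = $data['LogonType']     # 3 = network, 10 = RDP, etc.
            SourceIp   = $data['IpAddress']
            Process    = $data['ProcessName']
        }
    } |
    Group-Object TargetUser, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Equivalent search once the same logs are shipped into ELK (KQL in Kibana,
# with the time picker set to the same 10-minute window):
#   event.code: 4625 and winlog.channel: "Security"
# then visualise by winlog.event_data.TargetUserName and
# winlog.event_data.IpAddress to get the same per-account/per-source counts.
```

A burst of 4625 events for many target users from one source address within the window is the classic password-spraying pattern; a burst against one user from one source looks like brute force.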
I hope OffSec continues to invest in and develop its SOC track, and that OSDA can become the de facto standard for blue team certification, just as OSCP is for penetration testing. I also hope they will offer a SOC-300 course; if they do, I will definitely take it.
