The beginner-friendly skills you need for junior Cyber Security / SOC Analyst roles in the UK: networking fundamentals, alert triage, SIEM (e.g. Sentinel/Splunk), EDR, Windows security, incident response basics, and light scripting. Learn the checklist, ship mini-projects, and prep for interviews.
New to the role? Compare duties in the Cyber Security Analyst job description or explore the Cyber Security pathway.
What counts as Cyber Security skills?
Entry-level analysts spot suspicious activity, triage alerts, gather evidence, and escalate with clear notes. Employers value a networking baseline, familiarity with Windows event logs, comfort in a SIEM, and calm communication under pressure.
- Triage consistently: verify detection, check scope/asset, gather indicators (hash/IP/domain), decide next action.
- Document: who/what/when/where/how; timeline + artifacts; clear handover for escalation.
- Hygiene first: patching, MFA, least privilege, secure configuration over “tools for tools’ sake”.
- Collaborate: work with IT to contain, eradicate, and recover safely.
You don’t need to be a hacker to start — be methodical, curious, and reliable.
Quick wins for beginners
- Practise reading Windows logs (4624, 4625, 4688, Sysmon Event ID 1/3/7).
- Run basic packet captures with Wireshark; filter by host/port.
- Learn common phishing tells; write short user-facing guidance.
- Use nslookup/whois/ipconfig/netstat confidently.
- Write a tiny PowerShell/Python script to parse a log CSV.
Cyber Security Skills Checklist
Use this learning roadmap. Build breadth first, then go deeper in the tooling used by your target employers.
Networking Fundamentals
- OSI & TCP/IP basics, subnets, CIDR
- Common ports/protocols (HTTP, DNS, RDP, SMB)
- PCAP analysis with Wireshark (filters)
- Basic scanning with Nmap (safe options)
- Firewall rules & NAT basics
Endpoints & EDR
- Windows Event Viewer & Sysmon (key IDs)
- AV/EDR basics (quarantine, exclusions)
- Process trees & command-line flags
- Host isolation & evidence capture
- Baseline vs suspicious behaviours
SIEM & Detections
- Search queries & filters (KQL/SPL basics)
- Use cases: failed logons, lateral movement
- Dashboards & watchlists
- Tuning noisy rules (reduce false positives)
- Alert lifecycle & case management
Incident Response Basics
- Identify → Contain → Eradicate → Recover
- Severity & impact assessment
- Chain of custody & evidence notes
- Post-incident review (PIR)
- Communication & escalation paths
Security Foundations
- Identity & access (MFA, least privilege)
- Hardening baselines (CIS, secure config)
- Patch & vulnerability management
- Email security & phishing handling
- Risk awareness & basic compliance
Scripting & Automation
- PowerShell/Python fundamentals
- Parse logs, search IOCs, export CSVs
- Batch common checks safely
- Use APIs (EDR/SIEM) for enrichment
- Document & version your scripts
Common Tools & Example Alerts
Focus on patterns: validate, scope, enrich, decide, document. Keep timelines and artifacts tidy.
| Area | Typical Tools | Example Alert | What a good analyst note includes |
|---|---|---|---|
| SIEM | Microsoft Sentinel, Splunk | Multiple failed logons (Brute-force) | Time window, source IP/geo, target account, success after failures?, related events, action taken |
| EDR | Defender for Endpoint, CrowdStrike | Suspicious PowerShell execution | Cmdline, parent/child proc, user, hash reputation, prevalence, isolation decision, remediation |
| Email | M365 Defender, Proofpoint | Phishing with credential lure | Headers, URLs/domains, sandbox result, impacted users, purge/quarantine, awareness follow-up |
| Network | Firewall, IDS/IPS, Wireshark | Outbound to new high-risk IP | Asset owner, process responsible, PCAP snippet, blocklist lookups, ticket to IT for containment |
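The "tiny script to parse a log CSV" quick win and the brute-force row of the table above fit together naturally: a few lines of Python can read a SIEM CSV export of Event IDs 4625/4624, group failures by source IP and target account, and answer the key note question, "success after failures?". The script below is an added example, not code from the original article; the CSV column names, the sample rows (reserved documentation addresses, labelled as constructed) and the threshold/window values are assumptions you would tune to your own export and environment.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real data): 4625 = failed logon, 4624 = successful
# logon, as a SIEM might export them to CSV. Column names are an assumption.
SAMPLE_CSV = """TimeGenerated,EventID,TargetUserName,IpAddress,LogonType
2024-05-01T09:00:01Z,4625,j.smith,203.0.113.45,3
2024-05-01T09:00:04Z,4625,j.smith,203.0.113.45,3
2024-05-01T09:00:07Z,4625,j.smith,203.0.113.45,3
2024-05-01T09:00:10Z,4625,j.smith,203.0.113.45,3
2024-05-01T09:00:13Z,4625,j.smith,203.0.113.45,3
2024-05-01T09:00:20Z,4624,j.smith,203.0.113.45,3
2024-05-01T09:05:00Z,4625,a.jones,10.0.0.8,2
2024-05-01T09:06:00Z,4624,a.jones,10.0.0.8,2
"""

FAILED_THRESHOLD = 5            # assumed tuning value: flag 5+ failures ...
WINDOW = timedelta(minutes=10)  # ... that occur inside a 10-minute window


def parse_events(text):
    """Parse the CSV export into dicts with typed fields, sorted by time."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.strptime(row["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(row["EventID"]),
            "user": row["TargetUserName"],
            "ip": row["IpAddress"],
            "logon_type": int(row["LogonType"]),
        })
    events.sort(key=lambda e: e["time"])
    return events


def find_bruteforce(events, threshold=FAILED_THRESHOLD, window=WINDOW):
    """Group by (source IP, target account); flag a run of `threshold` failures
    inside `window`, and record whether a 4624 success followed that run."""
    by_key = defaultdict(list)
    for e in events:  # events are already time-sorted, so each group stays sorted
        by_key[(e["ip"], e["user"])].append(e)

    findings = []
    for (ip, user), evs in by_key.items():
        failures = [e for e in evs if e["event_id"] == 4625]
        for i in range(len(failures) - threshold + 1):
            first, last = failures[i]["time"], failures[i + threshold - 1]["time"]
            if last - first > window:
                continue
            # "Success after failures?" is the key triage question from the table.
            success = next((e for e in evs
                            if e["event_id"] == 4624 and e["time"] > last), None)
            findings.append({
                "source_ip": ip,
                "target_account": user,
                "failed_count": len(failures),
                "window_start": first.isoformat(),
                "window_end": last.isoformat(),
                "logon_types": sorted({e["logon_type"] for e in failures}),
                "success_after_failures": success is not None,
                "success_time": success["time"].isoformat() if success else None,
            })
            break  # one finding per (ip, account) pair is enough for one ticket
    return findings


def analyst_note(finding, action_taken="(analyst to decide: reset/block/monitor)"):
    """Render the fields the table's 'good analyst note' column asks for."""
    return "\n".join([
        f"Time window: {finding['window_start']} to {finding['window_end']}",
        f"Source IP: {finding['source_ip']} (geo/reputation lookup to add)",
        f"Target account: {finding['target_account']}",
        f"Failed logons: {finding['failed_count']} (logon types {finding['logon_types']})",
        f"Success after failures: {finding['success_after_failures']} "
        f"at {finding['success_time']}",
        f"Action taken: {action_taken}",
    ])


if __name__ == "__main__":
    for f in find_bruteforce(parse_events(SAMPLE_CSV)):
        print(analyst_note(f), end="\n\n")
```

On the constructed sample, j.smith is flagged (five failures in twelve seconds, then a success from the same IP), while a.jones's single failure followed by a success is left alone, which is the kind of distinction that keeps a noisy rule from paging you for every mistyped password.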
Mini-Projects to Prove Your Skills
Finish these, take screenshots, and write short summaries. Link them on your CV/portfolio.
Windows Log Triage Playbook
- List key Event IDs + why they matter
- Example queries & enrichment steps
- Template for investigation notes
Deliverable: 2-page PDF + sample ticket text.
PCAP Challenge Write-Up
- Capture benign traffic; filter by host/port
- Identify DNS/HTTP flows & anomalies
- Document methodology & findings
Deliverable: screenshots + 300-word analysis.
Phishing Response SOP
- Headers/URL analysis checklist
- User comms & containment steps
- Awareness tips to prevent recurrence
Deliverable: SOP doc + sample comms template.
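The headers/URL checklist in the Phishing Response SOP can be turned into a small triage helper that pulls the same facts an analyst would record by hand: From versus Reply-To and Return-Path domains, SPF/DKIM/DMARC results, links whose host sits outside the sender's domain, and the originating hop's IP. The script below is an added example, not part of the original article or any vendor tool; the sample message is constructed from reserved documentation domains and test-range IPs, and the urgency-word list is an assumption you would extend from your own phishing samples.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real phish): example.* and .invalid are reserved
# documentation names and 198.51.100.23 is from a documentation address range.
SAMPLE_EML = """\
Return-Path: <bounce@mail.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.net;
 dkim=none; dmarc=fail header.from=example.com
Received: from mail.example.net (mail.example.net [198.51.100.23])
 by mx.example.com with ESMTP; Wed, 1 May 2024 09:12:00 +0000
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: helpdesk@example.net
To: j.smith@example.com
Subject: Action required: password expires today
Content-Type: text/plain; charset="utf-8"

Your password expires today. Sign in at https://login.example-verify.invalid/reset
to keep access. Thanks, IT Helpdesk
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URGENCY_WORDS = ("action required", "expires today", "urgent", "verify your account")  # assumed


def domain_of(addr):
    """Lower-cased domain part of an address header value, or '' if none."""
    _, mailbox = parseaddr(addr or "")
    return mailbox.rpartition("@")[2].lower()


def triage_message(raw):
    """Collect the SOP checklist facts from one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(str(msg.get("From", "")))
    reply_domain = domain_of(str(msg.get("Reply-To", "")))
    return_path_domain = domain_of(str(msg.get("Return-Path", "")))

    # Authentication-Results as written by the receiving MX (assumed present).
    auth = dict(AUTH_RE.findall(str(msg.get("Authentication-Results", "")).lower()))
    auth_failures = sorted(k for k, v in auth.items() if v in ("fail", "softfail"))

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    urls = URL_RE.findall(text)
    hosts = [urlparse(u).hostname for u in urls]
    external_hosts = sorted({h for h in hosts
                             if h and h != from_domain and not h.endswith("." + from_domain)})

    # The last Received header was added first, i.e. it is the originating hop.
    received = msg.get_all("Received") or []
    m = IP_RE.search(str(received[-1])) if received else None
    origin_ip = m.group(1) if m else None

    indicators = []
    if reply_domain and reply_domain != from_domain:
        indicators.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if return_path_domain and return_path_domain != from_domain \
            and not return_path_domain.endswith("." + from_domain):
        indicators.append(f"Return-Path domain {return_path_domain} differs from From domain")
    for check in auth_failures:
        indicators.append(f"{check.upper()} result: {auth[check]}")
    for h in external_hosts:
        indicators.append(f"Link to host outside sender domain: {h}")
    subject = str(msg.get("Subject", "")).lower()
    urgent = [w for w in URGENCY_WORDS if w in subject]
    if urgent:
        indicators.append("Urgency lure in subject: " + ", ".join(urgent))

    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "return_path_domain": return_path_domain,
        "auth_results": auth,
        "auth_failures": auth_failures,
        "urls": urls,
        "external_hosts": external_hosts,
        "origin_ip": origin_ip,
        "indicators": indicators,
    }


def ticket_text(result):
    """Evidence section for the SOP ticket; containment/user comms are filled in by the analyst."""
    lines = [f"Origin IP: {result['origin_ip']}", f"URLs: {', '.join(result['urls']) or 'none'}"]
    lines += [f"- {i}" for i in result["indicators"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(ticket_text(triage_message(SAMPLE_EML)))
```

The output lists the evidence in the order the SOP checklist asks for it, so the same facts go straight into the ticket and the user-facing comms; decisions such as purge/quarantine stay with the analyst.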
CV Bullet Examples (edit to your projects)
- Triaged 30+ SIEM alerts/month; reduced false positives by tuning rules and adding watchlists.
- Investigated suspicious PowerShell executions; isolated host and removed persistence using EDR.
- Created phishing response SOP; cut time-to-contain by 40% and improved user reporting quality.
- Analysed PCAPs to confirm C2 callbacks; provided indicators for firewall blocks and EDR hunts.
Interview Questions (with strong angles)
- “Walk me through alert triage.” — verify, scope, enrich, decide, document, improve.
- “Which Windows events do you check first?” — 4624/4625 logons, 4688 process create, Sysmon 1/3/7.
- “How do you handle phishing?” — preserve evidence, analyse headers/URLs, purge/quarantine, educate users.
- “What’s the difference between SIEM and EDR?” — log aggregation/detections vs endpoint telemetry & response.
Simple 2-Week Learning Plan
Light but focused. Align with the stack you see in UK job ads (Sentinel/Splunk, Defender/CrowdStrike).
Week 1: Foundations
- Day 1–2: Networking refresher + Wireshark filters
- Day 3: Windows logs/Sysmon key events
- Day 4: SIEM basics (queries, dashboards)
- Day 5: Phishing analysis & response flow
Week 2: Practice & Portfolio
- Day 6–7: PCAP challenge write-up (Project 1)
- Day 8: Triage playbook for 3 common alerts (Project 2)
- Day 9: Phishing SOP + user comms (Project 3)
- Day 10: Publish summaries; apply to 5 roles
Optional Certifications (nice-to-have)
Not required for first roles, but helpful for structure and signalling.
- CompTIA Security+ (general baseline)
- Microsoft Certified: Security, Compliance, and Identity Fundamentals (SC-900) / Security Operations Analyst (SC-200)
- (ISC)² SSCP (for hands-on security ops)
- AZ-900 or AWS Cloud Practitioner (cloud fundamentals)
Ready to turn skills into interviews?
Tailor your CV to these skills and apply to beginner-friendly cyber roles across the UK.