Landing your first cybersecurity job is difficult when every listing demands experience you do not yet have. The fastest way to fix that is by completing practical SOC Analyst projects that mirror real work inside modern security operations teams.
These projects teach you how to analyze alerts, investigate suspicious activity, understand logs, detect attacks, document findings, and connect technical signals to actual threats. They work because they show employers proof of capability, not just theory or certifications.
Below are 10 high value SOC Analyst projects to gain skills and add to your resume. They are practical, beginner friendly, and aligned with the exact responsibilities of Tier 1 and Tier 2 analysts.
| Project | Key Skills Developed |
|---|---|
| 1. SIEM Log Monitoring and Threat Detection | Log analysis, detection engineering, SIEM queries, alert triage, correlation, Sysmon event review |
| 2. Simulated Phishing Attack and Incident Response | Incident response workflow, phishing analysis, Windows event analysis, malware tracing, reporting |
| 3. IDS Deployment and Packet Analysis | Network intrusion detection, packet capture review, signature tuning, protocol analysis, traffic analysis |
| 4. Cloud Security Monitoring with AWS or Azure Logs | Cloud logging, IAM event monitoring, misconfiguration detection, cloud threat analysis, alerting |
| 5. Endpoint Monitoring with Sysmon and Wazuh | Host based detection, process tree analysis, registry and file monitoring, Sigma and YARA style logic |
| 6. Threat Hunting in Real Datasets | SPL and KQL queries, anomaly detection, hypothesis testing, MITRE mapping, timeline building |
| 7. Security Automation Script | Python or PowerShell scripting, API enrichment, log parsing, automation workflows, JSON reporting |
| 8. Honeypot Deployment and Threat Intel Collection | Threat intelligence, attacker behavior analysis, OSINT enrichment, IOC extraction, log analysis |
| 9. Threat Intelligence IOC Research | IOC collection, enrichment, malware campaign analysis, threat profiling, adversary mapping |
| 10. Phishing Email and Malware Analysis | Email forensics, sandbox detonation, attachment analysis, IOC extraction, blocking recommendations |
Best Way to Use This Guide
You do not need to build these labs by guessing. Let AI guide you step by step just like a personal SOC mentor.
Copy any project description from this guide, paste it into your favorite AI chatbot, and ask for a full walkthrough:
environment setup, tools to install, commands to run, attack simulation, analysis steps, and how to document the results for your resume. Don’t forget to ask about potential costs and ways to reduce or mitigate them.
1. SIEM Log Monitoring and Threat Detection
SIEM experience is one of the most critical skills for any aspiring SOC analyst. In this project, you build a full Splunk or Elastic Stack environment and learn how real security teams detect attacks through log data.
You start by ingesting Windows event logs, Sysmon telemetry, and Linux authentication events. Once data is flowing, you simulate attacks like brute force attempts, suspicious PowerShell commands, and privilege misuse. The core of the project is writing detection rules, building dashboards, and learning how to triage alerts.
Quick setup steps:
- Provision a small lab: one Windows VM, one Linux VM, and one SIEM VM (Splunk or Elastic) in VirtualBox, Proxmox, or a cloud provider.
- Install Splunk Enterprise or Elastic Stack on the SIEM VM and enable receiving on a dedicated port (for example, 514 or 5514 for syslog).
- On Windows, enable security auditing, install Sysmon, and configure it using a popular community config (for example, SwiftOnSecurity or Olaf Hartong).
- On Linux, enable auth logs and system logs, then forward them using a shipper like Winlogbeat/Filebeat or native syslog to your SIEM.
- Generate test activity: failed logons, new user creation, privilege changes, and suspicious PowerShell commands.
- Build dashboards for logons, process creation, and admin actions, then write simple correlation rules for brute force and privilege escalation patterns.
- Practice triaging alerts: review raw events, identify root cause, and document findings in a simple investigation template.
Key learning outcomes:
- Understanding log sources and event types
- Querying data to find suspicious patterns
- Creating detections for brute force, PowerShell misuse, privilege escalation
- Learning how real SOC triage and correlation take place
This project is highly valuable because SIEM tools are used in nearly every security operations center.
2. Simulated Phishing Attack and Incident Response
Most real incidents begin with phishing. This project recreates that workflow so you can practice full incident response end to end.
You craft a realistic phishing email, send it to a controlled inbox, and trigger a malware download or command execution. Then you examine email headers, inspect attachments, trace the infection through Windows event logs, analyze process creation activity, and build a complete timeline. For realistic validation of event data, refer to Microsoft event documentation: Event 4688.
Quick setup steps:
- Create a lab mail environment: use a test mailbox in Microsoft 365 trial, a local mail server, or a disposable mail provider for practice.
- Write a phishing style email that imitates a password reset, invoice, or urgent notice, but send only to your own controlled inbox.
- Attach a benign macro document or script that simulates execution (for example, opening calc.exe or a harmless script) in a sandbox or VM.
- On the target Windows VM, enable detailed logging, including process creation and PowerShell transcription where possible.
- Open the email in the VM, interact with it, and capture all resulting events in your SIEM or local Event Viewer.
- Analyze headers in the mail client or with tools like Message Header Analyzer, extract URLs, domains, and IPs.
- Document the full incident timeline: initial email, user action, executed process, indicators, and recommended containment steps.
Key learning outcomes:
- Email header analysis
- Windows event ID review
- Documenting attack paths
- Containment and remediation
- Writing an incident report
This prepares you for Tier 1 queues, where phishing alerts make up a large portion of daily workload.
3. IDS Deployment and Packet Analysis
Network visibility is essential for understanding attacks that bypass endpoint tools. In this project, you deploy Snort or Suricata and analyze network traffic in real time.
You generate attack traffic using tools like Nmap, Hydra, or SQL injection attempts. The IDS captures suspicious signatures and triggers alerts. You then analyze PCAP files in Wireshark to examine protocol layers, packet payloads, and attacker behavior.
Quick setup steps:
- Provision one VM as a router or gateway and install Snort or Suricata in inline or passive mode on that host.
- Configure network interfaces so that the IDS sees traffic between an attacker VM and a victim VM on the same virtual network.
- Load a default IDS ruleset (for example, Emerging Threats) and verify that the engine starts without errors.
- From the attacker VM, run Nmap scans, weak password attempts, or simple web probes against the victim VM.
- Confirm that IDS alerts are generated and logged to files or a console output location.
- Capture network traffic with tcpdump or built in capture in the IDS, then open the resulting PCAP in Wireshark.
- Identify which packets triggered which alerts and label them by technique such as scanning, brute force, or exploitation attempt.
Key learning outcomes:
- Understanding IDS alerts
- Recognizing scanning behavior
- Identifying attack signatures
- Packet analysis with Wireshark
- Rule tuning to reduce false positives
This project teaches how attackers move on the network and how SOC teams detect them.
4. Cloud Security Monitoring with AWS or Azure Logs
Cloud visibility is a modern SOC requirement. This project introduces cloud logging, identity activity, and misconfiguration detection.
You enable AWS CloudTrail, S3 Access Logging, GuardDuty, or Azure Defender for Cloud. Then you simulate events such as unauthorized S3 access, suspicious IAM changes, region hopping, login anomalies, or privilege escalation.
Quick setup steps:
- Create a low cost AWS or Azure test account with billing alarms so the lab remains controlled and predictable.
- Enable CloudTrail or Azure Activity Logs, and route them to a central log destination such as CloudWatch Logs, S3, Log Analytics, or an external SIEM.
- Create a few IAM users and roles with least privilege, then intentionally misconfigure one (for example, overly broad admin rights) for test purposes.
- Generate events by signing in from different regions, changing IAM policies, accessing S3 buckets or storage accounts, and creating or deleting resources.
- Review the logs in CloudTrail, GuardDuty findings, or Defender alerts to understand which actions triggered which records.
- Write basic detection queries in CloudWatch Logs Insights, Athena, Kusto, or your SIEM to surface risky IAM and access patterns.
- Document common fields such as user identity, source IP, region, action name, and use them to build simple cloud detection use cases.
Key learning outcomes:
- IAM activity analysis
- Detecting unauthorized access
- Understanding cloud misconfigurations
- Identifying anomalous behavior
- Cloud monitoring in a SOC workflow
Cloud-focused analysts are in high demand due to widespread visibility gaps in enterprise environments.
5. Endpoint Monitoring with Sysmon and Wazuh
Endpoints are the starting point of most intrusions. This project teaches how analysts detect malicious activity using Windows telemetry.
You install Sysmon to capture events such as process creation, network connections, registry operations, and file modifications. Logs are forwarded to Wazuh, where you create detection rules for credential dumping, persistence, or suspicious PowerShell behavior.
Quick setup steps:
- Deploy a Windows VM as your monitored endpoint and a separate Linux VM for the Wazuh server or manager.
- Install Sysmon on the Windows VM using a recommended config file that focuses on high value events like process creation and network connections.
- Install Wazuh on the Linux VM following the official quickstart, including Elasticsearch and Kibana or the Wazuh dashboard.
- Install the Wazuh agent on the Windows VM and configure it to forward Sysmon and Windows security logs to the Wazuh manager.
- Generate events by running PowerShell, downloading files, creating scheduled tasks, and making new user accounts.
- Create or tune Wazuh rules to flag suspicious parent child process relationships, odd PowerShell command lines, or unusual persistence mechanisms.
- Use the dashboard to visualize events, drill into alerts, and document a short case study of one or two simulated attacks.
Key learning outcomes:
- Reading Sysmon events
- Host forensics fundamentals
- Identifying malicious process trees
- Writing Wazuh detection rules
- Mapping endpoint behavior to attacker tactics
This experience aligns closely with enterprise EDR platforms like CrowdStrike, Microsoft Defender, and SentinelOne.
6. Threat Hunting in Real Datasets
Threat hunting is a core Tier 2 skill. This project uses public datasets to build investigative hypotheses.
You load Zeek logs, Windows logs, or structured SOC datasets into Splunk or Elastic. You form hypotheses such as lateral movement, brute force success, or privilege escalation, then query the data using SPL or KQL. For reference, see the MITRE ATT and CK framework: MITRE ATT and CK.
Quick setup steps:
- Download a public dataset such as Zeek logs from a capture the flag event or anonymized SOC logs from a training source.
- Import the data into Splunk, Elastic, or a log analysis platform by defining appropriate sourcetypes and field extractions.
- Define two or three clear hunting hypotheses related to credential abuse, lateral movement, or data exfiltration.
- Write SPL, KQL, or Lucene style queries to search for anomalies in logon behavior, process names, network destinations, or volume of activity.
- Tag interesting findings with labels such as suspicious, benign, or unknown, and pivot deeper into related events.
- Map the discovered activity to MITRE techniques and build a short narrative describing the likely attack path.
- Produce a concise hunting report that includes hypothesis, methods, findings, and recommended follow up detections.
Key learning outcomes:
- SPL and KQL querying
- Recognizing suspicious patterns
- Mapping activity to MITRE ATT and CK
- Building timelines
- Threat hunting reporting
This project shows analytical thinking beyond alert triage.
7. Security Automation Script (SOAR Lite)
Automation removes repetitive workload from SOC teams. This project introduces simple enrichment and parsing scripts.
You build a Python or PowerShell script that collects indicators of compromise, enriches them using the VirusTotal API or AbuseIPDB, and outputs structured results. You can automate log parsing, extract suspicious entries, and tag high-risk events.
Quick setup steps:
- Choose a scripting language you are comfortable with, usually Python for portability or PowerShell for Windows heavy environments.
- Gather a list of IOCs such as IPs, domains, and hashes from previous labs, public reports, or your honeypot.
- Create an API key for VirusTotal or AbuseIPDB and store it securely in an environment variable or configuration file.
- Write a script that reads IOCs from a CSV or text file, sends them to the API, and parses the JSON responses.
- Normalize the output into a structured CSV or JSON file that includes fields like IOC value, category, reputation score, and detection count.
- Extend the script to also process a simple log file, match entries containing any of the IOCs, and flag them as high priority.
- Document how to run the script, expected input and output, and a few example use cases in an internal readme style note.
Key learning outcomes:
- Scripting fundamentals for cybersecurity
- Using security APIs
- Automating enrichment workflows
- Building repeatable triage tools
- Outputting structured data
This demonstrates both technical and analytical ability.
8. Honeypot Deployment and Threat Intel Collection
A honeypot allows you to observe real attackers safely. This project focuses on deploying the Cowrie SSH honeypot to capture brute-force and botnet activity.
You deploy the honeypot on a cloud server, monitor logs over several days, and analyze attacker commands, password attempts, and dropped files. Then you enrich IP addresses using OSINT tools such as AlienVault OTX or VirusTotal.
Quick setup steps:
- Deploy a low cost VPS with a public IP address, using a Linux distribution such as Ubuntu Server.
- Install Cowrie following the official documentation, ensuring that it listens on a chosen SSH port while your real SSH service, if any, is on a different port or locked down.
- Harden the server itself with a firewall that only exposes the honeypot service and your management access.
- Leave the honeypot credentials weak or default by design so that automated scanners and bots will attempt logins.
- Configure log output to files or a remote destination so logs are preserved even if the server is impacted.
- After a few days, extract logs and identify common usernames, passwords, commands, and IP addresses observed.
- Enrich the most active IPs with OSINT tools to learn about hosting providers, geolocation, and any known malicious tags.
Key learning outcomes:
- Threat intelligence collection
- IOC enrichment
- Understanding attacker behavior
- OSINT investigation
- Threat reporting
This project generates real-world data that strengthens your portfolio.
9. Threat Intelligence IOC Research
This project focuses on researching a real malware family or threat group and collecting indicators of compromise.
You gather IOCs from trusted sources such as Mandiant reports, MITRE ATT and CK Groups, and enrich them through WHOIS, VirusTotal, and public feeds. You categorize domains, hashes, IPs, registry keys, and map techniques to MITRE.
Quick setup steps:
- Select a specific malware family or threat group based on a recent public report or advisory.
- Read through at least one detailed report and extract all listed IOCs such as domains, URLs, hashes, and IP addresses.
- Organize the IOCs into a spreadsheet or small database with columns for type, value, source, and notes.
- Enrich each IOC with VirusTotal, WHOIS, or reputation feeds to gather additional context and relationships.
- Cross reference activity with MITRE to identify associated tactics, techniques, and procedures.
- Create a short threat profile summarizing the group or malware, common targets, typical tools, and observable indicators.
- Produce a one to two page intelligence summary that a SOC could consume to improve their detection rules.
Key learning outcomes:
- IOC collection and validation
- Malware campaign research
- Threat profiling
- Mapping adversary behavior
- Intelligence summary writing
This is ideal for analysts preparing to pivot into Threat Intelligence roles.
10. Phishing Email and Malware Analysis
Phishing is still the most common attack vector. This project walks through capturing a suspicious email, analyzing it, and identifying potential malware.
You inspect email headers, decode URLs, verify sender authenticity, and analyze attachments using sandboxes such as ANY.RUN or a virtual machine. You extract IOCs and determine behaviors such as command execution, persistence, or data exfiltration.
Quick setup steps:
- Set up a dedicated analysis VM with no personal data and snapshots so you can safely roll back after each test.
- Obtain example phishing emails from training repositories, spam folders, or publicly shared samples that are safe to analyze.
- Export the email in raw format and examine headers to identify sender IP, authentication results, and suspicious routing paths.
- Extract embedded URLs and attachments, and submit them to a sandbox like ANY.RUN or execute them carefully inside the analysis VM.
- Monitor process creation, network connections, and file changes while the sample runs, using tools like Process Explorer or Sysmon.
- Collect all resulting IOCs and classify them by type, then compare them against threat intelligence sources.
- Write a short analysis report containing initial lure, technical behavior, impact, and recommended blocking or detection actions.
Key learning outcomes:
- Email forensics
- Sandbox malware analysis
- Behavioral classification
- Extracting indicators
- Recommending remediation actions
This is one of the best beginner-friendly SOC analyst projects because it mirrors real-world tasks.
Final Thoughts
Hands on experience is one of the most important factors in landing a SOC analyst job. Certifications help, but employers hire based on demonstrated skills, not theory. These projects give you practical experience with SIEM monitoring, log analysis, incident response, cloud security, endpoint detection, network analysis, and threat intelligence.
By completing even a few labs, you gain resume ready accomplishments and real examples to talk about during interviews. Make sure to include keywords like SIEM, Splunk, log analysis, detection engineering, IR, threat hunting, cloud logs, IDS, packet analysis, IOC enrichment, and endpoint monitoring. These terms are recognized by recruiters and applicant tracking systems.
To get started quickly, copy any project description, paste it into your favorite AI chatbot, and ask for a guided walkthrough. You will get step by step help for setup, simulation, investigation, and documentation.
With consistent practice, these projects help you build confidence, strengthen your technical foundation, and position yourself as a capable entry level cybersecurity professional.
