LTR101 - Getting into Industry in 2026
Author: blog.zsec.uk, 2026-03-08

Breaking into cybersecurity in 2026 is harder than it has ever been. The baseline for entry into the industry has steadily risen over the last decade, and landing your first role or internship is now more competitive than ever. This post looks at what it takes to get into blue team and SOC roles in 2026, the skills that actually matter, and the things that help candidates stand out.

I've written a lot over my career (lessons learnt from leadership) about how to get into the security industry, but it has always been heavily focused on getting into the red side of the house, which I appreciate is where my interest mostly lies. I have, however, been getting more and more involved in the blue team side of things recently.

Blue teaming is also an area where there doesn't appear to be enough written about how to get into it, what to look at, and what the different roles and training options are.

Having also been involved in recruiting, interviewing and hiring, I'll use this post to showcase some of the key wins you can look to if you're going for your first job in the industry. The core focus will be on blue team, but there's also lots of useful information around red teaming too.

If you've not already, please go watch my good friend Neil Lines' talk about how to get into red team / pentesting and some of the things to consider:

https://www.youtube.com/watch?v=VM6WKk0MqNM

Neil has a unique way of presenting and is an excellent storyteller. His talk dives into how he got into this industry and the steps he took, but it also covers lots of other excellent topics.

What is Blue Teaming

At its core, blue teaming focuses on defending organisations from attacks. This typically involves monitoring systems, detecting suspicious behaviour, investigating incidents, and helping organisations improve their overall security posture.

A common way to think about defensive security is through the lifecycle of:

Prevent → Detect → Respond → Recover

Preventing attacks where possible, detecting the ones that get through, responding to contain them, and recovering systems afterwards.

In practice, most blue team roles touch multiple parts of this lifecycle, and having some familiarity with each of the skillsets involved makes it far easier to move between them.

Core Skills

Regardless of which side of the house you end up on, there are some core skills that make life a lot easier in this industry. Having both technical and social skills will help far more than focusing on one or the other.

Sysadmin Experience

Build something. Run your own services. Break them. Fix them. Understanding how systems actually operate and learning to troubleshoot them is one of the most valuable foundations you can have in security.

Writing Things

Write code, write blog posts, document what you learn.

Create a GitHub and publish things you’ve built or experimented with. It does not have to be revolutionary. It just needs to demonstrate curiosity and understanding.

For example, I created RandomScripts, which is simply a collection of random tools and scripts I’ve written over the years that might be useful for one thing or another.

Operating System Fundamentals

You should be comfortable navigating and troubleshooting both:

  • Windows
  • Linux

Understanding how processes, services, authentication, permissions, and logging work at an operating system level is essential.

Logging and Telemetry

Regardless of whether you end up on the red team, the blue team, or any of the other colour-coded teams, understanding logging and telemetry is incredibly valuable. Logs are often the key to debugging issues, understanding incidents, and figuring out what actually happened during an attack.

Scripting

Pick one scripting language and learn the basics.

Good options include:

  • Python
  • PowerShell
  • Bash

You don’t need to become a software engineer, but understanding how functions work, how to use libraries, and how to automate simple tasks goes a long way.

Understanding Attacker Behaviour

Whether you’re red team or blue team, understanding how adversaries think and operate will improve your ability to detect and defend against them because nothing says defence like a good understanding of offence. This does not mean understanding the criminal motivations. It means understanding the techniques, behaviours, and patterns attackers use.
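The three sections above (logging and telemetry, scripting, and attacker behaviour) come together in the kind of script a new analyst ends up writing in their first month. The following is an added example, not code from the original post: it parses a handful of constructed sshd auth.log lines, groups failures by source address, and separates a password spray (one or two guesses against many accounts) from a brute force (many guesses against one account), tagging each with the matching MITRE ATT&CK sub-technique. The sample log lines and the thresholds are assumptions made for the example, not tuned production values.

```python
"""Added example: classify failed-logon activity in sshd auth.log lines.

Constructed input and illustrative thresholds; not code from the original post.
"""
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log style sshd messages (not real data).
SAMPLE_AUTH_LOG = """\
Mar  8 03:01:10 lab-web sshd[2201]: Failed password for alice from 10.0.0.5 port 51012 ssh2
Mar  8 03:01:12 lab-web sshd[2203]: Failed password for bob from 10.0.0.5 port 51013 ssh2
Mar  8 03:01:14 lab-web sshd[2205]: Failed password for carol from 10.0.0.5 port 51014 ssh2
Mar  8 03:01:16 lab-web sshd[2207]: Failed password for invalid user dave from 10.0.0.5 port 51015 ssh2
Mar  8 03:01:18 lab-web sshd[2209]: Failed password for erin from 10.0.0.5 port 51016 ssh2
Mar  8 03:01:20 lab-web sshd[2211]: Failed password for frank from 10.0.0.5 port 51017 ssh2
Mar  8 03:05:01 lab-web sshd[2301]: Failed password for root from 10.0.0.9 port 40001 ssh2
Mar  8 03:05:03 lab-web sshd[2303]: Failed password for root from 10.0.0.9 port 40002 ssh2
Mar  8 03:05:05 lab-web sshd[2305]: Failed password for root from 10.0.0.9 port 40003 ssh2
Mar  8 03:05:07 lab-web sshd[2307]: Failed password for root from 10.0.0.9 port 40004 ssh2
Mar  8 03:05:09 lab-web sshd[2309]: Failed password for root from 10.0.0.9 port 40005 ssh2
Mar  8 03:05:11 lab-web sshd[2311]: Failed password for root from 10.0.0.9 port 40006 ssh2
Mar  8 03:05:13 lab-web sshd[2313]: Failed password for root from 10.0.0.9 port 40007 ssh2
Mar  8 03:05:15 lab-web sshd[2315]: Accepted password for root from 10.0.0.9 port 40008 ssh2
Mar  8 03:10:02 lab-web sshd[2401]: Failed password for alice from 192.168.1.20 port 60010 ssh2
Mar  8 03:10:09 lab-web sshd[2403]: Accepted publickey for alice from 192.168.1.20 port 60011 ssh2
Mar  8 03:10:10 lab-web systemd[1]: Started session-12.scope.
"""

# Matches both "Failed password for [invalid user] X" and "Accepted password/publickey for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Return one dict per sshd authentication line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def analyse_sources(events, brute_threshold=5, spray_threshold=5):
    """Group failures by source address and classify each source.

    Returns {src: finding} only for sources that trip a threshold. A spray is
    many distinct accounts with at most two failures each; a brute force is
    one account hammered repeatedly. Thresholds are assumptions for a lab.
    """
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failed count
    success_after_failure = set()
    for ev in events:  # events are in log order, so "after" is positional
        src, user = ev["src"], ev["user"]
        if ev["result"] == "Failed":
            failures[src][user] += 1
        elif failures[src]:
            success_after_failure.add(src)

    findings = {}
    for src, per_user in failures.items():
        total = sum(per_user.values())
        distinct = len(per_user)
        peak = max(per_user.values())
        if distinct >= spray_threshold and peak <= 2:
            kind, technique = "password_spray", "T1110.003"   # ATT&CK: Password Spraying
        elif peak >= brute_threshold:
            kind, technique = "brute_force", "T1110.001"      # ATT&CK: Password Guessing
        else:
            continue  # e.g. a user who mistyped once: not worth an alert
        findings[src] = {
            "type": kind,
            "attack_technique": technique,
            "failed_attempts": total,
            "distinct_users": distinct,
            "succeeded_after_failures": src in success_after_failure,
        }
    return findings


if __name__ == "__main__":
    for src, finding in analyse_sources(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(src, finding)
```

Run it directly to print the findings. The host at 192.168.1.20 fails once and then logs in with a key; it never trips a threshold, which is exactly the tuning decision that stops a rule like this from paging someone every time a user mistypes a password. The source that brute-forces root and then gets an `Accepted` is the one to look at first.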

Networking and Traffic Analysis

You do not need to memorise the OSI model perfectly. My personal memory trick has always been:

All People See Trees Near Dalmuir Park

Do I remember what every layer is called without Googling it? Honestly, no, but having a general understanding of networking and being able to analyse traffic will help enormously when investigating incidents. Another key area to understand is what job roles in the industry look like and what to search for.
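Before moving on to job roles, here is what "being able to analyse traffic" can look like in practice, as an added example rather than anything from the original post. It takes a constructed set of Zeek-style connection records, groups them by source, destination and port, and flags flows whose connections arrive at suspiciously regular intervals, the classic signature of a command-and-control beacon. The record layout, the jitter threshold and the minimum connection count are all assumptions made for the example.

```python
"""Added example: spot beacon-like regularity in connection records.

The records are constructed for this example; thresholds are illustrative.
"""
import statistics
from collections import defaultdict

# Constructed scenario: one host talks to 203.0.113.10 roughly every 60 seconds
# (a beacon with a little jitter) and to 198.51.100.7 at irregular, human-looking
# gaps. A second host makes a single connection, too little to judge.
_BEACON_JITTER = [0, 1, -1, 2, 0, -2, 1, 0, 1, -1]
_BROWSE_GAPS = [3, 40, 2, 120, 7, 1, 300, 15]


def _build_sample():
    """Render the scenario as tab-separated conn.log style text with a #fields header."""
    rows = []
    for i, jitter in enumerate(_BEACON_JITTER):
        rows.append((1000 + 60 * i + jitter, "10.0.0.21", "203.0.113.10", 443))
    t = 1000
    rows.append((t, "10.0.0.21", "198.51.100.7", 443))
    for gap in _BROWSE_GAPS:
        t += gap
        rows.append((t, "10.0.0.21", "198.51.100.7", 443))
    rows.append((1005, "10.0.0.22", "203.0.113.10", 443))
    rows.sort()
    header = "#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto"
    body = "\n".join(f"{ts}\t{s}\t{d}\t{p}\ttcp" for ts, s, d, p in rows)
    return header + "\n" + body


SAMPLE_CONN_LOG = _build_sample()


def parse_conn_log(text):
    """Return {(src, dst, port): [timestamps]} from tab-separated records."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, _proto = line.split("\t")
        flows[(src, dst, int(port))].append(float(ts))
    return flows


def find_beacons(flows, min_connections=8, max_jitter=0.2):
    """Return {flow: stats} for flows whose inter-connection gaps are regular.

    jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections: near zero means clockwork, which people rarely are.
    Both thresholds are assumptions for this example.
    """
    beacons = {}
    for flow, times in flows.items():
        if len(times) < min_connections:
            continue
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons[flow] = {
                "connections": len(times),
                "mean_interval_s": round(mean, 1),
                "jitter": round(jitter, 3),
            }
    return beacons


if __name__ == "__main__":
    for flow, stats in find_beacons(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(flow, stats)
```

The irregular flow to 198.51.100.7 has almost as many connections as the beacon but a coefficient of variation well above the threshold, which is why interval regularity rather than raw connection count is the discriminator here. Real beacons add deliberate jitter, so in a lab it is worth replaying the script with different `max_jitter` values to see where your own tooling's sleep and jitter settings start to blend in.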

Job Roles

Here's a breakdown of common job titles, the rough level each sits at, and an outline of what each does, to give you a better idea of what to search for when looking for a job.

Entry Level Roles

SOC Analyst (Tier 1) – Entry-level monitoring and triage role within a Security Operations Centre

  • Monitor alerts from SIEM, EDR, IDS and other security tooling
  • Triage alerts to determine whether activity is benign, suspicious, or malicious
  • Escalate incidents to more senior analysts when deeper investigation is required
  • Document incidents and maintain investigation notes

Junior SOC Analyst – A learning-focused SOC role typically paired with mentoring

  • Assist with alert monitoring and initial investigation tasks
  • Review logs and endpoint alerts
  • Learn investigation workflows and security tooling
  • Support incident documentation and reporting

Security Operations Analyst – A generalist security monitoring role

  • Monitor organisational security dashboards and alerts
  • Investigate suspicious login activity or endpoint behaviour
  • Assist with security incident response tasks
  • Maintain situational awareness across systems and infrastructure

Threat Intelligence Analyst (Junior) – Entry-level role focused on analysing threat information

  • Track threat actors, campaigns, and emerging vulnerabilities
  • Analyse threat reports and intelligence feeds
  • Produce internal threat briefings
  • Support SOC investigations with intelligence context

Vulnerability Analyst – Role focused on identifying and tracking vulnerabilities

  • Run vulnerability scans across systems and networks
  • Review vulnerability scan results and prioritise findings
  • Work with IT teams to coordinate remediation
  • Track patching progress and risk exposure

Investigation and Response Roles

SOC Analyst (Tier 2) – Intermediate analyst responsible for deeper investigation

  • Investigate alerts escalated from Tier 1 analysts
  • Perform log correlation across systems and security platforms
  • Identify attacker techniques and suspicious patterns
  • Recommend containment or response actions

Incident Responder – Specialist focused on handling active security incidents

  • Investigate confirmed security incidents
  • Coordinate containment actions such as isolating hosts
  • Perform root cause analysis of breaches
  • Work with IT teams to recover systems safely

Threat Hunter – Analyst focused on proactively searching for attackers

  • Search logs and telemetry for signs of compromise
  • Develop hypotheses based on attacker behaviour
  • Investigate suspicious patterns across endpoints and networks
  • Identify stealthy attackers who bypass automated detection

Digital Forensics Analyst – Specialist focused on forensic investigation

  • Analyse disk images, memory dumps, and logs
  • Reconstruct attacker timelines during incidents
  • Identify evidence of compromise
  • Support legal or compliance investigations when required

Malware Analyst – Specialist who studies malicious software

  • Reverse engineer malware samples
  • Identify indicators of compromise and attacker techniques
  • Produce technical analysis reports
  • Support detection engineering with malware insights

Engineering and Detection Roles

Detection Engineer – Specialist responsible for building security detections

  • Develop detection rules for SIEM, EDR, and monitoring platforms
  • Map detections to attacker techniques using frameworks such as MITRE ATT&CK
  • Tune alerts to reduce false positives
  • Improve detection coverage across environments

Security Engineer – Engineer responsible for deploying and maintaining security tooling

  • Deploy and configure SIEM, EDR, and logging platforms
  • Integrate security tools into organisational infrastructure
  • Maintain logging pipelines and alerting systems
  • Support security automation and tooling development

Purple Team Engineer – Role bridging offensive and defensive security

  • Simulate attacker techniques to test defensive controls
  • Validate detection rules and response processes
  • Work with both red and blue teams to improve security posture
  • Identify detection gaps and recommend improvements

Leadership and Strategic Roles

SOC Manager – Responsible for running SOC operations

  • Manage SOC analysts and investigation workflows
  • Coordinate incident response across teams
  • Define monitoring strategies and escalation processes
  • Report on SOC performance and security posture

Security Operations Lead – Senior role guiding defensive strategy

  • Oversee detection engineering and threat hunting initiatives
  • Coordinate defensive improvements across infrastructure
  • Develop incident response strategies and playbooks
  • Mentor junior analysts and engineers

Threat Intelligence Lead – Senior intelligence role guiding threat analysis

  • Lead intelligence analysis efforts
  • Track advanced threat actors and campaigns
  • Translate intelligence into detection improvements
  • Provide strategic threat briefings to leadership

Courses and Certs

There are a huge number of courses and certifications available now. Some are excellent, some are less so, and the reality is that certifications alone will not get you a job in this industry.

What they can do however is give some structure to your learning and show you’ve taken the time to dig into certain areas.

If you are aiming for blue team or SOC roles, certifications that focus on practical investigation, logging, detection, and incident response tend to be far more valuable than purely theoretical ones.

It is also worth remembering that many organisations care far more about what you can demonstrate in practice than the number of certifications on your CV. When it comes to CVs, make sure that if you list something you are willing and able to talk about it happily: one of the first things I do when interviewing someone is look at their CV/resume and then dive into the projects and things they have listed.

Roll Your Own Lab

One of the best things you can do if you want to stand out when applying for security roles is to build your own lab environment. I have written a lot about home lab creations here, here and here, and I plan on overhauling this setup soon and documenting some new bits and pieces I've pulled together.

Running your own infrastructure teaches you far more than reading documentation or watching training videos. You will learn how systems actually behave, how logs are generated, and how things break, and you'll pick up valuable troubleshooting skills along the way, especially when building things like hypervisors and Active Directory environments.

Some simple things you can build in a home lab include:

  • A small Windows domain environment
  • Linux servers running common services
  • Endpoint logging and monitoring tools
  • A SIEM platform for analysing logs
  • A vulnerable application to generate attack traffic

Once you have something running, start experimenting.

Break things. Generate suspicious activity. Analyse the logs and figure out what happened.

The goal is to build a feedback loop of building, breaking, defending and fixing, which is far closer to what day-to-day work in the industry looks like than reading about it.
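As an added example of the "analyse the logs and figure out what happened" step (not code from the original post), the script below takes constructed access-log lines from a lab web application that has just been scanned and poked at, tags each request with the attack pattern it matches, and condenses the activity per source into the sort of summary you would put in an investigation note. The log lines, the detection patterns and the list of probed admin paths are assumptions made for the example; a real investigation would widen them considerably.

```python
"""Added example: reconstruct what an attacker did from web access logs.

Constructed log lines and illustrative patterns; not code from the original post.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed Apache/nginx combined-format lines from a lab web app (not real data).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [08/Mar/2026:03:20:01 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Nikto/2.5.0)"
10.0.0.5 - - [08/Mar/2026:03:20:02 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Nikto/2.5.0)"
10.0.0.5 - - [08/Mar/2026:03:20:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Nikto/2.5.0)"
10.0.0.5 - - [08/Mar/2026:03:21:10 +0000] "GET /download?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1880 "-" "Mozilla/5.0"
10.0.0.5 - - [08/Mar/2026:03:21:30 +0000] "GET /search?q=%27%20OR%201%3D1-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.168.1.20 - - [08/Mar/2026:03:22:00 +0000] "GET /download?file=report.pdf HTTP/1.1" 200 52011 "-" "Mozilla/5.0"
192.168.1.20 - - [08/Mar/2026:03:22:05 +0000] "GET /search?q=quarterly+report HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Illustrative patterns; a real rule set would be far larger.
SCANNER_UA = re.compile(r"nikto|sqlmap|nmap|masscan|gobuster", re.I)
SQLI_PROBE = re.compile(r"('|\")\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select", re.I)
ADMIN_PATHS = ("/admin", "/phpmyadmin", "/wp-admin", "/.git")


def classify(path, ua):
    """Return the attack patterns a request matches; [] means nothing seen.

    The path is percent-decoded first so encoded traversal (%2e%2e%2f) still
    matches; matching on the raw path is a common gap in first-draft rules.
    """
    decoded = unquote(path)
    tags = []
    if SCANNER_UA.search(ua):
        tags.append("scanner_ua")
    if "../" in decoded or "..\\" in decoded:
        tags.append("path_traversal")
    if SQLI_PROBE.search(decoded):
        tags.append("sqli_probe")
    if decoded.lower().startswith(ADMIN_PATHS):
        tags.append("admin_probe")
    return tags


def build_timeline(text):
    """Parse the log into {src: [(ts, status, path, tags), ...]} in log order."""
    timeline = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tags = classify(m["path"], m["ua"])
        timeline[m["src"]].append((m["ts"], int(m["status"]), m["path"], tags))
    return dict(timeline)


def summarise(timeline):
    """Condense each suspicious source into what an analyst would write up:
    when it started and stopped, which techniques were seen, and how many
    flagged requests the server answered with 200 (check those first)."""
    out = {}
    for src, reqs in timeline.items():
        flagged = [r for r in reqs if r[3]]
        if not flagged:
            continue
        out[src] = {
            "first_seen": reqs[0][0],
            "last_seen": reqs[-1][0],
            "techniques": sorted({t for r in flagged for t in r[3]}),
            "flagged_requests": len(flagged),
            "flagged_200s": sum(1 for r in flagged if r[1] == 200),
        }
    return out


if __name__ == "__main__":
    for src, note in summarise(build_timeline(SAMPLE_ACCESS_LOG)).items():
        print(src, note)
```

The summary for 10.0.0.5 tells the story in the order it happened: a scanner user-agent probing admin paths, then a manual encoded traversal that the server answered with 200 (the one request that needs a follow-up on the box itself), then a SQL injection probe that produced a 500. The workstation at 192.168.1.20 downloads a report and runs a search and never appears in the write-up, which is the point of tagging rather than alerting on every hit to `/download`.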

Finding Jobs

Neil’s talk that I referenced earlier includes some excellent advice around actually finding roles in the industry.

One of the tips he mentions is looking up companies that advertise the kinds of roles you are interested in and seeing who already works there. Connecting with people in similar roles can sometimes give you insight into what the company is looking for, what the work is like, and occasionally whether there are opportunities coming up.

That said, try not to be overzealous with this approach. Security companies in particular can be cautious about people trying to connect with large numbers of employees at once, so approach it respectfully and professionally.

Another useful tip I picked up from a recent talk was to look up recruiters who work with companies in the industry and reach out to them directly. Recruiters often have visibility into roles before they are widely advertised, and building a relationship early in your career can be extremely helpful.

More broadly, networking plays a much bigger role in this industry than many people realise. Platforms like LinkedIn, Twitter, and industry job boards are all useful, but some of the best opportunities often come from simply meeting people.

Attend conferences if you can, go to local meetups, and speak to like-minded people. The security community is generally very open, and building connections within it can open doors that job applications alone sometimes will not.

Resources

Here's a quick-fire list of the resources I've pulled together, such as free courses and training platforms, with what each one is and why it's useful:

Blue Team Labs Online

What it is:
A gamified online training platform focused on defensive cybersecurity challenges.

Why it’s useful:
Provides hands-on incident investigation scenarios where you analyse logs, alerts, and security events similar to a SOC analyst role.

Link:
https://blueteamlabs.online/

Hack The Box Academy

What it is:
A structured cybersecurity learning platform with guided modules and practical labs.

Why it’s useful:
Although well known for offensive security, it includes strong blue team modules covering detection engineering, investigations, and defensive tooling.

Link:
https://academy.hackthebox.com/

PicoCTF

What it is:
A free capture-the-flag platform with security challenges across many topics.

Why it’s useful:
Great for building technical fundamentals through short practical challenges covering areas such as web security, reverse engineering, and cryptography.

Link:
https://picoctf.org/

Kusto Detective Agency

What it is:
An investigation game where you solve data mysteries using Kusto Query Language (KQL).

Why it’s useful:
Helps develop strong log analysis and query skills used in Microsoft Sentinel and Defender environments.

Link:
https://detective.kusto.io/

Security Blue Team – Blue Team Level 1 (BTL1)

What it is:
A certification focused on entry-level defensive cybersecurity skills.

Why it’s useful:
Covers practical SOC fundamentals including threat detection, incident response, digital forensics, and network monitoring.

Link:
https://www.securityblue.team/certifications/blue-team-level-1

Blu Raven Academy – Introduction to KQL for Security Analysis

What it is:
A hands-on training course teaching Kusto Query Language for security investigations.

Why it’s useful:
KQL is heavily used in Microsoft security tooling, making it valuable for threat hunting and SOC analysis roles.

Link:
https://academy.bluraven.io/course/introduction-to-kql-for-security-analysis

Cisco Networking Academy – Cybersecurity Courses

What it is:
Free cybersecurity training provided by Cisco.

Why it’s useful:
Provides solid foundational knowledge around networking, security principles, and cyber defence concepts.

Link:
https://www.netacad.com/cybersecurity

Ludus Cyber Range

What it is:
A platform used to deploy realistic cyber lab environments and security ranges.

Why it’s useful:
Allows you to simulate attacks and observe defensive telemetry in a controlled environment, helping understand what real attacks look like in logs.

Link:
https://ludus.cloud/

Elastic Security (ELK Stack Lab Guide)

What it is:
A SIEM and analytics stack based on Elasticsearch, Logstash, and Kibana.

Why it’s useful:
Widely used for logging and security analytics. Running it in a lab helps learn detection pipelines and log analysis.

Link:
https://docs.ludus.cloud/docs/environment-guides/elastic/

Wazuh

What it is:
An open-source XDR and SIEM platform for endpoint monitoring and threat detection.

Why it’s useful:
Provides log monitoring, file integrity monitoring, and security alerting useful for building a home SOC environment.

Link:
https://github.com/wazuh/wazuh

Closing

Alongside writing blog posts and tools and giving talks, I have also found the time in my career to write two books and a course (https://lms.zsec.red). The books are available for free here: https://leanpub.com/b/LearningTheRopes/c/dc33dec25, or if you'd prefer a physical copy they're available worldwide on Amazon as print on demand (Amazon prints it and posts it to you).


Original article: https://blog.zsec.uk/ltr101-getting-into-industry-in-2026/