Upper-intermediate · 6 topic areas · 46+ exercises

SOC Analyst / Threat Hunter

SOC Analysts and Threat Hunters monitor security telemetry, investigate alerts, and communicate findings to technical and non-technical audiences. Their English work includes writing escalation reports, documenting investigation timelines, producing threat intelligence summaries, and communicating incident impact to management. This path builds the language of proactive and reactive security operations.

Topics covered

  • Alert triage & investigation
  • Threat hunting
  • MITRE ATT&CK
  • SIEM & SOAR operations
  • Threat intelligence
  • Incident escalation

Vocabulary spotlight

4 terms every SOC Analyst / Threat Hunter should know in English:

IOC (Indicator of Compromise) n.

Evidence that a system has been breached: a malicious IP, hash, domain, or behavioural pattern observed after the fact

"The threat actor's C2 server IPs were added to our IOC blocklist within 30 minutes of identification."

threat hunting n.

A proactive security practice of searching through systems for adversary activity that has evaded automated detection

"During threat hunting, the analyst found lateral movement that SIEM rules had not triggered on."

MITRE ATT&CK n.

A knowledge base of adversary tactics, techniques, and procedures (TTPs) used as a framework for describing and categorising attack behaviour

"The intrusion mapped to T1566.001 (Spearphishing Attachment) in the MITRE ATT&CK framework."

false positive n.

An alert that fires for benign activity that resembles malicious behaviour: the alert is technically correct, but the activity is not a real threat

"After tuning the rule, we reduced false positives from 200/day to under 10."

Vocabulary Reference

Key terms organised by category for SOC Analyst / Threat Hunters:

Detection & Alerting

SIEM, SOAR, alert, rule, tuning, false positive, true positive, noise reduction, baseline, anomaly detection, playbook

Threat Intelligence

IOC, IOA, TTP, threat actor, APT, campaign, MITRE ATT&CK, tactics, technique, procedure, threat feed, STIX/TAXII

Investigation

triage, alert investigation, root cause, lateral movement, pivot, timeline, kill chain, forensic artefact, log analysis, threat hunting

Communication

escalation, severity rating, confidence level, impact assessment, containment, remediation, executive summary, incident report, lessons learned

Recommended exercises

Real-world scenarios you'll practise

  • Writing an escalation report for a suspected credential stuffing attack — factual, investigation-led
  • Summarising a threat hunting finding for the CISO: TTP mapping, affected systems, confidence level
  • Explaining the difference between a false positive and a true positive to a junior analyst
  • Writing a post-incident IOC report that external partners can use for threat sharing

Recommended reading
