Floragasse 7 – 5th floor, 1040 Vienna

Security Operations Center (SOC) – Basic Course

In a time when cyber threats are increasing exponentially and the NIS2 Directive introduces new binding cybersecurity requirements, building and operating a professional SOC has become essential for organizations and public authorities. This foundational course provides you with the complete knowledge required to implement an independent, on-premises (on-site) hosted SOC and to operate it sustainably using targeted techniques and open-source applications – thereby actively strengthening your digital sovereignty.

The course begins with the essential fundamentals and prerequisites for successful SOC operations. You will learn how to assess and map a digital infrastructure, which Disaster Recovery Plans (DRP) and Business Continuity Plans (BCP) are required, and how business processes can be systematically integrated into a security architecture. Only those who understand their own processes can effectively protect them.

In the second module, we focus on the requirements of SOC operations: Which SOC services are needed? Which roles are required? Which technologies are used? You will gain a solid understanding of the Security Incident Response process, vulnerability management, and an introduction to the MITRE ATT&CK Framework – the world’s leading knowledge base of adversary tactics and techniques. The development of playbooks, use cases, and detection rules forms the core of effective SOC operations.

In the practical part, you will enter a dedicated SOC lab environment. You will learn how to automatically deploy a complete SOC setup, configure individual tools, and monitor relevant data sources. The digital infrastructure is fully mapped within the SOC, including IPAM, inventory, and CMDB systems, as well as system and network monitoring, vulnerability scanning, and centralized logging via SIEM and XDR. You will perform triage and case management, create your own rules and SOAR workflows, and finally face realistic attack scenarios executed by the trainers, which you must detect, classify, and respond to within the SOC environment.

Course Objectives

This basic course provides all the essential knowledge and practical skills required to build and operate a SOC.

In the first part, participants are introduced to the fundamental theoretical components such as SOC services, roles, processes, plans, and technologies. These form the foundation for smooth and effective SOC operations.

In the second part, participants gain access to a dedicated lab environment. They will install, configure, and operate the core components of a SOC. After the setup, instructors will launch simulated attacks against the lab environment, and participants will learn how to detect and handle these incidents within the SOC. This provides a comprehensive, hands-on understanding of how a Security Operations Center operates in practice.

Benefits

  • NIS2 compliant: Supports preparation and implementation of regulatory cybersecurity requirements
  • Digital sovereignty: Full control over security processes, infrastructure, and data
  • On-premises ready: Local deployment with no dependency on external cloud providers
  • Vendor-independent: No licensing costs and no vendor lock-in, ensuring maximum flexibility
  • Theory + practice: Combines solid conceptual knowledge with hands-on lab experience
  • End-to-end SOC architecture: Covers the full lifecycle from design to operational SOC
  • Realistic attack scenarios: Hands-on training with live attack detection and response exercises
  • Comprehensive toolset: Integration of the most important open-source security tools

Technology Areas & Components

  • SIEM: Wazuh, OpenSearch
  • SOAR: n8n, Shuffle
  • EDR / XDR: Wazuh
  • Network Detection: Suricata, Zeek
  • Cyber Threat Intelligence: MISP
  • IPAM/CMDB: NetBox
  • Incident Response: DFIR-IRIS
  • Vulnerability management: OpenVAS, Wazuh, DefectDojo
  • Additional tools: Checkmk, LibreNMS, Zammad, Guacamole

Target Groups & Relevance

  • Security Managers – Understanding SOC requirements and resource planning
  • Aspiring Security Engineers – Building a solid foundation in SOC technologies and architecture
  • Aspiring Security Analysts – Learning practical SOC workflows and security tool operation
  • SOC Managers – Gaining an overview of SOC structures, roles, and key performance indicators (KPIs)
  • Chief Information Security Officers (CISOs) – Strategic guidance for SOC planning, budgeting, and implementation
  • IT Project Managers – Managing the technical implementation and delivery of SOC projects
  • System Administrators – Integrating the SOC with existing infrastructure

Costs and Completion

Minimum number of participants: 6 (maximum 8)
Course duration: 5 days
Cost per participant: € 5,000
Course location: SBA Research

A certificate of completion for the course will be issued.

Your contact person: Alexander Szönyi, aszoenyi@sba-research.org