How I Passed the Practical SOC Analyst Associate (PSAA) Certification by TCM Security
If you’re targeting a blue team career, you’ve likely heard of TCM Security’s Practical SOC Analyst Associate (PSAA). This isn’t your standard multiple-choice exam. It puts you in realistic SOC scenarios where you need to investigate incidents, analyze evidence, and write a professional report just like a real SOC analyst.
I recently passed the PSAA, and in this post, I’ll share how I prepared, what the exam experience was like, and what I wish I had known before starting.
Why I Chose the PSAA
This is my second certification; my first was CompTIA Security+ (SY0-701). My goal is to break into cybersecurity as a blue teamer, so I wanted something hands-on and practical.
The PSAA’s investigation-focused approach stood out to me because it simulates the actual work of a Tier 1–2 SOC analyst: analyzing alerts, digging into artifacts, and retracing attacker steps.
Another bonus?
- The certification does not expire
- It includes one free retake
- At $249, it’s one of the most affordable practical cybersecurity certs out there, and as a student, I got it for $200.
How I Prepared
1. The SOC 101 Course
The PSAA voucher includes 12 months of access to the Security Operations (SOC) 101 course. Honestly, this course alone is enough to pass the PSAA.
It covers:
- Security Operations Fundamentals
- Phishing Analysis
- Network Security Monitoring
- Network Traffic Analysis
- Endpoint Security Monitoring
- Endpoint Detection and Response
- Log Analysis and Management
- Security Information and Event Management (SIEM)
- Threat Intelligence
- Digital Forensics
- Incident Response
I didn’t just watch the videos. I paused constantly, took screenshots, and recreated the scenarios in my lab. I took around one and a half months to complete the full course. This course is 30+ hours long, and you can find the first 12 hours on YouTube.
You can access the course during the exam, but I don’t recommend relying on it; it’ll eat up valuable time. Make sure you complete all the course videos and the exercises before taking the exam.
2. Hands-On Practice
Before taking the PSAA, I completed extra practice from the SOC 101 instructor, Andrew Prince, and some TryHackMe and HackTheBox challenges. These aren’t required for passing, but they definitely sharpened my skills.
Here’s what I practiced before the exam:
- https://tryhackme.com/r/room/posheclipse
- https://tryhackme.com/r/room/paymentcollectors
- https://tryhackme.com/r/room/summit
- https://tryhackme.com/r/room/mondaymonitor
- https://tryhackme.com/r/room/warzoneone
- https://tryhackme.com/r/room/snappedphishinglin
- https://blueteamlabs.online/home/investigation/piggy-aij2bd8h2
- https://blueteamlabs.online/home/investigation/deep-blue-a4c18ce507
- https://tryhackme.com/room/juicydetails
- https://app.hackthebox.com/sherlocks/Dream%20Job-1/play
- https://app.hackthebox.com/sherlocks/Brutus/play
(I have the write-ups for most of these rooms in my posts; you can check them out.)
Before the exam, I reset my SOC 101 lab progress and redid the exercises without hints. If you can do that, you’re more than ready.
Exam Experience
The PSAA exam is split into two parts:
1. Investigation Phase (2 Days)
You’re dropped into a hosted SOC environment and given multiple incident tickets. Your task: Determine what happened, how it happened, and what the evidence shows.
2. Report Writing Phase (2 Days)
You submit a professional-grade report using the provided template. This includes findings, investigation steps, IOCs, and recommended actions.
I felt that the exam could be done in less than the allotted time (one day for the investigation and one day for the report), but I took my time.
Here’s my advice for exam day:
- Document As You Go: This was my secret weapon. As I investigated, I kept a running document open. I took screenshots of key findings and wrote a quick sentence explaining what I found and why it was important. This made the report-writing phase easier. By the end, my final report was 54 pages long.
- Pace Yourself: It’s easy to fall down a rabbit hole. If you feel stuck on one incident, note where you left off and move to another one. A fresh perspective can reveal clues you missed before.
- Stay Organized: Keep a clean, running list of IOCs (IP addresses, file hashes, malicious domains), important log entries, and queries you used. This will be the backbone of your final report.
- Trust the Evidence: Don’t over-complicate your theories. Follow the data trail logically. More often than not, the most obvious lead is the correct one.
- The better your report, the better your score.
Key Takeaways
- Comprehensive Prep is Non-Negotiable. The SOC 101 course isn’t just helpful; it’s the blueprint for the exam. Master it.
- Your Report is as Important as Your Investigation. A brilliant analysis will still fail if it’s communicated in a sloppy, unprofessional report.
- Practice Transforms You from a Test-Taker into an Analyst. The extra labs shifted my mindset. I stopped thinking about “what’s on the test” and started thinking about “how do I solve this incident?”
Final Thoughts
The PSAA is one of the few certifications that feels like real SOC work. If you want to break into security operations or improve your incident response skills, I can’t recommend it enough.
Treat it like your first SOC job: investigate thoroughly, document clearly, and trust your skills. The exam is just your chance to prove them.
If you have any questions, drop them in the comments. I’m happy to help!
