Skip to main content

TryHackMe Security Analyst Level 2

AdvancedSOC / Blue TeamPaid

TryHackMe's advanced defensive certification, built with NCC Group, for analysts stepping up to mid-level SOC work. It tests whether you can carry a complex investigation end to end: incidents spanning cloud, Active Directory, network, and endpoint evidence, worked through SIEM platforms like Splunk and Elastic and EDR consoles, with the prioritisation calls and written reporting that real escalations demand. The exam is 12 multi-stage SOC scenarios in a 72-hour window.

What you'll prove

  • Carry multi-stage incident investigations across cloud, Active Directory, network, and endpoint evidence
  • Drive investigations through SIEM platforms such as Splunk and Elastic plus EDR consoles
  • Make prioritisation calls under pressure and write reports that hold up to scrutiny

Frequently asked

Do I need SAL1 before taking SAL2?

No. TryHackMe recommends the SAL1-then-SAL2 order because SAL2 assumes solid defensive fundamentals, but nothing enforces it.

How much does SAL2 cost?

$749, covering the exam, one free retake, and 6 months of premium content access, with 15% off for Premium or Max subscribers. For context, TryHackMe's own comparison table puts BTL2 at $2,500 and GIAC GSOC north of $5,999 once training is included.

What roles does SAL2 prepare you for?

TryHackMe aims it at mid-level SOC analyst, detection engineer, threat hunter, and incident response roles, and frames a pass as recognition of mid-level SOC capability.