Zero to SOC Analyst in 90 Days: The 2026 Roadmap That Actually Works
Not another vague 'study networking and get Security+' guide. This is the specific 90-day breakdown—what to do, when to do it, and why it works.
EpicDetect Team
90 days is aggressive. But if you're focused and structured, it's completely doable.
This isn't the roadmap that tells you to "study networking, get Security+, then apply." That advice exists everywhere and it's vague enough to be useless. This is the specific 90-day breakdown—what to do, when to do it, and why.
Before You Start: What 'Zero' Actually Means
This roadmap assumes you have:
- Basic computer literacy (you can navigate a file system and run commands)
- Time: 2-3 hours per day, 5-6 days per week
It doesn't assume:
- An IT or networking background
- A degree
- Previous security experience
If you're starting with less than basic computer literacy, add 30 days of foundational work before Phase 1. There's no shame in that—just be honest with yourself about where you're starting.
Phase 1: Days 1–30 – Build the Foundation
This phase is about building the vocabulary and concepts that everything else depends on. You're learning the landscape before you start patrolling it.
Week 1-2: Networking and OS fundamentals
You need to understand how networks communicate before you can detect threats on them. Focus on:
- TCP/IP, DNS, HTTP/HTTPS—what actually happens when you visit a website
- The OSI model (know it conceptually, don't just memorize layers)
- Windows command line basics: ipconfig, netstat, tasklist, net user
- What a firewall, IDS, and SIEM do at a high level
Free resources: Professor Messer's CompTIA Network+ videos on YouTube. TryHackMe's Pre-Security learning path.
Week 3-4: Security fundamentals and start Security+ prep
Start CompTIA Security+ prep now—but don't try to pass it in week 3. You're building the foundation. Goal by end of Day 30: you can clearly explain phishing, malware, credential theft, and lateral movement in plain English.
Resources: Professor Messer's Security+ course (free on YouTube) or Jason Dion's course on Udemy.
Phase 2: Days 31–60 – Get Hands On
This is where most roadmaps fail people. They stay in theory mode too long. You need to actually do things.
Week 5-6: SIEM basics and log analysis
Security Information and Event Management (SIEM) platforms are the core tool of SOC work. You need to:
- Run basic searches and filters
- Read common log formats: Windows Event Logs, firewall logs, authentication logs
- Understand what a correlated alert actually looks like
Use Splunk Free (60-day trial) or Elastic's free tier. Get your hands on one. Watching videos about SIEMs is not the same as using one. When you're ready to go deeper, the SPL cheat sheet for SOC analysts is a solid reference for the queries you'll actually use.
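To make "correlated alert" concrete, here is an added example (not EpicDetect's code and not a SIEM's built-in rule) that joins Windows failed-logon events (Event ID 4625) to a later successful logon (Event ID 4624) for the same account and source IP. The event tuples, the threshold of 4 failures and the 5-minute window are assumptions chosen for illustration, and the sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real data):
# (timestamp, Windows Security Event ID, account, source IP)
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    ("2026-01-12T09:00:01", 4625, "jsmith", "203.0.113.50"),
    ("2026-01-12T09:00:04", 4625, "jsmith", "203.0.113.50"),
    ("2026-01-12T09:00:09", 4625, "jsmith", "203.0.113.50"),
    ("2026-01-12T09:00:15", 4625, "jsmith", "203.0.113.50"),
    ("2026-01-12T09:00:21", 4624, "jsmith", "203.0.113.50"),  # success after failures
    ("2026-01-12T09:05:00", 4625, "mlee", "198.51.100.7"),    # one mistyped password
    ("2026-01-12T09:05:10", 4624, "mlee", "198.51.100.7"),
]

def correlate_logons(events, threshold=4, window=timedelta(minutes=5)):
    """Alert when at least `threshold` failed logons are followed by a success
    for the same (account, source IP) pair inside the time window."""
    failures = defaultdict(deque)  # (account, ip) -> timestamps of recent failures
    alerts = []
    for ts, event_id, account, ip in sorted(events):
        when = datetime.fromisoformat(ts)
        recent = failures[(account, ip)]
        # Drop failures that have aged out of the correlation window.
        while recent and when - recent[0] > window:
            recent.popleft()
        if event_id == 4625:
            recent.append(when)
        elif event_id == 4624:
            if len(recent) >= threshold:
                alerts.append({
                    "rule": "failed logons followed by success",
                    "account": account,
                    "source_ip": ip,
                    "failed_count": len(recent),
                    "first_failure": recent[0].isoformat(),
                    "success_at": when.isoformat(),
                })
            recent.clear()  # a success resets the failure streak
    return alerts

if __name__ == "__main__":
    for alert in correlate_logons(SAMPLE_EVENTS):
        print(alert)
```

No single event here is alarming on its own; the alert exists only because the failures and the success are tied together by account, source and time, which is the part to practice reproducing in a SIEM search.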
Week 7-8: Work real SOC scenarios
This is where you start thinking like an analyst, not a student. Work through:
- TryHackMe SOC Level 1 learning path
- Blue Team Labs Online (free investigation challenges)
- Boss of the SOC (BOTS) Splunk datasets—real log data, real investigations
Goal by end of Day 60: you can open an alert, trace it through logs, and write up what happened in plain English. That's the job.
Phase 3: Days 61–90 – Get Job Ready
Week 9-10: Pass Security+
You've been studying for 60 days. Take the exam. Security+ is required on most entry-level SOC job postings—you need it, and now is the time to get it done.
Week 11-12: Build your investigation portfolio
Here's the move most no-experience candidates skip. Document 3-5 of your best practice investigations as professional write-ups:
- What was the alert or scenario?
- What did you investigate?
- What did you find?
- What's the verdict?
Put these on GitHub or a simple personal page. In interviews, when they ask about experience, you point to this. It works.
Also Week 11-12: Start applying
Don't wait until you feel ready. Apply anyway. Target:
- MSSP Tier 1 analyst roles
- Help desk roles with a security focus (foot in the door)
- Entry-level SOC positions at mid-size companies
For a deeper look at exactly how to navigate the no-experience application process, this guide walks through the full strategy step by step.
What If 90 Days Isn't Enough?
That's fine. The 90-day timeline is a target, not a mandate.
If you need 120 or 150 days, extend Phase 2. More hands-on practice is never wasted time. The goal is to start applying—not to be perfect first.
What slows most people down: staying in Phase 1 (theory) too long before getting hands-on in Phase 2. Push yourself into hands-on work earlier than feels comfortable.
TL;DR – The 90-Day Blueprint
Days 1-30: networking and OS fundamentals, start Security+ prep. Days 31-60: get into a SIEM, work real log analysis scenarios, investigate actual alerts. Days 61-90: pass Security+, build your investigation portfolio, start applying. The magic isn't the timeline—it's doing the hands-on work in Phase 2 that most people skip. Once you're in the door, check the 2026 SOC analyst salary guide to understand what the progression actually looks like financially.
---
FAQs
Can I really get a SOC job in 90 days starting from zero?
If you're consistent and focused on hands-on work, yes—though your first role will be entry-level Tier 1. The 90 days gets you interview-ready, not senior-analyst-ready. Those are different goals.
Do I need a degree?
No. Most entry-level SOC roles require Security+ (or equivalent), demonstrable skills, and the right attitude. A portfolio of investigation write-ups often matters more than a degree for Tier 1 positions.
What if I can only study 1 hour per day?
Double the timeline to 180 days. The phases work the same—they just take longer. Consistency beats intensity every time.
Which SIEM should I learn first?
Splunk. It's the most common in enterprise environments and appears most frequently on job postings. If you know your target employer uses Sentinel or Elastic, pivot to that—but Splunk is the safe default.
---
Sources & References:
- CompTIA Security+ Certification
- TryHackMe SOC Level 1 Learning Path
- SANS SOC Curriculum Resources
---
Final thought: The 90-day timeline works if you don't spend 60 days on theory and 30 days wishing you'd done more hands-on work. Flip it. The practice is the preparation.
How EpicDetect Can Help
Ready to do the hands-on work? EpicDetect Adventures puts you inside real SOC investigations—email forensics, endpoint analysis, SIEM log queries—built around the same workflows you'll use on day one of the job.
Head to the EpicDetect Atlas for structured learning paths covering SOC fundamentals all the way through detection engineering.