Introduction
Are you preparing for the new Practical SOC Analyst Associate (PSAA) certification exam? As the creator of the certification and included SOC 101 training materials, I collected a few high-level tips to help you feel confident and prepared going into the exam.
What is the PSAA?
The Practical SOC Analyst Associate (PSAA) is a practical exam and certification offered by TCM Security based on the materials covered in the Security Operations (SOC) 101 course. The PSAA certification is designed to validate the essential skills and knowledge needed for a Tier 1 or Tier 2 Security Operations Center (SOC) Analyst role.
Specifically, SOC 101 is a comprehensive 30+ hour curriculum, covering the foundational aspects of security operations, including phishing analysis, incident response procedures, threat detection techniques, log analysis, SIEM management, and the use of various security tools. The PSAA exam tests your ability to apply this knowledge in real-world incident scenarios.
By earning the PSAA certification, you’ll demonstrate to employers that you’re ready to succeed within a security team and have the practical skills needed to advance your career.
Understand the PSAA Exam Format
The first step in preparing for the PSAA exam may seem obvious, but it’s important to thoroughly understand the type of assessment you’ll be facing. While you may be eager to dive right into starting the exam, having a good picture of what to expect will allow you to better tailor your preparation strategy and time management.
The PSAA is a practical, hands-on assessment, meaning you’ll be tasked with triaging real-world security alerts rather than answering multiple-choice questions or capturing flags. This format is designed to test your ability to apply concepts and tools in scenarios similar to those you’ll encounter in the field, in an actual SOC environment. You can expect tasks related to any of the major domains covered in the SOC 101 material, with a focus on monitoring, detecting, analyzing, and responding to threats.
More specifically, you’ll be dropped right into the heart of a Security Operations Center (SOC) and briefed on a number of security scenarios based on user reports, alerts, or system and network artifacts. You will need to investigate, identify indicators of compromise, and analyze activity across multiple systems and endpoints—all based on real-world attacks and campaigns.
It’s also important to understand the assessment and reporting duration of the exam. You will have two (2) full days to complete the assessment and an additional two (2) days to write a professional report. The full exam details can be found on the PSAA certification page, so you should be familiar with them before going into the exam.
Understand the Report Structure
Understanding and following the reporting requirements for the PSAA exam is one of the most important steps to ensure you receive a passing grade. The exam not only tests your technical abilities, but also evaluates how well you can document and communicate your findings. This same methodology applies to a real SOC environment or security team. The quality and clarity of your reports directly tie into how well incidents, threats, and recommendations are communicated to other teams or management.
For the Practical SOC Analyst Associate exam, you’ll be expected to produce a detailed, professional report describing the steps you took during your investigation, the tools you used, and the findings you uncovered. Unlike a penetration testing report or a full incident response post-mortem, the goal of the PSAA exam report is to document your findings and address the incident questions outlined within each ticket. As best practice, your report should be structured in a clear, concise, and professional format, ensuring that another analyst or technically competent reader can easily follow your analysis and arrive at the same conclusion. This means including step-by-step walkthroughs, report or command-line outputs, and any gathered indicators, verdicts, or screenshot evidence.
Fortunately, you will be provided with a report template to work off of as soon as you start your exam. You can use your own preferred template; however, its structure needs to meet the requirements set out in the exam guide. At a high level, this means that for each incident you thoroughly document:
- The incident summary
- The investigation or executive summary
- Detailed answers to the proposed incident questions, including evidence and screenshots
- A list of indicators of compromise (IOCs) pertinent to the incident
- Any reactive or proactive recommendations pertinent to responding to the incident
Understand Security Controls
In addition to reporting considerations, it’s useful to have a good understanding of common security controls and how they might apply to your findings in the PSAA exam. The SOC 101 course covers all of the information you need to know about security controls and how they are used in a SOC. Recommending the right reactive and proactive measures in your report is a significant portion of demonstrating that you can effectively mitigate and prevent security incidents in a real-world SOC environment. In the Practical SOC Analyst Associate exam, you’ll be expected to propose measures that can help contain, remediate, or prevent future attacks. Often, these recommendations should closely relate to your findings and documented indicators of compromise.
For example, if you uncover a phishing attack during your investigation, you might recommend using a firewall or web filtering solution to block access to a specific malicious domain, URL, or IP that was used in the attack. This would be a reactive measure aimed at preventing further connections to the attacker’s infrastructure.
In your report, tie these recommendations directly to the incident, explaining why a particular control is necessary and how it can help prevent or mitigate similar threats in the future. This demonstrates your ability to think beyond just detection and response and focus on overall security posture improvement.
Hands-On Practice
One of the most important aspects of preparing for the PSAA exam is hands-on practice. Fortunately, the SOC 101 course on its own provides everything you need to succeed. In addition to walking through the deployment and configuration of a SOC analyst workstation, the course also includes bespoke challenge scenarios spread throughout each domain, simulating the types of tickets or incidents you’ll encounter in the exam. These challenges give you plenty of practice, which will reinforce your technical knowledge and help you apply it in real-world situations.

Our metrics show that students who follow the course in its entirety, including working through the included challenges and practice scenarios, score the highest on the PSAA. To get the most out of these exercises, treat each challenge as if it were a real incident. Focus on building a methodical process for approaching incidents, analyzing artifacts, gathering evidence, and recommending the appropriate controls or responses. The more familiar you are with handling these types of incidents, the more comfortable and confident you’ll feel when it comes time to sit for the Practical SOC Analyst Associate exam.
Additional Practice and PSAA Study Materials
Although the SOC 101 course includes everything you need to succeed, some students enjoy getting as much additional practice in as possible. If you are interested in a small group study format, join our SOC Level 1 Live Training from April 14-17, 2025. We will review everything you need to know to pass the exam and you’ll have the ability to ask questions and get extra lab practice.
It’s useful to get hands-on practice analyzing phishing artifacts, malware, and network traffic. The following resources provide a wide variety of phishing and malware samples to work with:
- PhishTank: A community-driven platform where you can check, track, and report phishing attacks. It’s a great source for real-time phishing URLs.
- OpenPhish: Similar to PhishTank, OpenPhish is a phishing intelligence feed that is helpful in getting your hands on phishing URLs, hostnames, IPs, and more.
- Phishing Pot: A GitHub repository filled with phishing samples, which is great for analyzing the anatomy of phishing emails.
- Malware Bazaar: A collection of malware samples that you can download for research and analysis.
- Malware Traffic Analysis: A repository of real-world malware traffic and packet capture (PCAP) files, which is a go-to recommendation for practicing network traffic analysis and understanding how malware behaves across the network.
- EVTX Attack Samples: A collection of Windows Event Logs from attack simulations for practicing manual and automated log analysis or endpoint detection.
Additionally, to enhance your understanding of technical incident reporting structure, the following resources provide excellent real-world examples and research:
Finally, the conclusion section of the SOC 101 course also lists a number of specific Capture the Flag (CTF) challenges, labs, and cyber range activities from TryHackMe and others that are thematically useful in preparing you for the PSAA.
Stay Calm and Focused
Lastly, it’s important to remember that you have plenty of time to work through the PSAA exam. It’s designed to test your ability to handle real-world SOC incidents, not to rush you through them, so finding a way to maintain a calm and focused approach is the best way to make the most of your time.
This means that you should pace yourself as you work through each incident. Carefully read through the provided tickets, and take your time analyzing the context and available artifacts before jumping to conclusions. Break down each task step-by-step, and ensure that you’re thoroughly documenting your findings with details, screenshots, command outputs, or verdicts. If you find yourself stuck on a particular issue, take a step back, revisit the evidence, or focus on a different part of the exam. It’s completely open-book, meaning you can always return to your notes or go back to a particular lesson in the course as needed.
Finally, trust your preparation. The SOC 101 course equips you with all of the tools, methodology, and knowledge to succeed, and you’ve practiced real-world scenarios through labs and challenges. If you’ve followed the course and engaged with the exercises, you’re more than ready to handle the exam. Keep a clear head, work methodically, and stay confident in your abilities.
Conclusion
The SOC 101 course is your most valuable resource for preparing—its comprehensive curriculum, hands-on labs, and challenge scenarios align directly with the skills and knowledge you’ll be tested on. Above all, trust in the preparation you’ve put in, work methodically, and rely on the strong foundation you’ve built from the course. With the right preparation and mindset, you’ll not only pass the Practical SOC Analyst Associate exam, but also be well-equipped to succeed in your security operations career.
Good luck, and happy defending!

About the Author: Andrew Prince
Andrew is a seasoned and passionate security professional who brings a wealth of experience in areas such as security operations, incident response, threat hunting, vulnerability management, and cloud infrastructure security. With a professional background in development and system administration, Andrew offers a well-rounded perspective on his security strategy. Andrew also navigates both offensive and defensive operations to provide a holistic approach to keeping people, processes, and technology secure. He is also active in developing various Capture the Flag challenges, creating security training, and sharing knowledge through content creation. Andrew created the Security Operations (SOC) 101 course in TCM Security Academy and the Practical SOC Analyst Associate certification.
About TCM Security
TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.