CSNP

A Career in Defensive Security (Blue Team)

Updated: Dec 28, 2021



Author Swetha Kannan


What is the Blue team or Defensive Security?


A Blue Team carries out analysis of information systems or the IT infrastructure. The aim is to guarantee maximum security, recognize vulnerabilities, and confirm the efficacy of all the security measures applied. Blue Team security ensures that each of the defense measures implemented proves helpful.


Organizations that implement a Blue Team strategy can actively test their present cyber defenses and competencies in a low-risk setting. Blue Teams are defensive security experts whose duty is to maintain the internal network defense of an organization against all forms of cyberattacks. Blue Team exercises typically include preparation, identification, containment, eradication, recovery, and lessons learned.

Steps to becoming a blue team professional


Blue teams offer several career paths across different teams, such as SOC analysis, incident response, threat intelligence, malware analysis, BCP/DR and so on. Here we cover the steps to an entry-level SOC analyst role. Once you are in the field, you can experiment and follow your interests to choose a field of expertise.

Step 1: Strengthen computer networking basics

Begin by reading about the subject. Use articles, textbooks and guides, and find videos on the subject, not just on SOC teams but on general cybersecurity practices, roles and research.

As a beginner you must be familiar with the basics of one or more of the following:

  • Familiarity with the concepts of software applications, Security Information & Event Management (SIEM), Intrusion Detection and Prevention System (IDS & IPS) etc.

  • Knowledge of the security approach across technologies, people, and tools.

  • Technical hardening skills of all systems for decreasing the attack surface that perpetrators can exploit.

  • Knowledge of attack and threat vectors, or analysis competence for correctly detecting critical threats and prioritizing responses appropriately.

  • Ability to analyze logs to find potential intrusions and create playbooks (scripting knowledge) to automate defensive techniques.

Job experience in roles such as sysadmin or network tech will help you build a good foundation for blue team roles. In a technical role, you’ll gain a thorough practical understanding of how networks, applications, and systems work. Once you know how they work and interact with each other, it’s easier to defend and secure them. Those initial years will also allow you to take on security tasks that build your security resume. It may not be a security role right away. Instead, it might be network configuration compliance, log analysis, scripting and automation, etc. Use your current job to get security experience and use it to build your resume.

Step 2: Learn the Tools and gain hands-on experience


There are several online materials/training videos that talk about day-to-day operations in a Security Operations Centre (SOC). Read and understand these materials to see if your interests align with the roles offered in blue teams. Splunk provides free training materials for beginners to get hands-on experience with SIEM. You can access the material here

In addition to MOOCs, you can get hands-on training on blue team skills on various platforms such as:

Use these resources and platforms to learn the skill sets required for the blue team role you aspire to.


Step 3: Get Certified


Roadmap to Blue Team Security Certifications


You should apply for a network defense certification when you are working as an IT or Network Admin or have knowledge of Linux along with basic computer and internet usage. Network+, CCNA, Security+ will help you establish your competence in computer networking basics. Once you are in the industry you may choose to do one of the following certifications based on your interest and career.


Splunk fundamentals 1 & 2


Splunk provides training materials and certifications for beginners as well as advanced levels. The details can be found on their official website. SIEM platforms in general are the hotness at the moment, so studying and training yourself on those products is a good move for your career. There also isn't another product currently that can compete with Splunk's capabilities or customization at the level Splunk is at.


Network Security Fundamentals


Network Security Fundamentals (NSF) is ideal for building a solid grasp of the basics of network security. But, at the same time, it doesn’t miss any of the vital elements of network security. NSF covers the key issues plaguing the network security world. The course module covers subjects like the fundamentals of networks, various components of the OSI and TCP/IP model, and concepts of identification, authentication, and authorization.


Certified Network Defender (CND v2)


Certified Network Defender by EC-Council focuses on a Protect, Detect, Respond, and Predict approach which enables a blue team security officer to stay ahead of hackers by anticipating their moves. CNDv2 maps to the NICE 2.0 framework and offers a hands-on approach to learning. The certification program is accredited by the U.S. Department of Defense (DoD), American National Standards Institute (ANSI) and NICF. These credentials make Certified Network Defender an ideal network defense program for aspiring blue team security officers.


The learning path for a network defender doesn’t stop at CNDv2. You can grow further with niche industry specialization programs offered by EC-Council.


Step 4: Getting your foot on the ladder of SOC roles