CompTIA CySA+ (CS0-004)
The defender’s discipline. This SOC analyst training course teaches you to monitor, detect, investigate and respond to real-world cyber threats — using the same tools as professional security operations centres. Deploy Security Onion as a full SIEM stack, hunt threats with Zeek and Suricata, perform digital forensics with Volatility and FTK Imager, and build Splunk detection dashboards. SOC analyst training available in Johannesburg and online. CompTIA CySA+ CS0-004 exam-ready.
SIEM architecture and log management fundamentals. Deploy Security Onion in your VM lab. Configure log sources: Zeek (network metadata), Suricata (IDS alerts), Elasticsearch/Kibana dashboards. Establish a baseline and tune alert thresholds to reduce false positives.
MITRE ATT&CK framework: tactics, techniques and procedures (TTPs). Sigma rules for detection engineering. Threat intelligence feeds (OTX, MISP). Proactive threat hunting: hypothesis-driven hunting across Zeek logs, identifying lateral movement and C2 beaconing.
The IR lifecycle: Preparation → Detection → Containment → Eradication → Recovery → Lessons Learned. Memory forensics with Volatility: process analysis, network artefacts, malware detection. Disk imaging and evidence preservation with FTK Imager. Chain of custody principles.
Nessus credentialed and uncredentialed scanning. CVSS v3.1 scoring and risk prioritisation. Patch management workflow. Vulnerability reporting for non-technical stakeholders. Compliance scanning against CIS Benchmarks.
Splunk architecture, log ingestion via forwarders, SPL (Search Processing Language) fundamentals, correlation rules, alert creation and dashboard design. CySA+ CS0-003 full domain review, mock exam paper, and module capstone assessment.
Taught by Arnold — Code College founder, lead trainer and practitioner with 20+ years of developer and security training experience. Live sessions, not recordings.
Every topic has a corresponding lab exercise in your local VM environment. You build, break and defend real systems — building a portfolio of lab evidence from day one.
Attend in-person at Code College's Woodmead campus or join 100% live online from anywhere in South Africa. Both options deliver the same experience.
Earn the “SOC Analyst” Code College Digital Badge on passing the module assessment — immediately shareable to LinkedIn. Stack badges toward the full bootcamp certificate.
Module 4 runs Security Onion, Kali Linux and at least one attack simulation VM simultaneously. Security Onion alone requires 8 GB RAM as a minimum — combined with your host OS and other VMs, 16 GB is the practical minimum for stable lab performance. A hardware guide is provided on enrolment. If your laptop has only 8 GB RAM, contact us — cloud-hosted lab alternatives are available at additional cost.
Security+ (Module 2) is a broad baseline covering policy, compliance and general threat awareness. CySA+ (CS0-003) is the next step — it focuses specifically on applying behavioural analytics, threat intelligence and incident response at the analyst level. CySA+ assumes you already hold Security+ or equivalent knowledge, which is why Module 2 is the prerequisite.
A certified SOC Analyst (L1/L2) with CySA+ can expect R360,000–R480,000 p.a. in South Africa as of 2026. L2 incident responders with 1–2 years' experience typically earn R480,000–R650,000 p.a. Financial sector employers (banks, insurers) tend to pay at the higher end. Remote roles for UK/EU employers are increasingly available at £35,000–£50,000 p.a.
Yes. Week 2 (Threat Hunting) and Week 5 (Splunk) use pre-recorded attack scenarios — PCAP captures and log datasets from real incidents — that you analyse as if responding live. Week 4 includes a simulated incident response scenario where you receive an alert, investigate with Volatility and Zeek, and produce a formal IR report.
Yes. Corporate clients can submit CySA+ training as a qualifying skills development expense under the SDL provided it appears on your Workplace Skills Plan. We issue an official certificate of completion and provide an SDL-formatted training schedule and provider letter on request. Contact our corporate training team for group booking rates.
CySA+ CS0-004 — launched in 2025 — adds AI-powered threat detection, cloud-native SIEM tools (Microsoft Sentinel, AWS Security Hub) and updated incident response playbooks aligned to NIST CSF 2.0. Module 4 is updated to CS0-004 content, ensuring you study for the current exam version. The older CS0-003 remains available until its retirement date if you have already begun preparation.
Enrol in this SOC analyst training course as a standalone module or as part of the full Cybersecurity Bootcamp. Live online and in-person in Johannesburg, South Africa.