TryHackMe SAL1 Review

Background

Security Analyst Level 1 (SAL1) is an entry-level certification from TryHackMe, developed in collaboration with Accenture, Salesforce, and industry experts. The certification aims to help learners validate their skills and knowledge in relation to core SOC concepts, and apply these in real-world scenarios within a simulated SOC environment.

The exam launched in late February 2025, and TryHackMe offered a completely FREE exam voucher to anyone with an existing Blue Team Level 1 (BTL1) or CompTIA CySA+ certification, with the only caveat being that it had to be redeemed by 31 March 2025.

The standard cost for an exam voucher is:

  • £255 for existing Premium subscribers of TryHackMe
  • £299 for non-subscribers (with learning included)*

All options include a FREE retake voucher, which allows peace of mind should you happen to miss out on the first attempt.

*The learning included for non-subscribers is 3 months of Premium access to complete the Cyber Fundamentals and SOC Level 1 pathways, which will help develop your skills and practice hands-on labs before you sit the exam.

Exam Details

The exam is divided into three sections:

  • Section 1 - 80 Multiple-Choice Questions (1-hour time limit, 20% of score)
  • Section 2 - SOC Simulator Scenario (2-hour time limit, 40% of score)
  • Section 3 - Additional SOC Simulator Scenario (2-hour time limit, 40% of score)

An initial check-in process takes place before you start the exam. You are required to take a selfie and provide a suitable form of ID verification (passport, driving licence, etc.). This takes less than 5 minutes and does not count towards the overall exam time.

You have a full 24 hours to complete the exam once you start, and each section must be completed in order. Results are provided instantly as soon as you finish the exam.

Section 1 aims to test core knowledge of cybersecurity fundamentals, including computing and networking, common security tooling, common malicious behaviour, cybersecurity frameworks, and SOC workflows and activities.

Sections 2 and 3 take place in the simulated SOC environment, where you are presented with a dashboard of real-time alerts requiring triage, investigation and reporting. You have access to a SIEM to analyse various event logs and an analyst VM to conduct further analysis, both of which help you determine whether an alert is a True or False Positive and whether escalation is required.

Experience

I found the multiple-choice questions to be pitched at the right level for an entry-level analyst, with all questions relevant to the knowledge a candidate would be expected to demonstrate when applying for a SOC analyst role. The 1-hour time limit for this part of the exam felt completely fine and allows a relaxed pace to read through each question and consider each answer appropriately.

The SOC simulator is extremely well-designed to deliver a hands-on experience with realistic alert scenarios - this includes waiting for the alerts to arrive in real-time - and allows you to gain a true feel for the daily duties of a SOC analyst. Whilst I can't provide specific detail or examples, the alerts varied from simple to complex attack chains.

The reporting interface is fairly simple and consists of a free-text field to enter your detailed findings, a radio button to specify whether the alert is a True or False Positive, and another to select whether or not it requires escalation. However, something I learnt the hard way was that navigating away from the report page to check information I'd entered for previous alerts resulted in the loss of all data I had entered for the current alert! My advice would be to open the alert dashboard, SIEM, Analyst VM and company information in separate tabs so you can easily switch between them and obtain the information you need.

As much information as possible should be included in your report detail to ensure the highest number of marks are awarded by the AI engine that does the analysis and scoring. I aimed for consistency by including the 5W's (who, what, when, where, why), IOCs, and details of MITRE ATT&CK tools, tactics and techniques, along with suggested steps for remediation and prevention. Building a template in advance would be a good way to free up some additional time for gathering the appropriate information during your investigations using the SIEM and Analyst VM.
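The template idea above lends itself to a small checklist that refuses to let a half-finished report be submitted. The following is an added example, not TryHackMe's code or its reporting interface: it models the report structure recommended here (5W's, IOCs, MITRE ATT&CK references, remediation steps, True/False Positive verdict, escalation decision), validates that the 5W fields are filled and that ATT&CK IDs are well-formed, flags internally inconsistent verdicts (for instance escalating a False Positive), and renders plain text ready to paste into a free-text findings field. The field names, the consistency rules and the sample alert are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
import re

# MITRE ATT&CK technique IDs look like T1059 or T1059.001 (sub-technique).
ATTACK_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# The 5W fields that must be non-empty before a report counts as complete.
REQUIRED_TEXT = ("who", "what", "when", "where", "why")


@dataclass
class TriageReport:
    """One alert's findings, structured the way the review recommends (assumed layout)."""
    alert_id: str
    who: str = ""          # user / account / host behind the activity
    what: str = ""         # the activity observed
    when: str = ""         # timestamp or window, as seen in the SIEM
    where: str = ""        # host, network segment or source/destination
    why: str = ""          # reasoning behind the verdict
    iocs: list[str] = field(default_factory=list)
    attack_techniques: list[str] = field(default_factory=list)
    remediation: list[str] = field(default_factory=list)
    true_positive: bool = False
    escalate: bool = False

    def missing_fields(self) -> list[str]:
        """Names of the 5W fields that are still empty."""
        return [name for name in REQUIRED_TEXT if not getattr(self, name).strip()]

    def invalid_techniques(self) -> list[str]:
        """ATT&CK references that do not match the Txxxx(.yyy) format."""
        return [t for t in self.attack_techniques if not ATTACK_ID.match(t)]

    def warnings(self) -> list[str]:
        """Consistency issues worth a second look before submitting (assumed rules)."""
        issues = []
        if self.escalate and not self.true_positive:
            issues.append("escalation requested for a False Positive")
        if self.true_positive and not self.iocs:
            issues.append("True Positive without any IOCs listed")
        if self.true_positive and not self.remediation:
            issues.append("True Positive without remediation steps")
        return issues

    def is_complete(self) -> bool:
        """True when every 5W field is filled and all ATT&CK IDs are well-formed."""
        return not self.missing_fields() and not self.invalid_techniques()

    def render(self) -> str:
        """Plain-text report ready to paste into a free-text findings field."""
        verdict = "True Positive" if self.true_positive else "False Positive"
        lines = [
            f"Alert: {self.alert_id}",
            f"Verdict: {verdict} | Escalate: {'Yes' if self.escalate else 'No'}",
            f"Who: {self.who}",
            f"What: {self.what}",
            f"When: {self.when}",
            f"Where: {self.where}",
            f"Why: {self.why}",
            "IOCs: " + (", ".join(self.iocs) or "none"),
            "ATT&CK: " + (", ".join(self.attack_techniques) or "none"),
            "Remediation:",
        ]
        lines += [f"  - {step}" for step in self.remediation] or ["  - none"]
        return "\n".join(lines)


def sample_report() -> TriageReport:
    """Constructed sample alert; every value is illustrative, none is from the exam."""
    return TriageReport(
        alert_id="ALERT-0001",
        who="user jdoe on WKSTN-07",
        what="PowerShell launched with an encoded command line from an Office process",
        when="2025-03-01 09:14 UTC",
        where="WKSTN-07 (10.0.0.23) -> 203.0.113.10:443",
        why="Office spawning encoded PowerShell is not expected for this user's role",
        iocs=["203.0.113.10", "invoice_0301.docm"],
        attack_techniques=["T1566.001", "T1059.001"],
        remediation=["Isolate WKSTN-07", "Reset jdoe credentials", "Block 203.0.113.10 at the proxy"],
        true_positive=True,
        escalate=True,
    )


if __name__ == "__main__":
    report = sample_report()
    print(report.render())
    print("complete:", report.is_complete(), "| warnings:", report.warnings())
```

Filling the dataclass as you work through the SIEM and Analyst VM, then calling `render()` only once `is_complete()` is true and `warnings()` is empty, keeps the findings in one place outside the report page, which also side-steps the data loss described above when navigating between alerts.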

For the scenarios I was presented with, use of the Analyst VM was pretty basic. This feels like a good area for further development, to include more hands-on analysis of files, network traffic, etc.

Final Thoughts

A dedicated SAL1 learning path within the TryHackMe platform would prove beneficial for existing subscribers considering taking this exam, or as part of the dedicated learning included for non-subscribers purchasing the bundled version.

I would definitely recommend the SAL1 exam - it is more affordable and offers a lot more hands-on experience than other entry-level certifications - however, CompTIA CySA+, Security+, or the BTL1 are likely more appealing to employers at this time.

With the certification being brand new, it is unlikely to gain immediate recognition; it may take some time for employers to become aware of it and to decide whether it will play a part in their recruitment processes. It certainly has the potential, and further refinements would make it a lot stronger.

Please feel free to contact or follow me on Twitter and thanks for reading.