> HTB CDSA Exam Review/Thoughts
Yep, I am a Certified Defensive Security Analyst. I submitted my report last Tuesday and woke up and checked my email to see HTB Academy being like "yo you passed, go grab your certificate". I honestly thought it was a phishing email, but it was not, so some poor guy/girl stayed up overnight reviewing my report to check if it was up to snuff, and I guess it was!
I can't share a ton about the environment since I like being certified and don't want my only certification to be taken away lol, but I can say a few things. The first is that, in my opinion, the SOC Analyst Job Path does not prep you a bunch for the exam. Some things do apply, but my biggest tip, universally for Incident Response practices, is to think like an attacker and address TTPs. Attackers HAVE to follow the Cyber Kill Chain/MITRE to get to Actions On Objectives. When we see an incident, it is imperative to go as far back as we can; look for the low-hanging fruit, like basic enumeration commands such as whoami, ping, etc.
Report writing is actually pretty easy. The best thing you can do for addressing incidents is to create a technical timeline of events found, both to include in a report and to help you understand the path the attackers took and how fast they were able to get to Actions On Objectives. Granted, in a professional environment, with real companies and directors, as far as I know from a friend who works in a SOC, nobody cares about your technical analysis; they only want the Executive Summary. Is it critical? Did we lose money? No? Business as usual boys, don't bother! Final tips for report writing are to 1) maintain good grammar and 2) use more neutral language: Threat Actors vs. Attackers, etc.
Not much else to say except to give it your all! You get 7 days to complete the labs and report. I spent all 7 effectively, submitting within the last 12ish hours, but you can 100% do it faster by practicing in SOC simulations and whatnot (people say a lot about Splunk's Boss of the SOC, so maybe check that out!). There's no big external practice to do other than completing the Job Path to access the exam and maybe watching some IR videos of people triaging incidents, although most that I know of use Microsoft Defender products, which are incredible for threat hunting compared to Splunk/Elastic, which you will use throughout the Job Path.
That is all I have to share! Feel free to DM me on Discord if you have any questions regarding my experience with the exam. I won't give anything about the exam environment or my report, but if you want tips for how to feel ready, please let me know!
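Two of the tips above (hunt backwards for the early enumeration commands like whoami and ping, and build a technical timeline to see how fast the threat actor moved) translate directly into a small hunting script. The block below is an added example written for this page, not code from the original post or from HTB Academy. It assumes process-creation events flattened into a constructed `timestamp|host|user|parent_image|command_line` format (the sample lines are made up); the ATT&CK technique IDs in `DISCOVERY_PATTERNS` are the standard ones for those discovery commands, while the 5-minute / 3-technique burst threshold is an illustrative choice you would tune to your own telemetry.

```python
"""Hunt for early discovery (enumeration) commands in process-creation logs,
flag hands-on-keyboard enumeration bursts, and print a technical timeline."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, flattened to "timestamp|host|user|parent_image|command_line".
# These lines are made up for the example, not output from any real environment.
SAMPLE_LOG = """\
2024-03-04T09:10:44Z|WS01|CORP\\jdoe|explorer.exe|"C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE"
2024-03-04T09:12:01Z|WS01|CORP\\jdoe|winword.exe|cmd.exe /c whoami
2024-03-04T09:12:03Z|WS01|CORP\\jdoe|cmd.exe|ping -n 1 10.0.0.5
2024-03-04T09:12:09Z|WS01|CORP\\jdoe|cmd.exe|net user /domain
2024-03-04T09:12:20Z|WS01|CORP\\jdoe|cmd.exe|ipconfig /all
2024-03-04T09:31:55Z|WS01|CORP\\jdoe|cmd.exe|nltest /dclist:corp
2024-03-04T10:02:17Z|SRV02|CORP\\svc_backup|services.exe|C:\\Windows\\System32\\svchost.exe -k netsvcs
"""

# Command-line patterns for common discovery commands, mapped to ATT&CK technique IDs.
DISCOVERY_PATTERNS = {
    r"\bwhoami(\.exe)?\b": ("T1033", "System Owner/User Discovery"),
    r"\bping(\.exe)?\b": ("T1018", "Remote System Discovery"),
    r"\bipconfig(\.exe)?\b": ("T1016", "System Network Configuration Discovery"),
    r"\bnet(\.exe)?\s+(user|group|localgroup)\b": ("T1087", "Account Discovery"),
    r"\bsysteminfo(\.exe)?\b": ("T1082", "System Information Discovery"),
    r"\btasklist(\.exe)?\b": ("T1057", "Process Discovery"),
    r"\bnltest(\.exe)?\b": ("T1482", "Domain Trust Discovery"),
}


def classify(cmd):
    """Return [(technique_id, name), ...] for every discovery pattern the command line matches."""
    return [tech for pattern, tech in DISCOVERY_PATTERNS.items()
            if re.search(pattern, cmd, re.IGNORECASE)]


def parse_log(text):
    """Parse the flattened log into event dicts, sorted chronologically."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, cmd = line.split("|", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "user": user, "parent": parent, "cmd": cmd,
            "techniques": classify(cmd),
        })
    return sorted(events, key=lambda e: e["ts"])


def first_discovery(events):
    """Earliest event that matched a discovery technique: the 'go as far back as you can' point."""
    return next((e for e in events if e["techniques"]), None)


def discovery_bursts(events, window=timedelta(minutes=5), min_techniques=3):
    """Flag (host, user) actors that run >= min_techniques distinct discovery
    techniques inside one sliding window (illustrative thresholds, tune to your data).
    Returns [((host, user), window_start_ts, sorted technique ids), ...]."""
    by_actor = defaultdict(list)
    for e in events:
        if e["techniques"]:
            by_actor[(e["host"], e["user"])].append(e)
    flagged = []
    for actor, evs in by_actor.items():
        for i, start in enumerate(evs):
            seen = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                seen.update(tid for tid, _ in e["techniques"])
            if len(seen) >= min_techniques:
                flagged.append((actor, start["ts"], sorted(seen)))
                break  # one alert per actor is enough for triage
    return flagged


def timeline(events):
    """Render the technical timeline as one line per event, tagged with technique IDs."""
    rows = []
    for e in events:
        tags = ",".join(tid for tid, _ in e["techniques"]) or "-"
        rows.append(f'{e["ts"].isoformat()} {e["host"]} {e["user"]} '
                    f'{e["parent"]} -> {e["cmd"]} [{tags}]')
    return rows


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("\n".join(timeline(evs)))
    first = first_discovery(evs)
    print("\nFirst discovery activity:", first["ts"].isoformat(), first["cmd"])
    for actor, start, techs in discovery_bursts(evs):
        print(f"Enumeration burst by {actor} starting {start.isoformat()}: {techs}")
```

Reading the timeline top-down, the Office process spawning `cmd.exe /c whoami` is the earliest hit, and four distinct discovery techniques within twenty seconds from one user on one host is the kind of burst worth pivoting on before you look at anything later in the chain.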