What I Learned About Defensive Security (from a TryHackMe Course)

Fhilip Yanus

As someone new to cybersecurity, I recently completed a simulation on TryHackMe that helped me understand the two main areas of defensive security. I want to share what I learned, both the concepts and the hands-on experience, to clarify my own thinking and maybe help others doing the same.

1. SOC vs. DFIR (Cops vs. Detectives)

There are two core fields in defensive cybersecurity:

  • Security Operations Center (SOC): like cyber cops
  • Digital Forensics and Incident Response (DFIR): like cyber detectives

SOC professionals respond to threats in real time, trying to minimize or prevent damage.
DFIR professionals investigate after an incident has happened, trying to understand what went wrong.

2. Security Operations Center (SOC)

SOC professionals mainly focus on:

  • Vulnerabilities

  • Policy violations

  • Unauthorized activity

  • Network intrusions

A major task in SOC is Threat Intelligence, gathering information about current or potential attackers. Think of this like being a spy. This intelligence helps create a threat-informed defense.

3. Digital Forensics & Incident Response (DFIR)

Digital Forensics is the analysis of digital crime scenes, usually across:

  • File systems

  • System memory

  • System logs

  • Network logs

The 4 Phases of Incident Response:

  1. Preparation: Set up tools, training, and policies

  2. Detection & Analysis: Identify that an incident has occurred

  3. Containment, Eradication, and Recovery: Stop the attack, remove the cause, and restore affected systems

  4. Post-Incident Activity: Document lessons learned and improve future responses

4. Malware Analysis

Malware = Malicious Software
Common types of malware:

  • Virus: modifies or deletes files

  • Trojan Horse: looks useful but hides harmful code

  • Ransomware: encrypts files and demands payment for the key

Malware analysis can be done in two ways:

  1. Static Analysis: inspects malicious software without running it.

  2. Dynamic Analysis: inspects malicious software by running it in a controlled environment to see how it behaves.

5. What I Learned from the TryHackMe Simulation

In the TryHackMe simulation, I played the role of a SOC analyst.

  • I spotted suspicious activity using a SIEM system

  • I checked the user's IP against a threat database

  • I asked the SOC Lead for permission to block the IP

  • Then I blocked the IP to contain the attack
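
The same four-step workflow (SIEM alert, threat-database lookup, SOC Lead approval, block) written out as a small triage script. This is an added example and not part of the TryHackMe room or the original post; the log format, the threat feed and the failed-login threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample SIEM log lines (not from the original post).
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z auth sshd user=alice src=203.0.113.7 result=FAIL
2024-05-01T10:00:03Z auth sshd user=alice src=203.0.113.7 result=FAIL
2024-05-01T10:00:05Z auth sshd user=alice src=203.0.113.7 result=FAIL
2024-05-01T10:00:09Z auth sshd user=alice src=203.0.113.7 result=SUCCESS
2024-05-01T10:02:11Z auth sshd user=bob src=198.51.100.22 result=SUCCESS
2024-05-01T10:03:40Z auth sshd user=carol src=192.0.2.45 result=FAIL
"""

# Constructed threat-intelligence feed: IPs reported as malicious (hypothetical).
THREAT_FEED = {"203.0.113.7", "192.0.2.200"}

LOG_RE = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)")


def parse_logs(text):
    """Step 1: turn raw SIEM lines into events; lines that don't match are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := LOG_RE.search(line))]


def triage(events, threat_feed, fail_threshold=3):
    """Step 2: flag source IPs that are in the threat feed or show brute-force behaviour.

    Returns {src_ip: {"reasons": [...], "recommendation": ...}} for suspicious IPs only.
    """
    fails = Counter(e["src"] for e in events if e["result"] == "FAIL")
    successes = {e["src"] for e in events if e["result"] == "SUCCESS"}
    findings = {}
    for src in {e["src"] for e in events}:
        reasons = []
        if src in threat_feed:
            reasons.append("source IP listed in threat feed")
        if fails[src] >= fail_threshold and src in successes:
            reasons.append(f"{fails[src]} failed logins followed by a success")
        if reasons:
            findings[src] = {"reasons": reasons,
                             "recommendation": "escalate to SOC Lead for block approval"}
    return findings


def containment_action(src, approved_by=None):
    """Steps 3-4: a block rule is produced only once an approver is recorded."""
    if not approved_by:
        return None
    return f"firewall deny src={src} approved_by={approved_by}"
```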

Even though it was a simulation, it helped me get a feel for:

  • How SOC professionals operate

  • How to read logs and identify threats

  • How containment decisions are made in practice

6. Final Thoughts

This experience made these ideas feel real, not just theory. I’m still early in my cybersecurity journey, but hands-on learning like this makes a huge difference.

If you’re just starting out too, I highly recommend trying small, practical simulations and reflecting on what you learn.

7. What’s Next for Me

  • Practice more on SIEM tools

  • Explore malware analysis labs

  • Continue writing to solidify what I learn

  • Share more of my journey here

Thanks for reading! If you found this helpful or are also learning security, feel free to connect with me here or on LinkedIn.
