My OSDA Journey

I am happy to share hereby my success story with the OSDA certification. If you are aiming to pass this certification, my journey of preparation and overcoming the examination challenges may offer you valuable insights.

This text is structured into three main parts. First, I will provide an overview of the OSDA certification and explain my motivation for pursuing it. Next, I will detail how I prepared for the exam and my experience during the examination. Finally, I will outline my future plans and offer some advice for those planning to take the exam.

  1. What is OSDA?
    The OffSec Defense Analyst (OSDA) certification is provided by OffSec to individuals who complete the online training course SOC-200: Foundational Security Operations and Defensive Analysis and successfully pass its rigorous exam. This course delves into the foundations of defending networks and systems against cyber threats. The certification demonstrates your ability to detect, analyze, and assess potential security incidents through live exercises.
  2. Why OSDA?
    For many years, I have nurtured the goal of leading a cybersecurity team. My vision is to manage a team composed of offensive security staff, defensive security staff, and other IT professionals. I believe a manager should use both technical expertise and soft skills to guide the team towards achieving the ultimate security objectives: ensuring the confidentiality, integrity, and availability of data.

    To realize this vision, it is essential for me to understand how things are done on both sides of IT security (offensive and defensive). In previous years, I mainly focused on  offensive security certifications. When OffSec announced the OSDA certification related to SOC activities, I knew it was for me; I appreciate the practical aspect of OffSec’s examinations.

    In 2022, I successfully obtained the Certified SOC Analyst (CSA) certification from EC-Council, which gave me insights into the functioning of a SOC team. With the OSDA certification, I aimed to delve deeper into the technical aspects of identifying security attacks through a SIEM.

  3. How did I prepare myself?
    The first thing I did was review the course syllabus to familiarize myself with most of the topics covered. This involved following some online courses and reading articles and blogs about new topics. This initial phase didn’t take too long, as I was already familiar with many topics, such as system attacks, due to my background as a penetration tester. I cannot estimate how long this took, as I worked on it in a very discontinued way since 2023.

    In February 2024, I decided to purchase the course bundle, which offers both text and video modes, with the ability to download them offline. Additionally, it provides three months of access to the labs used in the course and 13 challenges for exam preparation. During the course, I learned a lot about events on Windows and the traces they leave on the system for detection. I focused on the ELK SIEM and learned to write detection rules for attacks encountered in an Active Directory environment. The attacks themselves were not challenging for me to understand, as I already earned a certification related to attacks in Active Directory (OSEP).

    My note-taking strategy involved creating a markdown page on GitHub where I documented every new piece of knowledge, commands, scripts, or rules for detecting specific attacks. The 13 challenges in the labs were particularly interesting. The network architecture’s size grew from Challenge 1 to Challenge 13, with each challenge focusing on a specific attack chain.

    When I started the challenges, I was quickly stuck on the first one. I was overwhelmed with the number of entries in the SIEM and didn’t realize that one key element for detection was determining the relevant logs related to attack. After encountering this difficulty, I decided to write rules to eliminate default logs generated from normal network activities. From challenge to challenge, I customized these rules, which helped me reduce the number of logs to analyze. During practice, I personally found it was easier to detect an attack on a Windows operating system than on Linux when the relevant monitoring tools (like Sysmon) were properly installed on the windows host. This is a personal thought, you may feel the opposite and it is alright. The most important thing is to be able to detect attacks whatever platforms are involved in the attack chain.

  4. How was the exam?
    The exam consisted of an infrastructure with multiple servers and client computers, all within an Active Directory environment. An attacker had managed to compromise an active directory domain in 10 phases. The goal of the exam was to reconstruct the chain of the attack through the logs reported in the SIEM.

    I scheduled my exam for May 1st, 2024, at 2 AM Paris time. As expected, the amount of logs received by the SIEM was enormous. Nevertheless, I began working through the different phases, one by one, step by step. I used CherryTree software to organize and store screenshots. At some points in the phases, I struggled to identify what had really happened; the hosts involved in the activities I was trying to guess were Linux machines and they were sending logs that I did not have opportunity to encounter before either in the challenge labs or in real life scenarios. It was stressful not knowing whether my findings were correct. There were no flags to find and submit, so after finishing the exam, I couldn’t have a clear sense of my performance.

    The following day, I began writing the report. I encountered an issue with Microsoft Word that I had never faced before, and the online tutorials were not helpful. With time running out, I had to decide whether to continue debugging the issue or restart the report using LaTeX. I chose LaTeX because I knew in case of errors, I would get clear error messages and find the right solutions. It was stressful, but I finally  managed to  finish the report and submit it within the 24-hour time frame .

    Next, the waiting game began. During this time, I kept thinking about the screenshots I should have included in the report and the things I should have done differently. Honestly, this was the first OffSec exam for which I submitted the report without a clear sense of my success rate. As I mentioned, there were no flags to discover.

    Finally, on May 6th, at 12:31 AM, just as I was getting ready to sleep, I received an email confirming that I had successfully passed the exam. I was so happy. I took a moment to express my gratitude to Lord, then shared the joyful news with my family and close friends.

  5. What is the next step?
    Successfully passing this exam was a significant step forward for me in my goal of becoming a responsible leader of a cybersecurity team in my career.

    Then, I started to take an interest in cybersecurity management courses to enhance my leadership and management skills. Additionally, I am considering other technical courses to deepen my technical knowledge so that I can be able in most cases to guide and support my future staff when they need.

  6. Piece of advice
    If you are attempting to pass the OSDA examination, here are my pieces of advice:

    • Complete the 13 Challenges: The exam is not overly difficult, but ensure you have studied the 13 challenges in the labs. They are crucial for understanding the types of attacks and detection methods.
    • Utilize resources: If you encounter any difficulty in the challenges, make use of the Discord group. The community is kind and available to explain concepts. Additionally, there is a chatbot available to provide hints for each phase of every challenge. I personally found the chatbot very helpful, I used it a lot.
    • Write detection rules: After each attack you discover, try to write a detection rule alert. This practice will be invaluable during the exam. I created many detection rules while working on the lab challenges, and loaded them all during the exam, which helped me quickly identify where to focus my efforts during the analysis.
    • Create a KQL Cheat Sheet: Develop your own cheat sheet of KQL queries after successfully identifying an attack in the lab challenges. This will save you time and effort during the exam.
    • Prepare a report template: Have a template ready for the exam report to save time.
    • Simultaneous reporting: During the exam, if possible, start writing the report as you progress. It’s easy to forget to take relevant screenshots when deeply involved in the technical tasks. Writing the report concurrently with the detection process helps you keep track of your logic and avoids the omission of important screenshots.
    • Detailed explanations and screenshots: Since there are no flags to submit, careful attention should be given to the explanations and screenshots in the report. Make sure your report is well written and clearly demonstrates your findings and methodologies.

    By following these tips, you can better prepare yourself for the OSDA examination and increase your chances of success. Good luck!

Share this post

About the author


Offensive Security Experienced Penetration Tester (OSEP)
Offensive Security Web Expert (OSWE)
Offensive Security Certified Professional (OSCP)
Certified Soc Analyst (CSA)
Certified Ethical Hacker (CEH)
Web Developer

View all posts

Leave a Reply

Your email address will not be published. Required fields are marked *