Top 5 Free SOC Tools Every Entry-Level Analyst Should Know

📅 January 14, 2026 ⏱ 6 min read 👤 Sagar Bidari

You do not need a six-figure enterprise software budget to learn SOC work. The tools used in real SOCs have free tiers, open-source equivalents, or community editions that are genuinely useful — not just crippled demos. These five are the ones I recommend every aspiring analyst get hands-on with before their first interview.

Interview tip: For each tool below, be able to answer: what does it do, why is it used in a SOC, and give one specific example of a task you performed with it. Vague familiarity does not impress — a concrete example does.

1. Wazuh SIEM / XDR

What it is: Open-source SIEM and extended detection and response (XDR) platform. Collects logs from endpoints via lightweight agents, runs detection rules, monitors file integrity, and provides a dashboard for alert triage.

Why SOCs use it: Wazuh is the most capable free SIEM available. Many SMBs and MSSPs run it in production. Knowing Wazuh means you understand SIEM concepts that transfer directly to Splunk, Microsoft Sentinel, and QRadar.

Get started: Follow the homelab setup guide. Single-command install on Ubuntu, dashboard up in 15 minutes. Deploy an agent on a Windows VM and watch events flow in.

💰 Free / Open-source 🔧 wazuh.com ⏱ 30 min to first alert

2. Splunk Free SIEM

What it is: Enterprise SIEM with a free tier limited to 500MB/day ingestion. Full feature access — SPL query language, dashboards, alerts, and the same interface used at large-scale enterprise SOCs globally.

Why SOCs use it: Splunk is the market-leading SIEM in Australia's enterprise and government sectors. Splunk proficiency is listed as a requirement (not a preference) in a significant number of Australian SOC analyst job postings.

Get started: Download Splunk Enterprise from splunk.com. Upload a sample log file (Windows Event Logs work well) and write your first SPL query. The Splunk beginner walkthrough covers the core queries you need to know.

💰 Free (500MB/day) 🔧 splunk.com ⏱ 1 hr to first dashboard

3. Wireshark Network Analysis

What it is: The world's most widely used network protocol analyser. Captures and inspects network packets in real time or from a saved capture file (.pcap). Reads every protocol — TCP, DNS, HTTP, TLS handshakes, ICMP, and hundreds more.

Why SOCs use it: When a SIEM alert fires on suspicious outbound traffic, the next step is often pulling the packet capture to see exactly what was sent. Wireshark is the tool for that investigation. It also appears in virtually every penetration testing engagement for traffic analysis.

Get started: Install Wireshark (free, wireshark.org), capture traffic on your homelab interface, and filter for a specific protocol: dns, http, or tcp.port == 22. Practice identifying a DNS query and its response. Then download a sample malicious .pcap from malware-traffic-analysis.net and try to identify what the malware was communicating with.

💰 Free / Open-source 🔧 wireshark.org ⏱ 20 min to first capture

4. TheHive Incident Response

What it is: Open-source security incident response platform. Manages cases (incidents), tracks observables (IPs, hashes, domains), assigns tasks to analysts, and integrates with MISP for threat intelligence enrichment.

Why SOCs use it: When a SIEM alert is confirmed as a true positive, it becomes a case in TheHive. Every action taken, every observable noted, and every analyst involved is tracked. This is the workflow that real Tier 1 and Tier 2 analysts follow every shift.

Get started: TheHive has a Docker deployment that runs in under 5 minutes. Create a sample case for a phishing incident: add the suspicious email address as an observable, create tasks for "analyse headers", "check URL reputation", and "notify user", and walk through closing the case. This simulates a full Tier 1 alert lifecycle.

💰 Free / Open-source 🔧 thehive-project.org ⏱ 45 min to first case

5. MISP Threat Intelligence

What it is: Malware Information Sharing Platform — an open-source threat intelligence platform for collecting, storing, and sharing indicators of compromise (IoCs): malicious IPs, file hashes, domains, and attack patterns mapped to MITRE ATT&CK.

Why SOCs use it: When a Wazuh or Splunk alert fires, one of the first steps is checking whether the involved IP or hash has been seen in previous attacks. MISP is the platform that stores and queries that context. It integrates with Wazuh, TheHive, and most enterprise SIEMs to enrich alerts automatically.

Get started: MISP offers a free VM image from misp-project.org. Import a public threat feed (MISP has a curated list of community feeds) and search for a known malicious IP. Then link MISP to TheHive so your cases are automatically enriched with threat intelligence context when you add an observable.

💰 Free / Open-source 🔧 misp-project.org ⏱ 1 hr to first feed

The Stack in Practice

These five tools are not independent — they form a complete detection and response workflow:

  1. Wazuh detects the anomaly and fires an alert
  2. Splunk (or Wazuh's own dashboard) lets you query logs for context
  3. Wireshark lets you inspect the raw network traffic
  4. MISP tells you if the IoC is known-malicious
  5. TheHive is where you manage the case from alert to resolution

Running all five in your homelab — even for a single simulated incident — gives you a story to tell in every SOC interview. Not "I know about SIEM tools" but "I ran Wazuh, triaged the alert in TheHive, enriched the observable in MISP, and confirmed the malicious traffic with Wireshark." That level of specificity is rare in entry-level candidates and it is noticed.
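The hand-off between steps 1, 4 and 5 above, as an added example that is not part of the original article: a small Python script takes a Wazuh-style alert, checks the IPs and URL host it contains against a MISP-style event export, and builds a TheHive-style case payload with the matched values flagged as IoCs. The field layouts (Wazuh `rule`/`agent`/`data`, MISP `Attribute` with `to_ids`, TheHive `dataType`/`ioc`/`severity`) are assumptions about those tools' JSON, and every sample value is constructed.

```python
import re

# Constructed Wazuh-style alert (layout follows Wazuh's alerts.json; all values are made up).
WAZUH_ALERT = {
    "rule": {"id": "100200", "level": 12, "mitre": {"id": ["T1071"]},
             "description": "Outbound connection to suspicious destination"},
    "agent": {"id": "001", "name": "win10-lab"},
    "data": {"srcip": "10.0.0.25", "dstip": "203.0.113.77",
             "url": "http://update-check.example/payload.bin"},
}

# Constructed MISP-style event export; to_ids marks attributes intended for detection.
MISP_EVENT = {"Event": {"info": "Constructed sample event", "Attribute": [
    {"type": "ip-dst", "value": "203.0.113.77", "to_ids": True},
    {"type": "domain", "value": "update-check.example", "to_ids": True},
]}}

# MISP attribute type -> TheHive observable dataType (assumed mapping)
TYPE_MAP = {"ip-dst": "ip", "ip-src": "ip", "domain": "domain",
            "md5": "hash", "sha1": "hash", "sha256": "hash"}

def misp_index(event):
    """Index the event's attributes as value -> (TheHive dataType, to_ids flag)."""
    return {a["value"]: (TYPE_MAP.get(a["type"], "other"), a.get("to_ids", False))
            for a in event["Event"]["Attribute"]}

def extract_observables(alert):
    """Collect IPs and the URL host from the alert's data block, deduplicated and sorted."""
    data = alert.get("data", {})
    obs = {data[k] for k in ("srcip", "dstip") if k in data}
    if "url" in data:
        obs.add(re.sub(r"^https?://", "", data["url"]).split("/")[0])
    return sorted(obs)

def build_case(alert, event):
    """Return a TheHive-style case dict; severity is raised when a MISP IoC matches."""
    index = misp_index(event)
    observables, hits = [], 0
    for value in extract_observables(alert):
        guess = "ip" if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", value) else "domain"
        data_type, to_ids = index.get(value, (guess, False))
        is_ioc = value in index and to_ids   # known to MISP and flagged for detection
        hits += is_ioc
        observables.append({"dataType": data_type, "data": value, "ioc": is_ioc, "tlp": 2})
    return {"title": f"[Wazuh {alert['rule']['id']}] {alert['rule']['description']}",
            "severity": 3 if hits else 2, "tlp": 2,
            "tags": ["wazuh", f"agent:{alert['agent']['name']}"] + alert["rule"]["mitre"]["id"],
            "observables": observables}
```

In a homelab the same logic would sit between the Wazuh alert output and TheHive's case API; here the internal 10.0.0.25 source stays an unflagged observable while the two MISP hits escalate the case.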