Intermediate · 6 topic areas · 43+ exercises

SOC Analyst / Threat Hunter

SOC Analysts and Threat Hunters spend their days reading alert queues, writing triage notes, hunting for indicators of compromise, and escalating incidents — almost always in English, regardless of where they work. This path builds the precise vocabulary for SIEM alert analysis, threat intelligence reports, escalation emails, and cross-team incident communication.

Topics covered

  • SIEM & Alerting
  • Threat Intelligence Language
  • IOC & TTP Vocabulary
  • Triage & Escalation
  • Incident Reporting
  • Hunting Hypothesis Language

Vocabulary spotlight

4 terms every SOC Analyst / Threat Hunter should know in English:

indicator of compromise n.

Forensic evidence — such as a malicious IP, file hash, or domain — that suggests a system has been breached

"The threat intelligence feed flagged three indicators of compromise matching the IP ranges used in the recent financial-sector campaign."
false positive n.

An alert triggered by benign activity that is incorrectly identified as malicious, leading to wasted analyst time if not tuned

"The rule generated 200 false positives per day until we added a whitelist of known CI/CD IPs."
dwell time n.

The period between an attacker gaining initial access and their detection, often measured in days or weeks for sophisticated threats

"Post-incident analysis revealed a dwell time of 18 days before the lateral movement was detected."
lateral movement n.

The techniques an attacker uses to progressively move through a network after gaining initial access, seeking higher-privilege systems

"SIEM correlation rules detected lateral movement when the compromised workstation authenticated to three servers it had never accessed before."

📚 Vocabulary Reference

Key terms organised by category for SOC Analyst / Threat Hunters:

Threat Intelligence

IOC, TTP, threat actor, campaign, threat feed, MITRE ATT&CK, kill chain, TTPs

SIEM & Detection

alert, rule, correlation, false positive, true positive, tuning, enrichment, baseline

Incident Analysis

dwell time, lateral movement, privilege escalation, persistence, exfiltration, beaconing, C2, triage

Reporting

IOC summary, finding, severity, confidence, attribution, remediation recommendation, executive summary

Recommended exercises

Real-world scenarios you'll practise

  • Writing a triage note in the SIEM ticket system explaining why a lateral-movement alert is a true positive and escalating to Tier 2.
  • Presenting a threat hunting report to the CISO covering the hypothesis, data sources queried, TTPs investigated, and findings.
  • Responding to a security engineering team's request to tune a noisy SIEM rule, explaining the false-positive/false-negative trade-off in writing.
  • Writing an executive-level IOC summary after confirming a phishing compromise, balancing technical accuracy with plain-English readability.

Recommended reading


Frequently Asked Questions

What English skills do SOC Analyst / Threat Hunters most need to improve?

SOC Analyst / Threat Hunters most commonly need to improve: technical vocabulary (the correct English terms for domain concepts), collocation accuracy (using the right verb for each action), written communication (bug reports, PR descriptions, technical docs), and spoken communication for standups, code reviews, and stakeholder meetings.

How long does the SOC Analyst / Threat Hunter learning path take?

The SOC Analyst / Threat Hunter learning path contains 20–40 hours of material studied comprehensively. Most learners focus on the highest-priority modules first and return to the rest over time. Spending 30 minutes per day for 4–6 weeks produces noticeable improvement in workplace English.

What vocabulary should a SOC Analyst / Threat Hunter prioritise first?

Start with the vocabulary that appears most in your daily work — terms you read in documentation, use in commit messages, and hear in meetings. The SOC Analyst / Threat Hunter path begins with the most frequent vocabulary clusters before moving to advanced communication patterns.

Are there interview exercises for SOC Analyst / Threat Hunter roles?

Yes. The SOC Analyst / Threat Hunter path includes role-specific interview question modules with model answers and key phrases — the actual questions interviewers ask and the vocabulary needed to answer them fluently. There is also a dedicated Interview Practice hub for general interview skills.

Does this path include pronunciation help?

Yes. The path links to pronunciation exercises for the technical terms most commonly mispronounced in this domain. The Pronunciation hub includes drills for acronyms, silent letters, word stress, and minimal pairs — all in IT context.

What are the most common English mistakes SOC Analyst / Threat Hunters make?

The most common mistakes: incorrect collocations (using the wrong verb with a technical noun), false friends from L1, tense errors when narrating past incidents or walkthroughs, and using overly formal or overly casual register in written communication.

How do I improve my English for code reviews?

Learn the standard code review collocations: approve a PR, request changes, leave a nit, address feedback, block a merge, resolve a conversation. Use hedging language for suggestions: "This might be cleaner as…", "Have you considered…?". The Collocations section includes a dedicated Code Review set.

Can I use this path alongside my daily work?

Yes — the path is designed for working professionals. Each exercise set takes 10–15 minutes. The most effective approach is to study a vocabulary module before a meeting or task where you'll use that vocabulary, then practise immediately after. Context-linked practice produces much faster retention.

Is the content free?

Yes, completely free. No registration required, no payment, no time limit. All vocabulary modules, exercises, glossary entries, and learning path guides are open access.

How do I track my progress through this path?

Progress is tracked in your browser's local storage — completed exercise sets are marked with a checkmark when you return. No account is needed. You can bookmark specific modules and use the exercises overview to see which sets you've completed.