CertCompass
Certification deep dive

SAL1 Certification: Complete Guide for 2026

Everything about TryHackMe's Security Analyst Level 1 — exam format, preparation path, real costs, and whether it's the right next step for SOC analyst careers.

Last updated May 2026
Defensive · SOC analyst
Quick answer

SAL1 is TryHackMe's flagship defensive certification — a hybrid exam combining multiple-choice and hands-on simulation, priced at $349 with 3 months Premium and one retake included. It maps directly to Tier 1 SOC analyst roles. Plan for 3–6 months of focused prep via the SOC Level 1 path. Worth it for serious SOC candidates, but pair with Security+ for stronger HR-filter presence.

The Security Analyst Level 1 (SAL1) certification launched in 2025 as TryHackMe's answer to a real gap in the cybersecurity certification market: most entry-level credentials test what candidates know, not whether they can actually do the job. SAL1 changes that with a hybrid exam where the majority of the score comes from a working SOC simulation rather than multiple-choice questions.

That practical emphasis matters because hiring for Tier 1 SOC analyst roles suffers from the same misalignment everywhere: hiring managers want demonstrated skill, applicants arrive with theoretical certifications, and the gap shows up in technical interviews. SAL1 directly addresses this: passing the exam means you've actually triaged alerts, analyzed logs, and written incident reports under time pressure.

This guide covers everything about SAL1 in 2026: the exact exam structure, realistic preparation timelines, total costs (including hidden ones), how it compares to Security+ and other defensive certifications, and clear answers on whether it deserves a place in your roadmap.

At a glance

SAL1 by the numbers

The essential facts before diving deeper.

Cost: $349 (includes 3 months Premium + 1 retake)
Format: Hybrid (multiple-choice + hands-on simulation)
Duration: 24 hours (full exam window with breaks)
Passing score: 750/1000 (minimum total points required to pass)
Prerequisites: None official (SOC Level 1 path strongly recommended)
Renewal: 3 years (continuing education or re-take)
Exam format

How the exam works

Two sections. The hands-on portion carries the most weight.

01

Multiple-choice section

~1 hour · 20%

Tests theoretical knowledge across cyber defense fundamentals: attack types, network protocols, security tooling, incident response phases, and threat intelligence concepts.

Key topics tested

  • Cyber kill chain and MITRE ATT&CK framework
  • Common attack vectors and indicators of compromise
  • SIEM concepts and log analysis fundamentals
  • Network security and traffic analysis
  • Endpoint security and EDR concepts
  • Threat intelligence and OSINT
02

Hands-on simulation

~4 hours · 80%

Realistic SOC environment with active alerts, suspicious activity, and incidents to investigate. Demonstrates whether you can actually do the job, not just describe it.

Key topics tested

  • Triage incoming SIEM alerts
  • Analyze logs across multiple data sources
  • Investigate phishing campaigns
  • Document findings in incident reports
  • Use detection tooling under time pressure
  • Distinguish true positives from false positives
The path

4-phase preparation roadmap

Sequential phases. Most candidates need 3–6 months total.

01

Complete the SOC Level 1 path

10–14 weeks

TryHackMe's SOC Level 1 path is the foundation. The exam draws heavily from this content — covering cyber defense fundamentals, network security, endpoint security, SIEM, threat intelligence, and digital forensics. Expect 100–150 hours of focused study to complete properly.

Action items

  • Cyber Defense Frameworks module
  • Cyber Threat Intelligence module
  • Network Security & Traffic Analysis module
  • Endpoint Security Monitoring module
  • Security Information and Event Management (SIEM)
  • Digital Forensics & Incident Response
02

Reinforce with hands-on practice

3–4 weeks

Theory alone won't pass the practical section. Complete additional rooms beyond the path, focusing on log analysis, alert triage, and incident investigation. Build muscle memory for SIEM workflows.

Action items

  • Splunk-focused rooms (the exam tests Splunk-style queries)
  • Phishing analysis rooms
  • Wireshark / network forensics rooms
  • Investigating Windows event logs
  • MITRE ATT&CK navigator practice
03

Build documentation skills

Ongoing

The simulation requires writing incident reports under time pressure. Practice clear, structured documentation throughout your room work — most candidates underestimate this and lose points on the practical.

Action items

  • Write detailed walkthroughs for completed rooms
  • Practice the 'what / why / impact / next steps' incident format
  • Time yourself: aim for clear documentation in under 15 minutes per incident
04

Take the exam

1 day

Schedule when you've completed all SOC Level 1 modules and feel comfortable with simulated investigations. The 24-hour window allows breaks — use them. Most candidates finish active exam time in 8–10 hours.

Action items

  • Schedule when fully prepared, not based on subscription expiry
  • Take strategic breaks (sleep, food, decompression)
  • Document everything as you go — saves time on final report
  • Use the retake voucher if needed; no shame in second attempts
Reality check

What candidates actually report

Common patterns from SAL1 holders in 2026.

The simulation feels real

Unlike multiple-choice-only exams, the SAL1 simulation puts you in a working SOC environment with active alerts. That realism is the certification's biggest strength — and what makes it harder than the price tag suggests.

Time pressure is significant

The 24-hour window seems generous until you start working through actual incidents. Documentation alone can consume 30–50% of your time. Most candidates report feeling time pressure even with the long window.

TryHackMe Premium isn't optional

While the exam includes 3 months of Premium, you'll likely need significantly more time on the platform before attempting the exam. Plan for 6–9 months of Premium access total ($90–$135 above exam cost).

Hands-on score matters more

The 60% weighting on the simulation means strong performance there can carry weaker multiple-choice results. Conversely, dominating multiple-choice cannot save a poor simulation score. Practice the practical work hardest.

Total investment

The real cost of SAL1

$349 is the sticker price. Here's what it actually costs to pass.

Exam voucher (includes 3 months Premium + 1 retake): $349
Additional Premium time (most candidates need 6+ months total): ~$60–90
Optional supplementary resources (books, additional courses; rare): $0–50
Realistic total (for most candidates, end-to-end): ~$410–490

Compare this to OSCP ($1,749) or CEH ($1,199 + training that pushes total past $2,500). SAL1's total cost-to-recognition ratio is favorable for SOC-targeted candidates, even after the hidden costs.

The decision

Is SAL1 worth pursuing?

A direct yes/no for the most common scenarios.

Yes — if you're targeting SOC analyst roles

SAL1 maps directly to Tier 1 job descriptions and provides hands-on validation that theoretical certs lack. Pair with Security+ for HR filter coverage and you have one of the strongest entry-level SOC profiles available in 2026.

Yes — if you learn best by doing

The SOC Level 1 path is hands-on by design. Candidates who struggle with pure theory exams (Security+, ISC2 CC) often perform better with SAL1's practical format. Skill compounds faster when you're investigating real-feeling incidents.

Maybe — if you don't have Security+ yet

SAL1 alone won't pass HR filters at most large employers in 2026. If budget allows for only one certification, Security+ has broader applicability. SAL1 makes more sense as a second cert, after Security+ has cleared the HR layer.

No — if you want offensive security

SAL1 is purely defensive. If your target role is penetration testing or red team work, eJPT v2 ($249), TCM PJPT ($199), or HackTheBox CPTS ($210) are more relevant credentials. SAL1 won't help you in offensive interviews.

Common questions

Frequently asked questions


01

What is SAL1 and what does it test?

SAL1 (Security Analyst Level 1) is TryHackMe's flagship defensive cybersecurity certification, launched in 2025. It validates entry-level SOC analyst skills through a hybrid exam combining multiple-choice questions on cyber defense fundamentals with a hands-on simulation where candidates triage real-style alerts in a virtualized SOC environment. The certification specifically targets Tier 1 SOC analyst job descriptions.
02

Is SAL1 worth $349?

For candidates targeting SOC analyst roles, generally yes. The $349 price includes the exam, 3 months of TryHackMe Premium for preparation, and one retake — a notably better package than most certifications offer. The certification carries growing recognition in 2026 and provides hands-on validation that theoretical certs like Security+ don't. The trade-off: brand recognition still trails CompTIA, so SAL1 alone may not pass HR filters as reliably as Security+.
03

How does SAL1 compare to CompTIA Security+?

They serve different purposes. Security+ ($404) is broader, more theoretical, and significantly more recognized at the HR-filter level — appearing in roughly 70% of entry-level cybersecurity job postings. SAL1 is more specialized (defensive/SOC focus), more hands-on, and demonstrates practical skill that Security+ cannot. The strongest entry-level SOC profile combines both: Security+ to clear filters, SAL1 to demonstrate real capability. If forced to pick one, Security+ wins for general applicability; SAL1 wins for technical interviews and SOC-specific roles.
04

How long does SAL1 take to prepare for?

Most candidates need 3–6 months of focused preparation, totaling 100–200 hours of study time. The TryHackMe SOC Level 1 path itself takes 10–14 weeks at 8–12 hours per week. Add another 3–4 weeks of supplementary practice on additional rooms. Candidates with prior IT background (help desk, sysadmin) often compress this to 2–3 months. Career changers with no IT background should plan for 6+ months including foundational learning before starting the SOC path.
05

Does SAL1 require Security+ as a prerequisite?

No, SAL1 has no official prerequisites. However, the exam assumes baseline cybersecurity knowledge that the SOC Level 1 path builds. Most candidates either have IT experience, complete TryHackMe's Pre-Security path first, or have foundational certifications like ISC2 CC or Security+ already. Going into SAL1 with zero prior exposure is technically possible but adds 2–3 months to the realistic timeline.
06

What's the SAL1 pass rate?

TryHackMe doesn't publish official pass rates. Community discussion suggests first-attempt pass rates around 50–65% for candidates who complete the SOC Level 1 path before attempting. Including retakes, overall pass rates likely reach 75–80% — which is why the included free retake significantly affects the certification's effective difficulty. Candidates who fail typically struggle most with the simulation section's time pressure rather than knowledge gaps.
07

What jobs can I get with SAL1?

SAL1 maps directly to Tier 1 SOC Analyst, Junior Security Analyst, and entry-level Cyber Defense Analyst roles. In 2026, employers including MSSPs, mid-market SaaS companies, and some corporate SOCs increasingly recognize the certification — though it's still building HR filter presence compared to CompTIA credentials. The strongest applications combine SAL1 with a more recognized cert (Security+) and demonstrated platform practice (TryHackMe profile, home lab on GitHub).
08

Should I take SAL1 before or after Security+?

Most candidates benefit from Security+ first, then SAL1 as a hands-on follow-up. Security+ provides foundational knowledge that makes SOC Level 1 content easier to absorb. It also clears HR filters that SAL1 alone doesn't yet — making the combination more powerful for first applications. The reverse order works if you're already targeting employers who recognize SAL1 directly (some MSSPs, technical teams) and want hands-on validation first. Either sequence reaches the same end state in 6–9 months.
Final word

The bottom line

SAL1 is one of the strongest entry-level defensive certifications available in 2026. The combination of hands-on validation, reasonable cost, and direct alignment with SOC analyst job descriptions makes it a worthwhile investment for serious candidates targeting that career path.

The two real caveats: brand recognition still trails CompTIA Security+ at the HR-filter level, so SAL1 works best as a complement rather than replacement; and the time investment (3–6 months on the SOC Level 1 path) is significant. Candidates who shortcut the preparation typically struggle on the simulation.

For the right candidate — someone targeting SOC roles, comfortable with hands-on learning, with budget for both Security+ and SAL1 — this is the strongest one-two punch available for entry-level defensive cybersecurity in 2026.
