Practical labs expose the vanity of paper certifications by proving that real-world intuition cannot be memorized from a textbook. Vesselin's journey reminds us that in a SOC, your ability to solve problems is the only credential that actually carries weight.
Deep Dive
Aspiring SOC Analyst Shares His MYDFIR Forge Experience
This guy Steven, his YouTube channel, he said this guy, he put five or six premium labs that you have to pay for and he just put them on YouTube for free. Personally, I couldn't believe that I was actually doing real investigation on real alert and on real incident. You're always telling us to to think the big picture, not isolated events. For example, why this host is breached, how it was breached, what happened, why did it happen, how can we prevent this, and not just a theory, because this is not going to do you anywhere any good.
>> Hello everybody, welcome to today's video. Today I am joined by Vesselin who is a member of the MYDFIR Forge and today he's going to share his journey and his experience in the forge and going through all of his learnings and go from there. So with that being said, Vesselin, if you can please introduce yourself, what's your background and what got you into cyber security?
>> Hey guys, nice to meet you all. My name is Vesselin. I'm uh from Bulgaria and I'm currently uh working as a technical account manager. Um I want to transfer to cyber security and start in the security operations center domain. Uh this is the most interesting uh field for me and at the moment I'm part of the MYDFIR Forge community and I'm very happy to to be here.
>> Awesome. So quick question for you. What were you doing previously to learn cyber security before joining the forge?
>> A great, great one. So I was uh following a road map, you know, the this uh buzzword from YouTube. I got um certificates like um A+, Security+, then the CCNA. But I quickly learned that just reading and doing certificates won't get you anywhere. The real deal is hands-on experience like lab tutorials, this kind of stuff. And really this is what made me push myself and join the community.
Do something that's really out of my comfort zone. But at the same time, you cannot learn cyber security just by reading or just filling the blanks or just filling tests and doing tests. This is not how it works.
>> It's very different whenever you ingest like theory and then try to apply it to a practical experience, right? Like an actual real world experience. It's totally different. So I do highly agree with that take and um out of curiosity, how did you find the community?
>> Yeah, that's that's a very funny story.
First I uh completed the MYDFIR course and then I learned about the the community and then I decided to join because this is the natural progress of things. But I learned about the different course is from an article. Unfortunately I couldn't find it. I really tried but I was looking for home labs because after I took the CCNA I decided that need some hands-on experience and there was an article and one guy was telling me about this guy Steven his YouTube channel he said this guy he put five or six premium labs that you have to pay for and he just put them on YouTube for free. So I was like okay let me give it a try.
Let's see let's see this guy. And from there I was hooked. I even bought a PC, desktop PC, especially to have enough resources to build the labs and to to have fun. And that's how I started.
>> Nice. Nice. That's really amazing. I did not know that I was referred by an article.
>> Yeah. I I learn something new every day.
Yeah.
>> Yeah. It was It was a German guy. That's all I remember.
>> Okay. Okay. Well, shout out to him.
>> Yeah.
>> And uh you mentioned that you purchased a PC. Out of curiosity, what are the specs for that?
>> If I'm not wrong, I have 64 gigs of RAM.
Uh I have an uh AMD processor. I think it's 5.8 GHz if I'm not wrong. I have two terabytes uh uh SSD and um just normal uh video card. It's nothing fancy. I think it's GeForce 5.8 if I'm not wrong. Yeah, it's it's a very beefy computer for sure.
>> Yeah. Yeah. Yeah. It's it's it's really worth the investment because the labs, you know, people may not know, but you have pretty amazing labs with six or seven virtual machines and if you don't have the RAM, nothing's going to work.
>> Yeah. So tough to to have everything up and running. Speaking about labs, what are what is your experience in terms of like building the hands-on labs? Um like virtual machines, SIEMs, just connecting it all together. Was this something that you've done previously or was it something that you learned by watching uh the YouTube videos?
>> I hadn't built any labs before you and to be honest it was very intimidating because most of the stuff are hosted, yeah, most of the of the cool stuff like EDRs are hosted on Linux servers and these Linux servers, well, as a guy who was doing only uh Windows in his in his day, Linux was very frightening to me. But uh of course at the end of the day you have to push yourself and it was very strange in the beginning. I didn't believe that I could complete any of the labs to be quite honest because in every single step I got errors so we had to move back. I swear I had days that two or three days I spent until I get a server running like properly. Yeah. But now that I look back, totally worth it.
>> Awesome. It's normal, too, by the way.
Like if you're if it's the first time building up a lab, spending days, even weeks, just trying to troubleshoot your way out. Man, that right there is like the best experience that you'll ever get indeed.
>> So, those that are watching right now, yeah, if you've never built a lab, stop this video, go build out a lab, try your hands on it, and and really go through the troubleshooting process because that's going to not only reinforce all your troubleshooting skills, but also your researching skills, right? Well, learning all that, man, it's such a rewarding feeling after after completing it. So, I'm very proud of you to do that and good for you.
>> Yeah. But just one one advice I have for all the guys. Yeah. Do not use uh AI.
It's not worth it. You're not going to learn anything by using AI. I mean, for building labs.
>> Yeah, for sure. For sure. AI though something that you can prompt. You can you're going to have it as more of a colleague per se or just to get a second thought. But yeah, I do I do agree with you. You know, you can put in some of the troubleshooting errors that you get, throw it into AI, see if they can help you with it. If not, that is where you got to do a little bit more research and dig into it. In terms of your expectations, what was that like prior to joining to the uh forge?
>> Well, um a good question. I mean, what I was expecting is to have um like-minded people in the community. And to be honest, I didn't know a lot before I joined the community. I knew about this awesome course. So I naturally it was logical for me to expect some good stuff there, but I didn't expect the the simulator. I didn't expect uh the daily challenges, the CTFs. Yeah, I was I was going in blind to be honest. Uh and I don't regret it a single bit.
>> You mentioned the simulator there and I do have a question for you regarding that. What is your experience uh with that? Do you do you enjoy you know working within the simulator?
>> That's that's amazing. I mean I don't know how you uh came up with the idea or how did you build it? Because I see it's very complicated uh from the labs that you have, but I mean it's something that I think every junior or mid-level SOC analyst should at least try in their lifetime or career I should say, because it's something that this is real life, this is how you learn, and at the end of the day even if you're somebody experienced for sure you're going to see or meet an attack or exploit or ransomware or malware or whatever, you're going to see it in the simulator first and then this can help you build your thought process. It can help you build confidence in tackling such kind of situations. I think the simulator is amazing and personally for me it was intimidating at first but after two or three investigations that I have completed I feel very good about it.
>> Nice. Nice. For those that don't know, this simulator is an environment that I built up in Microsoft Azure and essentially we use uh Microsoft Defender for the XDR and we have pretty much identity, emails, devices flowing in like all all of those tables flowing in.
We also have Splunk too. So we what I'm trying to do here is essentially mimic a an MSSP, right? A managed security service provider providing all of the the members in the forge an experience to see what it's actually like working in an MSSP where there's multiple clients. Now what we have here are two simulated clients. I mean I created the clients there but I act as like their personas, right? So sometimes I would create an investigation request pretending to be you know the CEO and and and task the members to go and do a threat hunt or an investigation. But aside from that like we also have actual real alerts that come in and those alerts are getting fed into an inbox where the analysts will then go in and take a look. Speaking of that though, there was actually one pretty cool scenario that happened pretty recently and you were lucky to be a part of it and essentially what that was is that one of our clients had experienced a ransomware attack and you Vesselin being able to go into the SOC simulator and seeing that firsthand. What was your experience like?
>> My it was very strange. It was my first like my first experience with real world threats with something that's uh out of the box, something that's not structured, that's not isolated. It was very strange for me at first.
Personally, I couldn't believe that I was actually doing real investigation on real alert and on real incident. But it was very funny because after I started digging, I understood that the basics that the knowledge that I already have that I acquired from you guys, it's actually the real deal. It's the real thing. Even if I don't know a lot, just the basics that I know can help me build build up enough queries, enough knowledge, enough data, enough artifacts for me build a real picture and to understand what's going on. And this is something very uh I mean you don't get to experience this kind of stuff in other platforms at least in my opinion.
I mean I've been in on TryHackMe where you have you know basically you have isolated cases and you work them on a virtual machine but it's not the real deal. And being a part of a of this challenge was very rewarding experience.
>> Awesome. You were part of a team too, like I believe five members or four
>> uh four members.
>> Four members. Yeah. And based off of my my uh you know hearings and and and talking to some of the team members there, the tasks were split up. Is that correct?
>> Yep.
>> So what part of the I guess the chain what was your responsibility? Were you looking into something like initial access, command and control, lateral movement or what was that?
>> Yeah. So I was doing the command and control. I was doing the file hashes so I had to and the network events basically the outbound connections which are part of the
>> Yeah, you mentioned something about Microsoft especially like KQL. So prior to joining the the forge you did you have any kind of experience with it?
>> Nope. Zero experience zero knowledge.
>> Yeah let's be honest here. I was very it was out of my reach.
>> If I could ask how did you I guess query those or how did you create those KQL queries then? Did you utilize the help of AI or did you look into cheat sheets or how did you do it?
>> If I'm not mistaken, uh there is a section in in the forge where there there is a link to Microsoft where you can I mean the Microsoft learning center or something like that where you can uh start practicing with KQL queries with the help of I don't know the AI I guess there. But from there I actually opened uh a report from another member of the the forge. So I opened his report for the for another investigation that he made and I saw some queries and then it clicked that actually it's not that different than Splunk or uh SQL because I'm familiar with SQL. I use it in my daily job. So it was not that different.
Of course when I uh got stuck I used OpenAI to to help me to understand where exactly is my mistake in the in the query in the syntax of the query.
>> Yeah. And I love that you mentioned that it's pretty similar to uh Splunk and SQL. And I kind of go back to that methodology where it's like a tool's a tool. Uh but what we need to understand is like the investigation, right? Our objective, our questions, trying to understand what are we trying to do for this particular incident. And then when we think about it, oh maybe we're looking for command and control like like what you were tasked for. So then you start building out queries based off of that. In terms of the methodology since I brought that up there. What was your experience like or I want to know what your thoughts are for the MYDFIR SOC analyst course aka the 90-day SOC accelerator program?
>> Wow. Uh that's a good question. I thought about it and I can say that in the beginning you feel like you don't know like cyber security is something that's very far away from you. That's something that the the cool guys in the neighborhood are doing, but you don't know anything about it. But then with each and every module that you complete, you understand that it's not that difficult. And I have to to say very good work to you. You know how to explain complex topics in in very simple language. And the tone of your voice is actually pretty calming. I don't know if this is a a desired effect or it's just natural. I don't know but it's it really helps um learning and by the end of the by the end of the course you have experience with so many tools and with so many concepts that you understand that cyber security is not that hard.
You just have to put time. It's the structure, the consistency, the putting in the hours and going through it to really understand you know what you're learning while you're doing that journey right while you're taking that path and and trying your best to complete it.
Speaking about the 90-day SOC accelerator program, within that program, there is a daily accountability. I want to hear your thoughts on what you think about that.
>> The accountability, this uh this is first something that keeps you motivated, but at the same time, when you're down and when you don't feel like doing it because let's be honest, cyber security can be very taxing, especially to newcomers. This accountability program is something that can keep you afloat, that can keep you focused. I think this is a great idea and it's not like in other platforms where you just click uh one prompt and then the days go by. Uh it's something that you have to personally write down what you did and why you did it and what did you learn.
Uh, and I mean knowing that other people are monitoring uh your progress, like this is enough of a motivation for uh for a lot of people. And if you just keep one or two days, you know that you're going to feel bad about it. I mean, you're not lying to anyone else.
You're lying to yourself. And I really like the accountability program. I really think that a lot of people can get sidetracked and this program can help them with staying focused. Mhm.
>> Yeah, absolutely agreed with that. For the accountability post, too, we all learn from each other, too, because they're doing the same post, whoever is going through the 90-day challenge or program there. Yeah. So, like day one, day two, day three, it's the same. It's the same questions, but it's the different answers from each member, right? That's what makes it really special, too. Yeah. On top of the accountability portion. One question for you in terms of going through the forge and the 90-day program, the course and also the SOC simulator here. How has your confidence changed at all since joining?
>> If you ask uh my friends, they think that I'm a hacker by this time. Uh but for me, it's uh it's really been a very rewarding experience. I feel like that well I'm I'm very paranoid now because I think everything is a is an is a is an attack vector everything can be a vulnerability that can be exploited but that's just I think this is a side effect of all cyber security people but I think that my confidence personally I feel is very much up because of this course because u >> yeah because in certifications like a Security+ or some other certificates that people are considering doing there.
You don't get like you don't get the real hands-on experience and you don't understand why something is happening.
And again, in your in your courses, in your modules, you're you're always telling us to to think the big picture, not isolated events. for example, why this host is breached, how it was breached, what happened, why did it happen, how can we prevent this and not just a theory because this is not going to do you anywhere any good. So in this regard, I think that my confidence uh has gone through the roof because I can now safely say that I can build a timeline. Why did something happen? What happened first? Why did it happen? And what's the impact? because at the end of the day we need to understand the impact so we can triage better and good good job on that. I feel like that you did put a good work and it's really appreciated.
>> Thank you. Thank you. That that really means a lot to me just hearing that from you like I've been the SOC course that I've been working on or that I've completed. I really thought about the steps of you know when I first became a SOC analyst what are the challenges that I faced and that was not knowing what to do right we get an alert coming in
>> yeah we yeah exactly exactly right we get an alert it's like I don't okay I have the alert this is what I see this is the name this is the asset that's affected but what's next
>> it's like I don't know
>> I don't know what to do next yeah since you mentioned that you've taken uh quite a bit of trainings there. So, in your opinion, how does the Forge differentiate itself from other communities or courses that you've taken?
>> The first part is obviously the people because you've built a great community with people that support each other, always here to give you an advice. Of course, the the next one is you, the so-called trainer, teacher, whatever you want to call it. You're different than than the other guys because you don't want to you don't push people to learn.
You give us the tools, you give us the base knowledge, but from there we need to build up. We need to show up. We need to show you the accountability. We need to show you what we did, the incident reports, the investigations, the daily, sorry, the the weekly uh challenges, the CTFs. This is something that not a lot of communities have and a lot of people they don't want to to put up the work. I mean a lot of trainers they don't want to put up the work to build such um interactive community for other people.
At least this is my experience and I think this is very valuable. Of course we have so many like versatile security topics that we can explore in in the forge. We have CTFs, we have SOC simulator, we have home labs, we have email investigations, malware investigations. I mean, and so much more that I cannot think about right now. And I think this is the big difference that it's an engaging community that at any point of time, you can find someone that can help you. And it's not a guy that's like a senior analyst or CTO or whatever. It's going to be the same guy like you that just picked up the course earlier than you or the guy that has put some more hours than you. And the other thing that I think it's very important that we have to to mention is that you you're very open to questions and you're here for us. And uh personally I have DM'd you like 100 times with a lot of questions and you're always here and I feel like that this is very important that we know as a community that you're here for us. Uh it's not something a lot of people are doing or willing to do at least in my opinion and this is very important for newcomers because in my opinion if you don't feel supported you can easily drop out because you don't you don't know you say you're learning every day that that's my opinion at least
>> absolutely I try my best to create what needs to be created to make sure that folks like yourself and everybody else in the forge are successful. Right? I do want to see that success story, right? I want to see you win. I want to see you land that job and be like, "Stephen, guess what happened?" Right? Like I want that. That is what I'm trying to do and and make sure that I provide uh so you guys do get there, right? That's that's the entire goal. And if there is a blockage, right, if there is something that you have a question on and you just can't do it, you don't know the answer, then of course I would love to help, right? I'm more than more than happy to.
As you mentioned, very open. So 100 100 DMs, keep them coming. Keep them coming, right? Like I'm I'm here. I'm here for you. I'm here for everybody in the forge. So I'm I'm really happy to hear that, you know, you feel that way, too.
So thank you.
>> Of course. I And I'm not I I want to say just sorry about that. I want to just say I'm not sugar coating it. This is how I feel and I'm I'm happy to have this opportunity because at the end of the day, not many people have this opportunity and I'm grateful for it.
>> Well, thank you for that. I do have one last question for you and it is a pretty great segue into it. If someone's on the fence about joining the forge, what would you tell them?
>> Well, uh, a good one. Uh, I mean, what can I tell them? If you want to get your hands dirty or, uh, leave your comfort zone and see what the real cyber security uh, world is like. Give it a try. I mean, you're going to see that a lot of stuff are not like in the in the YouTube videos or the trainings or whatever you're doing in at the moment.
The Forge is very different. I mean, at the end of the day, a lot of the the certificates, the trainings, they're outdated. And in in the Forge community, you will see real attacks that are happening at the moment. You're going to see real ransomware that's being modified yesterday or a week before. So, you're going to be up to date with a lot of stuff that's going on right now, which at the end of the day, if you want to get a job or an interview in the SOC analyst, you're going to need to know this stuff. They're going to ask you about what are the current um the current security trends, what was broken, what are the vulnerabilities, and this kind of stuff. And every day, you don't know what's going to come through the door. And in the in the in the forge community, you can see this every single day in in the SOC simulator. Ju just invest in yourself, see what you can do, and at the end of the day, you're going to be thankful that you've joined. I'm completely sure about that.
>> Wow. Thank you. Thank you so much, Vesselin, for taking the time out of your day. I know it's midnight on over on your side there and sharing your experience with us. And honestly, I I say this quite quite often, but if you ever have any questions, do feel free to reach out to me. Um this is this Yeah.
Yeah. Like don't hesitate, right? Just be like, "Hey, Stephen, I got I got a question for you." But this is also extended to those that are listening as well, right? If you're if you have a question about the forge, you're not too sure, you want some more clarity with it, I'm more than happy to jump on a chat just like what you and I are doing, right?
At the end of the day whatever you need to achieve right and uh yeah with that being said thank you so much again for joining and that is it for the video
>> thank you for having