
Here’s a Review of the Certified Defensive Security Analyst Certification from HackTheBox.
Official Description from HackTheBox
“HTB Certified Defensive Security Analyst (HTB CDSA) is a highly hands-on certification that assesses the candidates’ security analysis, SOC operations, and incident handling skills. HTB Certified Defensive Security Analyst (HTB CDSA) certification holders will possess technical competency in the security analysis, SOC operations, and incident handling domains at an intermediate level. They will be able to spot security incidents and identify avenues of detection that may not be immediately apparent from simply looking at the available data/evidence. They will also excel at thinking outside the box, correlating disparate pieces of data/evidence, and pivoting relentlessly to determine the maximum impact of an incident. Another skill they will bring is the creation of actionable security incident reports tailored for diverse audiences.”
The Exam Description
“The candidate will have to perform security analysis, SOC operations, and incident handling activities against multiple real-world and heterogeneous networks hosted in HTB’s infrastructure and accessible via VPN (using Pwnbox or their own local VM). Upon starting the examination process, a letter of engagement will be provided that will clearly state all engagement details, requirements, objectives, and scope. All a candidate needs to perform the required activities is a stable internet connection and VPN software. HTB Certified Defensive Security Analyst is the most up-to-date and applicable certification for Security Analysts, SOC Analysts, and Incident Handlers that focuses on both security incident analysis and professionally communicating security incidents.”
The Exam Domains
- Incident Handling Process
- Security Monitoring & SIEM Fundamentals
- Introduction to Threat Hunting & Hunting With Elastic
- Windows Event Logs & Finding Evil
- Understanding Log Sources & Investigating with Splunk
- Windows Attacks & Defense
- Intro to Network Traffic Analysis
- Intermediate Network Traffic Analysis
- Working with IDS/IPS
- Introduction to Malware Analysis
- JavaScript Deobfuscation
- YARA & Sigma for SOC Analysts
- Introduction to Digital Forensics
- Detecting Windows Attacks with Splunk
- Security Incident Reporting
Certification Process
To sit the exam, you must fully complete the modules, including the lab at the end of most sub-modules, and finish each module's "Skill Assessment", which tests students' understanding. In addition, there is a "SOC Analyst Prerequisites" path that teaches Assembly, Linux, Windows, and networking fundamentals.
The test costs approximately $200 and includes two vouchers, so if you fail your first attempt, you can retake it at no additional cost. You don’t need to purchase the exam to access the study materials. Additionally, once you complete the material, it remains permanently available in your account, allowing you to reference it anytime without maintaining a subscription.
Prices for HTB Academy (which includes material for CPTS, CBBH, and CWEE):

The SOC Analyst Job Role Path
“The SOC Analyst Job Role Path is for newcomers to information security who aspire to become professional SOC analysts. This path covers core security monitoring and security analysis concepts and provides a deep understanding of the specialized tools, attack tactics, and methodology used by adversaries. Armed with the necessary theoretical background and multiple practical exercises, students will go through all security analysis stages, from traffic analysis and SIEM monitoring to DFIR activities and reporting. Upon completing this job role path, you will have obtained the practical skills and mindset necessary to monitor enterprise-level infrastructure and detect intrusions at an intermediate level. The SOC Analyst Prerequisites skill path can be considered prerequisite knowledge to be successful while working through this job role path.”
The role path is 15 modules, with varying difficulty levels, and is all text-based (no videos). You will be using HackTheBox's Pwnbox, their ParrotOS machine, which is often used to RDP into the target machines (Windows, Kali).

In order of difficulty, here is how I would rank the modules (from least to most):
- Security Incident Reporting
- Incident Handling Process
- Intermediate Network Traffic Analysis
- Intro to Network Traffic Analysis
- JavaScript Deobfuscation
- Security Monitoring & SIEM Fundamentals
- Detecting Windows Attacks with Splunk
- Windows Event Logs & Finding Evil
- Windows Attacks & Defense
- YARA & Sigma for SOC Analysts
- Understanding Log Sources & Investigating with Splunk
- Introduction to Threat Hunting & Hunting with Elastic
- Working with IDS/IPS
- Introduction to Digital Forensics
- Introduction to Malware Analysis
The Exam
The exam is quite challenging, with many participants reporting that it took the full seven days to complete. It consists of two incidents: the first requires capturing 20 flags, while the second involves writing a comprehensive report without any guidance or flags. The seven-day duration is designed to fit into a typical workflow.
Most students who passed the exam noted that all necessary information was covered in the modules, eliminating the need for additional research. The Security Incident Reporting module, which includes an example report, is particularly useful for the exam.
To pass, you must capture at least 17 out of the 20 flags and produce a strong report. Simply submitting the flags without the accompanying report will invalidate your exam.
Here is the format of the report:
- Executive Summary: includes Severity, Status, Overview, Key Findings, and Stakeholder Impact.
- Technical Analysis: the largest portion of the report. I separated mine into these categories (which can also be found in the Security Incident Reporting module):
  - Reconnaissance
  - Initial Compromise
  - C2 Communications
  - Enumeration
  - Lateral Movement
  - Data Access & Exfiltration
  - Malware Deployment or Activity (including Process Injection and Persistence)
- Indicators of Compromise (IoCs)
- Root Cause Analysis
- Technical Timeline (same as Technical Analysis, just explaining what happened)
- Nature of the Attack
Hack The Box provides a template and Sysreptor to help with the report.
Commentary & Guidance
I completed the job role path from March 7 to April 15, taking 39 days in total. While HackTheBox estimates 23 days for completion, I still consider my time relatively quick. After finishing the path, I took a week to review modules that I found particularly challenging or dense.
For additional support, I found the website The DFIR Report helpful for understanding reporting structures. Members of the HTB Discord server also recommended completing the Sherlock challenges to gain familiarity with investigations and practice report writing, although I chose not to do these.
The HTB Discord server was invaluable for assistance. The CDSA and Modules tabs, along with previously answered questions, provided great guidance throughout my journey.
During the exam, I captured all 20 flags within 3 to 4 days, spent the next few days building my report, and used the final day for editing. I submitted my work on April 29, 2024, and received my results on May 20, 2024. HackTheBox typically provides results 20 business days after submission, releasing them in batches rather than individually.
My prior experience includes BTL1, completion of the SOC 1 path from TryHackMe, CySA+, and participating in BOTS from Splunk.
Tips
When it comes to note-taking, I found it largely unnecessary because you can always revisit the modules. Although I created extensive notes totaling over 1,000 pages on CDSA, I rarely referred back to them during the test.
Make sure to allocate sufficient time for the exam and thoroughly investigate every potential flag and incident. Remember, the exam content is crafted by the same experts who created the modules. Always keep in mind that you are investigating an attack, and refer to the Cyber Kill Chain to understand the stages of an attack, which can guide you in identifying incidents.
Take regular breaks to avoid burnout and maintain motivation. Stepping away for a while can help you return with a fresh perspective.
Practice your reporting skills, or at least familiarize yourself with the Cyber Kill Chain and the methods for identifying malicious activities. I found using Microsoft Word more convenient than Sysreptor for reporting. Sysreptor automatically populates sections with template information, which might be useful. You can learn more about it at Sysreptor Documentation.
BTL1 Comparison
Some of you might be undecided between choosing BTL1 or HTB CDSA. BTL1, offered by Security Blue Team, is more established and widely known. It also has a follow-up certification, BTL2, which creates a cohesive pathway for many.
BTL1 has a shorter path and does not require a report, making its exam significantly easier and less nuanced compared to CDSA. The content in BTL1 is heavily focused on conceptual matters. Additionally, the BTL1 exam duration is 24 hours, while the CDSA exam spans 7 days.
Content Differences:
When comparing BTL1 and HTB CDSA, there are several key differences to consider.
BTL1 focuses on:
- CMD and PowerShell for Incident Response
- DeepBlueCLI
- Phishing
- MISP
- TheHive
- File Carving
CDSA offers more depth in:
- Network traffic analysis
- ELK
- Advanced Splunk
- Windows Attacks and Defense, and their detection in Splunk
- Advanced malware analysis
- In-depth Digital Forensics
- JavaScript deobfuscation
- Windows Event Log analysis
- YARA & Sigma
- IDS & IPS systems (Snort, Zeek, Suricata)
HTB Academy provides access to all course materials without requiring you to pay for the exam upfront. Once you have access, you retain the material indefinitely and can choose when to take the exam. In contrast, Security Blue Team’s model restricts access to the materials and mandates completing the test within a set period.
In terms of pricing, BTL1 costs around $500, while CDSA is about $200. Both certifications include two vouchers.
While CDSA offers more value for money and covers more advanced topics, it does feel intermediate and presents a larger skill gap compared to the very beginner-friendly BTL1. Additionally, HTB Academy’s Skill Assessments do not provide answer keys, unlike those from Security Blue Team.