TryHackMe SAL1 Exam Review

Rich

TL;DR Review of the SAL1 exam, TryHackMe’s brand new hands on certification.

Exam Reviews

  • Altered Security Certified Red Team Professional (CRTP)
  • eLearn Junior Pentester (eJPT)
  • ISC2 Certified in Cybersecurity (CC)
  • Microsoft Applied Skills Administer AD DS
  • TCM Practical Junior Penetration Tester (PJPT)
  • Altered Security CRTP renewal exam
  • TryHackMe Security Analyst Level 1 (SAL1)

Background

In late February 2025 TryHackMe announced that they had launched their brand new certification exam Security Analyst Level 1 (SAL1). Additionally they announced that anyone who currently held CompTIA CySA+ or Blue Team Level 1 (BTL1) could apply for a free exam voucher.

Needless to say I jumped on that deal.

Should you take SAL1?

IMHO anyway, you should take SAL1 if:

  • You took CompTIA CySA+ and you want a hands on complement to it.
  • You want to learn.
  • You love learning via hands on.
  • You love a bargain when it comes to certs.

You should not take SAL1 if:

  • You are just trying to fluff a resume.
  • You are trying to hit an HR filter.

TryHackMe is relatively well known, but this certification is brand new and likely will not gain name recognition any time soon.

Preparation

TryHackMe recommends using their Cyber Security 101 and SOC Level 1 pathways to prepare for the SAL1 exam. I only had a month to prepare as the free exam voucher had to be used before 31 March 2025. I crashed through the Cyber Security 101 pathway, and then realized about halfway into the SOC Level 1 pathway that I would not have time to finish it before attempting the exam.

Therefore I prioritized the rooms dealing with Endpoint security, SIEMs, and phishing. Specifically I concentrated on Splunk as other reviews on Reddit mentioned the importance of it on the SAL1 exam.

The most critical preparation though is doing the free SOC Simulators. This will familiarize you with the dashboard and Analyst VM before you are on a time crunch during the real exam.

The Exam

The maximum score on SAL1 is 1000 points. The breakdown is

  • 200 points: 80 multiple choice questions, 1 hour to complete.
  • 400 points: Scenario I, 100% hands on, 2 hours to complete.
  • 400 points: Scenario II, 100% hands on, 2 hours to complete.

You have access to an alerts dashboard, Splunk, and an Analyst VM. This VM was not terribly useful on my exam, I only used it to copy/paste IPs into ‘TryDetectThis’, TryHackMe’s fake VirusTotal site for exam purposes. I used Splunk heavily however.

It is very important to close all True Positive alerts before the 2 hour timer runs out during the two hands on scenarios. I saw a quick & dirty review on Reddit where the poster got 0 points on a scenario. Apparently you receive no credit for the alerts you closed if the timer runs out before you close all the True Positives.

On the flip side, the scenario ends as soon as you close the last True Positive, regardless of whether you closed the False Positive alerts or not. Therefore the biggest tip on this exam is don’t worry about the False Positive alerts and don’t bother writing reports for them.

The annoying part of the exam was that TryHackMe’s instructions were rather vague and unclear on whether a True Positive should be escalated or not. I am fairly certain that most of the points I lost on Scenario II were due to this. I saw the attack play out step by step in Splunk, so I escalated every alert tied to it.

Don’t overthink the multiple choice questions. If you have taken CompTIA Sec+, ISC2 SSCP, or EC Council CND you should fly through these with plenty of time to spare. Just doing the 101 pathways on TryHackMe will also prepare you adequately. Overall I liked the questions.

Reporting

I had a simple template in Notepad that I had made while doing the free SOC Simulator. It looks like the below:

Alert description: <type of attack>

5Ws
Who: <include as much as you can regarding usernames, IPs, hostnames, etc used by the attacker>
What: <type of attack>
Impact: <compromised internal workstation, data exfiltration, whatever happened>
When: <copy/paste timestamps from Splunk. If multiple events then put the interval as well>
Where: <device whose logs showed the attack in Splunk>
Why: <what was the attacker doing and why>

Likely attacker intent: <gain initial access, launch ransomware, whatever>
Impact: <was the attack successful>
MITRE ATT&CK: <Google the attacker TTP and then copy/paste the MITRE name here>

IOCs:
<Put everything here you found; IPs, hostnames, usernames, anything and everything related to the attack. The more the better>

Recommendation:
<block IPs at the FW, disable a compromised account, whatever you think best>

Lastly state whether you are escalating the alert and why.
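The template above is a checklist to fill by hand. As an added example (my own code, not the author's template or anything TryHackMe provides), the script below fills the same sections from a handful of constructed Splunk-style events: it works out the When interval from the earliest and latest timestamps, pulls every IP, host and user into the IOC section, and records the escalation decision on the last line. The event field names (`_time`, `host`, `user`, `src_ip`, `dest_ip`, `message`) and all values are hypothetical.

```python
"""Fill a 5Ws-style alert report from Splunk-like events (added example)."""
from datetime import datetime, timezone
import ipaddress
import re

# Constructed sample events in the shape of Splunk search results.
# Every hostname, user and address here is hypothetical.
SAMPLE_EVENTS = [
    {"_time": "2025-03-15T09:14:02Z", "host": "WKSTN-07", "user": "j.doe",
     "src_ip": "203.0.113.45", "dest_ip": "10.0.5.21",
     "message": "Logon failure for j.doe from 203.0.113.45"},
    {"_time": "2025-03-15T09:14:40Z", "host": "WKSTN-07", "user": "j.doe",
     "src_ip": "203.0.113.45", "dest_ip": "10.0.5.21",
     "message": "Successful logon for j.doe from 203.0.113.45"},
    {"_time": "2025-03-15T09:21:13Z", "host": "WKSTN-07", "user": "j.doe",
     "src_ip": "10.0.5.21", "dest_ip": "198.51.100.9",
     "message": "Outbound connection to 198.51.100.9:443 (4.2 MB sent)"},
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# RFC 1918 ranges checked explicitly: ipaddress.is_private also flags the
# documentation ranges (198.51.100.0/24, 203.0.113.0/24) used in the sample.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_time(ts: str) -> datetime:
    """Parse the UTC ISO-8601 timestamps (with 'Z' suffix) used in _time."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def time_interval(events):
    """Return (first, last) timestamps; the template wants the interval when
    several events are involved, so both ends are kept."""
    times = sorted(parse_time(e["_time"]) for e in events)
    return times[0].isoformat(), times[-1].isoformat()


def collect_iocs(events):
    """Gather every IP, host and user across the events, splitting IPs into
    external and internal so the recommendation can target the right ones."""
    iocs = {"external_ips": set(), "internal_ips": set(), "hosts": set(), "users": set()}
    for e in events:
        # Take IPs from the structured fields and from the free-text message.
        candidates = {e.get("src_ip"), e.get("dest_ip"), *IP_RE.findall(e.get("message", ""))}
        for raw in filter(None, candidates):
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                continue  # regex matched something that is not a valid address
            key = "internal_ips" if any(ip in net for net in RFC1918) else "external_ips"
            iocs[key].add(str(ip))
        if e.get("host"):
            iocs["hosts"].add(e["host"])
        if e.get("user"):
            iocs["users"].add(e["user"])
    return {k: sorted(v) for k, v in iocs.items()}


def render_report(alert_description, events, impact, intent, mitre,
                  recommendation, escalate, reason):
    """Render the report text in the same section order as the template."""
    first, last = time_interval(events)
    iocs = collect_iocs(events)
    when = first if first == last else f"{first} to {last}"
    lines = [
        f"Alert description: {alert_description}", "", "5Ws",
        f"Who: users={', '.join(iocs['users'])}; external IPs={', '.join(iocs['external_ips'])}",
        f"What: {alert_description}", f"Impact: {impact}", f"When: {when}",
        f"Where: {', '.join(iocs['hosts'])}", f"Why: {intent}", "",
        f"Likely attacker intent: {intent}", f"MITRE ATT&CK: {mitre}", "", "IOCs:",
    ]
    lines += [f"  {kind}: {', '.join(vals)}" for kind, vals in iocs.items() if vals]
    lines += ["", "Recommendation:", f"  {recommendation}", "",
              f"Escalate: {'yes' if escalate else 'no'} - {reason}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(
        "Successful logon after failed attempts, followed by outbound transfer",
        SAMPLE_EVENTS, "Workstation WKSTN-07 compromised, data sent to external host",
        "Gain initial access and exfiltrate data", "Valid Accounts; Exfiltration Over C2 Channel",
        "Block 203.0.113.45 and 198.51.100.9 at the firewall, disable j.doe, isolate WKSTN-07",
        escalate=True, reason="attack succeeded and data left the network"))
```

Running the script prints a report that mirrors the template section by section. The only deliberate design choice is the explicit RFC 1918 check: Python's `ipaddress` treats the documentation ranges as non-global, so relying on `is_private` would have misfiled the sample's external addresses as internal.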

Your reports are graded by AI, not a human, and it seems to be mostly checking

  • whether you flagged the alert correctly as a True Positive or False Positive
  • the details you include in your 5Ws
  • whether you made a good guess at the attacker’s intent
  • the details you include in IOCs

Most of all, though, the AI judges you very harshly on whether your escalation decision matches the one it thinks you should have made.

I didn’t do well on this part.

The good news is that as long as you include the right details (IPs, hostnames, etc.), the AI doesn’t care if you make typos or your report doesn’t flow well.

My Verdict

It bugged me that I couldn’t actually do anything to stop the attack I would see in Splunk. I would see the alerts on the dashboard, poke around in Splunk, and see the attack step by step. I wanted to isolate victim systems, disable victim usernames, etc. I am pretty sure I lost points on Scenario I because I kept marking everything even remotely tied to the attacker kill chain I was seeing in Splunk as Escalate.

I had one small complaint with the exam format: TryHackMe does not provide you the scenario information until after the 2 hour timer starts. Additionally the timer is running while the VMs boot and the logs load into Splunk. Other exams like CRTP don’t count VM bootup time against your timer. Hence once you hit start, blow through the ‘Next’ buttons and hit the button to start the VMs … then read the scenario information. You will be waiting a few minutes for the first alert to come in anyway.

Overall though I think it is a good exam. It may or may not be worth the $200 price if you didn’t get a free voucher. That’s for you to decide for yourself given your own education level, experience, and what jobs you are working towards.

Summary

I found myself wishing TryHackMe had a Red Team exam shortly after finishing SAL1, maybe something called Red Team Level 1 (RTL1). I really liked that in CRTP, eJPT, PJPT, etc I knew when I had finished because I had achieved root, Administrator, or Enterprise Admin.

I have taken 6 hands on exams total now and 2 that had a small hands on portion. 4 of the hands on exams were Red Team/Penetration Testing focused, 1 was a Microsoft exam on AD aimed at system administrators, and this was my first Blue Team hands on exam. It did help that the two exams I took that had a small hands on portion were both Blue Team focused, and I have worked in IT and cybersecurity for a few years now.

However I believe that a beginner who simply knocks out the relevant TryHackMe pathways has a good shot at passing SAL1. When you do, you get a nice certification, Credly badge, and maybe some bragging rights.

Written by Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.
