5 Blue Team Projects That Can Get You Hired as a SOC Analyst (2025)
You have the certifications. You’ve watched the YouTube videos. You know the theory.
But when you apply for Entry-Level SOC Analyst roles, you keep hearing the same thing: “We are looking for someone with more experience.”
It’s the classic cybersecurity catch-22: You need a job to get experience, but you need experience to get the job.
The solution? Build your own experience.
Hiring managers don’t just want to see certifications; they want to see application. They want to know that you can spin up a server, ingest logs, and detect a threat. In this guide, I’m giving you four actionable Blue Team projects (with a fifth coming soon) that you can build right now to show that you are ready for the SOC.
And the best part? We are going to use the Phoenix Cipher Lab Environment to build them.
Project 1: Build a Virtualized Corporate Network#
The Skill: Infrastructure & Network Segmentation
Before you can defend a network, you have to know how to build one. Simply installing Kali Linux on VirtualBox isn’t enough. To impress a hiring manager, you need to show you understand Enterprise Architecture.
This means setting up a Type-1 hypervisor (Proxmox), configuring a firewall (pfSense), segmenting your network into VLANs (e.g., a “Victim Network”, a SIEM network, and an “Attacker Network”), and creating your own VPN server for secure remote access (through pfSense). The point of the segmentation is that the Attacker VLAN can only reach the Victim VLAN through pfSense, so every attack you run in the later projects has to cross a firewall rule you wrote and can be logged there.
How to do it: I created a step-by-step guide on how to acquire the hardware and set up the virtualization layer. This is the foundation for every other project on this list.
Start Here: Part 1: Hardware & Proxmox Setup and Part 2: pfSense Configuration.
How this can be presented on your resume: “Designed and deployed a virtualized network environment using Proxmox and pfSense, implementing strict network segmentation and VLANs to simulate an enterprise architecture.”
Project 2: Network Traffic Analysis (NIDS)#
The Skill: Packet Analysis & Intrusion Detection
A SOC analyst spends a huge amount of time looking at network traffic. Can you spot a port scan? Can you see cleartext passwords moving across the wire?
For this project, you will deploy Security Onion, a Linux distribution packed with tools like Zeek (formerly Bro) and Suricata. Your goal is to monitor the traffic flowing between your virtual machines and identify anomalies.
How to do it: You need to set up a “span port” (mirror port) within your virtual environment so the NIDS sees all the traffic between your VLANs, not just the packets addressed to its own VM. Whatever you mirror, verify it: run a scan from the Attacker network against a Victim host and confirm the packets show up in Security Onion before you trust any of its dashboards.
The Guide: Part 3: Essential Lab Tools - Security Onion.
How this can be presented on your resume: “Deployed Security Onion to monitor network traffic, utilizing Suricata rules to detect unauthorized port scanning and Zeek logs for protocol analysis.”
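Before you trust a Suricata or Zeek alert for the port scan mentioned above, it helps to know what the detection actually looks like in the data. The following is an added example (not code from the original page or from Security Onion) that reads a Zeek conn.log by its `#fields` header and flags a source that hits many distinct ports on one host inside a time window. The log excerpt is constructed; the thresholds and window are assumptions to tune in your own lab.

```python
"""Port-scan detection over a Zeek conn.log, as you would prototype it before
writing the equivalent Suricata or Security Onion alert.  Added example; the
log lines below are constructed, not captured from a real lab."""
from collections import defaultdict

# Constructed Zeek conn.log excerpt (tab-separated, with Zeek's "#fields" header).
# 203.0.113.5 probes eight ports on 10.10.10.20 within a second and gets REJ/S0
# (refused / no answer) on most of them; 10.10.10.30 is a normal client; 192.0.2.9
# runs the same scan slowly, one port every 200 seconds.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\tconn_state",
    "1700000000.10\tC1\t203.0.113.5\t40001\t10.10.10.20\t21\ttcp\t-\t0.001\tREJ",
    "1700000000.20\tC2\t203.0.113.5\t40002\t10.10.10.20\t22\ttcp\tssh\t0.500\tSF",
    "1700000000.30\tC3\t203.0.113.5\t40003\t10.10.10.20\t23\ttcp\t-\t0.001\tREJ",
    "1700000000.40\tC4\t203.0.113.5\t40004\t10.10.10.20\t25\ttcp\t-\t3.000\tS0",
    "1700000000.50\tC5\t203.0.113.5\t40005\t10.10.10.20\t80\ttcp\t-\t0.001\tREJ",
    "1700000000.60\tC6\t203.0.113.5\t40006\t10.10.10.20\t443\ttcp\t-\t0.001\tREJ",
    "1700000000.70\tC7\t203.0.113.5\t40007\t10.10.10.20\t445\ttcp\t-\t0.002\tRSTO",
    "1700000000.80\tC8\t203.0.113.5\t40008\t10.10.10.20\t3389\ttcp\t-\t3.000\tS0",
    "1700000001.00\tC9\t10.10.10.30\t50001\t10.10.10.20\t443\ttcp\tssl\t2.500\tSF",
    "1700000002.00\tC10\t10.10.10.30\t50002\t10.10.10.20\t80\ttcp\thttp\t0.300\tSF",
    "1700000000.00\tC11\t192.0.2.9\t41001\t10.10.10.20\t22\ttcp\t-\t0.001\tREJ",
    "1700000200.00\tC12\t192.0.2.9\t41002\t10.10.10.20\t80\ttcp\t-\t0.001\tREJ",
    "1700000400.00\tC13\t192.0.2.9\t41003\t10.10.10.20\t443\ttcp\t-\t0.001\tREJ",
    "1700000600.00\tC14\t192.0.2.9\t41004\t10.10.10.20\t445\ttcp\t-\t0.001\tREJ",
    "1700000800.00\tC15\t192.0.2.9\t41005\t10.10.10.20\t3389\ttcp\t-\t0.001\tREJ",
])

# conn_state values that mean the SYN got no useful answer: REJ (RST to SYN),
# S0 (no reply), RSTO/RSTOS0 (originator reset a half-open connection).
FAILED_STATES = {"REJ", "S0", "RSTO", "RSTOS0"}


def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the #fields header,
    so the code does not depend on Zeek's column order."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue  # truncated or foreign line: skip rather than crash the pipeline
        yield dict(zip(fields, values))


def detect_port_scans(records, threshold=5, window=60.0):
    """Return {(src, dst): sorted failed ports} for every src that hit at least
    `threshold` distinct TCP ports on dst inside any `window` seconds."""
    hits = defaultdict(list)  # (src, dst) -> [(ts, dst_port), ...]
    for r in records:
        if r["proto"] != "tcp" or r["conn_state"] not in FAILED_STATES:
            continue
        hits[(r["id.orig_h"], r["id.resp_h"])].append((float(r["ts"]), int(r["id.resp_p"])))

    alerts = {}
    for pair, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over time-ordered hits
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({port for _, port in events[start:end + 1]}) >= threshold:
                alerts[pair] = sorted({port for _, port in events})
                break
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"port scan: {src} -> {dst} ports {ports}")
```

Run it once with the default 60-second window and once with `window=1000.0`: the fast scanner is caught both times, the slow scanner only the second time. That is exactly the trade-off you are making when you tune an IDS threshold, and it is worth showing an interviewer you understand it.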
Project 3: Log Ingestion & Visualization (SIEM)#
The Skill: SIEM Architecture (Splunk)
This is the big one. The SIEM (Security Information and Event Management) is the cockpit of the SOC. If you can list “Splunk Dashboard Creation” on your resume, you are ahead of most applicants.
For this project, you shouldn’t just install Splunk. You need to ingest data. Install the Splunk Universal Forwarder on your Windows/Linux VMs and send those logs to your Splunk indexer. Then build a map that shows where SSH login attempts are coming from, geolocated by source IP.
How to do it: Splunk is free for up to 500 MB of indexed logs per day, which is plenty for a home lab.
The Guide: Part 4: Setting up and Configuring Splunk.
How this can be presented on your resume: “Configured a Splunk Enterprise environment to ingest system and network logs. Developed custom dashboards to visualize failed authentication attempts and brute-force attacks.”
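The failed-authentication dashboard above is only useful if you know what a brute-force attempt looks like in the raw log. The following is an added example (not from the original page or from Splunk) that parses the sshd lines the forwarder will ship from /var/log/auth.log and raises an alert when one source IP fails repeatedly inside a window, escalating if that IP then logs in successfully. The log lines, the 2024 year used to complete the syslog timestamps, and the thresholds are all constructed assumptions.

```python
"""SSH brute-force detection over Linux auth logs, the logic you would later
express as a Splunk search once the Universal Forwarder ships /var/log/auth.log.
Added example; the log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt in the syslog format OpenSSH writes on Debian/Ubuntu:
# a password-spray from 203.0.113.45 that ends in a successful root login, and one
# legitimate user who mistyped a password once.
SAMPLE_AUTH_LOG = """\
Jan 12 10:15:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Jan 12 10:15:03 web01 sshd[2203]: Failed password for invalid user oracle from 203.0.113.45 port 51236 ssh2
Jan 12 10:15:05 web01 sshd[2205]: Failed password for root from 203.0.113.45 port 51240 ssh2
Jan 12 10:15:07 web01 sshd[2207]: Failed password for root from 203.0.113.45 port 51244 ssh2
Jan 12 10:15:09 web01 sshd[2209]: Failed password for root from 203.0.113.45 port 51248 ssh2
Jan 12 10:15:12 web01 sshd[2211]: Accepted password for root from 203.0.113.45 port 51250 ssh2
Jan 12 10:20:00 web01 sshd[2300]: Failed password for deploy from 198.51.100.7 port 40000 ssh2
Jan 12 10:20:04 web01 sshd[2302]: Accepted password for deploy from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)


def parse_auth_log(text, year=2024):
    """Yield parsed sshd auth events.  syslog timestamps carry no year, so the
    caller supplies one (assumption for this example: 2024)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # sudo, cron and other non-sshd lines
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        yield ev


def detect_brute_force(events, threshold=5, window_s=300):
    """Alert on any source IP with >= threshold failed logins inside window_s
    seconds.  If the same IP then logs in successfully, escalate: that is no
    longer a brute-force attempt, it is a probable account compromise."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        burst_end, start = None, 0
        for end in range(len(fails)):          # sliding window over failures
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end]["ts"]
                break
        if burst_end is None:
            continue
        success = [e for e in evs if e["result"] == "Accepted" and e["ts"] >= burst_end]
        alerts.append({
            "src": src,
            "failures": len(fails),
            "users_tried": sorted({e["user"] for e in fails}),
            "severity": "critical" if success else "high",
            "logged_in_as": sorted({e["user"] for e in success}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

In Splunk the same grouping is a `stats count by src` over the failed-login events; the map on the dashboard comes from piping those source IPs through `iplocation` and then `geostats`. Prototyping the logic in a script first tells you what threshold and window you want before you commit them to a saved search.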
Project 4: Automated Malware Analysis Sandbox#
The Skill: Threat Intelligence & Reverse Engineering
Every SOC analyst eventually encounters a suspicious file. “Is this invoice.pdf.exe safe?”
Instead of running it on your host machine, you will build a dedicated Sandbox. This project involves setting up CAPEv2, an automated malware analysis system that detonates the file in a secure, separate guest VM, records what it does, and produces a report.
How to do it: This requires careful configuration to ensure the malware doesn’t escape: put the analysis guest on its own isolated VLAN with no route to the rest of your lab, disable shared folders and clipboard sharing, and revert the guest to a clean snapshot after every run.
The Guide: Part 5: Setup and Configure CAPEv2.
How this can be presented on your resume: “Maintained a self-hosted CAPEv2 malware sandbox for automated dynamic analysis, extracting Indicators of Compromise (IoCs) from suspicious artifacts.”
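Before a sample like “invoice.pdf.exe” ever goes into the sandbox, an analyst does a quick static triage: hash it, check what the bytes really are versus what the filename claims, and pull any network indicators out of its strings. The following is an added example of that step (not part of CAPEv2 and not from the original page); the “file” it inspects is a constructed byte string with a PE header skeleton and a few planted strings, not real malware.

```python
"""Pre-detonation static triage of a suspicious attachment: hash it, check what
the bytes really are versus what the filename claims, and pull network IoCs out
of its strings before it ever goes into the sandbox.  Added example, not part
of CAPEv2; the "file" below is a constructed stand-in, not real malware."""
import hashlib
import re

# Constructed stand-in for invoice.pdf.exe: a minimal MZ/PE header skeleton
# followed by the kind of strings a downloader carries.  It is not a valid
# executable; it only looks like one to a magic-byte check.
SAMPLE_FILE = (
    b"MZ" + b"\x90" * 58 + (0x80).to_bytes(4, "little")  # e_lfanew at offset 60 -> PE header at 0x80
    + b"\x00" * (0x80 - 64)
    + b"PE\x00\x00" + b"\x00" * 20
    + b"http://203.0.113.77/update/payload.bin\x00"
    + b"C:\\Users\\Public\\svchost.exe\x00"
    + b"198.51.100.23:4444\x00"
)

MAGIC = [(b"MZ", "pe"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip/office"), (b"\x7fELF", "elf")]

# Document-looking name with an executable extension behind it (invoice.pdf.exe).
DOUBLE_EXT_RE = re.compile(r"\.(?:pdf|docx?|xlsx?|jpe?g|png|txt)\.(?:exe|scr|com|pif|bat|js|vbs|lnk)$", re.I)
URL_RE = re.compile(rb"https?://[\w.\-]+(?::\d+)?(?:/[\w./\-?=&%]*)?")
IP_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")


def file_type(data):
    """Identify the file by its magic bytes, not its name.  For MZ files also
    verify the PE signature that e_lfanew points at."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            if kind == "pe":
                e_lfanew = int.from_bytes(data[60:64], "little")
                if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
                    return "mz-without-pe"
            return kind
    return "unknown"


def defang(ioc):
    """Make an indicator safe to paste into a ticket or chat."""
    return ioc.replace("http", "hxxp").replace(".", "[.]")


def extract_iocs(data):
    """URLs and IP:port pairs found in the raw bytes, de-duplicated and defanged."""
    urls = sorted({m.decode("ascii", "replace") for m in URL_RE.findall(data)})
    ips = sorted({m.decode("ascii", "replace") for m in IP_RE.findall(data)})
    return {"urls": [defang(u) for u in urls], "ips": [defang(i) for i in ips]}


def triage(filename, data):
    """Everything a SOC analyst wants in the ticket before submitting to CAPE."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "claimed_ext": filename.rsplit(".", 1)[-1].lower(),
        "actual_type": file_type(data),
        "deceptive_name": bool(DOUBLE_EXT_RE.search(filename)),
        "iocs": extract_iocs(data),
    }


if __name__ == "__main__":
    for key, value in triage("invoice.pdf.exe", SAMPLE_FILE).items():
        print(f"{key}: {value}")
```

The SHA-256 is what you pivot on (threat-intel lookups, other hosts, the CAPE report itself); the magic-byte check catches the “PDF” that is really a PE; the defanged IoCs are what go into the ticket so nobody clicks them. The dynamic report from CAPEv2 then tells you whether the sample actually reached those hosts.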
Project 5: Adversary Emulation (Purple Teaming) – “COMING SOON”#
The Skill: Incident Response & Testing
You have the castle (Network), the guards (Firewall), the cameras (Security Onion), and the alarm system (Splunk). Now, you need a thief.
For your final project, you will simulate a real attack to see if your tools actually work. We will use Atomic Red Team, a library of simple tests mapped to the MITRE ATT&CK framework.
The Project Task:
1. On your Windows Server (from Part 3), download the Atomic Red Team framework. Take a snapshot first, and keep the server on the Victim VLAN so the test traffic stays inside the lab.
2. Run Test T1003.001 (OS Credential Dumping: LSASS Memory) from an elevated prompt; reading LSASS memory requires administrator rights.
3. Go to your Splunk Dashboard (from Part 4). Did it alert?
4. If not, write a new detection rule to catch it, then re-run the test to confirm the rule fires.
This loop (Attack, Detect, Tune) is the essence of “Purple Teaming.”
Add this to your Resume: “Executed adversary emulation plans using Atomic Red Team mapped to MITRE ATT&CK. Tuned SIEM alert logic based on generated telemetry to reduce false negatives.”
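If step 3 comes back with no alert, step 4 is where most people get stuck, so here is what a detection for T1003.001 looks like in logic form. The following is an added example, not from the original page or from Atomic Red Team: it assumes the Windows VM runs Sysmon with a ProcessAccess rule covering lsass.exe (the page does not say which telemetry source is used) and that those Event ID 10 records reach Splunk. The events, the allowlist entries and the severity rules are constructed assumptions to tune in your own lab.

```python
"""Detection for T1003.001 (LSASS memory dumping) over Sysmon Event ID 10
(ProcessAccess) telemetry, written as the Python you would test against before
porting the logic to a Splunk alert.  Added example: it assumes the Windows VM
runs Sysmon with a ProcessAccess rule for lsass.exe, and the events below are
constructed."""

PROCESS_VM_READ = 0x0010          # without this access right nothing can read LSASS memory

# Processes that legitimately open LSASS with VM_READ in many environments.
# These are examples to tune per environment, not a vetted list.
DEFAULT_ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
}

# Libraries behind MiniDumpWriteDump, which procdump, Task Manager and
# comsvcs.dll all use; seeing them in the CallTrace is a strong dump indicator.
DUMP_LIBRARIES = ("dbghelp.dll", "dbgcore.dll")

# Constructed Sysmon Event ID 10 records (only the fields the rule needs).
SAMPLE_EVENTS = [
    {   # Atomic Red Team style: procdump reading LSASS with full access
        "UtcTime": "2025-01-12 10:31:02.100",
        "SourceImage": r"C:\Users\atomic\AppData\Local\Temp\procdump64.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe",
        "GrantedAccess": "0x1FFFFF",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4f4|C:\Windows\System32\dbgcore.dll+2c9a1",
    },
    {   # Defender scanning: expected noise
        "UtcTime": "2025-01-12 10:31:05.000",
        "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe",
        "GrantedAccess": "0x1010",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4f4",
    },
    {   # Query-only access (no VM_READ): cannot dump memory
        "UtcTime": "2025-01-12 10:31:07.000",
        "SourceImage": r"C:\Windows\explorer.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe",
        "GrantedAccess": "0x1400",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4f4",
    },
    {   # System binary reading LSASS without a dump library in the trace
        "UtcTime": "2025-01-12 10:31:09.000",
        "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe",
        "GrantedAccess": "0x1410",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4f4",
    },
]


def classify(event, allowlist=frozenset(DEFAULT_ALLOWLIST)):
    """Return None for benign, otherwise a severity string for this ProcessAccess event."""
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return None
    if not int(event["GrantedAccess"], 16) & PROCESS_VM_READ:
        return None                                   # cannot read memory
    source = event["SourceImage"].lower()
    if source in allowlist:
        return None                                   # tuned-out known-good reader
    trace = event["CallTrace"].lower()
    if any(lib in trace for lib in DUMP_LIBRARIES) or "\\users\\" in source:
        return "high"                                 # dump API in use, or untrusted location
    return "medium"


def detect_lsass_access(events, allowlist=frozenset(DEFAULT_ALLOWLIST)):
    """Run the rule over a batch of events; returns one alert dict per hit."""
    alerts = []
    for ev in events:
        severity = classify(ev, allowlist)
        if severity:
            alerts.append({
                "time": ev["UtcTime"],
                "source": ev["SourceImage"],
                "access": ev["GrantedAccess"],
                "severity": severity,
                "technique": "T1003.001",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_lsass_access(SAMPLE_EVENTS):
        print(alert)
```

The “Tune” step is the `allowlist` argument: when the rule fires on a process you have verified as legitimate, add its path and re-run, and watch that the procdump hit still fires. Matching on the VM_READ bit rather than on exact GrantedAccess values is deliberate, because dump tools request different masks but all of them need to read memory.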
Summary: Go Build It.#
Reading about swimming doesn’t teach you how to swim. Reading about cybersecurity doesn’t make you a defender.
If you build these 5 projects, you will have a GitHub repository full of config files, a portfolio full of screenshots, and a resume that proves you can do the job.
Ready to start? Head over to Part 1: Hardware & Proxmox Setup and let’s get to work.