I recently left my GRC position at Viettel Headquarters and moved “down” to take on a SOC Analyst Tier 3 role at Viettel Cyber Security. If you saw the title “Learning from Scratch”, you might be thinking — wait, SOC Tier 3 and starting from zero? :)))
And looking at my profile, most of my technical skills lean heavily toward offensive work — pentesting and red team stuff. So why take a Tier 3 SOC role? And do I really deserve it? Short answer: yes — and here’s why.
From GRC to Hands-On Security
During my two years at Viettel HQ, I worked in Governance, Risk, and Compliance (GRC) — managing policies and frameworks, and ensuring the organization met its security obligations. That role showed me something big: a large enterprise with vast IT infrastructure needs not just policies, but hands-on capabilities to protect that infrastructure.
Even though I wasn’t part of the SOC directly, I often worked with their tools and processes, and that exposure helped me understand the operational side of cybersecurity.
That’s when it hit me — every large business with complex IT infrastructure desperately needs people who can defend, detect, and respond. That’s what Blue Teams do.
The Blue and the Red: Two Sides of One Coin

In cybersecurity, Blue Teams protect, while Red Teams attack. I came from the Red side — pentesting, CTFs, exploit development. I loved the creativity and freedom of offense work.
But here’s something people often misunderstand:
A good defender must understand attackers — and a good attacker must understand defenses.
Red Teams simulate real adversaries to help enterprises test resilience. Blue Teams build detections, contain incidents, and strengthen the system. Both are essential. Both are challenging in their own way.
To outsiders, Red Teams often seem cooler: they “hack things,” move fast, and break barriers. Blue Teams appear quieter, process-driven, compliance-oriented, disciplined. But the truth is, without Blue Teams, no organization survives. A business can live without pentests for a month, but not without monitoring for a day.
The Backbone of Cybersecurity
From a business perspective, SOC services are the lifeblood of many cybersecurity companies. Enterprises cannot ignore SOC — the larger and more data-rich the company, the bigger the target and the stricter the compliance burden. That’s why companies either build or outsource their SOCs.
But how do you prove a SOC is good? Big vendors like Splunk make that obvious over time with market presence and mature tooling. A newcomer often leans on marketing: “our Red Team is so OP, our Research Team is so OP, so our Blue Team is too.” And honestly, that logic makes sense. If you know how to attack effectively, you can design better defenses.
If you know how guns work, you know how to make bulletproof vests.
What I Learned from the Red Side
When you watch real attack patterns in monitoring systems, you’ll be amazed at the creativity of real attackers. You’ll also realize how many gaps exist in your own systems. If you can only attack in CTFs or labs, your approach is often a blunt hammer — find the hole, smash through. Real-world adversaries are stealthy.
My experience as a pentester (web apps, CTFs, HTB labs, Active Directory, AV bypass, persistence, etc.) gave me an edge here. I recognize attack patterns in SIEM alerts — because, well, I’ve done those attacks myself. But being in SOC made me realize another truth:
You can’t fix what you can’t detect, and if you don’t understand attacker tradecraft, you can’t build the right detections.
Seeing my old attack methods pop up in SOC alerts taught me humility — and respect for defenders.
The GRC perspective
My GRC background turns out to be an unexpected advantage. It helps me bridge the technical and managerial sides of security — understanding not only how an incident happens, but why it matters for compliance, risk, and business continuity.

This cross-disciplinary perspective is exactly what a Tier 3 Analyst needs. It’s not just about triage or writing rules — it’s about understanding the full picture of organizational security.
What’s next
I see this SOC Tier 3 role as the next step in my journey — not a step down. It’s where I’ll deepen my understanding of real-world detection, response, and automation (SOAR, SIEM, and beyond).
At the same time, I’m keeping my Red Team roots alive. I’m working through the HTB Pentester Path, planning to earn HTB CPTS and later OSCP.
Like I said in my LinkedIn bio — I don’t idolize Red or Blue. Both are vital. I value balance — and mastery across both sides.
What this blog series will cover
This post is just the beginning. In the coming weeks, I’ll be documenting my learning path — covering both tools and mindset shifts, which might include:
- Sysinternals Suite (Autoruns, Process Monitor, Process Explorer)
- Wireshark
- SIEM and SOAR tools
- Detection engineering and incident response basics
- Lessons learned from real cases
If you’re also transitioning from Red to Blue, or simply curious how offensive skills translate into defense — follow along. I’ll share both my successes and mistakes, and hopefully help someone else starting this path too.