
TryHackMe SAL1 Certification: Honest Review, Exam Tips, and How I Passed It

  • Writer: Kyser Clark
  • May 15


The TryHackMe Security Analyst Level 1 (SAL1) certification is the platform's first official credential and an ambitious attempt to bridge practical blue team skills with entry-level industry recognition. As someone who took the exam twice (failing once, passing the second time), I’m giving you an unfiltered, practitioner-first breakdown. This guide will explain what SAL1 is, what it isn't, and most importantly, whether it's worth your time and money.




Note: This blog article is NOT sponsored


What is SAL1?

SAL1 is a hybrid certification that combines theory and hands-on practical elements. The exam has three components:


  1. Multiple-Choice Section: 80 questions, 60 minutes, worth 20% of your score.

  2. SOC Simulation 1: Two hours, hands-on alert triage, worth 40%.

  3. SOC Simulation 2: Another two-hour scenario, also worth 40%.


You get a 24-hour window to complete these three sections, but you only spend a maximum of five hours actively testing. The exam isn’t proctored, but it does require ID verification.


Who Is It For?

TryHackMe targets a broad audience, but SAL1 is best suited for:


  • Aspiring SOC Analysts

  • Entry-level Cybersecurity Analysts

  • Junior Blue Teamers

  • IT pros pivoting into security


It can be useful for red teamers or pentesters who want deeper insight into how defenders operate, but it’s not designed for offensive roles.


What Makes SAL1 Unique?

SAL1 simulates a Security Operations Center (SOC) environment where you receive alerts, determine if they’re true or false positives, escalate appropriately, and write detailed case reports. You’ll use a SIEM, a virtual machine, and multiple tools to make decisions.


You can batch related alerts together and write one detailed case report for all of them, which is a great time-saver. But if you’re vague or light on detail, you’ll lose points fast. This isn’t a "check-the-box" cert. You’re graded on precision.


The Secret Sauce to Passing

Here’s what you need to know upfront:


  • The Case Reports Matter... A LOT

    • My first attempt failed because I treated them like afterthoughts.

    • My second attempt passed because I wrote 5–6 paragraph case reports filled with technical details.

    • Include IPs, timestamps, usernames, URLs, and exact behaviors.


  • False Positives Will Hurt You

    • Marking false positives as real attacks costs you points.

    • "Better safe than sorry" doesn't work here. Accuracy over caution.


  • Slow is Smooth, Smooth is Fast

    • Don’t rush. Let your alert queue build up.

    • Correlate events before assigning them. Only assign related alerts.

    • Write one report for multiple events if they’re similar.


  • The Simulation Ends Unexpectedly

    • When you resolve the final true positive, the scenario ends.

    • Close out your false positives and write their reports first.


  • No Real-World Urgency Required

    • Unlike a real SOC, you’re not judged on speed.

    • Focus on accuracy, depth, and following scenario-specific rules.


Why I Failed the First Time

I underestimated the importance of the case reports. I breezed through the alerts, classified everything quickly, and gave weak write-ups. The result? I crushed the multiple-choice and did okay on classification and escalation, but I bombed the report sections.


Why I Passed the Second Time

  • Took my time.

  • Batched alerts properly.

  • Wrote deep, structured case reports.

  • Followed scenario instructions exactly.


Even though I technically failed one of the SOC simulations the second time, I scored so high on the other sections that I still passed. This means you can fail one part and still get certified.


SAL1 vs. CompTIA CySA+

Hands-on: SAL1 blows CySA+ out of the water. CySA+ has basic performance-based questions. SAL1 puts you in a live SOC environment.


Multiple-choice: CySA+ is tougher. The questions are more abstract, often with multiple correct answers, where you have to pick the "best" one. SAL1’s multiple-choice questions are easier and more straightforward.


Recognition: CySA+ is still more recognized. Hiring managers are familiar with it. SAL1 is brand new and will take time to gain traction.


Job readiness: SAL1 is better in terms of practical readiness, especially for someone who wants to be a SOC analyst. CySA+ is better for getting past HR filters.


Is It Worth It?

Yes, if you know what you're signing up for.


  • Price: At $297 (or $349 without a subscription), it’s a solid deal for a certification that includes hands-on labs, theory, and a free retake.

  • Prep: The SOC simulations in TryHackMe’s learning path are good practice. Don't skip them like I did if you want to pass on your first try.

  • Training Included: Comes with 3 months of premium TryHackMe access.


It’s not a silver bullet. No certification guarantees a job. But SAL1 gives you tangible skills and a taste of what real SOC work looks like. If you pair it with something like CySA+ for name recognition, you’ll be in a stronger position for entry-level roles.


Final Verdict

SAL1 gives aspiring analysts a practical, affordable, and well-structured way to showcase blue team skills. But you’ll need to take the exam seriously. If you skip the case reports or rush through the alerts, you’ll probably fail like I did.


If you want hands-on experience and you're willing to put in the work, SAL1 is absolutely worth it.


Want to become a SOC Analyst? Check out my complete career roadmap where I walk through every step I’d take if I were starting from scratch.
