- SIEM platforms (Splunk, Microsoft Sentinel) – the operational centre of analyst work. Appear in 70%+ of job postings. Non-negotiable.
- EDR/XDR (CrowdStrike, SentinelOne) – endpoint detection and response. Appear in 65%+ of postings. Required for any SOC role.
- Network analysis tools (Wireshark, Zeek, Suricata) – reading traffic is foundational. Cannot be skipped.
- Vulnerability scanners (Nessus, Qualys) – identify what to fix before attackers exploit it.
- Threat intelligence platforms (Recorded Future, MISP) – understand adversary TTPs, not just individual alerts.
- SOAR platforms (Palo Alto XSOAR) – automate the repetitive triage work that consumes analyst time.
- Digital forensics tools (Autopsy, Volatility) – reconstruct what happened after a breach.
- Penetration testing tools (Nmap, Burp Suite) – analysts who understand offensive tools write better detections.
- IAM tools (Okta, Azure AD, CyberArk) – identity is the primary attack surface. Analysts must read IAM logs fluently.
- Cloud security tools (AWS GuardDuty, Prisma Cloud) – cloud exposure is now unavoidable in every enterprise environment.
- Scripting and automation (Python, PowerShell) – analysts who cannot script are bottlenecked on manual tasks.
Cybersecurity analysts do not sit in one tool all day. On a typical shift, a Tier 1 analyst might triage 200 SIEM alerts, investigate an EDR alert showing suspicious process execution, pull a Wireshark capture to verify traffic patterns, enrich indicators through a threat intelligence platform, and write a Python script to automate a recurring lookup task.
Every tool on this list serves a distinct function. None of them overlap enough to be replaced by another. Understanding what each tool does, when to use it, and how proficient you need to be at each career stage is the difference between a candidate who looks good on paper and one who performs on the first day.
All 11 tools at a glance
| Tool | Category | Top product examples | Job posting frequency | Priority tier |
|---|---|---|---|---|
| SIEM | Detection | Splunk, Microsoft Sentinel, IBM QRadar | Very high (70%+ of postings) | Tier 1: learn first |
| EDR / XDR | Endpoint | CrowdStrike Falcon, SentinelOne, Defender XDR | Very high (65%+ of postings) | Tier 1: learn first |
| Network analysis | Network | Wireshark, Zeek, Suricata | High (50%+ of postings) | Tier 1: learn first |
| Vulnerability scanner | Prevention | Nessus, Qualys, Rapid7 | High (45%+ of postings) | Tier 1: learn first |
| Threat intelligence | Analysis | Recorded Future, MISP, OpenCTI | High (40%+ of postings) | Tier 2: build next |
| SOAR | Automation | Palo Alto XSOAR, Splunk SOAR, Sentinel playbooks | Medium (30%+ of postings) | Tier 2: build next |
| Digital forensics | Investigation | Autopsy, Volatility, FTK Imager | Medium (30%+ of postings) | Tier 2: build next |
| Pen testing tools | Offensive | Nmap, Metasploit, Burp Suite | Medium (25%+ of postings) | Tier 2: build next |
| IAM tools | Identity | Okta, Azure AD, CyberArk | High (35%+ of postings) | Tier 2: build next |
| Cloud security (CSPM) | Cloud | Prisma Cloud, AWS GuardDuty, Defender for Cloud | Very high (55%+ of postings) | Tier 2: build next |
| Scripting and automation | Operations | Python, PowerShell, Bash | High (40%+ of postings) | Tier 1: learn first |
Tier 1 tools are the ones that appear in interview questions at every level. Build these first. Tier 2 tools are expected at mid level and above. Cloud security proficiency has moved from Tier 2 to near-Tier 1 in 2026: analysts who cannot read cloud-native logs are increasingly uncompetitive for roles above entry level.
The 11 tools explained: what they do and how analysts use them
1 SIEM platforms: the operational centre of SOC work
Security Information and Event Management platforms ingest logs from every source in the environment: endpoints, firewalls, cloud platforms, identity providers, email gateways, and applications. They correlate events across those sources simultaneously, surface anomalies against baseline behaviour, and generate alerts for analysts to investigate.
A Tier 1 analyst’s primary workstation is the SIEM. Triaging alerts, writing SPL or KQL queries to investigate suspicious activity, building dashboards for key security metrics, and escalating confirmed threats all happen inside the SIEM. Proficiency in at least one SIEM platform is the single most universal expectation in cybersecurity analyst job postings.
- Primary platforms: Splunk Enterprise Security (dominant in large enterprise), Microsoft Sentinel (dominant in cloud-first organisations), IBM QRadar, Elastic SIEM
- Skills to build: SPL (Splunk’s query language), KQL (Kusto Query Language for Sentinel), log source normalisation, detection rule writing, dashboard creation
- Practice path: Splunk’s free training tier, TryHackMe Splunk rooms, LetsDefend SOC alert investigation scenarios
2 EDR and XDR platforms: endpoint visibility and automated response
Endpoint Detection and Response platforms monitor every device in the environment continuously for signs of compromise: suspicious process execution, unusual file modifications, abnormal outbound connections, and privilege escalation attempts. XDR extends this across endpoints, email, network, and cloud simultaneously, correlating signals that span multiple environments.
When a SIEM alert points to a specific endpoint, the analyst pivots to the EDR to investigate the process tree: what parent process spawned the suspicious activity, what files were touched, what network connections were made. The EDR is where endpoint forensics happen in real time, without the need to image the device.
- Primary platforms: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Palo Alto Cortex XDR
- Skills to build: Process tree analysis, threat hunting queries within the EDR, endpoint isolation procedures, behavioural detection rule creation
- 2026 context: AI-generated polymorphic malware rewrites itself to evade signature detection. Behavioural EDR platforms that flag what malware does rather than what it looks like are now the standard. Signature-only antivirus is not sufficient.
3 Network analysis tools: reading what moves across the wire
Network analysis tools capture, inspect, and interpret network traffic. Wireshark captures and decodes packets down to the byte level. Zeek transforms raw traffic into structured logs covering DNS lookups, HTTP requests, SSL certificates, and connection metadata. Suricata functions as a network IDS/IPS, matching traffic against signatures and anomaly rules and generating alerts.
Analysts use network tools to verify whether a suspicious endpoint is communicating with known malicious infrastructure, to identify unencrypted sensitive data in transit, and to reconstruct attack paths from packet-level evidence. The ability to read a packet capture and identify what is normal versus suspicious is a foundational skill that no tool automates away.
- Primary tools: Wireshark (packet analysis), Zeek (network logging), Suricata (IDS/IPS), tcpdump (command-line capture), Nmap (scanning)
- Skills to build: TCP handshake analysis, DNS query inspection, identifying C2 beacon patterns, reading Zeek logs, writing Suricata rules
- Practice resource: Malware Traffic Analysis (malware-traffic-analysis.net) provides real packet captures from documented attack scenarios for practice
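The C2 beacon pattern mentioned above is one of the few network detections that works without a signature: a beacon calls home on a timer, so its connection intervals are far more regular than a person's browsing. The script below, an added example that is not part of the original article, reads a trimmed, constructed Zeek conn.log (real files carry more columns; the parser takes column names from the `#fields` header, so that does not matter), groups connections by source, destination and port, and flags groups whose inter-connection intervals have a low coefficient of variation. The thresholds (`min_connections`, `max_cv`) are assumptions to tune against your own traffic.

```python
"""Beacon detection over a Zeek conn.log. Added illustration, not the article's code."""
import statistics
from collections import defaultdict

# Constructed, trimmed Zeek conn.log. The #fields header names the columns.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes",
    # Suspect flow: 8 connections roughly 60 s apart with sub-second jitter.
    "1700000000.000\tC1\t10.0.0.5\t49200\t203.0.113.10\t443\ttcp\tssl\t512\t1024",
    "1700000060.400\tC2\t10.0.0.5\t49201\t203.0.113.10\t443\ttcp\tssl\t512\t1024",
    "1700000119.800\tC3\t10.0.0.5\t49202\t203.0.113.10\t443\ttcp\tssl\t512\t1024",
    "1700000180.600\tC4\t10.0.0.5\t49203\t203.0.113.10\t443\ttcp\tssl\t512\t1024",
    "1700000240.100\tC5\t10.0.0.5\t49204\t203.0.113.10\t443\ttcp\tssl\t512\t1024",
    "1700000299.700\tC6\t10.0.0.5\t49205\t203.0.113.10\t443\ttcp\tssl\t512\t1024",
    "1700000360.300\tC7\t10.0.0.5\t49206\t203.0.113.10\t443\ttcp\tssl\t512\t1024",
    "1700000420.000\tC8\t10.0.0.5\t49207\t203.0.113.10\t443\ttcp\tssl\t512\t1024",
    # Ordinary browsing from the same host: irregular gaps.
    "1700000005.000\tC9\t10.0.0.5\t49300\t198.51.100.20\t80\ttcp\thttp\t300\t9000",
    "1700000017.000\tC10\t10.0.0.5\t49301\t198.51.100.20\t80\ttcp\thttp\t280\t7000",
    "1700000131.000\tC11\t10.0.0.5\t49302\t198.51.100.20\t80\ttcp\thttp\t310\t8000",
    "1700000140.000\tC12\t10.0.0.5\t49303\t198.51.100.20\t80\ttcp\thttp\t290\t6500",
    # Too few connections to judge regularity.
    "1700000010.000\tC13\t10.0.0.7\t50100\t203.0.113.10\t443\ttcp\tssl\t512\t1024",
    "1700000070.000\tC14\t10.0.0.7\t50101\t203.0.113.10\t443\ttcp\tssl\t512\t1024",
    "#close 2023-11-14-22-47-00",
])


def parse_conn_log(text):
    """Return one dict per record, keyed by the column names in the #fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other Zeek metadata lines (#separator, #close, ...)
        if fields is None:
            raise ValueError("record appears before the #fields header")
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def find_beacons(records, min_connections=5, max_cv=0.1):
    """Group by (source, destination, port) and flag groups with at least
    min_connections whose interval coefficient of variation (stdev / mean) is
    at or below max_cv. Both thresholds are assumptions to tune per environment."""
    times = defaultdict(list)
    for r in records:
        times[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    hits = []
    for (src, dst, port), ts in times.items():
        if len(ts) < min_connections:
            continue
        ts.sort()
        intervals = [later - earlier for earlier, later in zip(ts, ts[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port, "count": len(ts),
                         "mean_interval": round(mean, 2), "cv": round(cv, 4)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']} every ~{hit['mean_interval']}s "
              f"({hit['count']} connections, cv={hit['cv']})")
```

Run it against a real conn.log by replacing `SAMPLE_CONN_LOG` with the file contents; a bigger window (hours, not minutes) and a higher `min_connections` cut false positives from legitimate pollers such as update checks, which also look periodic and should be baselined rather than alerted on.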
4 Vulnerability scanners: finding weaknesses before attackers do
Vulnerability scanners systematically probe systems, networks, and applications to identify known vulnerabilities, misconfigurations, and missing patches. They match findings against CVE databases, assign CVSS severity scores, and generate prioritised remediation reports.
Analysts use vulnerability scan data to understand the organisation’s attack surface, to prioritise patching based on exploitability in the current threat context, and to verify that remediation was effective after a patch is applied. The most important skill here is prioritisation: a scan of a large environment generates thousands of findings. Knowing which critical CVEs are being actively exploited right now, using resources like the CISA Known Exploited Vulnerabilities catalogue, separates effective analysts from those who produce long lists without context.
- Primary tools: Nessus (Tenable), Qualys, Rapid7 InsightVM, OpenVAS
- Skills to build: Interpreting CVSS scores in context, using CISA KEV for prioritisation, comparing scan results over time to track remediation progress
5 Threat intelligence platforms: understanding the adversary
Threat intelligence platforms collect, analyse, and operationalise information about threat actors: their tactics, techniques, and procedures (TTPs), their infrastructure, their preferred targets, and their active campaigns. They enrich raw indicators of compromise (IP addresses, domains, file hashes) with contextual information about who is using them and what for.
The MITRE ATT&CK framework is the foundational reference for this work. It maps adversary behaviours to specific techniques and sub-techniques, providing a common vocabulary for describing what an attacker did and where in the kill chain they were. Analysts who can map a SIEM alert to a MITRE ATT&CK technique and then look up current threat actor use of that technique are operating at a fundamentally higher level than those who only respond to individual alerts.
- Primary platforms: Recorded Future, MISP (open-source), OpenCTI, ThreatConnect, VirusTotal (for quick IOC lookups)
- Framework: MITRE ATT&CK Navigator for mapping detections and identifying coverage gaps
- Skills to build: IOC enrichment, threat actor profiling, CTI report writing, MITRE ATT&CK mapping
6 SOAR platforms: automating the repetitive work
Security Orchestration, Automation and Response platforms execute predefined response playbooks automatically when alerts are triggered: isolating a compromised endpoint, disabling a breached account, blocking a malicious IP, enriching an alert with threat intelligence lookups, and creating a ticket in the incident management system, all without waiting for a human analyst to execute each step manually.
SOAR directly addresses the alert fatigue problem. An analyst who manually handles every step of every alert investigation burns out. An analyst whose SOAR platform handles the automatable steps, leaving only the judgment calls, investigates more incidents more thoroughly. Organisations with mature SOAR implementations reduce analyst triage time by more than 40% on average.
- Primary platforms: Palo Alto XSOAR, Splunk SOAR, Microsoft Sentinel playbooks, Tines
- Skills to build: Playbook design, Python scripting for custom SOAR integrations, understanding which tasks to automate versus which require human judgment
7 Digital forensics tools: reconstructing what happened
Digital forensics tools collect, preserve, and analyse evidence from compromised systems. They answer the questions that matter after a breach: how did the attacker get in, what did they access, what did they take, and how long were they there. Forensic evidence also determines legal liability and regulatory reporting obligations.
The critical principle is evidence integrity. Any action on a compromised system that modifies data can invalidate forensic evidence. Analysts must understand how to create forensic images, analyse artefacts without altering them, and reconstruct attacker timelines from log entries, registry data, file system metadata, and memory contents.
- Primary tools: Autopsy (disk forensics), Volatility (memory forensics), FTK Imager (forensic imaging), KAPE (artefact collection), Velociraptor (live response)
- Skills to build: Memory dump analysis, Windows registry forensics, timeline reconstruction, log correlation for incident chronology
8 Penetration testing tools: why defenders need to think like attackers
Cybersecurity analysts are not penetration testers. But analysts who understand offensive tools write significantly better detection rules. Knowing how Nmap scans a network helps you recognise what a real scan looks like in your SIEM logs. Understanding how Metasploit generates payloads helps you write EDR detection rules that catch similar behaviour. Knowing Burp Suite’s interception methods helps you identify what an active web application attack looks like in your WAF logs.
Nmap is relevant at every level. It appears in both offensive security and defensive security contexts and is one of the most commonly named tools in cybersecurity analyst job postings. Understanding what it does is not optional.
- Tools every analyst should understand: Nmap (network scanning), Metasploit (exploitation framework for understanding attack paths), Burp Suite (web application testing)
- Platforms for safe practice: TryHackMe, Hack The Box, home lab environments
9 Identity and access management tools: the attack surface analysts cannot ignore
Identity has become the primary attack surface in modern environments. The 2024 Change Healthcare breach exploited stolen credentials with no MFA. The 2024 Snowflake campaign compromised hundreds of organisations through credential stuffing against accounts without MFA. In both cases, attackers authenticated successfully using legitimate credentials. They did not trigger network-based detections because they looked like authorised users.
Analysts must be able to read IAM logs fluently: recognise abnormal access patterns, identify accounts accessing resources they never normally touch, detect MFA bypass attempts, and spot service accounts with excessive permissions being exploited. This requires familiarity with how IAM systems structure their logs and what normal versus anomalous authentication looks like.
- Primary tools: Microsoft Azure Active Directory, Okta, CyberArk (privileged access management), SailPoint (identity governance)
- Key concept: Detecting lateral movement through identity: the moment a compromised account starts accessing systems outside its normal pattern is the detection opportunity most organisations miss.
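The detection opportunity described in the key concept above is a baseline-and-deviation check: learn what each account normally touches, then alert when it touches something new or drops a control it always used. The script below is an added example, not part of the original article or any vendor's product; its JSON-lines event format (`user`, `resource`, `result`, `mfa`, `src_ip`) is constructed for the example, so map the field names to whatever your IAM platform (Okta, Azure AD, CyberArk) actually emits. `min_baseline_logins` is an assumed threshold.

```python
"""Identity baseline-and-deviation detection over constructed authentication events.
Added illustration, not the article's code and not a vendor log schema."""
import json
from collections import defaultdict

# Constructed baseline window: successful logins that define "normal" per account.
BASELINE_LOG = "\n".join([
    '{"ts": "2026-03-02T08:01:00Z", "user": "alice", "resource": "hr-portal", "result": "success", "mfa": true, "src_ip": "10.1.1.10"}',
    '{"ts": "2026-03-02T08:05:00Z", "user": "alice", "resource": "payroll", "result": "success", "mfa": true, "src_ip": "10.1.1.10"}',
    '{"ts": "2026-03-03T08:02:00Z", "user": "alice", "resource": "mail", "result": "success", "mfa": true, "src_ip": "10.1.1.10"}',
    '{"ts": "2026-03-04T08:00:00Z", "user": "alice", "resource": "mail", "result": "success", "mfa": true, "src_ip": "10.1.1.10"}',
    '{"ts": "2026-03-05T08:03:00Z", "user": "alice", "resource": "hr-portal", "result": "success", "mfa": true, "src_ip": "10.1.1.10"}',
    '{"ts": "2026-03-02T09:10:00Z", "user": "bob", "resource": "git", "result": "success", "mfa": true, "src_ip": "10.1.2.20"}',
    '{"ts": "2026-03-03T09:12:00Z", "user": "bob", "resource": "ci", "result": "success", "mfa": true, "src_ip": "10.1.2.20"}',
    '{"ts": "2026-03-04T09:08:00Z", "user": "bob", "resource": "mail", "result": "success", "mfa": true, "src_ip": "10.1.2.20"}',
    '{"ts": "2026-03-05T09:11:00Z", "user": "bob", "resource": "git", "result": "success", "mfa": true, "src_ip": "10.1.2.20"}',
    '{"ts": "2026-03-02T02:00:00Z", "user": "svc-backup", "resource": "backup-share", "result": "success", "mfa": false, "src_ip": "10.1.9.5"}',
    '{"ts": "2026-03-03T02:00:00Z", "user": "svc-backup", "resource": "backup-share", "result": "success", "mfa": false, "src_ip": "10.1.9.5"}',
    '{"ts": "2026-03-04T02:00:00Z", "user": "svc-backup", "resource": "backup-share", "result": "success", "mfa": false, "src_ip": "10.1.9.5"}',
])

# Constructed detection window: the events to judge against the baseline.
NEW_LOG = "\n".join([
    '{"ts": "2026-03-09T08:01:00Z", "user": "alice", "resource": "mail", "result": "success", "mfa": true, "src_ip": "10.1.1.10"}',
    '{"ts": "2026-03-09T08:40:00Z", "user": "alice", "resource": "domain-controller", "result": "success", "mfa": true, "src_ip": "10.1.1.10"}',
    '{"ts": "2026-03-09T09:05:00Z", "user": "bob", "resource": "git", "result": "success", "mfa": false, "src_ip": "10.1.2.20"}',
    '{"ts": "2026-03-09T02:00:00Z", "user": "svc-backup", "resource": "backup-share", "result": "success", "mfa": false, "src_ip": "10.1.9.5"}',
    '{"ts": "2026-03-09T02:07:00Z", "user": "svc-backup", "resource": "finance-db", "result": "success", "mfa": false, "src_ip": "10.1.9.5"}',
    '{"ts": "2026-03-09T10:00:00Z", "user": "carol", "resource": "mail", "result": "success", "mfa": true, "src_ip": "10.1.3.30"}',
    '{"ts": "2026-03-09T10:30:00Z", "user": "alice", "resource": "payroll", "result": "failure", "mfa": true, "src_ip": "10.1.1.10"}',
])


def parse_events(text):
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(events):
    """Per account: resources seen and how many successful logins used MFA."""
    seen = defaultdict(lambda: {"resources": set(), "logins": 0, "mfa_logins": 0})
    for e in events:
        if e["result"] != "success":
            continue
        b = seen[e["user"]]
        b["resources"].add(e["resource"])
        b["logins"] += 1
        b["mfa_logins"] += 1 if e["mfa"] else 0
    return seen


def detect_deviations(baseline, events, min_baseline_logins=3):
    """Flag successful logins that deviate from the account's baseline:
    new_resource  - resource never seen for this account in the baseline window
    mfa_missing   - login without MFA for an account that always used MFA before
    no_baseline   - account with too little history to judge (review separately)"""
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue  # failed logins belong to a different (brute-force) detection
        b = baseline.get(e["user"])  # .get() does not create a default entry
        base = {"ts": e["ts"], "user": e["user"], "resource": e["resource"]}
        if b is None or b["logins"] < min_baseline_logins:
            alerts.append({**base, "type": "no_baseline"})
            continue
        if e["resource"] not in b["resources"]:
            alerts.append({**base, "type": "new_resource"})
        if not e["mfa"] and b["mfa_logins"] == b["logins"]:
            alerts.append({**base, "type": "mfa_missing"})
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse_events(BASELINE_LOG))
    for a in detect_deviations(baseline, parse_events(NEW_LOG)):
        print(f"{a['ts']} {a['type']:<13} user={a['user']} resource={a['resource']}")
```

The service account case shows why the MFA rule is relative to the account's own history: `svc-backup` never uses MFA, so its non-MFA login is not an alert, but its first access to `finance-db` is. In production the baseline window should be weeks rather than days, and the `no_baseline` bucket (new joiners, rarely used accounts) needs its own review queue rather than being dropped.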
10 Cloud security tools: the environment most attacks now target
The majority of enterprise infrastructure now runs in cloud environments. Attack activity follows it. Cloud security tools monitor cloud configurations for misconfigurations, detect abnormal activity in cloud-native logs, and enforce security policies across AWS, Azure, and GCP environments simultaneously.
Cloud-native logs are different from on-premise logs. AWS CloudTrail logs API calls. Azure Monitor captures activity logs and diagnostic data. GCP Cloud Logging aggregates logs from all GCP services. Analysts who cannot read these log formats and write queries against them are blind to the majority of attack activity in cloud-native environments. ISC2 identifies cloud security as the second most demanded skill globally after AI/ML.
- Primary tools: AWS GuardDuty (threat detection), Microsoft Defender for Cloud (CSPM + workload protection), Prisma Cloud (multi-cloud CSPM), GCP Security Command Centre
- Skills to build: Reading CloudTrail logs, identifying IAM role abuse in cloud environments, detecting storage bucket exposure, understanding shared responsibility model boundaries
11 Scripting and automation: the skill that multiplies everything else
Every tool on this list generates data. The analyst who can write a Python script to automate a lookup, parse a log format, correlate events across sources, or generate a formatted report works at a fundamentally different level than one who performs the same tasks manually every time.
Python is one of the most important languages. It appears in 40% of cybersecurity analyst job postings as a hard requirement. PowerShell is essential for Windows environment analysis and Active Directory investigation. Bash covers Linux-based security tooling and log processing. The goal is not software development proficiency. It is functional automation: the ability to write scripts that make your detection and response faster and more consistent.
- Start here: Write a Python script that takes a list of IP addresses and queries VirusTotal’s API for each one, then formats the results as a CSV report. That single exercise covers API interaction, file parsing, loop logic, and output formatting relevant to real SOC work.
- Next step: Automate a SOAR playbook step that was previously manual. Document what it does and how long it saves per alert.
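The starter exercise above, worked through as an added example (not code from the article or from Metana): read a list of IPs, look each one up, reduce the response to a row, and write a CSV. It targets VirusTotal's v3 `ip_addresses` endpoint with the `x-apikey` header and reads the `last_analysis_stats`, `as_owner` and `country` attributes; the sample responses and input list are constructed, the verdict thresholds are an assumption, and the lookup function is injectable so the parsing and reporting logic runs offline without a key.

```python
"""IP enrichment to CSV. Added example, not the article's code. Live lookups use
VirusTotal's v3 ip_addresses endpoint; everything else runs offline on constructed data."""
import csv
import io
import json
import os
import sys
import time
import urllib.request

VT_URL = "https://www.virustotal.com/api/v3/ip_addresses/{ip}"
FIELDS = ["ip", "malicious", "suspicious", "engines", "as_owner", "country", "verdict"]

# Constructed responses shaped like VT v3 replies; values are invented for the example.
SAMPLE_RESPONSES = {
    "203.0.113.10": {"data": {"attributes": {
        "last_analysis_stats": {"harmless": 60, "malicious": 12, "suspicious": 2, "undetected": 20, "timeout": 0},
        "as_owner": "EXAMPLE-AS-1", "country": "NL"}}},
    "198.51.100.20": {"data": {"attributes": {
        "last_analysis_stats": {"harmless": 85, "malicious": 0, "suspicious": 0, "undetected": 9, "timeout": 0},
        "as_owner": "EXAMPLE-CDN", "country": "US"}}},
    "192.0.2.7": {"data": {"attributes": {
        "last_analysis_stats": {"harmless": 70, "malicious": 1, "suspicious": 0, "undetected": 23, "timeout": 0},
        "as_owner": "EXAMPLE-HOSTING", "country": "DE"}}},
}
# Constructed input file contents: comments and blank lines are tolerated.
SAMPLE_IP_LIST = "# constructed watchlist\n203.0.113.10\n198.51.100.20\n\n192.0.2.7\n192.0.2.99\n"


def vt_lookup(ip, api_key, timeout=10):
    """Live lookup. Needs a real key; never called by the offline path below."""
    req = urllib.request.Request(VT_URL.format(ip=ip), headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def fake_lookup(ip):
    """Offline stand-in for vt_lookup that serves the constructed responses."""
    if ip not in SAMPLE_RESPONSES:
        raise KeyError(f"no sample response for {ip}")
    return SAMPLE_RESPONSES[ip]


def summarise(ip, response):
    """Reduce one response to a report row. The verdict rule is a local assumption."""
    attrs = response.get("data", {}).get("attributes", {})
    stats = attrs.get("last_analysis_stats", {})
    malicious = int(stats.get("malicious", 0))
    suspicious = int(stats.get("suspicious", 0))
    if malicious >= 5:
        verdict = "malicious"
    elif malicious + suspicious >= 1:
        verdict = "review"
    else:
        verdict = "clean"
    return {"ip": ip, "malicious": malicious, "suspicious": suspicious,
            "engines": sum(int(v) for v in stats.values()),
            "as_owner": attrs.get("as_owner", ""), "country": attrs.get("country", ""),
            "verdict": verdict}


def build_report(lines, lookup, delay=0.0):
    """One row per IP; a failed lookup becomes an error row instead of aborting the run."""
    rows = []
    for raw in lines:
        ip = raw.strip()
        if not ip or ip.startswith("#"):
            continue
        try:
            rows.append(summarise(ip, lookup(ip)))
        except Exception as exc:
            rows.append({**{f: "" for f in FIELDS}, "ip": ip, "verdict": f"error: {exc}"})
        if delay:
            time.sleep(delay)  # the public API is rate-limited; pace live lookups
    return rows


def rows_to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: VT_API_KEY=... python enrich.py ips.txt   (no key or file -> offline sample run)
    key = os.environ.get("VT_API_KEY")
    lookup = (lambda ip: vt_lookup(ip, key)) if key else fake_lookup
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_IP_LIST.splitlines()
    print(rows_to_csv(build_report(lines, lookup, delay=15.0 if key else 0.0)), end="")
```

Keeping the network call in its own function is what makes the script testable: the same `build_report` runs against `fake_lookup` in a unit test and against `vt_lookup` in production, and an error row for one unresolvable IP does not lose the rest of the report.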
Which tools should you learn first?
Learning all 11 simultaneously produces surface-level familiarity with everything and genuine competence in nothing. The sequence matters.
- Months 1 to 3: SIEM fundamentals (Splunk free training, TryHackMe SOC Level 1), network analysis basics (Wireshark for Beginners, Malware Traffic Analysis practice), Python scripting fundamentals.
- Months 3 to 6: EDR investigation practice (LetsDefend alert triage, CrowdStrike or SentinelOne free content), vulnerability scanner operation (Nessus Essentials free tier), Nmap fundamentals.
- Months 6 to 9: Threat intelligence integration (MITRE ATT&CK Navigator, VirusTotal, MISP), forensics fundamentals (Autopsy, Volatility), cloud security basics (AWS Security or Azure SC-200 curriculum).
- Year 1 onward: SOAR automation, advanced cloud security, IAM log analysis, specialisation certifications (CySA+, GCIH, CDSA).
Tool familiarity from tutorials is not the same as operational competence. Employers know the difference. The analysts who get hired and perform well are the ones who have investigated real alerts in realistic environments, documented their findings, and built a portfolio that shows the work. Certifications confirm knowledge. Portfolio writeups demonstrate judgment.
How Metana’s Cybersecurity Bootcamp builds these skills
Metana’s Cybersecurity Bootcamp covers the core tool set an analyst needs to be job-ready: SIEM operation, network security, threat detection, ethical hacking methodology, incident response, and compliance frameworks including GDPR, HIPAA, and SOC 2. Live instruction, 1:1 mentorship, hands-on labs, and a job guarantee: land a role paying at least $50,000 per year within 180 days of graduating or get your full tuition back.
Explore the Metana Cybersecurity Bootcamp
See the curriculum, graduate outcomes, and guarantee terms.
Explore at metana.io/cybersecurity-bootcamp →
FAQ
What tools do cybersecurity analysts use most?
SIEM platforms (Splunk, Microsoft Sentinel) appear in over 70% of cybersecurity analyst job postings and are the most universally required tool. EDR platforms (CrowdStrike, SentinelOne) appear in over 65% of postings. Wireshark for network analysis, Nessus for vulnerability scanning, and Python for automation are consistently listed across entry, mid, and senior-level roles.
Do cybersecurity analysts need to know all 11 tools?
Not at the same depth simultaneously. Tier 1 tools (SIEM, EDR, network analysis, vulnerability scanning, scripting) are expected at entry level. Tier 2 tools (threat intelligence, SOAR, forensics, cloud security) are expected at mid level and above. Cloud security has accelerated toward Tier 1 in 2026 as cloud environments become the dominant attack surface.
Is Python required for cybersecurity analysts?
Python appears in 40% of cybersecurity analyst job postings as a hard requirement. The expectation is functional automation ability, not software development proficiency. Analysts who can write scripts to automate alert enrichment, log parsing, and IOC lookups work significantly faster than those who perform the same tasks manually.
What SIEM platform should beginners learn first?
Splunk is the most widely deployed SIEM in enterprise environments and appears most frequently in job postings. Splunk offers a free training tier and free software for home lab use. Microsoft Sentinel is the dominant platform in cloud-first organisations and is equally important. Learning one deeply is more valuable than surface familiarity with both.
Do cybersecurity analysts need to know offensive security tools?
Not to the depth of a penetration tester. But analysts who understand how Nmap scans networks, how Metasploit generates payloads, and how Burp Suite intercepts web traffic write better detection rules because they understand what the attacks they are defending against actually look like. Basic familiarity with offensive tools makes defensive work significantly more effective.