Passed SAL1 on first attempt — 850/1000. Here’s what caught me off guard.
Just finished the SAL1 exam. 850/1000, first attempt, 3h 50m.
Three sections. Two passed, one didn’t — Section 2 (Fowl Play B1 v2). Incident classification was 150/150, which means I correctly identified everything. What cost me the section was escalation and the case report. The feedback was specific: missing precise timestamps, insufficient justification for escalation decisions, not enough context on the attacker — not just what happened, but who and why.
Section 3 (Red Alert: Command and Control) went better. 150/150 on both classification and escalation, 91/100 on the report.
What surprised me most about the exam format: there’s no hint about where to look. You get a scenario, logs, tools — and the question is what happened here. That’s closer to real work than anything else I’ve done on TryHackMe so far.
Background: I started learning security in November 2025, self-studying alongside freelance work and family. 228 rooms, 164-day streak. The SOC L1 path took about six months to complete.
Happy to answer questions about the exam format or the path.
My THM profile: tryhackme.com/p/duathron