Why I went for CDSA
I (re)found Hack The Box Academy at a good moment in my career and worked through the Windows Attack and Defense module and later the SOC Analyst job role path. Those modules added real depth around Windows security, incident handling, and how to structure investigations. I was hooked, and it felt like the right time to aim for the Certified Defensive Security Analyst (CDSA).
Preparation: what actually helped
My prep was less about "new tricks" and more about building repeatable habits. The biggest gains came from practicing the same workflows until they felt natural.
- Finishing the SOC Analyst path and revisiting the parts that felt weakest, especially incident handling.
- Hands‑on malware analysis in VMs to get comfortable with obfuscation, scripting payloads, and quick triage.
- Detection rule practice with YARA and SIGMA, plus a lot of log review in SIEMs.
- Tool familiarity with x64dbg, Chainsaw, Splunk, Velociraptor, and the Windows event ecosystem.
- Documentation habits in Obsidian so I could quickly reuse notes, queries, and templates.
Learning from the SOC Analyst Path
By the time I reached CDSA, I had completed the Windows Attack and Defense module and the SOC Analyst job role path. I kept my notes focused on what actually helped in practice: repeatable workflows, clear evidence trails, and a reporting structure I could reuse.
Windows Attack and Defense: patterns that stuck
This module sharpened my view of Active Directory abuse and weak configurations. We covered Kerberoasting, ASREPRoasting, GPP passwords, GPO permission abuse, credentials in shares/attributes, DCSync, Golden Tickets, constrained/unconstrained delegation, Print Spooler + NTLM relay, authentication coercion attacks, object ACL abuse, and AD CS misconfigurations (ESC1/ESC8).
What I leaned on most from the path
The backbone was incident handling and reporting. On the technical side, it was log analysis across Windows/Unix, SIEM searches, malware triage in VMs, and turning findings into YARA and Sigma detections. Tools that showed up the most in my notes were x64dbg, Chainsaw, Splunk, Velociraptor, and the Windows event ecosystem.
Module map (expanded)
- Incident Handling Process: the Cyber Kill Chain and the full lifecycle (Preparation, Detection & Analysis, Containment, Eradication, Recovery, Post-Incident), with a scenario case study and MITRE ATT&CK mapping.
- Security Monitoring & SIEM Fundamentals: SIEM architecture, log aggregation/normalization, alerting, contextualization, data flows, and use case design with a compliance mindset.
- Windows Event Logs & Finding Evil: event log anatomy, custom XML queries, Sysmon, and ETW, plus detection examples like DLL hijacking and PowerShell/.NET injection, and bulk analysis via Get-WinEvent.
- Threat Hunting & Hunting with Elastic: the hunting mindset, ties to risk assessment and incident handling, and hands-on hunting in Elastic with a named campaign case study.
- Understanding Log Sources & Investigating with Splunk: SPL fundamentals, data onboarding, efficient search habits, and building alerts for known TTPs and intrusion patterns.
- Windows Attacks & Defense: each attack follows Description, Attack, Prevention, Detection, and Honeypot, spanning Kerberos abuse, GPO/GPP misconfigurations, credential exposure, delegation pitfalls, and AD CS weaknesses.
- Intro to Network Traffic Analysis: the analysis process, tcpdump, and Wireshark for validating what is actually on the wire.
- Intermediate Network Traffic Analysis: link-layer attacks and anomaly detection based on traffic patterns like excessive SYN, ACK, and FIN flags.
- Working with IDS/IPS: practical work with Suricata, Snort, and Zeek, including operation modes, PCAP replay, and rule development.
- Introduction to Malware Analysis: static analysis, dynamic analysis, code analysis, and turning artifacts into detection rules.
- JavaScript Deobfuscation: unpacking and deobfuscation techniques to recover logic and extract IOCs.
- YARA & Sigma for SOC Analysts: writing YARA for file/memory hits and translating Sigma to SIEM queries with tools like Chainsaw and sigmac (the legacy converter; the current tooling is sigma-cli on pySigma, but the rule format is the same).
- Introduction to Digital Forensics: foundations for disk and memory work, artifact timelines, and tooling like KAPE and Volatility.
- Detecting Windows Attacks with Splunk: hands-on detection for Kerberos abuse, password spraying, pass-the-hash, and other Windows/AD behaviors using Sysmon and Security events.
- Security Incident Reporting: how to translate evidence into a clear incident report aligned with the handling stages.
The mix of SOC process, SIEM operations (Elastic/Splunk), threat hunting, Active Directory attack analysis, network visibility, IDS/IPS work, malware analysis, and DFIR is what I kept returning to during the exam week.
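The Sigma and Splunk-style detection logic those modules teach, as an added example that is not part of the original post or of HTB's material: a minimal Sigma-style evaluator run over constructed Security-log records (Event ID 4769 for a Kerberoasting pattern, 4625 for password spraying), with the hits folded into a time-sorted evidence list. The rule layout, the `aggregate` key standing in for a Splunk `stats dc(...) by` threshold, the sample events, usernames and IP addresses are all assumptions made for illustration.

```python
"""Sigma-style detections evaluated over constructed Windows Security events.

Added example (not HTB's or the post author's code). It mimics how a Sigma
rule's selection/filter blocks combine, how a Splunk-style distinct-count
threshold turns single 4625 events into a spraying signal, and how the hits
from several rules become one timeline.
"""
from collections import defaultdict

# Constructed sample records (not real telemetry). Field names follow the
# EventData names that Get-WinEvent and Splunk's XmlWinEventLog expose.
EVENTS = [
    # Kerberoasting pattern: one user requests RC4 (0x17) service tickets for user SPNs
    {"TimeCreated": "2024-05-01T09:00:01", "EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2024-05-01T09:00:02", "EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_http", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    # Benign noise: a machine-account SPN (filtered out) and an AES ticket (not RC4)
    {"TimeCreated": "2024-05-01T09:00:03", "EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2024-05-01T09:00:04", "EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    # Password-spraying pattern: one source fails against many distinct accounts
    {"TimeCreated": "2024-05-01T09:10:00", "EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.9", "LogonType": 3},
    {"TimeCreated": "2024-05-01T09:10:01", "EventID": 4625, "TargetUserName": "bob", "IpAddress": "10.0.0.9", "LogonType": 3},
    {"TimeCreated": "2024-05-01T09:10:02", "EventID": 4625, "TargetUserName": "carol", "IpAddress": "10.0.0.9", "LogonType": 3},
    {"TimeCreated": "2024-05-01T09:10:03", "EventID": 4625, "TargetUserName": "dave", "IpAddress": "10.0.0.9", "LogonType": 3},
    # Benign noise: one user mistyping their own password twice
    {"TimeCreated": "2024-05-01T09:12:00", "EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.20", "LogonType": 2},
    {"TimeCreated": "2024-05-01T09:12:05", "EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.20", "LogonType": 2},
]

# Rules use Sigma's selection/filter split and its field|modifier syntax.
# "aggregate" is a hypothetical key standing in for Splunk's
# `stats dc(TargetUserName) by IpAddress | where ... >= 3`.
KERBEROAST_RULE = {
    "title": "RC4 TGS request for a user SPN",
    "selection": {"EventID": 4769, "TicketEncryptionType": "0x17"},
    "filter": {"ServiceName|endswith": "$"},  # machine accounts are expected RC4 noise
}
SPRAY_RULE = {
    "title": "Failed logons against many accounts from one source",
    "selection": {"EventID": 4625},
    "aggregate": {"group_by": "IpAddress", "distinct": "TargetUserName", "min": 3},
}

def field_matches(event, key, expected):
    """Sigma-like comparison: case-insensitive equality, or an |endswith / |startswith / |contains modifier."""
    name, _, modifier = key.partition("|")
    if name not in event:
        return False
    value, expected = str(event[name]).lower(), str(expected).lower()
    if modifier == "":
        return value == expected
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "startswith":
        return value.startswith(expected)
    if modifier == "contains":
        return expected in value
    raise ValueError(f"unsupported modifier: {modifier}")

def block_matches(event, block):
    """Every field in a selection/filter block must match (Sigma AND semantics)."""
    return all(field_matches(event, k, v) for k, v in block.items())

def run_rule(rule, events):
    """Return the events a rule fires on: 'selection and not filter', then optional aggregation."""
    filt = rule.get("filter")
    hits = [e for e in events
            if block_matches(e, rule["selection"]) and not (filt and block_matches(e, filt))]
    agg = rule.get("aggregate")
    if not agg:
        return hits
    groups = defaultdict(list)
    for e in hits:
        groups[e.get(agg["group_by"])].append(e)
    # Keep only the groups whose distinct-value count crosses the threshold
    return [e for g in groups.values()
            if len({x.get(agg["distinct"]) for x in g}) >= agg["min"] for e in g]

def build_timeline(rules, events):
    """Fold every rule's hits into one time-sorted list: the evidence trail a report is built from."""
    rows = []
    for rule in rules:
        for e in run_rule(rule, events):
            rows.append((e["TimeCreated"], e["EventID"], e.get("IpAddress"), e.get("TargetUserName"), rule["title"]))
    return sorted(rows)

if __name__ == "__main__":
    for row in build_timeline([KERBEROAST_RULE, SPRAY_RULE], EVENTS):
        print(" | ".join(str(c) for c in row))
```

Two things this deliberately glosses over, and a real rule would not: published Sigma rules for the RC4 pattern also constrain TicketOptions and exclude krbtgt, and a spraying threshold only means something inside a time window, which is the `bin _time span=5m` half of the Splunk search. The useful habit the block shows is the split itself: a per-event selection/filter pass first, an aggregation over the survivors second, and a timeline that merges every rule's hits so the report is written from one ordered list rather than from separate searches.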
Exam week (Attempt 1)
I originally planned a single weekend, but after reading advice from others, I switched to a full week of vacation days. That week had to wait because I started a new role at Splynter, so the exam was postponed for a couple of months.
When the week finally came, I leaned heavily on my Obsidian notes and the experience I had built up on the job. I cannot talk about the exam content due to the NDA, but the overall flow is very practical and focused on investigative discipline rather than trivia.
How I approached it
- Started the report immediately (at least for the second incident, and I wish I'd done it for the first too!). I used the Word file, but if I had to re-do it I would use SysReptor with HTB's official template!
- Build a timeline early. It keeps you grounded when the data gets noisy.
- Pivot across sources. I verified everything I could by utilizing multiple event IDs.
- Utilize LLMs for finding the right event codes. Since it had been a while since I'd done the course, I struggled with finding the right event IDs. LLMs are great at this though!
- Take breaks. Short walks helped me reset and see patterns again.
Result and reflection
I passed and became a certified HTB Defensive Security Analyst. It was a year‑long effort with a few pauses along the way, and it reminded me how much I enjoy the investigative side of security.
Thanks again to Solita for supporting my growth, and to Splynter for being a great environment to sharpen defensive skills.
Advice for future candidates (high‑level)
- Practice the workflow, not just the theory. The modules matter, but the exam rewards real investigative rhythm.
- Get comfortable with logs. Knowing where to look and how to pivot is the real time saver.
- Document as you go. A consistent template saves hours during the exam week.
- Respect the NDA. Focus on the experience and the learning, not the scenario details.
Takeaways
- Preparation is about repetition and consistency, not cramming
- Incident handling feels natural when your documentation is solid
- Hands‑on malware practice in VMs pays off under time pressure
- Obsidian‑style notes make it easy to move fast without skipping steps
- Taking breaks is a skill, not a luxury