Tuesday, April 7, 2026

My Entry Level Remote SOC Analyst Lab.

Danovis Pooler - SOC Analyst Journey

Danovis Maurice Pooler Jr

From Network Admin to SOC Analyst | Oakland, CA

20 Years IT Experience | Cybersecurity Blog | Home Lab Documented

About Me & My Security Journey

Hello, I'm Danovis Pooler.

For the past 20 years, I've been the person you call when your network goes down, your server won't boot, or your computer decides today is the day it retires. I've worked across the Oakland Bay Area — from Silicon Valley College maintaining student and staff networks, to running my own computer repair business serving hundreds of clients. I've configured routers, managed Windows and Linux servers, and troubleshot everything from TCP/IP issues to hardware failures.

Now, I'm channeling that experience into cybersecurity.

Here's what I've learned after two decades in IT: You can't secure what you don't understand. My infrastructure background isn't a weakness in this transition. It's my superpower.

What I'm Building Here

This blog documents my journey from traditional IT administration to Security Operations Center (SOC) analysis. I'm not starting from zero — I'm building on 20 years of foundation.

Home Lab Projects
Building a security operations lab using VirtualBox, ELK Stack, and open-source SIEM tools. Documented every step for other IT pros.
Infrastructure Security Analysis
Applying my network admin experience to threat detection. How do you spot malicious DNS traffic? What do failed authentication patterns look like?
Learning in Public
Studying for CompTIA Security+ and CySA+ certifications. Sharing study strategies and resources that actually help.
Career Transition Insights
For other IT veterans considering the security leap: what's transferable, what you need to learn fresh, and how to position your experience.

My Current Focus

Right now, I'm targeting remote Tier 1 SOC Analyst positions. My immediate learning priorities:

Skill Why It Matters My Status
SIEM Fundamentals The heart of SOC work — log aggregation and analysis Building ELK stack lab
Threat Intelligence Understanding IOCs and attacker TTPs Weekly research on MITRE ATT&CK framework
Incident Response From my IT troubleshooting background Documenting playbooks for common scenarios
Network Security Monitoring Leveraging my traffic analysis experience Practicing with Wireshark and Zeek
Let's Connect: danovispoolerjr@gmail.com | LinkedIn
Post #1: First Capture — 396 Packets and a Permission Lesson
Published: April 7, 2026 | Tools: Wireshark 4.2.2, Linux Mint

Kali is still downloading. But I just captured 396 packets of live network traffic — and finally understood why SOC analysts need both patience and curiosity.

From Error to Data

An hour ago: "Permission denied" trying to run Wireshark.
Now: 396 packets captured from interface enp0s31f6.

The fix was simple Linux permissions:

sudo usermod -a -G wireshark $USER
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

The result is a window into everything my machine is doing behind the scenes.

What 60 Seconds of Traffic Revealed

Without filtering: Chaos. MDNS broadcasts, TLS handshakes, TCP acknowledgments — hundreds of conversations happening simultaneously.

With filters: Patterns emerge.

Filter Result Insight
dns 12 queries My machine constantly looks up domains
tls 8 handshakes Every HTTPS site negotiates encryption
tcp.port == 443 23 connections Port 443 dominates modern traffic
ip.addr == 192.168.5.30 All my traffic Source IP verification
[INSERT SCREENSHOT: Wireshark capture showing 396 packets]

Key Observations

  • MDNS Traffic (Local Network): Constant chatter between devices. Hostnames visible. Security note: This is how attackers map your internal network.
  • Encrypted Traffic (TLS 1.2): Port 443 connections. Handshake visible, payload encrypted. Security note: Even "secure" traffic reveals metadata.
  • My IP Address: 192.168.5.30 — every packet ties back to this source. Security note: Source IP analysis is fundamental to threat hunting.

The SOC Analyst Mindset

Twenty years of network administration taught me to ask: "Is it working?"

Security analysis asks: "What is it actually doing?"

Same tools. Different questions. Better outcomes.

Next step: Once Kali Linux finishes installing, I'll generate "attack" traffic — port scans, brute force attempts — and compare it against this baseline.

— Danovis Pooler, Oakland, CA

Post #2: Attack in Progress — Detecting My First Nmap Scan in Real-Time
Published: April 7, 2026 | Tools: Nmap 7.98, Wireshark 4.2.2, VirtualBox

The screen split tells the whole story. Left: Kali Linux launching a port scan. Right: Wireshark capturing every packet. For the first time, I watched an "attack" happen from both sides simultaneously.

The Scenario

Attacker: Kali Linux VM (10.0.2.15)
Tool: Nmap 7.98 (nmap -sS 10.0.2.15)
Target: Self-scan (safe, legal, educational)
Detection: Wireshark on Linux Mint host
Result: 331 packets captured in real-time

What the Scan Looked Like

In Kali (The Offense):

Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-07 23:05 -0400
Nmap scan report for 10.0.2.15
Host is up (0.0000040s latency).
All 1000 scanned ports on 10.0.2.15 are in ignored states

Translation: 1000 ports probed in 203.68 seconds. All closed or filtered.

In Wireshark (The Defense):

  • 331 packets captured
  • Source IP 10.0.2.15 visible
  • Multiple destination ports
  • TCP SYN → RST patterns (stealth scan signature)
[INSERT SCREENSHOT: Split screen showing Kali terminal and Wireshark capture]

Key Detection Insights

Observation Technical Detail Security Meaning
Rapid sequential connections 1000 ports in ~200 seconds Automated, not human browsing
SYN-only packets No full handshakes "Stealth" scan trying to avoid logs
RST responses Target rejecting connections Host is alive but ports closed
Consistent source IP 10.0.2.15 throughout Clear attribution possible

The SOC Analyst Moment

Twenty years of network troubleshooting taught me to read packet traces. But this was different — I wasn't fixing a problem. I was witnessing an intentional probe.

Detection isn't about knowing every attack tool. It's about recognizing patterns that deviate from normal:
  • Normal browsing: Random ports, full handshakes, human timing
  • Port scanning: Sequential ports, SYN-only, machine speed
  • This scan: 1000 connection attempts in 3.5 minutes
Alert threshold: In a production environment, this pattern would trigger an IDS signature immediately.

Lab Environment

Component Specification
Virtualization VirtualBox on Linux Mint
Attacker VM Kali Linux 2026.1 (10.0.2.15)
Scan type SYN stealth scan (-sS)
Ports tested 1000 common TCP ports
Detection tool Wireshark 4.2.2
Packets captured 331
Analysis host Linux Mint (enp0s31f6 interface)

Next: External Scanning — Configuring cross-VM networking to scan from Kali toward my Mint host.

— Danovis Pooler

Coming Next: Crossing the Network — Cross-VM Scanning
Status: In Progress | Target: April 2026

Scanning yourself is educational. Scanning across a network is realistic.

This week, I'm configuring my first cross-VM attack scenario — adding a Host-Only network adapter to create a true segmented network between Kali and my Mint host.

What I'll Demonstrate

  • VirtualBox network segmentation (NAT vs. Host-Only)
  • Lateral movement simulation
  • Detection from the "target" perspective
  • Clear attacker attribution via distinct source IPs

Follow along as I build a complete virtual SOC lab from my apartment in Oakland — no server rack required.

Danovis Maurice Pooler Jr

Oakland, California 94611

Email: danovispoolerjr@gmail.com |

Documenting my transition from 20-year IT veteran to SOC Analyst.
Learning in public. Building in the open.

Blog built with HTML | Hosted on Blogger | Lab running on Linux Mint & VirtualBox

at No comments:
Subscribe to: Comments (Atom)

My Entry Level Remote SOC Analyst Lab.

Danovis Pooler - SOC Analyst Journey Danovis Maurice Pooler Jr From Network Admin to SO...