I’m very pleased to say I’ve passed the Hack The Box Certified Defensive Security Analyst (CDSA) exam. This one was a proper challenge.
Unlike the GFACT and GSEC, which are largely theory-based with multiple choice questions, the CDSA is entirely hands-on. There are no multiple choice questions at all. You’re dropped into a live environment with two real security incidents to investigate, and you’ve got seven days to figure out what happened, how it happened, and write a professional incident report covering the lot.
What Made It Hard
Seven days sounds generous until you’re actually in it. The technical investigation — hunting through SIEM logs in both Elastic and Splunk, analysing network captures, digging through Windows event logs, tracing lateral movement across an Active Directory environment — is only half the battle. The other half is the report.
And the report is where most people come unstuck. HTB are very clear that a CTF-style writeup won’t cut it. They want a proper, commercial-grade security incident report — executive summary, root cause analysis, full technical timeline with evidence, indicators of compromise, MITRE ATT&CK mappings, the works. The kind of document you’d actually hand to a client or present to management after a real incident. I can see why they weight it so heavily in the grading — in the real world, the investigation only matters if you can communicate what you found.
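As an added illustration of the kind of evidence that feeds that technical timeline (this is my own example, not material from HTB or the exam), the script below reconstructs a lateral-movement path from Windows Security event 4624 records. The JSON-lines events, the IP-to-host inventory and the field names are all constructed for the example; a real Elastic or Splunk export will use its own field names, so parse_events() would need adjusting. Logon type 3 is a network logon and type 10 is RemoteInteractive (RDP), which is why those two are treated as hops between hosts, and the ATT&CK mapping for type 3 is a best guess until the actual service is confirmed from other logs.

```python
"""Reconstruct a lateral-movement path from Windows Security 4624 events.

Added example for this post, not material from HTB or the exam. The events,
IP-to-host inventory and field names below are all constructed; real SIEM
exports (Elastic/Splunk) use their own field names, so adjust parse_events().
"""
import json
from datetime import datetime

# Logon types that mean "came in over the network from another machine".
# Type 3 = network (SMB, WinRM, ...), type 10 = RemoteInteractive (RDP).
# The type-3 technique is a working assumption: confirming SMB vs WinRM needs
# share-access (5140) or WinRM logs, which this example does not include.
REMOTE_LOGON_TYPES = {
    3: ("T1021.002", "Network logon (commonly SMB/Admin Shares)"),
    10: ("T1021.001", "Remote Desktop Protocol"),
}
LOCAL_SOURCES = {"-", "127.0.0.1", "::1"}

# Constructed inventory mapping source IPs to hostnames.
HOST_INVENTORY = {"10.0.0.11": "WS01", "10.0.0.12": "WS02",
                  "10.0.0.50": "BACKUP", "10.0.0.5": "DC01"}

# Constructed JSON-lines sample: one console logon, one failed logon (4625),
# remote logons by two accounts, and one malformed line. Field names are an
# assumption modelled on the Windows Security event schema.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2024-03-01T09:02:11", "EventID": 4624, "LogonType": 2,
     "TargetUserName": "j.smith", "IpAddress": "-", "Computer": "WS01"},
    {"ts": "2024-03-01T09:15:40", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "j.smith", "IpAddress": "10.0.0.11", "Computer": "WS02"},
    {"ts": "2024-03-01T09:16:05", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.50", "Computer": "WS02"},
    {"ts": "2024-03-01T09:30:50", "EventID": 4625, "LogonType": 3,
     "TargetUserName": "j.smith", "IpAddress": "10.0.0.12", "Computer": "DC01"},
    {"ts": "2024-03-01T09:31:22", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "j.smith", "IpAddress": "10.0.0.12", "Computer": "DC01"},
]) + "\nnot json at all\n"


def parse_events(text):
    """Parse JSON lines in timestamp order, dropping malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))


def remote_logons(events, inventory):
    """Keep successful remote logons and turn each into a source->destination hop."""
    hops = []
    for e in events:
        if e.get("EventID") != 4624 or e.get("LogonType") not in REMOTE_LOGON_TYPES:
            continue
        src_ip = e.get("IpAddress", "-")
        if src_ip in LOCAL_SOURCES:
            continue
        technique, label = REMOTE_LOGON_TYPES[e["LogonType"]]
        hops.append({
            "ts": e["ts"],
            "account": e["TargetUserName"],
            "src_ip": src_ip,
            "src_host": inventory.get(src_ip, "UNKNOWN"),
            "dst_host": e["Computer"],
            "technique": technique,
            "description": label,
        })
    return hops


def attacker_path(hops, account):
    """Chain one account's hops into the ordered list of hosts it moved through."""
    path = []
    for h in (h for h in hops if h["account"] == account):
        if not path or path[-1] != h["src_host"]:
            path.append(h["src_host"])  # first hop, or a hop from a new origin
        path.append(h["dst_host"])
    return path


def indicators(hops, account):
    """Source IPs behind the account's remote logons, for the IoC section."""
    return sorted({h["src_ip"] for h in hops if h["account"] == account})


def timeline_rows(hops):
    """Report-ready timeline lines: timestamp, account, hop, ATT&CK technique."""
    return [f"{h['ts']}  {h['account']:<11} {h['src_host']} -> {h['dst_host']:<6} "
            f"{h['technique']} ({h['description']})" for h in hops]


if __name__ == "__main__":
    hops = remote_logons(parse_events(SAMPLE_EVENTS), HOST_INVENTORY)
    print("\n".join(timeline_rows(hops)))
    print("Path for j.smith:", " -> ".join(attacker_path(hops, "j.smith")))
    print("Source IPs (IoCs):", indicators(hops, "j.smith"))
```

On the constructed sample this yields the chain WS01 -> WS02 -> DC01 for j.smith, with the svc_backup logon left in the timeline as context rather than being discarded, and the failed 4625 attempt filtered out because only successful logons count as movement. The 4625 is still worth a line in a real report, since a failure immediately before a success is itself evidence.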
The breadth of skills needed caught me off guard a bit too. You need to be comfortable across two different SIEM platforms, network traffic analysis, Windows forensics, Active Directory attack detection, and at least basic malware analysis. It’s a lot of ground to cover, and you can’t really blag any of it because the scenarios are realistic enough that you need to genuinely understand the tools and queries you’re using.
What I Enjoyed
Honestly, despite the stress, I really enjoyed it. The scenarios felt like real investigations, not contrived puzzles. There’s something satisfying about tracing an attacker’s path from initial access through to domain compromise, piecing it together from log entries and packet captures. It’s the closest thing to a real incident response engagement you can get without an actual breach.
I also got some genuinely lovely feedback from the examiner, which made the whole thing worthwhile:
“Congratulations! You have been awarded the HTB CDSA certification. The way you documented the detection activities was commendable and easy to follow. Your report was nicely structured as well. Well done!”
Coming from an exam that specifically tests your ability to write a professional report, that feedback meant a lot.
Advice If You’re Thinking About It
The SOC Analyst path on HTB Academy is mandatory and it’s genuinely good preparation. Take proper notes as you work through it — you’ll need them during the exam. I’d also strongly recommend preparing a report template before you start. You don’t want to be faffing about with formatting when the clock is ticking.
Build yourself cheat sheets for the SIEM query languages too. You need to be comfortable in both Elastic’s KQL and Splunk’s SPL, and under exam pressure is not the time to be Googling syntax. And screenshot everything as you go. Your future self writing the report at 11pm on day six will thank you.
If you’ve done the GFACT and GSEC like I have, this is a completely different experience. Those are knowledge tests. This is a skills test. Much harder, much more rewarding, and honestly much more relevant to what you’d actually do in a security role.
You can verify the certification on Credly.