Context
Hack The Box’s Academy came back to my attention recently. I had little interest in attempting their Certified Penetration Testing Specialist (CPTS) certification, as the syllabus of that course covers knowledge I had already acquired with other certifications such as the OSCP. However, their blue team certification, Certified Defensive Security Analyst (CDSA), was offered to me and I decided to give it a go.
My background is that I have worked in detection and incident response during my career, and most of the concepts and techniques presented in the CDSA course were familiar to me.
Course
The course and its syllabus can be found on HTB’s website. According to HTB, this is an entry-level blue team course and certification, and I can only agree: it is accessible to anyone wanting to discover the methodology and techniques behind the job of a SOC analyst or an incident responder.
HTB associates “job paths” with certifications, and the one behind CDSA is called the SOC Analyst Job-Role Path. The cost of getting certified is that of an annual Silver subscription, priced at $490. This subscription gives access to the different job paths, including the SOC Analyst one, and to one certification voucher for either CDSA, CWES or CPTS. I actually got it cheaper when HTB ran a discount last summer: $430 for a Silver annual subscription plus a free voucher for their Certified Junior Cybersecurity Associate (CJCA).
The course value for that money is good, especially since you can also work on other courses such as the CPTS one. With such a strategy, HTB definitely holds a significant share of the certification market.
The course is divided into 15 different modules. These do not need to be studied sequentially, and each has a progression status which helps in knowing how much study time is left. Each also has a difficulty level assigned by HTB (Easy, Medium or Hard), with only one Hard module in the CDSA course.

The modules alternate between text lessons and practical labs. A VPN gives you access to the labs, and you have unlimited time (well, as long as your subscription runs) to complete them. I found the course flow easy to follow, with a good balance between theory and practice.
From a technical point of view, everything ran pretty well; I had issues with the VPN from time to time and had to switch location. For one of the exercises I had to use an SSH local port forward to be able to complete the lab, and I am pretty sure this was not intended.
The course content is a bit heterogeneous: sometimes a module will be excessively easy, and sometimes you will spend multiple hours on another, which makes the progression percentage not so realistic, as HTB estimates all modules to take almost the same time to complete.
The structure is often quite strange. For example, one section puts at the same level subjects of different granularity, such as AD Security Assessment next to Purple Team Exercises, User Awareness Training or DMARC. This is confusing to the reader, as some of these subjects could be considered a “category” while others would be a “chapter” within such a category.
Overall, the course content is pretty good. It gives the reader the concepts and keys to perform the day-to-day job of a SOC analyst, as advertised. However, I found multiple errors and shortcuts in the explanations that I did not find acceptable. Below are a few examples:
- In SIEM and SOC Fundamentals, the false positive rate is used to assign the alert level (high, medium or low); that is not how it should be done, nor how it is done in a professional context anyway
- In Network Analysis, a network tap should be considered a passive device, not an active one, and there are errors in the OSI model examples
I also found parts of different modules to be identical, such as the ones on static analysis for Windows and Linux. Others end with dummy questions such as “how many packets are there of XXX or YYY network protocol”.
On the other hand, though, I found the practical labs realistic. The Skill Assessment sections are close to reality, and the ones that have the student work with SIEMs like ELK and Splunk are very good. The course also includes modules where the student plays the attacker role, such as Active Directory Attack & Defense, and that is useful knowledge for a blue team job.
I particularly appreciated the ELK and Splunk queries in the course. The examples are among those an analyst will actually use in the field. I took quite a lot of notes, including these queries, and studied the given resources to write my own as well.
The course took me approximately forty hours to complete, but this is quite biased by the fact that I already knew most of the content. I went straight into the exam when I was done with the course.
Exam
The exam consists of two different incidents, for which you are provided different sources of traces. For the first one, there are twenty flags that you need to provide (and only 16/20 are needed to pass). For both incidents, you must provide a report including mandatory sections such as an executive summary, business impact and a detailed timeline. The exam lasts seven calendar days, without the possibility to pause it.
I felt the exam was pretty realistic: the paths the attackers followed, and the methods they used, are ones I have seen in real incidents.
It took me around five days to complete, working most of the day on it but taking a lot of breaks and sleeping normally. I found 19/20 flags; the missing one was probably because I did not understand well enough the technique needed to retrieve it, even though I knew what it was about. I spent more time than I had planned on this exam, and I advise not underestimating the time needed to complete it. I got a response from HTB after nine calendar days saying I had passed, with positive feedback.
Below is some advice I would give myself if I had to take it again:
- have a more time-efficient method for writing a timeline with commands and screenshots
- prepare a report template before the exam
- have more ready-to-use queries and commands for the tools
And below are some things I planned ahead that proved useful during the exam:
- write the report while taking the exam
- have a cheat sheet of ready-to-use queries and commands
- a note-taking application (Obsidian) with an “export to PDF” feature
- write the flags for incident 1 in a separate file, just in case
- do not focus on the flags, but rather on what happened in incident 1
- take half a day after incident 1 to write it up completely before starting incident 2
Conclusion
Pros:
- correct pricing for both training and exam
- overall good course content
- nice exam challenge
Cons:
- a few mistakes and repetitions in the course
- HR departments will not know what this certification is; probably only technical people in the field will
I would recommend this course and certification either to someone new in the field who wants to become a SOC analyst or an incident responder, or to someone in a more offensive role, such as a pentester, who wants to broaden their knowledge of blue team methodology and techniques.
It definitely changed my point of view on HTB Academy, and I will probably take future courses from them.