TryHackMe SEC1 Certification: An Honest, Detailed Review

CSE student and aspiring SOC analyst. I write about building security labs, threat detection, and the honest experience of learning blue team cybersecurity from the ground up.

SEC1 is one of the few beginner certifications that actually puts you inside a real environment and asks you to work. This is a first-hand account of what the exam looks like, where it tests you hard, where it falls short, and whether it deserves a place in your certification roadmap.


Background

I passed the TryHackMe SEC0 certification on April 24, 2026. After that, the natural instinct was to revise, consolidate, and prepare before moving forward. But the material was fresh, the momentum was there, and I made a deliberate decision to go straight into SEC1 without waiting.

Twelve days later, on May 6, 2026, I cleared SEC1 on the first attempt with a score of 550 out of 700.

This blog is not a walkthrough of exam answers. It is an honest, structured review of what SEC1 is, what it tests, where it does well, where it falls short, and whether it is worth your time.


What is SEC1?

SEC1 is TryHackMe's second-tier certification that follows SEC0. It is not a purely blue team or red team certification. It deliberately covers both sides of the field, from incident response and security operations to penetration testing and web application attacks.

The design philosophy behind this is intentional. At this stage, most learners have not yet decided which direction they want to pursue. SEC1 gives you a structured taste of both disciplines so that by the time you finish, you have enough hands-on exposure to make an informed decision about whether you want to go deeper into defensive security or offensive security.

Unlike SEC0, which is heavily theoretical and conceptual, SEC1 introduces hands-on practical components. You are placed inside live environments and asked to perform actual analysis tasks across both attack and defence scenarios.

The certification sits at the beginner-to-intermediate boundary. It is not entry-level in the traditional sense, but it does not assume deep expertise either.

Quick Reference:

| Detail | Information |
| --- | --- |
| Certification Name | SEC1 |
| Issuing Platform | TryHackMe |
| Level | Beginner to Intermediate |
| Format | Practical, scenario-based |
| Pass Mark | 455 / 700 |
| Total Marks | 700 |
| Duration | Up to 24 hours |
| Badge | Credly verified |

Who is SEC1 For?

SEC1 is suited for individuals who have completed the TryHackMe Cybersecurity 101 learning path or have equivalent foundational knowledge. It is a natural progression from SEC0.

You are ready for SEC1 if:

  • You have completed SEC0 or a comparable beginner certification

  • You are comfortable navigating Linux and Windows environments via the command line

  • You understand basic networking concepts including TCP/IP, DNS, and HTTP

  • You have done hands-on labs involving log analysis, basic enumeration, or malware investigation

  • You are exploring whether blue team or red team is the right path for you

You may want to wait if:

  • You have only studied theory and have no hands-on lab experience

  • You are not comfortable using the command line on both Linux and Windows

  • You have not worked with tools like Nmap, Hydra, Wireshark, or basic log analysis


Exam Structure and Format

SEC1 is divided into multiple scenario-based contracts. Each contract presents a real-world incident or investigation scenario and asks you to work through it using provided evidence or a live environment.

The exam is open-book in the sense that you have access to tools and resources, but the time pressure and practical nature of the questions mean that knowledge and hands-on experience matter significantly.

Each contract covers a specific domain and is scored independently. You need to reach the overall pass mark across all contracts combined.

The format rewards analytical thinking over memorization. You are expected to use tools, interpret outputs, and reach conclusions based on evidence, not recall.


Domain Breakdown and My Scores

Here is how the exam is structured by domain, along with my personal scores and an honest assessment of each:

| Domain | My Score | Difficulty | Notes |
| --- | --- | --- | --- |
| Windows Fundamentals | 100/100 | Moderate | Strong if you have worked in Windows environments |
| Linux Fundamentals | 90/100 | Moderate | Command line comfort is essential |
| Security Operations | 80/100 | Moderate | Scenario-based, realistic IR workflow |
| Bruteforcing and Cracking | 80/100 | Moderate | Tool familiarity carries you far here |
| Malware Analysis | 80/100 | Moderate | Static analysis, strings, PE headers |
| Network Traffic | 60/100 | Hard | Requires strong packet and log analysis skills |
| Web Pentesting | 60/100 | Hard | Tool speed and web attack knowledge critical |

Honest note: Network Traffic and Web Pentesting were the two sections that humbled me. If your background is primarily defensive or you have not spent time doing active enumeration and web attacks, allocate more preparation time to these two domains specifically.


What the Exam Actually Tests

SEC1 does not test whether you can memorize definitions. It tests whether you can operate.

Across the exam, you will be expected to perform tasks like the following:

Windows and Linux Environments

  • Navigate file systems and locate artifacts under time pressure

  • Query and filter Windows Event logs using PowerShell

  • Identify suspicious files, processes, and registry entries

  • Use command line tools efficiently without a GUI

```powershell
# Example: Querying Windows Event Logs for process creation events
Get-WinEvent -Path 'C:\path\to\Security.evtx' | Where-Object {$_.Id -eq 4688} | Select-Object TimeCreated, Message
```

Security Operations

  • Triage an incident using provided log and artifact evidence

  • Identify indicators of compromise across host and network data

  • Map findings to MITRE ATT&CK techniques

  • Follow a structured incident response framework

Malware Analysis

  • Perform static analysis on a binary without executing it

  • Extract readable strings to identify embedded URLs, commands, and capabilities

  • Identify persistence mechanisms such as registry run keys

  • Understand file metadata including hashes, architecture, and compilation details

```powershell
# Example: Extracting strings from a binary on Windows
strings.exe suspicious.exe | findstr /i "http"
```
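The one-liner above only greps for URLs. As an added example (my own code, not TryHackMe's material or anything from the exam), the Python below reimplements the core of `strings` and sorts what it finds into the buckets the bullet list names: URLs, Run-key persistence paths, embedded commands, plus the hashes and PE magic values that make up basic file metadata. The byte blob is constructed for the example and is not a real sample.

```python
import hashlib
import re

# Constructed stand-in for suspicious.exe: printable runs between junk bytes. Not a real sample.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00PE\x00\x00"
    b"\x01\x02http://example.invalid/update.bin\x00\xff\xfe"
    b"ab\x00Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"\x7f\x80cmd.exe /c whoami\x00\x01\x02\x03"
    b"\x00kernel32.dll\x00\x01"
)

def extract_strings(data, min_len=4):
    """Return printable ASCII runs of at least min_len bytes (GNU strings' default; Sysinternals uses 3)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def classify(strings):
    """Sort extracted strings into the buckets an analyst triages first."""
    found = {"urls": [], "run_keys": [], "commands": [], "other": []}
    for s in strings:
        low = s.lower()
        if low.startswith(("http://", "https://")):
            found["urls"].append(s)
        elif "currentversion\\run" in low:          # registry autorun persistence path
            found["run_keys"].append(s)
        elif low.startswith(("cmd.exe", "powershell")):
            found["commands"].append(s)
        else:
            found["other"].append(s)
    return found

def file_metadata(data):
    """Hashes plus the two magic values a PE file carries (MZ header, PE signature)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe_like": data[:2] == b"MZ" and b"PE\x00\x00" in data,
    }

if __name__ == "__main__":
    for bucket, items in classify(extract_strings(SAMPLE_BINARY)).items():
        print(bucket, items)
    print(file_metadata(SAMPLE_BINARY))
```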

Network Traffic Analysis

  • Parse and filter firewall logs for anomalous connections

  • Identify suspicious outbound traffic patterns

  • Differentiate between internal lateral movement and external C2 activity
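As an added example that is not part of the original post or the exam, the Python below shows the distinction the last bullet asks for on a constructed firewall log: one internal host fanning out to several internal hosts on a single service port (the lateral movement pattern) versus one internal host contacting the same external address at a fixed interval (the beaconing pattern). The log format, the internal address ranges and the thresholds are assumptions; real beacons often add jitter, which the `max_jitter_s` parameter is there to absorb.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed firewall log excerpt (not from the exam); 203.0.113.0/24 is a documentation range.
FIREWALL_LOG = """\
2026-05-01T10:00:00Z ALLOW TCP 10.0.0.5:49152 -> 10.0.0.9:445
2026-05-01T10:00:05Z ALLOW TCP 10.0.0.5:49153 -> 10.0.0.10:445
2026-05-01T10:00:10Z ALLOW TCP 10.0.0.5:49154 -> 10.0.0.11:445
2026-05-01T10:01:00Z ALLOW TCP 10.0.0.7:49200 -> 203.0.113.10:443
2026-05-01T10:02:00Z ALLOW TCP 10.0.0.7:49201 -> 203.0.113.10:443
2026-05-01T10:03:00Z ALLOW TCP 10.0.0.7:49202 -> 203.0.113.10:443
"""
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed; use your own
LINE_RE = re.compile(r"^(?P<ts>\S+) \w+ \w+ (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_log(text):
    """Return one dict per matching line; lines that do not fit the format are skipped."""
    events = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["dport"] = int(e["dport"])
    return events

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def lateral_movement_candidates(events, min_hosts=3):
    """Internal source fanning out to several internal hosts on one service port."""
    targets = defaultdict(set)
    for e in events:
        if is_internal(e["src"]) and is_internal(e["dst"]) and e["src"] != e["dst"]:
            targets[(e["src"], e["dport"])].add(e["dst"])
    return sorted((s, p, len(d)) for (s, p), d in targets.items() if len(d) >= min_hosts)

def beacon_candidates(events, min_hits=3, max_jitter_s=5):
    """Internal source reaching one external host:port at near-constant intervals."""
    times = defaultdict(list)
    for e in events:
        if is_internal(e["src"]) and not is_internal(e["dst"]):
            times[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    hits = []
    for key, ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if len(ts) >= max(2, min_hits) and max(gaps) - min(gaps) <= max_jitter_s:
            hits.append((*key, round(sum(gaps) / len(gaps))))  # (src, dst, port, period_s)
    return hits
```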

Web Pentesting

  • Enumerate hidden web directories and endpoints

  • Identify and exploit authentication weaknesses

  • Perform credential-based attacks against login forms

  • Understand hash types and crack weak passwords

```bash
# Example: Directory enumeration
gobuster dir -u http://target:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# Example: Credential brute force
hydra -l admin -P /usr/share/wordlists/rockyou.txt target http-post-form "/admin:username=^USER^&password=^PASS^:F=Incorrect" -s 8080 -t 64
```
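As an added, defender-side counterpart to the Hydra command above (my own code, not part of the original post), this Python snippet shows what that kind of credential attack looks like in a web server access log and how to flag it: a burst of POSTs to the login path from one source, and whether the burst ended in the site's success response, which is the case that matters most for triage. The log lines, the `/admin` path and the redirect-on-success behaviour are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access log lines (combined-log style); not real traffic.
ACCESS_LOG = """\
10.0.0.50 - - [06/May/2026:10:00:01 +0000] "POST /admin HTTP/1.1" 200 512
10.0.0.50 - - [06/May/2026:10:00:01 +0000] "POST /admin HTTP/1.1" 200 512
10.0.0.50 - - [06/May/2026:10:00:02 +0000] "POST /admin HTTP/1.1" 200 512
10.0.0.50 - - [06/May/2026:10:00:02 +0000] "POST /admin HTTP/1.1" 200 512
10.0.0.50 - - [06/May/2026:10:00:03 +0000] "POST /admin HTTP/1.1" 302 0
10.0.0.77 - - [06/May/2026:10:00:05 +0000] "GET /admin HTTP/1.1" 200 1024
10.0.0.77 - - [06/May/2026:10:00:40 +0000] "POST /admin HTTP/1.1" 302 0
"""
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\w+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$')

def parse_access_log(text):
    """Return one dict per parsable line, with the timestamp converted to a datetime."""
    events = [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
    return events

def login_bursts(events, path="/admin", window_s=60, threshold=4, success=(301, 302)):
    """Flag sources that POST to the login path `threshold` or more times within `window_s`.

    A POST answered with a redirect (assumed here to be the site's success response) at the
    end of a burst suggests the guessing worked and the account should be treated as compromised.
    """
    per_src = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == path:
            per_src[e["src"]].append(e)
    findings = []
    for src, posts in per_src.items():
        posts.sort(key=lambda e: e["ts"])
        for i, first in enumerate(posts):
            window = [p for p in posts[i:] if (p["ts"] - first["ts"]).total_seconds() <= window_s]
            if len(window) >= threshold:
                findings.append({"src": src, "attempts": len(window),
                                 "success_after_burst": window[-1]["status"] in success})
                break  # one finding per source is enough for triage
    return findings
```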

Tools You Should Know

You do not need to be an expert in every tool listed here, but you should be comfortable enough to use them under time pressure before attempting SEC1.

| Tool | Category | Purpose |
| --- | --- | --- |
| Nmap | Reconnaissance | Network scanning and service enumeration |
| Gobuster | Web | Directory and content discovery |
| Hydra | Exploitation | Credential brute forcing |
| Strings (Sysinternals) | Malware Analysis | Static string extraction from binaries |
| PowerShell / Get-WinEvent | Windows Forensics | Event log querying and analysis |
| Hashcat / CrackStation | Password Cracking | Hash identification and cracking |
| Wireshark | Network Analysis | Packet capture inspection |
| Findstr / Grep | Log Analysis | Pattern searching in logs and files |

SEC1 vs CompTIA Security+

This comparison comes up often. Both are beginner-level certifications but they serve fundamentally different purposes.

| Criteria | TryHackMe SEC1 | CompTIA Security+ |
| --- | --- | --- |
| Format | Practical, scenario-based | Multiple choice and performance-based |
| Depth | Hands-on, narrower scope | Broad theoretical coverage |
| Industry Recognition | Growing, niche community | Widely recognized, DoD 8570 approved |
| Cost | Low (THM voucher or subscription) | High (~$400 USD exam voucher) |
| Validity | Check THM policy | 3 years, requires renewal |
| Prep Time | Weeks if path is completed | 2 to 4 months typically |
| Best For | Hands-on learners, portfolio building | Job requirements, HR screening |
| Credly Badge | Yes | Yes |

The honest answer: They are not direct competitors. Security+ is a hiring requirement at many organizations and carries more weight with HR teams and government-adjacent roles. SEC1 demonstrates that you can actually operate in a real environment, which Security+ alone does not always prove.

Ideally, you want both. SEC1 builds your practical capability. Security+ opens doors.


Honest Assessment: Strengths and Gaps

What SEC1 Does Well

The hands-on format is the right approach. Dropping candidates into real environments and asking them to work through actual scenarios is far more valuable than a multiple choice paper. This is how real security work functions and the exam reflects that philosophy well.

The scenario design for Security Operations, Malware Analysis, and Bruteforcing is solid. The scenarios felt realistic and required genuine analytical thinking rather than surface-level recall.

The Credly badge integration adds credibility and makes the certification shareable in a verifiable format.

Where SEC1 Falls Short

For a beginner-level certification, the coverage is uneven. Some domains go into meaningful depth while others feel like they only scratch the surface. A candidate who scores well on Windows and Linux but struggles with Network Traffic and Web Pentesting ends up with a pass that does not fully reflect their readiness across all domains.

The Network Traffic and Web Pentesting contracts could benefit from more guided structure at this level. For a beginner audience, the jump in difficulty compared to the other domains is noticeable and not always well signposted.

There is also limited official guidance on what tools and techniques are expected. Candidates coming from the Cybersecurity 101 path may find some contracts require knowledge that goes slightly beyond what the path explicitly covers.

Overall: SEC1 is a good certification. It is not a complete picture of what a junior security professional needs to know, but it is a meaningful and practical step in the right direction.


Should You Take SEC1?

| Your Profile | Recommendation |
| --- | --- |
| Completed TryHackMe Cybersecurity 101 path | Yes. Take it now while the material is fresh. |
| Passed SEC0 and want a practical follow-up | Yes. Strong recommendation. |
| Exploring blue team vs red team as a direction | Yes. This exam was designed for exactly this stage. |
| Targeting entry-level SOC or security roles | Yes, but manage expectations. The value is in the hands-on exposure, not resume weight. It tells you what to expect from the work before you commit to a path. |
| Only studied theory, no hands-on lab experience | Not yet. Build command line and tool comfort first. |
| Already hold Security+ or equivalent | Optional. Useful for validating practical skills. |
| Preparing for offensive security roles | Consider eJPT after SEC1 rather than stopping here. |

Final Verdict

SEC1 is worth taking if you have completed the foundational groundwork. It is practical, it is verifiable, and it tests skills that reflect what the work actually demands.

It is not perfect. The difficulty is inconsistent across domains and the certification alone will not make you job-ready. But as part of a broader skills and certification strategy, it adds real value.

If you have finished the Cybersecurity 101 path and passed SEC0, there is no reason to wait. The material is fresh, the momentum is there, and the exam is achievable.

Go straight in.


Tirthak Likhar
Final year B.Tech CSE, Symbiosis Institute of Technology
SOC Intern - Blue Team | LinkedIn