SAL2 Review - Dragkob

March 28, 2026 by DKob
This review provides a comprehensive overview of the SAL2 Certification, including detailed insights into the experience, strengths, and weaknesses. It explores the certification's structure, requirements, user interface and user experience (UI/UX), and exam content. Additionally, it evaluates whether the certification truly aligns with senior-level SOC roles, as advertised.

Although I was provided with a voucher by TryHackMe to test and QA the certification, this review is not sponsored. It reflects my independent assessment and will remain objective, rigorous, and strictly unbiased.

My Background

Before diving into the SAL2 exam review, it's important to share some context about my background. Understanding my experience will help you gauge whether my perspective aligns with yours and whether the insights in this review are relevant to your situation.

Dragkob
"By the time I took the SAL2, I had already earned certifications like the CRTO and eCPPTv3. I also work full-time in cybersecurity. I do not bring prior professional experience in SOC operations, threat hunting, threat intelligence, or DFIR; my work has centered on IAM and VOC rather than blue-team functions. I have not completed TryHackMe's SOC Level 1 learning path, and hands-on SOC-style exposure has been limited to a small number of simulation exercises."
~ Dragkob

The exam

Exam Content

  • The assessment is divided into twelve fully hands-on, scenario-based practical sections, organised as three shifts of four scenarios each. Each reflects a realistic SOC investigation and spans domains such as:
    • Decision making: breaking intrusions into stages, response and hardening, customer communication, and SOC gaps.
    • Report writing: clear business-focused summaries, next steps, structured timelines, IoCs, and attribution.
    • SIEM, Windows AD, web logs, Entra ID & M365, AWS cloud, and host-based analysis (Linux and Windows).
    • Network traffic, static malware, and email phishing.
    • Broader SOC skills: threat intelligence, alert triage with EDR, and detection engineering.
  • Each scenario includes technical investigation work plus either a decision-making task or a report-writing task, with evaluation of prioritisation and SLA awareness in context.
  • You have a 72-hour exam window for the twelve scenarios. The exam is non-proctored; you need a valid ID or passport.
  • The exam requires 65% to pass, and one free retake is included.

[Figure: SAL2 Exam UI]

Exam Structure

The exam is divided into three shifts, each consisting of four scenarios. You may complete the shifts in any order; however, you must finish all scenarios within a given shift before proceeding to the next one. Within each shift, you are free to complete the scenarios in any order. Please note that this certification is based on realism: prioritizing and triaging scenarios appropriately will impact your final grade.

[Figure: Shifts overview (SAL2 exam shift structure overview)]

[Figure: Shifts & scenario order (SAL2 exam shifts and scenario ordering)]

Each scenario includes both a total duration and an SLA duration. The total duration represents the full time allotted to complete the scenario, after which the session will automatically end. The SLA threshold indicates the time within which you must submit your solution to earn additional points. As in real-world environments, an SLA (Service Level Agreement) defines the expected timeframe for responding to or resolving tasks, reinforcing the exam's emphasis on realism.

[Figure: SLA reminder (SAL2 scenario SLA display)]

[Figure: SLA timer & window (SAL2 SLA timer)]

The main interface remains largely unchanged from previous exams. You will still have access to a well-structured workspace for taking notes, reviewing documentation and scope, and accessing tools such as the SIEM and other resources.

[Figure: Main workspace (SAL2 exam main workspace interface)]

Attention to detail

All previous feedback provided to the TryHackMe team has been taken into consideration, and it clearly shows in this exam. The community's concerns have been heard, and meaningful improvements have been implemented.

  • One common issue raised by users was slow machine deployment, which resulted in lost exam time. This has now been addressed. The timer only begins once the machine has been fully deployed. [Shown in IMG1]

[Figure IMG1: SAL2 exam machine ready before timer starts]

  • The attention to detail also extends to realism.
    • Much like in a real SOC environment, once a decision is made and acted upon, it cannot be reversed.
    • This is reflected in the Decision-Making section of the exam: once a choice is submitted, it cannot be changed. [Shown in IMG2]
  • Additionally, the Technical Analysis section remains locked until the Decision-Making phase has been completed.
    • In some cases, this may provide indirect insight into whether the correct decisions were made earlier. [Shown in IMG3]
    • Candidates should be prepared for moments of realization, recognizing that a different choice may have been more appropriate.
  • This is intentional and mirrors real-world scenarios, where decisions carry consequences and accountability is essential. [Shown in IMG4]
    • A member of the TryHackMe Content Engineering team has explained the thinking behind this design.

[Figure IMG2: SAL2 exam Decision-Making section, choices cannot be changed after submit]

[Figure IMG3: SAL2 exam Technical Analysis section locked until Decision-Making is complete]

[Figure IMG4: TryHackMe Content Engineering team on accountability and consequences in SAL2]

The Good

Beyond the UI/UX, attention to detail, and realism, there are several additional strengths worth highlighting:

Machine stability and launch times

Unlike previous TryHackMe exams, I did not encounter any stability issues related to infrastructure or virtual machines. Everything ran smoothly, likely due to expanded deployment regions, an improvement that is highly appreciated.

Question and Answer clarity

All questions and corresponding answers were presented clearly and without ambiguity. The expected answer formats were explicitly defined, leaving no room for misinterpretation. This structured approach contributes to a more consistent and reliable evaluation process, ensuring that candidates fully understand what is required.

Skill Matrix on results page

The inclusion of a skill matrix on the results page is a valuable addition. It provides meaningful insight into performance across different competencies, allowing candidates to better understand their strengths and areas for improvement.

Exam Difficulty

The exam is advertised as mid to senior level. In my assessment, it aligns more closely with a mid level standard; however, it remains appropriately challenging. It is clearly designed for individuals with a solid foundation in the subject matter rather than beginners. Overall, it stays true to its intended level, which is commendable.

Overall Quality

The exam feels like a well-polished, finished product. No major issues were encountered throughout the experience, reflecting a high level of preparation and quality assurance.

The Bad

Absence of AI-Based Feedback

The written communication component of the soft skills assessment is AI-graded. As such, it is somewhat unfortunate that the final results page does not include personalized feedback on areas for improvement.

I understand that this feature was withheld due to concerns about potential inaccuracies, which is entirely justified. While this functionality holds significant potential for a certification of this nature, it is preferable to omit feedback rather than risk providing misleading or unreliable outputs, as was previously observed with PT1.

Exam quality compared to training material

This exam sets a new benchmark on TryHackMe. While new Blue Team courses are gradually being introduced, one of the reasons I previously avoided engaging with Blue Team paths was their inconsistent quality.

In particular, the now-retired SOC Level 1 path felt unengaging and lacked depth, in my opinion. Although I have not yet explored the updated version, I strongly encourage alignment between the course content and the high standard established by this exam.

That said, recent improvements are promising, and it is clear that the platform is moving in the right direction. I hope this positive momentum continues.

Exam details page clarity

The exam details page states a total duration of 72 hours across 12 scenarios but does not clearly explain how this time is structured. Unlike the SEC1 certification, it omits whether the time is flexible or allocated per scenario.

In practice, each scenario is individually time-bound (typically 1-2 hours), meaning once started, it must be completed within that window. This lack of clarity can lead to poor time management decisions and potentially disadvantage candidates.

Improving transparency on this point would help candidates better plan their approach and avoid misunderstandings.

Concerns regarding unmet commitments

Marketing materials and website communications have outlined several incentives for the first 100 candidates to pass SAL2. However, based on the experience with PT1, many users are still awaiting clarity regarding their rewards.

While this may not be fully visible internally, from my perspective, interacting daily with a broad user base, there is a noticeable and growing skepticism toward TryHackMe's ambitious commitments and their delivery, particularly within community discussions (e.g., Reddit).

The Bugs

During the course of the exam, I encountered a few technical issues worth highlighting:

VM screen cropping issue

The virtual machine display did not consistently scale correctly when the browser zoom level was set below 100%.

Steps to reproduce:

  1. Navigate to another tab (e.g., "Documentation").
  2. Adjust the browser zoom level to 90% or lower.
  3. Return to the VM section.

In some cases, the VM rescaled correctly; however, this behavior was inconsistent (approximately 50% of the time). Observed issues included the taskbar being partially cut off and, at times, the right side of the VM extending beyond the visible screen area.

Antivirus blocking - /[REDACTED]/[REDACTED]/download API

While working on a challenge, certain strings within the challenge triggered my AV software. As a result, API requests made by TryHackMe were flagged and blocked, preventing submissions and effectively breaking part of the exam workflow.

Further investigation indicated that the flagged strings matched patterns commonly associated with malicious commands, which aligns with the intended purpose of the exercise.

This created a blocking issue where the submission functionality became unusable, ultimately requiring me to disable or uninstall my antivirus to proceed.

While this behavior is understandable from a security standpoint, it significantly impacts usability and may prevent candidates from completing the exam. It may be worth exploring mitigation strategies, such as sandboxing inputs or modifying submission handling, to reduce conflicts with endpoint security solutions.

Additional observations (undisclosed issues)

I also identified three additional bugs or inconsistencies that cannot be disclosed in detail at this time.

In summary, these included:

  • Issues that could allow candidates to skip certain questions (counterproductive, as this will negatively impact grading)
  • Unintended information exposure that could provide hints toward correct answers
  • A separate issue with potential implications for exam integrity, which I will not elaborate on

I am currently awaiting clarification from the TryHackMe team regarding whether these behaviors are intentional or require remediation.

Grading

AI grading again?

AI-based grading has been reintroduced, albeit limited to a specific section of the exam. In my experience, it has significantly improved and did not negatively impact my grading in any way. Overall, this aspect of the exam should not be a cause for concern.

Instead of relying on full AI-driven feedback, TryHackMe has adopted a skill matrix approach on the results page.

[Figure: Skill matrix (SAL2 exam results page skill matrix)]

How grading works

| Category | Details |
| --- | --- |
| Exam structure | 12 scenarios total. |
| Tasks per scenario | 1) Report writing or decision making (40%); 2) Technical analysis (60%) |
| Overall scoring | Total points across all scenarios, converted to a percentage. |
| Pass mark | 65% or higher. |
| Technical analysis scoring | Per question: correct answers earn full points; incorrect answers earn 0 (no partial credit). |
| Decision making scoring | Per question: correct = full points; incorrect = 0. |
| Report writing scoring | Based on set criteria with equal weighting; AI-assisted evaluation. |
| SLA bonus | +15% of a scenario's maximum points if completed within the allotted time. |
| Prioritisation bonus | +5% of a scenario's maximum points for the correct severity order (Critical → High → Medium → Low). |
| Bonus impact | Applied before the final percentage is calculated and can change the pass/fail outcome. |
| Skill matrix | Shows non-technical skill performance across scenarios. |
| Skill matrix impact | Informational only; does not affect the final score. |

How to get ready?

Training

  • The training path provided by the TryHackMe team is sufficient to prepare for the exam. Notably, I approached this certification with very limited prior experience in SOC operations, threat hunting, and threat intelligence, having only a basic understanding of DFIR concepts and partial completion of the SOC Level 1 path. Despite this, I was able to successfully pass, which highlights the accessibility and relevance of the material.
  • My background in offensive security proved to be a significant advantage, allowing me to approach scenarios with an attacker's mindset and better understand incident patterns. While I do not claim expert-level authority on the training content, I have also considered community feedback, which largely aligns with my observations and contributes to a more balanced evaluation.
  • One improvement I would suggest is the inclusion of a small set of SOC simulation scenarios with the SAL2 voucher. Given the certification cost, providing candidates with hands-on practice would be both fair and beneficial.

Exam Tools & VPN

  • The exam does not require or allow the use of a VPN, as all activities are conducted within the provided environment. Candidates operate through pre-configured SIEM platforms, analyst workstations, and Windows virtual machines.
  • Tools such as Elastic, Splunk, and MISP, along with pre-installed DFIR utilities, are readily available. The environment proved stable and fully sufficient to complete all challenges.

Who is this exam for?

The exam is advertised as targeting mid to senior-level SOC roles, and I can confidently say this positioning is accurate.

Please note:

Although I was able to pass without prior experience in SOC, threat hunting, DFIR or threat intelligence, this should not be considered typical or advisable. This certification is not beginner-friendly.

  • The exam is relatively expensive, which is appropriate for its level.
  • My success was largely due to a strong background in offensive security and multiple prior certifications, allowing me to approach scenarios with an attacker's mindset.
  • A solid foundation in blue team concepts is strongly recommended before attempting this exam.

Final thoughts

  • Overall, this exam represents a significant milestone for TryHackMe and, more broadly, for practical cybersecurity certifications. SAL2 does not simply improve on previous offerings; it sets a new benchmark in terms of realism, structure, and candidate experience.
  • From a design and execution standpoint, it is the first certification on the platform that feels truly complete, cohesive, and production-ready. The level of detail across UI/UX, scenario design, infrastructure stability, and assessment clarity reflects a clear maturation, with community feedback meaningfully implemented.
  • That said, some surrounding elements, such as training content alignment, communication clarity, and minor platform issues, still have room for improvement. These gaps do not detract from the exam itself but highlight areas where the broader ecosystem can better match the certification's high standard.
  • Despite a few bugs and edge cases, the overall quality remains strong, and these issues appear solvable through iteration rather than fundamental redesign.

Final rating

| Certification | Rating |
| --- | --- |
| SAL2 | |
| SAL1 | |
| PT1 | |
| SEC1 | |
| SEC0 | |

Copyright © 2026 Dragkob. All Rights Reserved.