This course is intended for professionals responsible for establishing, managing, or enhancing organizational cybersecurity operations, including:

• Security managers and directors.
• Incident response team leads and members.
• IT and network security administrators transitioning to SOC/CSIRT management roles.
• Organizational leaders and decision-makers involved in cybersecurity governance.

Qualifications or experience needed to participate in this training course:

• At least 5 years of IT technical or management experience.
• At least 2 years of Cybersecurity experience.
• At least 2 years of responsibility for handling projects or changes, including planning, procurement and implementation..
• Participants must have a foundational understanding of cybersecurity principles and best practices.
• Practical awareness of SOC workflows and procedures. 
• Experience or knowledge of commonly used SOC technologies.

Selection criteria: 

• Applicants must hold a managerial or leadership position in IT, cybersecurity, or risk management in the organization.
• Must be actively involved in designing, implementing, or modernizing SOC capabilities. Organizations should either be in the process of establishing SOC or modernizing an existing SOC.
• Have the authority to approve SOC technologies and tools, make decisions about staffing and skill development, and influence in SOC policy and procedures development.   
• Industry and sector relevance for the organization, i.e. from CI or CII in their country. 
• Preference for organizations with a clear mandate to improve national or sectorial cybersecurity resilience.
• Complete the application questionnaire and attach an up-to-date CV, a recommendation letter from their employer, or a motivation letter. 

Government officials and policymakers from developing countries, particularly women, are encouraged to apply. Selection will be conducted by the course organizers, who will consider the above entry requirements along with an analysis of the application questionnaire and the recommendation/motivation letter of each applicant. 

Number of available places for the cohort:  35

Upon completion of this course, participants will be able to: 

• Integrate CSIRT and SOC functions into the overall security strategy of their organization, while establishing governance models and operational frameworks that align with industry standards and best practices.
• Develop a clear CSIRT/SOC design, define the scope of operations, and craft a mission statement for their cybersecurity operations.
• Design and implement roadmaps for setting up or modernizing CSIRTs and SOCs, including resource planning, staffing, budgeting, and defining critical success factors.
• Foster a culture of proactive security and collaboration with internal stakeholders and external entities by promoting knowledge sharing across teams, ensuring continuous resilience and adaptability in the face of evolving challenges.
• Evaluate the effectiveness of existing CSIRT and SOC capabilities to identify areas for improvement and enhance overall cybersecurity operations.

The training course utilises integrates theoretical knowledge with practical application to ensure an engaging and effective learning experience. The course consists of 10 sessions, each consisting of a structured presentation by an experienced practitioner followed by group discussion or practical exercises. Some exercises will be done in groups, others individually. At the end of each day, a review will be conducted to reinforce the key takeaways.

The methodology is structured around the following key components:

• Lectures: Each session includes expert-led discussions that provide foundational knowledge and real-world insights, supported by visual aids, case studies, and structured explanations to help participants grasp complex concepts.
• Hands-On Exercises: Participants will engage in practical activities such as simulations, scenario-based tasks, and group exercises to reinforce their learning and develop applicable skills. These exercises are designed to mimic real-world challenges and provide immediate feedback.
• Case Studies: Real-world examples and success stories are integrated to demonstrate best practices and offer a practical understanding of how theoretical concepts are applied in operational environments.
• Team Activities: Group discussions and exercises assignments encourage collaboration and foster problem-solving skills, especially in team dynamics and decision-making contexts.
• Discussion and Q&A Sessions: Dedicated time is provided for interactive discussions and questions to ensure participants can clarify doubts and engage directly with instructors and peers.

Participants will be graded based on their engagement in practical exercises and their performance on the final exam. The final exam involves a group assignment (up to 5 participants per group) to analyze case studies and simulate scenarios related to CSIRT/SOC resource management. Attendance at all sessions is mandatory.

Grading criteria:

• Active participation in sessions: 10%
• Contribution to practical exercises: 40%
• Final exam (group work assignment): 50%

A minimum total score of 70% is required to earn the ITU certificate.

Monday, 22 September 2025 

Session 1: Official Opening – AFRALTI/NRD/ITU/EU (TBC), Group Photo (09:00-10:00)

• Learning Outcomes:
  • Introduction to the training, trainers, and participants.
  • Set expectations.

Session 2: Introduction to Different Cybersecurity Teams (10:30-11:30)

• Learning Outcomes:
  • Identify specific functions of cybersecurity teams (CSIRT, SOC, PSIRT, ISAC, etc.) and their roles in cybersecurity.
  • Differentiate between team responsibilities and determine organizational needs.
  • Analyze centralized and decentralized models for managing incidents.

Session 3: Preparation for Cybersecurity Team Establishment and Enhancement (11:30-12:00)

• Learning Outcomes:
  • Articulate the goals of cybersecurity initiatives.
  • Develop and interpret a cybersecurity team establishment roadmap.
  • Recognize critical actions for implementing and operationalizing the roadmap.

Session 4: Continuation of Cybersecurity Team Establishment and Enhancement (13:00-14:00)

Session 5: Defining CSIRT/SOC Mandate and Services (14:00-14:30)

• Learning Outcomes:
  • Summarize the purpose and importance of a CSIRT/SOC mandate.
  • Define scope, authority, and operational models for cybersecurity teams.

Session 6: Continuation of Defining CSIRT/SOC Mandate and Services (15:00-17:00)

Tuesday, 23 September 2025 

Session 7: Mastering Incident Management (08:30-10:00)

• Learning Outcomes:
  • Understand the incident management process, classification, and prioritization.
  • Demonstrate the use of ticketing tools during incident management.

Session 8: Continuation of Mastering Incident Management (10:30-12:00)

Session 9: Automation Tools for Enhanced Cybersecurity Operations (13:00-14:30)

• Learning Outcomes:
  • Explain the automation capabilities for CSIRT-related processes.
  • Utilize open-source tools to automate cybersecurity tasks.

Session 10: Continuation of Automation Tools for Enhanced Cybersecurity Operations (15:00-16:30)

Wednesday, 24 September 2025 

Session 11: Network Monitoring and Cyber Threat Intelligence (08:30-10:00)

• Learning Outcomes:
  • Illustrate the value of Cyber Threat Intelligence.
  • Apply methodologies for optimizing SOC operations and improving cybersecurity defenses.

Session 12: Continuation of Network Monitoring and Cyber Threat Intelligence (10:30-12:00)

Session 13: Building Strong Cybersecurity Collaborations (13:00-14:30)

• Learning Outcomes:
  • Demonstrate the importance of partnerships and information sharing.
  • Develop strategies to sustain collaborations within and across cybersecurity ecosystems.

Session 14: Building a High-Performing Cybersecurity Team: The Human Factor (15:00-16:30)

• Learning Outcomes:
  • Identify competencies required for effective CSIRT/SOC operations.
  • Build a training plan for CSIRT/SOC staff.

Thursday, 25 September 2025 

Session 15: Enhancing Visibility and Value for Constituents and Stakeholders (08:30-10:00)

• Learning Outcomes:
  • Identify types of CSIRT reports and their purposes.
  • Tailor reports to different audiences.
  • Enhance advisory and editorial skills.

Session 16: Continuation of Enhancing Visibility and Value for Constituents and Stakeholders (10:30-12:00)

Session 17: Measuring Cybersecurity Team Maturity (13:00-14:30)

• Learning Outcomes:
  • Evaluate team maturity using SIM3 and SOC-CMM models.
  • Plan improvements and align team capabilities with reference models.

Session 18: Continuation of Measuring Cybersecurity Team Maturity (15:00-16:30)

Friday, 26 September 2025 

Session 19: Finalization of Training (08:30-09:00)

• Learning Outcomes:
  • Overview of training and expectations review.
  • Q&A session.

Session 20: Final Exam (Group Work Assignment) and Course Evaluation (09:00-12:00)

Session 21: Closing Ceremony and Certificate Handover (12:00)