This page gives a summary of my experience in obtaining the CDSA. At the end I list some tips and tricks, in case you want to go through the course yourself.
Overview
Hack The Box's CDSA is currently their only blue team certification and is advertised for upskilling in security analysis, SOC operations, and incident handling. Its material spans 15 modules, most with a skill assessment that must be passed before attempting the final exam. The exam tests you on handling two separate incidents, for which you are given two SIEM systems (elastic & splunk) and some collected forensic artefacts (memory / disk). You need to apply the threat hunting methods you learned to understand the full scope of the attack, which systems were compromised and what data was stolen. The exam contains a specific set of questions that have to be answered based on the evidence. Finally you have to hand in a full report on both incidents, and you pass or fail the exam solely based on your report.
Key topics:
- SOC Processes & Methodologies
- SIEM Operations (ELK/Splunk) & Tactical Analytics
- Log Analysis
- Threat Hunting
- Active Directory Attack Analysis
- Network Traffic Analysis (incl. IDS/IPS)
- Malware Analysis
- DFIR Operations
Prerequisites
Even though CDSA is easier than CPTS in my opinion, there are also a lot of threads on Reddit and other platforms where people mention failing their exam. Especially the report portion of the exam is more critical than on CPTS, as only writing up your findings shows whether you have fully understood the incidents. You should be well prepared for the course if you fulfill the following points:
- Basic technical knowledge in the domains of
- Operating System (Windows)
- Active Directory (Windows)
- Networking (OSI-Layers)
- Having an investigative mind and being able to think outside the box.
- Being able to write a professional report in English.
- Wanting to invest a lot of time, depending on your previous skills (official path length is 23 days)
Working full-time in IT in closely related fields, I completed the course and exam in 1.5 months. I do not recommend going that fast if you have no experience in the listed key topics. Take your time, there is no need to rush.
Review
I successfully passed the exam on my first attempt in autumn 2025. I have to admit that I rushed the course. Not because I didn't like it, but because I was familiar with many topics and concepts, either through work or because of previous certifications. The exam was a lot easier than CPTS, mostly due to the given questions on the first incident, which you had to answer correctly (flags). Through those questions you are given a hint where to search for the answer. There is also no penalty for submitting a wrong answer, so you can try as many times as you want until the system accepts your answer. Even though the second incident has no such flags, I found it not very hard and had collected all needed answers on my third day (the time limit is 7 days). The real exam, in my opinion, lies in report writing, as only when you write about the two incidents do you possibly find gaps and new questions (how the attacker got from X to Y). Being curious, I tried to answer my own questions as well and searched the limited evidence for an answer (even though it was completely unnecessary to do so for passing). That's why it took me until day 6 to submit the report to HTB. The report was not as long as in CPTS (53 pages). Interestingly, I benefited enormously from taking CRTO in summer 2025, as some artefacts and behaviours I learned as an attacker were now coming up on the blue side, which helped me catch those immediately.
Overall I liked the experience and the skill set it taught throughout the course and the exam. If you like doing Sherlocks on HTB, you will enjoy the course / exam. Though I think the exam scope could be widened by also including other topics taught:
- Malware Analysis
- Collecting Evidence (Network, Disk, Memory)
The modules I really liked the most were:
- Windows Attack & Defense / Detecting Windows Attacks With Splunk: Both of those modules are the best in the course by far. They teach you what artefacts are generated in different evidence by well known attacks like Kerberoasting, Password Spraying, Delegation Attacks, ADCS Attacks, Credential Attacks (e.g. PTH, PTT or Golden / Silver Tickets) and much more. They even include some tips for setting up honeypots in the environment for detection (e.g. a kerberoastable user that is unused, so if any login occurs you get notified and the account gets locked). These modules also give you insights as an attacker into what you need to avoid and where you are easily caught (useful for red team engagements).
- Malware Analysis (beginner level only)
- Digital Forensics: Goes into detail on a lot of Windows artefacts, where to find them, how to collect them and what evidence they give you.
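As an added example (not code from the course or from the original post), here is how the honey-account idea above could be expressed as a detection check over Windows Security events: any service ticket request (Event 4769) or logon (Event 4624) touching the unused decoy account raises a high alert and marks the account for locking, while RC4 (0x17) ticket requests against other service accounts are flagged as a lower-severity Kerberoasting hint. The account name `svc_honey`, the event records and their field layout are constructed for illustration.

```python
import json

# Constructed sample Windows Security events as JSON lines (not real telemetry).
# 4769 = Kerberos service ticket request: TargetUserName is the requester,
# ServiceName is the account owning the SPN. 4624 = successful logon.
# TicketEncryptionType 0x17 (RC4) is the type most Kerberoasting tooling
# requests, so it is a common detection signal; 0x12 is AES256.
SAMPLE_EVENTS = """
{"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.15"}
{"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_honey", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.44"}
{"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.44"}
{"EventID": 4624, "TargetUserName": "svc_honey", "LogonType": 3, "IpAddress": "10.0.0.44"}
{"EventID": 4769, "TargetUserName": "carol@CORP.LOCAL", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.7"}
"""

HONEY_ACCOUNTS = {"svc_honey"}  # hypothetical unused, kerberoastable decoy account
RC4 = "0x17"


def parse_events(text):
    """Parse JSON-lines event records into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(events, honey_accounts=HONEY_ACCOUNTS):
    """Return (severity, rule, account, requester, source_ip) alerts.
    Honey-account touches are high severity: the account is never used, so any
    ticket request or logon against it is suspicious by construction. The RC4
    rule is medium because legacy services can legitimately request RC4 tickets."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        svc = ev.get("ServiceName", "").split("@")[0]
        target = ev.get("TargetUserName", "").split("@")[0]
        if eid == 4769 and svc in honey_accounts:
            alerts.append(("high", "honey account TGS request", svc, target, ev.get("IpAddress")))
        elif eid == 4624 and target in honey_accounts:
            alerts.append(("high", "honey account logon", target, None, ev.get("IpAddress")))
        elif eid == 4769 and ev.get("TicketEncryptionType") == RC4 and svc != "krbtgt":
            alerts.append(("medium", "RC4 service ticket", svc, target, ev.get("IpAddress")))
    return alerts


def accounts_to_lock(alerts):
    """Honey accounts that were touched and should be disabled/locked by the responder."""
    return sorted({a[2] for a in alerts if a[0] == "high"})
```

In a SIEM the same logic would be two saved searches over 4769/4624, with the honey-account match wired to an alert and an automated disable of the decoy.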
There were also some modules that I feel could be improved:
- Windows Event Logs & Finding Evil: You analyze event logs manually. It also dives into the topic of ETW (Event Tracing for Windows). As the module is the first practical one (after two theory ones), it's quite steep. It felt out of place and should be taught later. I guess it overwhelms some beginners.
- JavaScript Deobfuscation: This module felt completely out of place, as it was also taught in CPTS; it's from the perspective of an attacker deobfuscating JavaScript to gain access. If they want to teach deobfuscation on the blue team side, they should write a completely new module (also including PowerShell deobfuscation).
Tips & Tricks
On Path
- Take good notes in a structured way, which you can always refer back to (personally I use Obsidian)
- Don't rush the path, it's more like a marathon.
- Apply your skill set on HTB Sherlocks. Shortly after my completion, they even released a Sherlocks path for CDSA preparation.
- Make use of BOTS from splunk to have some practice (for BOTS 2 and 3 you need to set up your own instance). I highly recommend doing at least BOTS 1.
On Exam
- For solely solving the exam you need these modules / skills the most:
  - Threat Hunting with elastic
  - Threat Hunting with splunk
  - Ramdump analysis with volatility
  - Having an understanding of common attack patterns and the skill to recognise them in elastic, splunk and volatility.
- You will not be able to answer every part of the incident chain (especially relevant for incident 2), as not enough evidence was collected (as can happen in real life). Some traces are lost and you have to connect the dots otherwise or make assumptions (also write those in your report).
- Make use of your free second attempt if you run into time trouble or weren't able to finish. Know that your second attempt comes with the same environment, so you can insert all previously gathered answers. To get a second attempt you at least have to submit an empty report.
- Have fun. It felt rewarding finding the answers to the incidents. Even though I think in real life you would be lucky to have so much evidence on attacks.

