Quickstart — analyst training

Forge analyst instinct

BlueGrid Forge is an instructor-led cybersecurity analyst training academy in Seoul. Live SOC simulation, mentor feedback from working analysts, and curriculum we rewrite every cohort because retros tell us to.

Pick the package manager you already use and run a single line to get the lab CLI. The hello-world below puts a redacted alert stream and the week-1 triage rubric on your machine in under two minutes.

Step 1 — install the lab CLI
$ npm install -g @bluegridforge/lab-cli
Step 2 — three-line hello-world
  1. lab login --cohort sample-2026
  2. lab fetch alerts --redacted
  3. lab triage --rubric week-1
Upcoming webinar

Open SOC office hours: how to read your first incident replay

Once a month our lead instructor walks through a finished incident replay alongside the analyst who actually investigated it. Bring questions; we answer the ones the recorded talks usually skip.

What we will cover

A finished commodity-malware incident replayed in real-time at 4x speed, with the original investigating analyst pausing to talk through what they were thinking at each step.

Who this is for

Suitable for early-career analysts, career switchers reading their first replay, and anyone who has wondered what the gap is between a tutorial scenario and a real one.

Registration notes

Free to attend. We do not run sales pitches during the session and we do not require a phone number. We collect an email so we can send you the recording, then we forget you exist unless you opt in.

Replay of a commodity-malware incident — what the analyst noticed first, what they almost missed, and the handover ticket that closed the case.

We send the join link the day before. No phone number required, no sales follow-up.

Lab status

Lab platform is healthy. Here is the recent log.

Our lab platform reports real status. The replay engine is currently healthy. Last three incidents are below — durations include the post-mortem window, not just the outage. We post the resolution note within 24 hours of recovery.

  1. Resolved

    Replay engine queue stalled — peak hours

    Queue worker pool hit a memory ceiling under cohort load. Capacity raised; alarm threshold tightened.

    Duration: 47 minutes
  2. Resolved

    Auth provider intermittent — login retries needed

    Upstream identity provider regional incident. Failover validated; learners affected during evening session.

    Duration: 21 minutes
  3. Resolved

    Lab CLI version pin mismatch

    A deprecation slipped past pre-release testing. New CLI release pipeline added a regression check.

    Duration: 2 hours 14 minutes
Certified partners

Tiered partner badges, with the engagement behind each tier

A small set of partners we deliver corporate cohorts and lab integrations with. We refresh the list when an active engagement ends — we do not display logos for partnerships that no longer reflect ongoing work. Tiers reflect engagement depth, not payment level. Community-tier organisations contribute scenarios or peer review; we do not charge them.

Gold: Multi-cohort corporate engagements with quarterly curriculum sync
  • Hangang Trust Group: Enterprise-client cybersecurity uplift cohort
  • NoraSec Defenders: Joint SOC simulation lab content
  • Mooro Risk Coverage: Compliance-readiness workshop sponsor
Silver: Active scenario contribution and recurring guest mentors
  • BlueRiver Group: Mentor pool, cloud track
  • Daram Cyber Co-op: Threat-intel scenario contribution
  • Pyo & Han Operational Advisors: After-action template review
Community: Volunteer reviewers, scenario donors, alumni cohorts
  • KR Alumni Defenders Circle: Mock-interview volunteers
  • OpenIR Collective: Open-source IR template feedback
  • Seoul SOC Meetup: Hosted weekend lab debrief sessions
Security FAQ for builders

Auth, data, and quality-standards questions, answered straight

If you are integrating our lab CLI into your team's training pipeline, these are the questions we get most often about auth, data handling, and quality standards. We update this section when our auth model or data retention rules change.

  • Authentication. The lab CLI uses OAuth 2.0 device-code flow against our identity provider. No long-lived API keys are issued by default. If your team needs service-account access for batch enrolment, we issue scoped, expiring tokens on request.
  • Data handling. Redacted alert streams shipped to the lab CLI never contain real production telemetry. We replay anonymised incidents from finished investigations under our partner programme.
  • Logs and audit. Every lab action is logged with a learner identifier and timestamp. Audit logs are retained for 12 months and are available to the registered learner on request.
  • Quality standards (compliance). For cohort sponsors operating under ISO/IEC 27001 or SOC 2 we provide a control-mapping document on enrolment. We do not claim a certified posture beyond what is in that document.
  • Network surface. The CLI talks to two endpoints (api.lab.brand.kr and replay.lab.brand.kr) over TLS 1.3. There are no hidden third-party calls. A network policy snippet is published in the docs.
  • Local artefacts. On a learner machine, the CLI stores a config file under the user home directory. It contains a token reference, not the token itself. Token material lives in the OS keychain when available.
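
An added example, not part of BlueGrid Forge's documentation or CLI: one way an integrating team could check the Network surface claim above against its own egress proxy log. The log line format, the sample records and the `audit_egress` helper are assumptions constructed for illustration; only the two hostnames and the TLS 1.3 floor come from the FAQ.

```python
import re

# Endpoints and minimum TLS version as stated in the FAQ above.
ALLOWED_HOSTS = {"api.lab.brand.kr", "replay.lab.brand.kr"}
MIN_TLS = (1, 3)

# Assumed (constructed) proxy log format:
#   <timestamp> CONNECT <host>:<port> tls=TLSv<major>.<minor>
LINE_RE = re.compile(r"^(\S+) CONNECT (\S+):(\d+) tls=TLSv(\d)\.(\d)$")

# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    "2026-01-12T09:00:01Z CONNECT api.lab.brand.kr:443 tls=TLSv1.3",
    "2026-01-12T09:00:02Z CONNECT REPLAY.lab.brand.kr.:443 tls=TLSv1.3",
    "2026-01-12T09:00:03Z CONNECT api.lab.brand.kr.telemetry.example:443 tls=TLSv1.3",
    "2026-01-12T09:00:04Z CONNECT replay.lab.brand.kr:443 tls=TLSv1.2",
    "truncated record",
]

def audit_egress(lines):
    """Return (line_no, host, reason) for each record that breaks the policy."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            # Fail closed: a record we cannot parse is a finding, not a pass.
            findings.append((no, None, "unparseable record"))
            continue
        # Normalise case and the trailing root dot before comparing.
        host = m.group(2).lower().rstrip(".")
        tls = (int(m.group(4)), int(m.group(5)))
        # Exact match only: a suffix or prefix test would accept look-alikes
        # such as api.lab.brand.kr.telemetry.example.
        if host not in ALLOWED_HOSTS:
            findings.append((no, host, "host not in allowlist"))
        elif tls < MIN_TLS:
            findings.append((no, host, "TLS below 1.3"))
    return findings

if __name__ == "__main__":
    for finding in audit_egress(SAMPLE_LOG):
        print(finding)
```
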
Honest answers — buyer objections

Buyer objections, answered without the spin

These are the actual objections we hear during admissions calls. We answer them as we would in person — without sales spin and without disqualifying you for asking. If your objection is not here, write to us; if we hear it twice, it goes on the page.

It is not cheap. The bootcamps run between ₩980,000 and ₩3,800,000. We do not run loss-leader pricing because we pay our mentors and lab engineers properly and we do not want a teacher-attrition problem in eighteen months. If price is the blocker, the Analyst Career Launchpad at ₩450,000 is our smallest entry point — start there.