Detect breaches in network security, understand alerts and inform incident response team about system breaches.
Apprentices learn to monitor networks for security breaches, analyse alerts, and support incident response processes. The training covers threat detection techniques, log analysis, understanding of attack vectors, and how to interpret and triage security events. Apprentices also develop knowledge of network protocols, intrusion detection systems, and the procedures used to escalate and document incidents. The programme builds the analytical skills needed to distinguish genuine threats from false positives and to communicate findings clearly to response teams.
Working within a security operations centre or similar team, apprentices monitor network traffic and security alerts, investigate potential intrusions, and record findings accurately. They use tools such as SIEM platforms, intrusion detection systems, and packet analysis software to examine suspicious activity. Regular tasks include reviewing logs, triaging alerts by severity, escalating confirmed incidents to the appropriate response team, and contributing to post-incident documentation. Communication with colleagues across IT and security functions is a regular part of the role.
Completing this apprenticeship opens pathways into roles such as junior cyber analyst, SOC analyst, threat intelligence analyst, or incident responder. With experience, progression typically leads to senior analyst positions, SOC team lead, or specialisms in penetration testing, digital forensics, or threat hunting. Employers span a wide range of sectors, including financial services, central and local government, defence, telecoms, and managed security service providers. Demand for qualified analysts remains strong across both in-house security teams and third-party security operations services.
No training providers currently listed for this standard.
Completing this apprenticeship typically leads to roles such as Cyber Intrusion Analyst, Security Operations Centre (SOC) Analyst, Threat Detection Analyst, or Junior Incident Responder. Some completers move into Network Security Analyst positions, particularly where their employer operates its own SOC function. The role sits at a technical, operational level, focused on monitoring systems, triaging alerts, and feeding findings into incident response workflows rather than managing those processes end to end.
Within three to five years, analysts typically advance to Mid-level SOC Analyst, Senior Threat Detection Analyst, or Incident Response Analyst, taking on more complex triage work and mentoring junior colleagues. Two distinct tracks tend to emerge beyond that point. A technical specialism route leads toward roles such as Threat Intelligence Analyst, Digital Forensics Investigator, or Penetration Tester, often supported by certifications such as CompTIA CySA+ or CREST qualifications. A leadership route leads toward SOC Team Lead or Security Operations Manager.
Demand for this role spans financial services, central and local government, defence, healthcare, utilities, and managed security service providers (MSSPs). Employers range from large enterprise organisations running in-house SOC teams to specialist cyber security consultancies contracted to monitor client environments. The public sector, including GCHQ-affiliated bodies and NHS digital functions, recruits at this level, as do banks, insurers, and telecoms operators with significant network infrastructure to protect.
Throughout the apprenticeship, learning happens in a real workplace, with the apprentice building knowledge and practical skill in detecting security breaches, analysing alerts, and supporting incident response. Before final assessment can begin, the apprentice and employer must confirm readiness through a gateway review, which checks that the required knowledge, skills, and behaviours have been developed to a sufficient standard. Final assessment then confirms whether the apprentice can perform the role competently. Assessment models across many standards are currently being updated as part of ongoing reforms, so check the standard's gov.uk page for the current specification.
Building a strong record of real workplace activity from early in the apprenticeship makes the final stages considerably less pressured. Apprentices should document their work on live security monitoring tasks, alert triage, and incident support as they go, rather than reconstructing evidence later. Keeping an ongoing log also helps identify any gaps in the knowledge or behaviours the standard requires. Working closely with both the employer and the training provider throughout, rather than treating assessment as a separate event at the end, gives the best chance of a smooth gateway review.
Look for providers with an achievement rate above 65% on their FATP profile, ideally above 75% for a technical standard at this level. Beyond the headline numbers, a strong provider will deliver hands-on threat detection practice using current tooling: SIEM platforms such as Splunk or Microsoft Sentinel, network traffic analysis tools, and realistic attack-and-defend lab environments. Apprentice satisfaction scores and reviews should mention practical scenarios, not just classroom theory. Check that tutors hold current industry certifications (CySA+, SC-200, or equivalent) and that the provider has placed alumni in SOC analyst or incident response roles.
Be cautious of providers with high learner volumes but declining achievement rates, or those who cannot point to recent alumni working in security operations centre roles. If the curriculum materials reference outdated tooling or the provider cannot explain how off-the-job training maps to real threat detection workflows, that is a concern. Vague answers about how end-point assessment preparation works, or cohort structures that mix this standard with unrelated digital apprenticeships in generic classroom sessions, suggest the provision lacks the specialist depth this standard requires.
Employers set their own entry criteria, but most look for a good grounding in IT fundamentals, an interest in cybersecurity, and the ability to analyse technical information. Some require GCSEs in maths and English, or equivalent qualifications. Prior experience with networking or IT support is useful but not always mandatory. Apprentices must be employed in a relevant role for the full duration and, if they lack Level 2 English and maths, will need to achieve those before gateway.
The typical duration is 24 months, during which the apprentice remains employed throughout. Learning happens alongside the day job, with a proportion of working hours dedicated to off-the-job training. Exact minimum durations and off-the-job requirements are subject to revision under current Skills England reforms. Check the current specification on the Institute for Apprenticeships and Technical Education website at gov.uk for the latest requirements before designing a training plan.
Assessment models for many apprenticeship standards are currently being updated. In general, the apprentice must reach a gateway point where their employer and training provider confirm they have met the required knowledge, skills, and behaviours. From gateway, they proceed to an end-point assessment conducted by an independent organisation. The assessment typically tests the ability to detect intrusions, interpret alerts, and support incident response. Confirm the current assessment approach in the live standard on gov.uk before enrolling.
The funding band for this standard is £18,000, which is the maximum government contribution towards training costs. Levy-paying employers (those with a payroll above £3 million) pay through their digital apprenticeship service account. Smaller employers co-invest, contributing 5% of the training cost while the government covers the remaining 95%. Employers with fewer than 50 staff who take on an apprentice aged 16 to 18 pay nothing; the government funds the full amount.
The apprentice monitors network traffic and security tooling for signs of malicious activity, investigates alerts to distinguish genuine threats from false positives, and documents findings for the incident response team. They may also analyse logs, review threat intelligence feeds, and support colleagues responding to active incidents. The role sits within a security operations or monitoring function, so the apprentice is working in a live environment with real consequences, not just in a classroom setting.
Completing the apprenticeship opens routes into specialist cybersecurity roles such as incident responder, threat intelligence analyst, or penetration tester. Some employers offer internal progression to senior analyst or team lead positions. Others move into related Level 6 or Level 7 degree apprenticeships in cybersecurity or digital technology. Industry certifications such as CompTIA CySA+ or GIAC qualifications are commonly pursued alongside or after completion to strengthen technical credibility with employers.
Curated by Alex Lockey, FATP founder and editor. Last reviewed: .
Sources include the apprenticeship's official specification on apprenticeships.gov.uk, Skills England guidance, IfATE archive records, DWP funding bands, and provider data sourced directly from the public Apprenticeship Provider and Assessment Register (APAR). Standard reference: 79.
Some sections on this page were drafted with AI assistance from published source data and reviewed by a human editor before publication.