1. What is a SOC and its purpose?
A SOC (Security Operations Center) is a centralized team responsible for monitoring, detecting, investigating, and responding to cybersecurity threats to protect an organization’s systems, networks, and data.
2. Roles and responsibilities of a SOC analyst
A SOC analyst monitors alerts, analyzes logs, investigates incidents, escalates threats, documents findings, and helps improve security posture.
3. Difference between SOC Tier 1, 2, and 3
- Tier 1: Alert monitoring and initial triage
- Tier 2: Deep investigation and response
- Tier 3: Threat hunting, malware analysis, and advanced response
4. What is the CIA triad?
- Confidentiality: Protect data from unauthorized access
- Integrity: Ensure data is accurate and unchanged
- Availability: Ensure systems and data are accessible
5. Difference between vulnerability, threat, and risk
- Vulnerability: A weakness
- Threat: Something that can exploit the weakness
- Risk: The potential impact if the threat exploits the vulnerability
6. What is defense in depth?
Using multiple layers of security controls so if one fails, others still protect the system.
7. What is least privilege?
Users and systems should only have the minimum access needed to perform their tasks.
8. IDS vs IPS
- IDS: Detects and alerts
- IPS: Detects and actively blocks traffic
9. What is SIEM?
SIEM collects, correlates, and analyzes logs from multiple sources to detect security incidents.
10. What is SOAR?
SOAR automates security workflows, incident response, and alert handling.
11. What is TCP/IP?
A set of networking protocols that define how data is transmitted across networks.
12. TCP vs UDP
- TCP: Reliable, connection-oriented
- UDP: Faster, connectionless, less reliable
13. What is a firewall?
A security device that allows or blocks traffic based on predefined rules.
14. What is a proxy server?
An intermediary that forwards requests between users and the internet, often for security or filtering.
15. What is DNS?
DNS translates domain names into IP addresses.
16. What is DHCP?
Automatically assigns IP addresses to devices on a network.
17. What is a port?
A communication endpoint.
Examples: 80 (HTTP), 443 (HTTPS), 22 (SSH), 25 (SMTP)
18. What is NAT?
Translates private IP addresses to public IP addresses.
19. What is a VPN?
A secure tunnel that encrypts traffic between a user and a network.
20. What happens during HTTPS?
Traffic is encrypted using TLS after certificate validation.
21. Types of logs monitored in SOC
Firewall, endpoint, authentication, server, DNS, proxy, and application logs.
22. What is log correlation?
Combining logs from multiple sources to identify suspicious activity.
23. What is a false positive?
An alert that looks malicious but is actually benign.
24. How do you prioritize alerts?
Based on severity, asset value, impact, and confidence level.
25. Incident response lifecycle
Preparation → Detection → Containment → Eradication → Recovery → Lessons learned
26. Steps for a malware alert
Validate alert, isolate endpoint, collect evidence, remove malware, and document.
27. Investigating a phishing email
Check sender, headers, links, attachments, and user impact.
28. What is an IOC?
An Indicator of Compromise: an artifact such as an IP address, file hash, or domain that points to malicious activity.
29. MITRE ATT&CK
A framework that maps attacker tactics and techniques.
30. What is threat intelligence?
Information about threats used to improve detection and response.
31. Windows vs Linux security
Windows relies on AD and group policies; Linux focuses on permissions and services.
32. Windows Event Logs
Security, System, and Application logs used for auditing and investigations.
33. What is EDR/XDR?
Tools that detect and respond to threats on endpoints and across environments.
34. What is malware?
Malicious software such as viruses, worms, trojans, and spyware.
35. What is ransomware?
Malware that encrypts data and demands payment.
36. How do attackers maintain persistence?
Through scheduled tasks, registry run keys, and startup services.
37. What is privilege escalation?
Gaining higher access than authorized.
38. Patch management
Keeping systems updated to fix vulnerabilities.
39. What is hardening?
Reducing attack surface by disabling unnecessary services.
40. Endpoint isolation
Disconnecting a device from the network to stop spread.
41. What is cloud security?
Protecting cloud environments, data, and workloads.
42. IaaS vs PaaS vs SaaS
- IaaS: Infrastructure
- PaaS: Platform
- SaaS: Software
43. Shared responsibility model
Cloud provider secures infrastructure; customer secures data and access.
44. Compliance vs security
Compliance meets standards; security reduces risk.
45. What is DLP?
Prevents sensitive data from leaving the organization.
46. Handling insider threats
Monitor behavior, investigate alerts, follow HR/legal processes.
47. If SIEM goes down
Notify stakeholders, use backup logs, restore service.
48. Staying updated
Blogs, threat feeds, labs, certifications, and practice.
49. Explain an incident you handled
Describe detection, investigation, response, and lessons learned (labs are acceptable).
50. Why do you want to work in a SOC?
To gain hands-on security experience, learn incident response, and protect organizations.
