100 SOC Interview Questions

Vulnerability is the weakness, exploit is the tool or method to attack it.

OSI Model = A conceptual framework that standardizes how network communication works, divided into 7 layers.

From top to bottom:

7. Application – What the user interacts with (browser, email app).
Example: HTTP, SMTP

6. Presentation – Translates data formats, encryption, compression.
Example: SSL, JPEG

5. Session – Manages connections/sessions between devices.
Example: NetBIOS, RPC

4. Transport – Reliable data transfer, error checking, flow control.
Example: TCP, UDP

3. Network – Routing, logical addressing (IP addresses).
Example: IP, Routers

2. Data Link – Node-to-node transfer, MAC addresses.
Example: Ethernet, Switches

1. Physical – Raw bit transmission over hardware.
Example: Cables, Hubs, Electricity

Mnemonic (top to bottom):
All People Seem To Need Data Processing

IDS = Intrusion Detection System

• Monitors traffic, alerts you of threats
• Passive (doesn’t stop it)

IPS = Intrusion Prevention System

• Monitors traffic AND takes action to block threats
• Active (stops it in real time)

SIEM = Security Information and Event Management.

Purpose:
To collect, analyze, and correlate security data from across an organization’s systems in real time — to detect threats, generate alerts, and help with investigations/compliance.

How it works:

1. Collect – Gathers logs from firewalls, servers, endpoints, apps, etc.
2. Normalize – Converts different log formats into a common format.
3. Correlate – Looks for patterns or matches against rules (e.g., failed logins + privilege escalation = possible attack).
4. Alert – Sends alerts to security teams when threats are detected.
5. Store – Retains log data for forensics and compliance reporting.

Symmetric Encryption = Same key to lock and unlock.
Fast, but key must be shared securely.
Example: AES

Asymmetric Encryption = Different keys: Public key locks, Private key unlocks.
Slower, but no need to share secret key.
Example: RSA

True Positive – Malicious activity correctly identified as malicious.
True Negative – Legitimate activity correctly identified as legitimate.
False Positive – Legitimate activity incorrectly identified as malicious.
False Negative – Malicious activity incorrectly identified as legitimate.

TCP = Transmission Control Protocol

• Connection-based (handshake before sending)
• Reliable: guarantees delivery, retransmits lost data
• Ordered: packets arrive in order
• Slower, more overhead

UDP = User Datagram Protocol

• Connectionless (just sends)
• No guarantee of delivery or order
• Faster, less overhead

Three-way handshake = The process TCP uses to establish a reliable connection between client and server before data is sent.

Steps:

1. SYN – Client sends a synchronize packet to server.
   “Hey, let’s talk?”
2. SYN-ACK – Server responds with synchronize-acknowledgment.
   “Okay, I’m ready. You?”
3. ACK – Client sends acknowledgment.
   “Great, let’s go.”

→ Connection established. Data transfer begins.

DDoS (Distributed Denial of Service) = An attack that floods a target (server, network, application) with massive amounts of traffic from multiple sources, overwhelming it and causing service disruption.

Mitigation methods:

Blackholing / sinkholing – Redirect attack traffic to a null route.

Rate limiting – Restrict traffic volume per IP.

Traffic filtering – Block malicious traffic using firewalls or ACLs.

Anycast network – Distribute traffic across multiple data centers.

CDN (Content Delivery Network) – Absorb and absorb attack traffic at edge nodes.

DDoS protection services – Cloud-based scrubbing centers (e.g., Cloudflare, AWS Shield).

Authentication = Who you are.
Authorization = What you’re allowed to do.

Authentication verifies identity (login, password, fingerprint, etc.).

Authorization grants or denies access/permissions after identity is confirmed.

Phishing email red flags:

Requests for sensitive info – Legit companies never ask for passwords/credit cards via email.

Spoofed sender address – Looks legit but slightly off (e.g., amaz0n.com).

Generic greeting – “Dear Customer” instead of your name.

Urgency or threats – “Act now or account suspended!”

Suspicious links – Hover shows different URL than displayed.

Unexpected attachments – .exe, .zip, .docm, etc.

Poor grammar/spelling – Professional companies don’t send typos.

Vulnerability Assessment = Scans and identifies known weaknesses.
Penetration Testing = Exploits weaknesses to see how deep an attacker can go.

Vulnerability Assessment:

• Automated
• Broad coverage
• Finds flaws, no exploitation
• Tells you what is weak

Penetration Testing:

• Tells you how much damage an attacker could do

• Manual + tools

• Deep, goal-oriented

• Actively exploits

Defense in depth = A layered security strategy where multiple controls protect assets — if one layer fails, another catches it.

Layers (from outside to core):

Data security – Encryption, DLP

Policies & training – People, awareness

Physical security – Gates, guards, locks

Network security – Firewalls, IDS/IPS, segmentation

Endpoint security – Antivirus, EDR

Application security – Secure code, WAF

Threat = What you’re up against (bad actor, malware, natural disaster).
Vulnerability = Weakness that can be exploited (unpatched software, misconfiguration).
Risk = Likelihood × Impact of a threat exploiting a vulnerability.

Zero-day vulnerability = A security flaw that is unknown to the software vendor or has no patch available at the time it’s discovered or exploited.

Common ransomware infection vectors:

Software vulnerabilities – Unpatched systems exploited to install ransomware.

Phishing emails – Malicious attachments or links that download the payload.

Remote Desktop Protocol (RDP) – Weak or stolen credentials, brute force attacks.

Exploit kits – Drive-by downloads from compromised or malicious websites.

Malicious ads (malvertising) – Infected ads on legitimate sites.

USB drops – Infected devices left for employees to find and use.

Virus = Requires user action to spread (e.g., opening a file, running a program).
Worm = Self-propagates — spreads automatically without user interaction.

ARP spoofing (or ARP poisoning) = An attack where the attacker sends fake ARP messages over a local network. This links the attacker’s MAC address with the IP address of a legitimate device (like the default gateway).

Honeypot = A decoy system or resource designed to look like a legitimate target, but actually isolated and monitored to detect, deflect, or study attackers.

Stateful Firewall = Tracks the state of active connections. Makes decisions based on context (past and present packets).

Stateless Firewall = Filters each packet in isolation. No memory of past traffic.

Step-by-step incident response for malware outbreak:

Post-incident – Root cause analysis, improve detections, user training.

Isolate – Disconnect infected hosts from the network immediately (unplug cable, disable Wi-Fi, quarantine VLAN).

Contain – Block malicious domains/IPs at firewall, disable compromised accounts.

Identify – Determine malware type, infection vector, and scope.

Remediate – Remove malware, patch vulnerabilities, reset credentials.

Recover – Restore clean data from backups, monitor closely.

Principle of Least Privilege (PoLP) = Users, applications, and systems should only have the minimum access rights necessary to perform their job — nothing more.

Port scanning = The process of probing a system to identify which network ports are open, closed, or filtered.

HTTP = Hypertext Transfer Protocol
HTTPS = HTTP + Secure (encrypted via SSL/TLS)

Indicators of Compromise (IOCs) = Forensic artifacts that signal a potential breach or malicious activity on a system or network.

Step-by-step SIEM alert investigation:

Escalate or close – If malicious, notify incident response and contain. If benign, document why and tune if needed.

Triage – Confirm alert severity and age. Is it a known false positive? Check if others are seeing the same.

Review raw logs – Don’t just trust summary. Look at source IP, destination, user, process, timestamp.

Context enrichment – Geolocate IPs, check threat intel, asset criticality, user role.

Correlate – Search related events before/after (same host, same user, same timeframe).

Scope – Isolated incident or broader campaign? Pull in logs from firewalls, EDR, proxies.

Brute force attack = An attacker tries many username/password combinations repeatedly until they guess correctly.

Types:

• Simple brute force – Try all possible combinations
• Dictionary attack – Use common passwords/wordlists
• Credential stuffing – Leaked credentials from other breaches

Prevention:

Monitor logs – Detect and block repeated failures

Account lockout – Lock after X failed attempts

Rate limiting – Slow down login attempts

CAPTCHA – Block automated scripts

Multi-factor authentication (MFA) – Even if password is guessed, attacker can’t get in

Strong password policy – Complexity, length

DNS (Domain Name System)

Purpose:
DNS translates human-friendly domain names (like google.com) into machine-readable IP addresses (like 142.250.190.46). It’s the internet’s phonebook.

Common DNS Attacks:

DNS Spoofing / Cache Poisoning

• Injects fake DNS records into a resolver’s cache

• Redirects users to malicious sites

DNS Tunneling

• Encodes other protocols (like SSH or HTTP) inside DNS queries

• Used for data exfiltration or C2 communication

DNS Amplification

• DDoS attack using open DNS resolvers

• Small queries generate large responses, amplified and directed at victim

DNS Hijacking

• Attacker changes DNS settings (router, server, or endpoint)

• Redirects traffic without user knowledge

NXDOMAIN Attack

• Floods resolver with requests for nonexistent domain
• Consumes resources, causes denial of service

SAST = Static Application Security Testing (white-box testing)
DAST = Dynamic Application Security Testing (black-box testing)

SAST:

• Scans source code, bytecode, or binaries
• Done early in development (shift left)
• Finds issues like hardcoded secrets, SQL injection in code
• Language-specific, requires access to code

DAST:

• Technology-agnostic, no code access needed
• Scans running application (like an attacker)
• Done late in SDLC or in production
• Finds runtime issues like misconfigurations, authentication flaws

How to prioritize SOC alerts:

• Business impact – Is revenue, operations, or sensitive data at risk?
• Criticality of asset – Is it a domain controller, database, public-facing server, or executive’s workstation? High-value assets = higher priority.
• Alert severity – Based on rule/signature (e.g., critical, high, medium, low).
• Threat intelligence – Does the IOC (IP, hash, domain) have known malicious context? Is it tied to current campaigns?
• User/entity behavior – Unusual time, location, or activity patterns raise priority.
• Scope – Single host or spreading? Lateral movement escalates priority.
• Confidence level – High confidence rules (e.g., malware signature) beat low confidence (e.g., anomaly detection).

Man-in-the-Middle (MITM) attack = An attacker secretly intercepts and potentially alters communication between two parties who believe they are directly communicating with each other.

Encoding = Transforming data for usability (not security). Reversible with no key.
Encryption = Transforming data for confidentiality. Reversible with a key.
Hashing = Transforming data into a fixed-length fingerprint. One-way, irreversible.

Cross-Site Scripting (XSS) = An attack where malicious scripts are injected into trusted websites, then executed in victims’ browsers.

Patch management is the process of regularly updating software to fix vulnerabilities, improve performance, and add features. It is critical for security because unpatched software is a leading entry point for attackers.

Normal traffic spikes typically show gradual increases, consistent source diversity, and predictable patterns (time of day, business hours). Attacks often show sudden exponential jumps, traffic from botnets (unusual geographies, same device types), repetitive requests to a single endpoint, and symptoms like slow performance or service errors.

SQL injection = An attack where malicious SQL code is inserted into input fields to manipulate a database.

Prevention:

• Use parameterized queries (prepared statements)
• Input validation and sanitization
• Least privilege for database accounts
• Stored procedures
• Web application firewall (WAF)

Vulnerability Assessment (VA) = Automated scan to identify and list potential weaknesses.
Penetration Testing (PT) = Manual, goal-oriented exploitation to determine real-world impact and how deep an attacker can go.

Chain of custody = The documented, chronological record of evidence handling — showing who collected it, when, where, how, who secured it, and who accessed it — to ensure integrity and admissibility in legal proceedings.

Playbooks in a SOC are documented, step-by-step procedures that guide analysts on how to detect, investigate, contain, and remediate specific security incidents consistently and efficiently.

To stay updated with the latest cybersecurity threats, I follow these key sources and methods:

• Government alerts – CISA (U.S.), NCSC (UK), and national CERTs for timely vulnerability disclosures and actionable threat intelligence.
• Threat intelligence platforms – Recorded Future, Mandiant, and CrowdStrike for in-depth reports on attacker tactics and global trends.
• Vendor security bulletins – Microsoft Patch Tuesday updates and security advisories from major software and cloud providers.
• Cybersecurity news sites – SecurityWeek, The Hacker News, and BleepingComputer for daily coverage of incidents and research.
• Dark web monitoring – Leveraging threat intel feeds to track emerging ransomware groups, data leaks, and hacker forum discussions.
• Research reports – Annual outlooks like the Recorded Future State of Security Report to understand long-term shifts in the threat landscape .
• Professional communities – Following industry experts on X/Twitter and LinkedIn for real-time insights and peer analysis.
• Ongoing education – Completing continuous learning through courses, certifications, and security conferences.

Black hat = Malicious hackers who break into systems illegally for personal gain, theft, or damage.
White hat = Ethical hackers who find vulnerabilities with permission to improve security.
Grey hat = Hackers who may break laws or ethics but without malicious intent — often disclose vulnerabilities publicly without permission.

Logic bomb = Malicious code inserted into a system that lies dormant until triggered by a specific condition (date, user action, file deletion). Once triggered, it executes its payload — often deleting data, corrupting files, or disrupting systems.

Beaconing = Malware periodically communicating with an attacker’s command-and-control (C2) server to receive instructions or exfiltrate data, often using regular, low-and-slow traffic to evade detection.

Upload a file, hash, URL, or domain to check against 70+ antivirus engines and threat intel feeds. Analyze detection ratios, community comments, and behavior sandbox results to determine maliciousness and identify related indicators.

Active reconnaissance = Directly interacting with the target (port scans, vulnerability scans, network probes). Noisy, faster, easier to detect.
Passive reconnaissance = Gathering information without touching the target (OSINT, sniffing public traffic, social media, job postings). Stealthy, slower, harder to detect.

SOC (Security Operations Center) = A centralized team responsible for continuously monitoring, detecting, analyzing, and responding to cybersecurity incidents.

Primary functions:

• Monitor – 24/7 surveillance of networks, endpoints, and logs
• Detect – Identify threats via SIEM, EDR, and threat intelligence
• Triage – Prioritize and investigate alerts
• Respond – Contain, eradicate, and recover from incidents
• Report – Document findings and improve defenses

Stages of incident response:

• Preparation – Tools, playbooks, training in place
• Detection & Analysis – Identify and validate incident
• Containment – Stop the spread (short-term and long-term)
• Eradication – Remove threat, patch vulnerabilities
• Recovery – Restore systems, monitor for reinfection
• Lessons Learned – Post-incident review, improve processes

Two-factor authentication (2FA) improves security by requiring a second verification factor beyond just a password — something you know (password) plus something you have (phone, token) or something you are (biometric). This makes unauthorized access significantly harder even if passwords are stolen.

VPN (Virtual Private Network) = Encrypts all traffic from device to VPN server, tunneling the entire internet connection. Works system-wide.

Proxy = Forwards traffic for specific applications (usually web), may or may not encrypt. Doesn’t cover all traffic.

SOAR (Security Orchestration, Automation, and Response) platform automates and streamlines security operations by integrating tools, orchestrating workflows, and automating response actions to improve efficiency and consistency in incident handling.

Rootkit = Malicious software designed to hide its presence and maintain privileged access while concealing activities from security tools.

Detection methods:

• Behavioral analysis – Anomalies despite no visible signs
• Memory analysis – Examine RAM for hidden processes
• Boot-time scanning – Detect before rootkit activates
• Integrity checking – Compare files against known good versions
• Specialized rootkit scanners – Dedicated detection tools

IPv4 = 32-bit address, 4.3 billion addresses, written as four decimal numbers (192.168.1.1), uses NAT for conservation.
IPv6 = 128-bit address, 340 undecillion addresses, written as eight hexadecimal groups (2001:db8::1), built-in security, no NAT needed.

• Open in Wireshark or similar tool
• Filter traffic by IP, protocol, port, or conversation
• Follow streams to reassemble TCP or UDP conversations
• Extract files using export objects (HTTP, SMB, etc.)
• Identify anomalies – Suspicious IPs, unusual protocols, malformed packets
• Use statistics – Endpoints, conversations, protocol hierarchy for overview
• Check for IOCs – Known malicious IPs, domains, patterns

CIA Triad = The three core principles of information security:

• Confidentiality – Ensuring data is accessible only to authorized users (encryption, access controls).
• Integrity – Maintaining accuracy and trustworthiness of data (hashing, checksums).
• Availability – Ensuring systems and data are accessible when needed (redundancy, backups, DDoS protection).

Compliance = Meeting external requirements (laws, regulations, standards).
Security = Actually protecting assets from threats.

Key difference:
Compliance is a checkbox (what you must do).
Security is a continuous process (what you should do).

• Verify – Confirm it’s not a true positive by checking raw logs and context.
• Document – Note why it’s a false positive for future reference.
• Tune the rule – Adjust logic to reduce noise (whitelist benign sources, refine thresholds).
• Escalate if needed – If persistent, involve engineering for rule optimization.
• Close the alert – Mark as false positive in the ticketing system.

TOR (The Onion Router) = Routes traffic through multiple encrypted relays to hide your IP and activity. Designed for anonymity.

Regular browser = Connects directly to websites, revealing your real IP address. Faster, but less private.

Kerberos = A network authentication protocol that uses tickets and symmetric-key cryptography to prove identity securely without sending passwords over the network.

• Detect security incidents and anomalous behavior in real time
• Investigate by providing historical evidence for root cause analysis
• Comply with regulatory requirements (retention, audit trails)
• Improve system performance and availability through trend analysis
• Alert on critical events for immediate response

Fileless malware = Malicious code that runs in memory without writing files to disk, making it harder to detect with traditional antivirus.

• Unusual RDP, SMB, or PSExec connections
• Anomalous administrative logins
• Pass-the-hash or pass-the-ticket activity
• Unusual service creations or scheduled tasks
• Data access patterns (user accessing unrelated systems)
• Alerts from EDR on privilege escalation or remote execution
• Beaconing to C2 before internal scanning

Security policy = High-level rules and principles defining what must be done.
Procedure = Step-by-step instructions detailing how to implement the policy.