Skip to content

SOC Analyst interview questions

Detection, triage, SIEM, alert handling and the day-to-day of a security operations centre.

100 questions questions in this setStart a quiz
A full antivirus scan came back clean — does that prove the machine isn't compromised?

No. Antivirus is one signal, not proof. It misses fileless and in-memory attacks, brand-new or obfuscated samples, living-off-the-land abuse of legitimate tools, and rootkits built to hide from it. Absence of evidence is not evidence of absence — real assurance comes from EDR telemetry, memory forensics, behavioral analysis, and IOC hunting. Treating a clean AV scan as proof of a clean system is a classic incident-response mistake.

Mid-levelMalwareDFIR (Forensics & Incident Response)
The full answer
Your antivirus flagged the EICAR file — does that mean you're infected with a virus?

No. The EICAR test file is a deliberately harmless 68-byte ASCII string that every AV vendor agrees to detect, so you can safely verify detection and alerting without touching real malware. A hit means your AV is working — not that you are infected. It is not a virus and does nothing if executed. Mistaking an EICAR test detection for a real infection is a common early-career gotcha.

JuniorMalware
The full answer
Does HTTPS hide which website you're visiting from your ISP or network?

Mostly no. The destination hostname is sent in the clear in the TLS ClientHello's SNI extension, and your DNS query usually reveals it too, so an ISP or network can see WHICH site you visit even over HTTPS — they just can't read the path or content. Encrypted ClientHello (ECH) and DNS-over-HTTPS can close this gap, but they aren't universal. 'HTTPS hides everything' is the misconception.

Mid-levelNetworkingWeb Security
The full answer
Is a device's MAC address permanent and globally unique?

No. A MAC is assigned by the vendor (OUI plus device id) and is 'burned in,' but essentially every OS lets you override it in software (macchanger, ip link set address). So MAC addresses are spoofable and must not be relied on for authentication — MAC filtering is weak, and phones now randomize MACs for privacy. 'Permanent and unique' is the misconception.

JuniorNetworking
The full answer
Does enabling MFA make an account impossible to phish?

No. MFA raises the bar a lot, but OTP and push factors are phishable: adversary-in-the-middle kits (e.g. Evilginx) proxy the login and relay the code in real time, and MFA-fatigue/push-bombing tricks users into approving. Captured codes are reusable within their short window. The misconception is 'MFA = unphishable'; the factor type is what matters. Phishing-resistant MFA — FIDO2/WebAuthn passkeys bound to the site's origin — is what actually defeats this.

Mid-levelIdentity & Access ManagementThreat Intelligence
The full answer
Your account was breached — does simply changing the password kick the attacker out?

Not by itself. Many systems keep existing sessions and previously issued tokens valid after a password change — OAuth refresh tokens, 'app passwords', API keys, and persistent cookies — so an attacker with a live session can stay in. The correct response is to change the password AND invalidate all sessions and tokens, revoke app credentials, and audit MFA devices and recovery settings. Assuming a password reset alone evicts the attacker is a classic incident-response mistake.

Mid-levelIdentity & Access ManagementDFIR (Forensics & Incident Response)
The full answer
A server looks compromised — does rebooting or shutting it down fix the problem?

No. Most real intrusions establish persistence (services, scheduled tasks, run keys, implants) that survives a reboot, so the attacker simply returns. Worse, powering off wipes volatile evidence — running processes, network connections, in-memory malware, and encryption keys — that you need to scope the incident. The right move is to contain by isolating the host while preserving memory, then investigate. Rebooting or shutting down as a 'fix' is a damaging instinct.

Mid-levelDFIR (Forensics & Incident Response)Malware
The full answer
What port does traceroute use?

Trick question — there's no single traceroute port. Classic Unix traceroute sends UDP datagrams to high, unlikely ports starting around 33434 with an increasing TTL; Windows tracert uses ICMP Echo instead. It works by reading the ICMP Time Exceeded messages routers return as the TTL expires, not by hitting a reserved port. And ICMP itself has no ports at all.

JuniorNetworking
The full answer
You must reconstruct what an attacker did across three days. What's the right approach?

Reliable incident reconstruction comes from correlating independent telemetry into one timeline: auth logs, EDR process/exec data, filesystem MAC timestamps, network flows and SIEM events, so you can order actions and bound the scope. A single log or the latest event alone misses the chain and can be misleading or tampered with. Guessing from one source or asking the attacker are not investigative methods. Correlation across independent sources is what reveals the full attacker activity and survives an attacker who edited one of them.

SeniorDFIR (Forensics & Incident Response)
The full answer
The help desk gets an urgent call demanding an immediate password reset for an executive, with no identity verification and lots of time pressure. What should the agent do?

Urgency, authority, and skipping verification are textbook social-engineering pressure aimed at a high-value account. The agent must follow the defined identity-verification process before resetting anything, and escalate if it can't be satisfied. Resetting on demand, using a guessable 'security question' like a favorite color, or emailing the new password to the caller all hand an attacker control of the executive's account.

JuniorIdentity & Access ManagementThreat Intelligence
The full answer
EDR flags a process reading LSASS memory. Why does it matter and what do you do?

LSASS stores cached credentials and secrets, so an unexpected process reading its memory is a hallmark of credential theft (e.g., mimikatz-style dumping). Triage the offending process and parent, isolate the host to stop lateral movement, and rotate the credentials that could have been captured — including privileged and service accounts. It has nothing to do with graphics rendering or disk space, and ignoring it as normal can lead to domain-wide compromise. The benign-sounding distractors are exactly how analysts miss an active intrusion.

Mid-levelWindows InternalsIdentity & Access Management
The full answer
A user opened an Office document and enabled macros; EDR then shows a child process spawned by Word. What's your first action?

Word spawning a child process right after macros were enabled is a classic malicious-document initial-access pattern. Isolate the host to limit spread, capture volatile evidence, and investigate the spawned process, its network activity, and any persistence. Asking the user to close the file or repairing Office doesn't address an executing payload that may already have run. Doing nothing because the file came by email is backwards — email is exactly how this attack is delivered. Contain first, then investigate.

JuniorWindows InternalsDFIR (Forensics & Incident Response)
The full answer
On Windows, an alert shows a new scheduled task launching PowerShell from %TEMP%. What is this likely to be and your move?

Legitimate software rarely runs PowerShell out of %TEMP% via a freshly created scheduled task — it's a common persistence and execution technique. Examine the task definition, the invoked script, the creating process and the timeline, contain the host, and sweep the environment for the same pattern. Updates don't look like this, blanket-trusting scheduled tasks ignores a known TTP, and deleting System32 breaks the OS while doing nothing about the threat. The first three options all reflect dangerously weak judgment.

Mid-levelWindows InternalsDFIR (Forensics & Incident Response)
The full answer
Ransomware is actively encrypting file shares across the network right now. What is your first priority?

Containment beats premature recovery: stop the spread by isolating affected segments and killing the propagation path — disable the abused service account, block SMB between segments, pull the staging host — while preserving evidence, then eradicate and recover. Restoring into a network that's still encrypting just re-loses the restored data. Paying the ransom doesn't stop active encryption and carries legal and sanctions risk. Cutting power to every machine destroys volatile evidence and can corrupt files mid-write, making clean recovery harder.

SeniorDFIR (Forensics & Incident Response)Malware
The full answer
You've confirmed one compromised host. The business demands it be wiped and back online in 10 minutes. What do you push for?

Eradicating before you understand scope lets the attacker persist on systems you haven't found and simply return. Quickly hunt the IOCs and stolen credentials across the estate, identify every affected host and persistence mechanism, then eradicate everywhere at once. Wiping one host is whack-a-mole that tips off the attacker while leaving their other footholds intact. A week-long full internet blackout is disproportionate and harms the business. Deleting just the malware file ignores persistence, lateral movement, and the credentials already stolen.

SeniorDFIR (Forensics & Incident Response)Threat Intelligence
The full answer
Your SIEM fires 500 'failed login' alerts a day, almost all noise, and analysts now ignore the rule. What's the right move?

Cut false positives through detection engineering, not by blinding yourself. Re-tune so alerts fire only on patterns that matter — many accounts hit with one password (spraying), one account hit many times (stuffing/brute force), impossible travel — while keeping the raw failed-login events searchable on a dashboard. Then measure alert precision over time. Disabling the rule removes a real signal, blanket suppression creates a permanent blind spot, and hiring people to triage pure noise doesn't scale and burns them out.

Mid-levelDFIR (Forensics & Incident Response)Threat Intelligence
The full answer
You notice a single host making thousands of unusual, long TXT-record DNS queries to one domain. What's the most likely explanation and action?

High-volume, high-entropy TXT or long-subdomain queries to a single domain is a classic DNS tunneling / C2-and-exfil signature: data is being smuggled inside DNS to evade egress filtering. Capture a query sample for analysis, sinkhole or block the domain to cut the channel, and pivot to the host to find the responsible process. Dismissing it as normal caching or a slow website misses live exfiltration. Restarting the DNS server does nothing about the compromised endpoint and just disrupts name resolution.

Mid-levelNetworkingThreat Intelligence
The full answer
An alert shows a user logging in from Paris and, five minutes later, from Singapore. Before declaring an incident, what do you check FIRST?

Validate before escalating. Corporate VPNs, cloud proxies (like CASB or M365 service IPs) and mobile carriers routinely produce false 'impossible travel,' so check the egress IPs, the MFA result, and the device/user-agent before pulling the trigger. Auto-locking on every hit causes alert fatigue and erodes user trust in the SOC. Assuming it's always a false positive misses real account takeover. Emailing the manager is slow and isn't a security control — the logs answer the question faster and more reliably.

JuniorDFIR (Forensics & Incident Response)Identity & Access Management
The full answer
A user reports they clicked a link in a suspicious email and typed their password into the page. What is your FIRST action?

Assume the password is already compromised: force a reset AND invalidate the account's active sessions and tokens, because a reset alone won't evict an attacker who already holds a live session or refresh token. Then hunt for anomalous logins, MFA prompts, mailbox rules and OAuth grants from the exposure window. Deleting the email or telling the user to change it "next time" leaves the account wide open. An antivirus scan addresses malware on the endpoint, not stolen credentials in the cloud.

Mid-levelDFIR (Forensics & Incident Response)Identity & Access Management
The full answer
Monday 9am, four alerts are open. Which do you work FIRST?

Triage by impact and reachability: credential dumping (a mimikatz signature) on a domain controller is a crown-jewel event that can lead to full domain compromise, so work it first. The external port scan was already blocked by the IDS, the unapproved browser extension is low severity, and an expired TLS cert on an internal test box is informational. The core SOC skill is prioritizing by blast radius and likelihood of escalation, not by alert age or how loud the alert is.

Mid-levelDFIR (Forensics & Incident Response)Threat Intelligence
The full answer
What are the benefits and risks of using AI in the SOC?

AI helps the SOC by triaging and de-duplicating alerts, summarizing incidents, enriching context, drafting detections, and accelerating analyst onboarding — reducing fatigue and dwell time. The risks: hallucinated or confidently wrong conclusions, automation bias where analysts stop verifying, prompt injection through attacker-controlled log or alert data, sensitive data leaking into third-party models, and adversaries using the same tools. Keep a human in the loop, verify outputs, and isolate untrusted inputs.

Mid-levelAI & LLM SecurityThreat Intelligence
The full answer
What is insecure output handling in LLM apps, and how does it cause XSS or SSRF?

Insecure output handling is trusting what the model returns and passing it to a downstream system without validation or encoding. Because model output is attacker-influenceable, rendering it as raw HTML causes XSS, feeding it to a URL fetcher causes SSRF, and passing it to a shell or SQL query causes command or SQL injection. The fix is to treat model output exactly like untrusted user input: context-aware output encoding, allowlisting, sanitization, and parameterization before it reaches any sink.

Mid-levelAI & LLM SecurityWeb Security
The full answer
How is a jailbreak different from a prompt injection?

A jailbreak targets the model's safety alignment — it tricks the model into producing content the provider tried to prohibit, like instructions for harm. Prompt injection targets the application's instruction hierarchy — it overrides the developer's system prompt or hijacks the model's behavior within an app, often via untrusted data. Jailbreaks attack the model; prompt injection attacks the surrounding system. They overlap, but the goal and the trust boundary they cross are different.

JuniorAI & LLM Security
The full answer
What is the NIST AI Risk Management Framework and how does it structure AI governance?

The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary, risk-based framework for governing trustworthy AI across its lifecycle. Its core is four functions: Govern (culture, policy, accountability — and it runs through the others), Map (context and risk identification), Measure (assess and track risks), and Manage (prioritize and respond). It also defines trustworthiness characteristics — valid and reliable, safe, secure and resilient, accountable and transparent, explainable, privacy-enhanced, and fair. It complements technical lists like the OWASP LLM Top 10 at the program level.

SeniorAI & LLM SecurityGovernance, Risk & Compliance
The full answer
Distinguish credential stuffing from password spraying, including how each appears in logs.

Credential stuffing replays known username:password pairs from third-party breaches, betting on password reuse — high success rate per attempt, often distributed across many IPs and devices to look human. Password spraying tries one or two common passwords (like Winter2026!) across many accounts to stay under lockout thresholds. Stuffing exploits reuse; spraying exploits weak shared passwords. MFA defeats both.

Mid-levelIdentity & Access ManagementDFIR (Forensics & Incident Response)Threat Intelligence
The full answer
Explain the Lockheed Martin Cyber Kill Chain and how a blue team uses it.

The Cyber Kill Chain models an intrusion as seven sequential stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives. Defenders map detections and controls to each stage; because the stages are sequential, breaking any single link — blocking the phishing email, killing C2 — disrupts the whole attack. It pushes you to detect early rather than only at the final breach.

Mid-levelThreat IntelligenceDFIR (Forensics & Incident Response)Networking
The full answer
Explain DNS data exfiltration and how a blue team would detect it.

DNS exfiltration encodes stolen data into DNS queries (e.g. long subdomain labels sent to an attacker-controlled authoritative server), abusing the fact that DNS is almost always allowed outbound and often unmonitored. Detect it with anomalies: unusually high query volume to one domain, long/high-entropy subdomains, many unique subdomains per parent domain, TXT/NULL record abuse, and queries to newly registered or rare domains.

SeniorNetworkingDFIR (Forensics & Incident Response)Threat Intelligence
The full answer
What is the difference between EDR and traditional signature-based antivirus?

Traditional antivirus matches files against signatures of known malware and blocks or quarantines them — great for known threats, weak against novel or fileless attacks. EDR continuously records endpoint behavior (processes, network, registry, memory), uses behavioral analytics to detect suspicious activity, and lets responders investigate, hunt, and remotely contain or roll back. AV is prevention by signature; EDR adds visibility, detection, and response.

JuniorMalwareDFIR (Forensics & Incident Response)Windows Internals
The full answer
What are the phases of the incident response lifecycle, and why does the order matter?

The classic model is PICERL: Preparation, Identification (detection), Containment, Eradication, Recovery, and Lessons Learned. NIST groups it as Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-Incident Activity. The order matters because you must scope and contain before you eradicate, and you only recover once the threat is removed — otherwise you reinfect. It is a loop, not a line: lessons learned feed back into preparation.

JuniorDFIR (Forensics & Incident Response)Threat Intelligence
The full answer
Explain the difference between Indicators of Compromise (IOCs) and Indicators of Attack (IOAs).

An IOC is a forensic artifact that something bad already happened — a malicious file hash, a C2 IP or domain, a known-bad registry key. An IOA is a behavioral signal of an attack unfolding regardless of the specific tools — e.g. a Word document spawning PowerShell, then reaching out to the internet. IOCs are reactive and easy to evade by changing a hash; IOAs catch intent and survive tool changes.

Mid-levelThreat IntelligenceDFIR (Forensics & Incident Response)
The full answer
Name the common ways malware persists on a Windows host across reboots, and how you would hunt for them.

Persistence is how malware survives reboots and logoffs. The staples on Windows are registry Run/RunOnce keys (HKLM and HKCU), scheduled tasks, and Windows services, plus startup folders, WMI event subscriptions, and DLL hijacks. You hunt them with autoruns/Sysinternals, Sysmon, and event logs — looking for unsigned binaries, odd paths like %AppData%, and entries created right after initial compromise.

Mid-levelWindows InternalsMalwareDFIR (Forensics & Incident Response)
The full answer
Explain the order of volatility and why it drives the sequence of evidence collection in DFIR.

Order of volatility ranks evidence by how fast it vanishes, so you collect the most fragile first. Roughly: CPU registers/cache, then RAM and running state (processes, network connections, ARP), then temporary/swap files, then disk, then remote logging and monitoring data, and finally archival media and backups. You also work on forensic copies, hash them, and keep a chain of custody so evidence stays admissible.

Mid-levelDFIR (Forensics & Incident Response)Windows InternalsLinux Internals
The full answer
Where are user password hashes stored on Windows and on Linux, and why do attackers target those files?

On Windows, local account hashes (NTLM) live in the SAM hive under C:\Windows\System32\config\SAM, protected while the OS runs; live credentials sit in LSASS memory, and domain hashes are in NTDS.dit on a domain controller. On Linux, hashes are in /etc/shadow (readable only by root), while /etc/passwd holds account metadata. Attackers steal these to crack passwords offline or pass-the-hash.

JuniorWindows InternalsLinux InternalsIdentity & Access Management
The full answer
Explain process injection, give a couple of techniques, and say how a blue team detects it.

Process injection runs attacker code inside the memory space of a legitimate process so the activity blends in and inherits that process's trust. Classic techniques include DLL injection (CreateRemoteThread + LoadLibrary), process hollowing (start a benign process suspended, unmap it, write malicious code), and APC injection. Defenders detect it via EDR API hooks, anomalous parent/child or memory regions (RWX, unbacked executable memory), and Sysmon CreateRemoteThread events.

SeniorWindows InternalsMalwareDFIR (Forensics & Incident Response)
The full answer
What is ransomware, and walk me through how you respond once it is actively encrypting systems.

Ransomware is malware that encrypts (and increasingly exfiltrates) data, then demands payment. In an active case: isolate affected hosts from the network without powering them off if you can preserve memory, identify scope, patient zero, and the strain, preserve evidence, find and evict the foothold and any backdoors, then restore from known-clean offline backups. Paying is a last resort and never guarantees recovery.

Mid-levelMalwareDFIR (Forensics & Incident Response)
The full answer
Explain how SPF, DKIM, and DMARC work together to prevent email spoofing.

SPF publishes which IPs may send mail for a domain. DKIM adds a cryptographic signature so the receiver can verify the message was not altered and came from the domain. DMARC ties SPF/DKIM results to the visible From: header via 'alignment', tells receivers what to do on failure (none/quarantine/reject), and sends reports. SPF and DKIM alone do not protect the From a user sees — DMARC is what enforces that.

Mid-levelNetworkingWeb SecurityIdentity & Access Management
The full answer
Compare static and dynamic malware analysis, including the strengths and limits of each.

Static analysis examines a sample without executing it — hashes, strings, imports, headers, and disassembly — so it is safe and complete in coverage but defeated by packing and obfuscation. Dynamic analysis detonates the sample in an isolated sandbox and observes real behavior — files, registry, processes, network — which cuts through obfuscation but only reveals what runs in that session and can be evaded by sandbox-aware malware. Analysts combine both.

Mid-levelMalwareDFIR (Forensics & Incident Response)
The full answer
What is a honeypot, what types exist, and what value does it give a blue team?

A honeypot is a decoy system or service with no legitimate business use, deliberately exposed to attract attackers. Because nothing benign should ever touch it, any interaction is a high-confidence alert. Low-interaction honeypots emulate services cheaply; high-interaction ones are real systems that yield richer intel but carry more risk. Honeytokens are the same idea applied to fake credentials, files, or records. Value: early detection, low false positives, and threat intelligence.

JuniorThreat IntelligenceNetworkingDFIR (Forensics & Incident Response)
The full answer
Which Windows event IDs and logs would you pull first during an intrusion investigation?

The Security log is primary: 4624 successful logon (with logon type), 4625 failed logon, 4634/4647 logoff, 4672 special privileges assigned, 4720 account created, 4688 process creation (with command line if enabled), and 4768/4769 Kerberos. Add 7045 service install (System log), 4698 scheduled task created, and PowerShell script-block logging (4104). Logon type and command-line auditing are what make these logs useful.

Mid-levelWindows InternalsDFIR (Forensics & Incident Response)
The full answer
How do CloudTrail and GuardDuty fit into cloud logging and monitoring?

CloudTrail records every API call in the account — who did what, when, from where — giving you the authoritative audit trail for investigations and compliance. GuardDuty is a managed threat-detection service that analyzes CloudTrail, VPC flow, and DNS logs to surface findings like credential exfiltration or crypto-mining. CloudTrail is the source of truth you must protect; GuardDuty turns that telemetry into actionable alerts.

Mid-levelCloudNetworking
The full answer
What's the difference between security groups and network ACLs?

Security groups are stateful firewalls attached to instances/ENIs: they allow rules only, and return traffic for an allowed flow is automatically permitted. Network ACLs are stateless filters at the subnet boundary: they have ordered allow and deny rules and you must explicitly allow return traffic on ephemeral ports. Security groups are the primary control; NACLs add coarse subnet-level guardrails like blocking an IP range.

Mid-levelNetworkingCloud
The full answer
What's the difference between Diffie-Hellman and RSA?

RSA is an asymmetric algorithm used to encrypt data or create digital signatures using a key pair. Diffie-Hellman is a key-agreement protocol that lets two parties derive a shared secret over a public channel without ever transmitting it. They solve different problems: RSA proves identity and can wrap keys; DH negotiates a session key — and its ephemeral variant gives forward secrecy.

Mid-levelCryptography
The full answer
Explain how Kerberos authentication works with TGTs and service tickets.

Kerberos relies on a trusted Key Distribution Center (KDC). The client authenticates once to the Authentication Server and gets a Ticket-Granting Ticket (TGT) encrypted with the KDC's key. To reach a service, it presents the TGT to the Ticket-Granting Service and receives a service ticket encrypted with that service's key. The service decrypts and trusts it. Passwords never traverse the network, and tickets are time-limited.

SeniorIdentity & Access ManagementWindows Internals
The full answer
What is Perfect Forward Secrecy and why does it matter?

Perfect Forward Secrecy (PFS) means each session derives a unique key from an ephemeral key exchange that is thrown away afterward. If an attacker later steals the server's long-term private key, they still cannot decrypt previously captured traffic, because that key was never used to derive the session keys. It's achieved with ephemeral Diffie-Hellman (DHE/ECDHE).

Mid-levelCryptographyNetworking
The full answer
How does a client validate a certificate chain back to a trusted root?

The client builds a chain from the server (leaf) certificate up through one or more intermediate CAs to a root CA in its trust store. It verifies each certificate's signature using the next issuer's public key, checks validity dates, name/hostname match, key usage, and revocation (CRL/OCSP). Trust terminates at a self-signed root that is pre-trusted; the chain is valid only if every link checks out.

SeniorCryptographyIdentity & Access Management
The full answer
Walk me through the TLS 1.3 handshake.

Client and server agree on a shared secret in a single round trip using ephemeral Diffie-Hellman (ECDHE). The ClientHello carries the supported groups and a key share; the server replies with its key share and certificate, both sides derive the same keys, and application data flows immediately — with forward secrecy by default.

Mid-levelNetworkingCryptography
The full answer
Explain the difference between an IDS and an IPS.

An IDS (intrusion detection system) monitors traffic and raises alerts but does not block — it's typically out-of-band. An IPS (intrusion prevention system) sits inline in the traffic path and can actively drop or block malicious traffic. IPS prevents, but a false positive can break legitimate traffic.

JuniorNetworkingThreat Intelligence
The full answer
What is phishing, and what controls would you put in place to reduce it?

Phishing is social engineering that tricks people into revealing credentials, sending money, or running malware, usually via fake emails or sites. Defense is layered: email filtering and authentication (SPF/DKIM/DMARC), MFA to limit stolen-credential damage, user awareness training, and an easy way to report suspicious messages.

JuniorThreat IntelligenceIdentity & Access Management
The full answer
Explain the difference between TCP and UDP and when you'd use each.

TCP is connection-oriented and reliable: it uses a three-way handshake, guarantees ordered delivery, and retransmits lost packets. UDP is connectionless and fast with no delivery, ordering, or congestion guarantees. Use TCP for accuracy (web, email, file transfer) and UDP for speed-sensitive traffic (DNS, VoIP, streaming, gaming).

JuniorNetworking
The full answer
What is a zero-day, and how do you defend against something with no patch?

A zero-day is a vulnerability the vendor doesn't yet know about (or hasn't patched), so defenders have had 'zero days' to fix it. Since no patch exists, defense relies on layered controls, behavior-based detection, segmentation, least privilege, and fast incident response rather than a signature.

Mid-levelThreat IntelligenceMalware
The full answer
Is ARP a TCP or UDP protocol?

Neither. ARP is a Layer-2 (link-layer) protocol that is encapsulated directly in an Ethernet frame, not inside an IP packet. Because it never rides on IP, it cannot use TCP or UDP — those are Layer-4 transports that require IP underneath. ARP's job is to resolve a known IP address to the MAC address on the same local network segment.

JuniorNetworking
The full answer
Why is 'deleted' data often still recoverable?

Because 'delete' normally does not erase the data. It removes the filesystem metadata — the pointer/directory entry — and marks the blocks as free, but the original bytes stay on disk until the OS happens to reuse those blocks for new data. Until that overwrite occurs, forensic tools can carve the content straight back out.

JuniorDFIR (Forensics & Incident Response)
The full answer
What's the difference between encoding, encryption, and hashing?

Encoding transforms data into another format for compatibility and is fully reversible by anyone with no key (e.g. Base64, URL encoding) — it provides no confidentiality. Encryption is reversible only with a key and is what provides confidentiality. Hashing is a one-way function: you cannot recover the input from the output, which is why it suits integrity checks and password storage (with a salt and slow KDF).

JuniorCryptography
The full answer
Which is worse in security detection: a false positive or a false negative?

Generally a false negative is worse from a pure security standpoint: it means a real attack went undetected, so there is no response, no containment, and the breach can dwell undiscovered. But false positives are not harmless — high volumes cause alert fatigue, where analysts start ignoring alerts and miss the real one. The right answer names the trade-off, not just a winner.

Mid-levelDFIR (Forensics & Incident Response)Threat Intelligence
The full answer
If a site shows the padlock / HTTPS, is it safe?

No. The padlock means the transport is encrypted and the certificate is valid for that domain — it says nothing about whether the operator is honest or the content is malicious. Free, automated certificates mean phishing and malware sites almost always have a perfectly valid padlock too. HTTPS protects the channel, not the destination.

JuniorWeb Security
The full answer
Is HTTPS the same as SSL? And what's the difference between SSL and TLS?

HTTPS is not a protocol of its own — it is plain HTTP running inside an encrypted TLS tunnel. SSL is the old name: SSL 2.0/3.0 are the deprecated, insecure predecessors of TLS, which superseded them (TLS 1.0 through 1.3). When people say 'SSL certificate' or 'SSL', they almost always actually mean TLS.

JuniorNetworkingCryptography
The full answer
What port does ping use?

Trick question — ping uses no port. It runs on ICMP, which is a Layer-3 protocol that sits directly on top of IP. Ports only exist in Layer-4 protocols like TCP and UDP, so ICMP (and therefore ping) has none. ICMP uses type and code fields instead, e.g. Echo Request type 8 and Echo Reply type 0.

JuniorNetworking
The full answer
How many packets are exchanged in the TCP three-way handshake?

Three. The client sends a SYN, the server replies with a combined SYN-ACK (one packet that both acknowledges the client's SYN and sends the server's own SYN), and the client finishes with an ACK. The trick is that SYN-ACK is a single packet, not two, so the total is three — exactly what 'three-way' names.

JuniorNetworking
The full answer
How do you establish a baseline of normal, and how does it help you detect anomalies?

A baseline is a model of normal behaviour for a host, user, account, or network segment — what processes run, who logs in from where and when, typical data volumes, normal beaconing intervals. Once you know normal, anomalies (rare parent-child process pairs, first-seen binaries, logons at odd hours, unusual data egress) become detectable as deviations. Baselining is the foundation of anomaly detection, but it requires enough clean history and careful handling of legitimate change so you do not drown in false positives.

Mid-levelThreat IntelligenceDFIR (Forensics & Incident Response)
The full answer
How would you hunt for C2 beaconing in network telemetry?

C2 beaconing is the periodic check-in an implant makes to its controller. Hunt for it in network/proxy/DNS telemetry by looking for regularity: connections to a destination at near-fixed intervals (even with jitter), small uniform request sizes, low data-in/data-out ratios, long-lived rare destinations, and suspicious TLS/JA3 fingerprints or odd user-agents. The signal is the rhythm and the rarity of the destination, not the payload — which is usually encrypted.

SeniorThreat IntelligenceDFIR (Forensics & Incident Response)
The full answer
How do you decide which log sources and telemetry you need to hunt effectively?

Start from the techniques you want to detect, then work backwards to the telemetry that reveals them — ATT&CK's data sources mapping helps. In practice the highest-value sources are endpoint process/command-line and module-load telemetry (EDR/Sysmon), authentication and identity logs, DNS and proxy/network flow, and cloud control-plane logs. You then audit what you actually collect and retain versus what each technique needs, exposing visibility gaps. A technique you cannot see in any log is not huntable yet.

Mid-levelThreat IntelligenceDFIR (Forensics & Incident Response)
The full answer
Walk me through the lifecycle of a detection, from idea to maintained rule.

Detection engineering treats detections as a software product with a lifecycle: identify a threat or technique to cover, research the telemetry and behaviour, develop the rule, test it against true-positive and benign data, deploy it (often staged), validate with adversary emulation, then continuously tune for false positives and retire rules that no longer earn their keep. Each stage is documented and version-controlled, and coverage is tracked against a framework like ATT&CK.

SeniorThreat IntelligenceDFIR (Forensics & Incident Response)
The full answer
What are living-off-the-land binaries (LOLBins), and how would you hunt for their abuse?

LOLBins (living-off-the-land binaries) are legitimate, signed, pre-installed system tools — like certutil, bitsadmin, mshta, rundll32, regsvr32, wmic, powershell — that attackers abuse to download, execute, or persist while blending in with normal admin activity. Because the binary itself is trusted, you cannot detect on the file; you detect on context: anomalous command-line arguments, unusual parent processes, unexpected network connections from these tools, and execution from odd paths or by odd users.

SeniorThreat IntelligenceDFIR (Forensics & Incident Response)
The full answer
Explain the Pyramid of Pain and how it shapes where you invest detection effort.

The Pyramid of Pain ranks indicator types by how costly it is for an attacker to change them once you detect on them. Hashes are trivial to alter (bottom), then IP addresses, domain names, network/host artifacts, tools, and finally TTPs at the top — which an attacker can only change by fundamentally re-tooling their behaviour. Detecting on higher levels causes more 'pain' and is more durable, so mature programs invest detection effort toward behaviours and TTPs rather than just IOCs.

Mid-levelThreat IntelligenceDFIR (Forensics & Incident Response)
The full answer
How would you structure a TTP-based threat hunt using MITRE ATT&CK, and what makes a good hunt?

TTP-based hunting uses MITRE ATT&CK as the map: pick a technique relevant to your threat model (ideally one with weak coverage), form a concrete hypothesis about how it would appear in your telemetry, identify the data sources that reveal it, query for it, and analyze hits. A good hunt is scoped, hypothesis-driven, tied to a real adversary behaviour, repeatable, and produces a durable output — a new detection, a documented coverage gap, or evidence the technique is absent — regardless of whether it finds a compromise.

SeniorThreat IntelligenceDFIR (Forensics & Incident Response)
The full answer
What is User and Entity Behaviour Analytics (UEBA), and what threats does it catch?

UEBA (User and Entity Behaviour Analytics) builds behavioural baselines for users and entities (hosts, service accounts, devices) and uses statistics or machine learning to score deviations as risk. It excels at threats that have no clean signature: compromised credentials, insider misuse, and lateral movement — e.g. a user suddenly accessing systems they never touch, at unusual hours, or moving abnormal data volumes. It complements rule-based detection rather than replacing it, and needs tuning to avoid false positives from legitimate behaviour change.

Mid-levelThreat IntelligenceIdentity & Access Management
The full answer
What is threat hunting, and how does it differ from waiting for alerts?

Threat hunting is the proactive, hypothesis-driven practice of searching telemetry for adversary activity that existing detections missed. Unlike alert triage — which is reactive and waits for a tool to fire — hunting starts from a question ('if an attacker did X, what evidence would I see?'), tests it against data, and either finds something or produces a new detection. It assumes prevention and alerting are imperfect and that a determined adversary may already be inside.

Mid-levelThreat IntelligenceDFIR (Forensics & Incident Response)
The full answer
What is Sigma, and how would you turn a hunt finding into a portable detection rule?

Sigma is an open, vendor-neutral YAML format for describing SIEM detections. You define a logsource (product/category, e.g. Windows process_creation), a detection block with named selections of field/value matches, and a condition that combines them. A converter (like sigma-cli/pySigma) translates the rule into the query language of your actual backend — Splunk, Sentinel, Elastic — so one rule is portable. It also carries metadata: title, level, status, false positives, and ATT&CK tags.

Mid-levelThreat IntelligenceDFIR (Forensics & Incident Response)
The full answer
Define the common malware categories and explain how you classify a sample by behavior.

You classify by what the sample is built to do, observed from its behavior and capabilities. A dropper carries and writes a payload to disk; a loader fetches or injects the next stage, often only in memory; a RAT gives an operator interactive remote control; a wiper destroys data or boot records with no recovery intent; ransomware encrypts files and demands payment. Real samples often combine roles — a loader that deploys a RAT — so you describe the capability chain rather than forcing one label, and you map each behavior to ATT&CK techniques.

JuniorMalwareDFIR (Forensics & Incident Response)
The full answer
What are the signs of command-and-control beaconing, and how do you extract C2 indicators from a sample?

Command-and-control beaconing is the implant periodically calling home for instructions. You recognize it by regular, low-volume outbound callbacks at a roughly fixed interval — often with jitter to avoid looking mechanical — to a small set of destinations, frequently over HTTP/HTTPS or DNS with encoded or encrypted payloads and a distinctive User-Agent or URI pattern. You extract indicators statically by pulling domains, IPs, URIs and keys from strings and config blocks, and dynamically by detonating the sample against a faked network and capturing the actual callbacks, then map the behavior to ATT&CK and feed the IOCs into detection.

Mid-levelMalwareDFIR (Forensics & Incident Response)
The full answer
What are packers and obfuscation, and how do you detect them in a binary?

Packing compresses or encrypts the real payload and prepends a stub that unpacks it into memory at runtime; obfuscation transforms the code or data to resist reading and signatures. You detect packing from high section entropy near 8.0, a tiny or stub-only import table, unusual or writable-executable section names like UPX0, an entry point that sits outside .text, a large virtual size versus small raw size, and detectors like Detect It Easy or PEiD. None of these is conclusive alone, so analysts weigh several signals together and confirm by observing the unpack at runtime.

Mid-levelMalwareWindows Internals
The full answer
Describe how you build an isolated lab to analyze live malware safely.

A safe lab isolates the malware from anything it could harm. You run samples in disposable VMs on a hypervisor, take clean snapshots so you can revert after each detonation, and cut off real network access using a host-only network with a simulated internet (INetSim or FakeNet) or an air-gapped segment. You separate the analysis machine from a controlled gateway, never analyze on your daily-driver host, harden against VM-escape, handle samples as password-protected zips, and keep tooling and indicators off the detonation VM. The goal is to observe real behavior while guaranteeing the sample cannot reach production or the internet.

JuniorMalwareDFIR (Forensics & Incident Response)
The full answer
How does malware detect and evade analysis sandboxes, and how do you counter it?

Sandbox-aware malware checks whether it is being watched before it misbehaves. It looks for VM and hypervisor artifacts (drivers, MAC prefixes, registry keys, CPUID), analysis tools and debuggers (process names, IsDebuggerPresent, timing of single-stepping), and signs of a real user (few processes, no recent documents, no mouse movement, low uptime, small disk). It may stall with long sleeps or only fire on a specific date, language, or domain. Analysts counter by hardening the VM to look real, patching out the checks, fast-forwarding sleeps, simulating user activity, and confirming behavior with static disassembly.

SeniorMalwareDFIR (Forensics & Incident Response)
The full answer
Walk me through your core tooling for static versus dynamic malware analysis and when you use each.

Static tooling reads the sample at rest: PEStudio, CFF Explorer and pefile for headers and imports, FLOSS and strings for embedded text, capa for capability mapping, and Ghidra or IDA for disassembly. Dynamic tooling watches it run inside an isolated VM: Procmon and Process Hacker for host activity, Wireshark and INetSim or FakeNet for faked network, Regshot for before/after diffs, and x64dbg for controlled stepping. The workflow is triage statically, detonate dynamically, then return to the disassembler to fill behavioral gaps.

Mid-levelMalwareDFIR (Forensics & Incident Response)
The full answer
Explain how YARA rules work and what makes a rule effective rather than brittle or noisy.

A YARA rule has a meta block, a strings section (text, hex, or regex patterns, including wildcards and jumps), and a condition that combines those matches with boolean and count logic. An effective rule keys on something durable and distinctive — a unique code stub, a mutex name, a config marker, or an unusual import combination — rather than on values an attacker trivially changes like a single hash or a generic string. You balance specificity against false positives, test against a clean corpus, and document the rule so others trust and maintain it.

Mid-levelMalwareThreat Intelligence
The full answer
How do you use MITRE ATT&CK for threat-informed defense?

ATT&CK is a knowledge base of real adversary tactics (the why), techniques (the how), and procedures. You use it to map your existing detections onto the matrix, identify coverage gaps, and prioritize the techniques used by threat actors that actually target your sector. It gives a common language across CTI, detection engineering, and IR, turning 'are we secure?' into a concrete, measurable coverage map driven by real-world adversary behavior.

Mid-levelThreat IntelligenceDFIR (Forensics & Incident Response)
The full answer
What is purple teaming and how do you run a purple team exercise?

Purple teaming is collaborative rather than adversarial: the red side executes specific, agreed TTPs (often mapped to MITRE ATT&CK) while the blue side watches their telemetry in real time to confirm whether each technique is logged, alerted, and detectable. You measure detection coverage technique-by-technique, tune detections and close gaps immediately, then re-test. The deliverable is improved, measurable detection — not a list of who 'won.'

Mid-levelThreat IntelligenceDFIR (Forensics & Incident Response)
The full answer
What ports do SSH, HTTP, HTTPS, DNS, RDP, and SMB use, and why do they matter?

SSH is TCP 22, HTTP is TCP 80, HTTPS is TCP 443, DNS is 53 (UDP and TCP), RDP is TCP 3389, and SMB is TCP 445. Knowing the well-known ports lets you read scan output, write firewall rules, and triage alerts quickly — a service on its expected port versus an unexpected one is an immediate signal.

JuniorNetworking
The full answer
How does DNS resolution work — recursive vs authoritative?

A stub resolver asks a recursive resolver for a name. If it isn't cached, the recursive resolver walks the hierarchy: it queries a root server (which points to the TLD), the TLD server (which points to the domain's authoritative servers), and finally the authoritative server, which holds the actual record. The answer is cached along the way per its TTL. DNS uses port 53 — UDP for most queries, TCP for large ones.

JuniorNetworking
The full answer
How does traceroute work, and what role does the TTL field play?

Traceroute discovers the routers between you and a destination by exploiting the TTL field. It sends packets with TTL=1, then 2, then 3, and so on. Each router decrements TTL; when TTL hits zero, that router drops the packet and returns an ICMP Time Exceeded message, revealing its address. By stepping the TTL up, traceroute maps each hop in order until the destination is reached.

Mid-levelNetworking
The full answer
Explain the OSI model and what each layer adds.

The OSI model splits networking into seven layers, each adding one responsibility: Physical (bits on the wire), Data Link (frames and MAC addressing), Network (IP routing), Transport (TCP/UDP, ports, reliability), Session (managing connections), Presentation (encoding, encryption, compression), and Application (protocols like HTTP). Each layer wraps the one above it as data goes down the stack.

JuniorNetworking
The full answer
What is a subnet, and what does a subnet mask do?

A subnet is a logical subdivision of an IP network. The subnet mask marks which bits of an IP address are the network portion and which are the host portion — for example, /24 (255.255.255.0) means the first 24 bits identify the network and the last 8 identify hosts. Subnetting controls how traffic is routed and lets you segment a network into smaller broadcast domains.

JuniorNetworking
The full answer
Walk me through the TCP three-way handshake.

TCP opens a connection in three steps. The client sends a SYN with an initial sequence number, the server replies with SYN-ACK (acknowledging the client's number and sending its own), and the client returns an ACK. After this exchange both sides have agreed on starting sequence numbers and the connection is established for reliable, ordered byte delivery.

JuniorNetworking
The full answer
TCP vs UDP — how do they differ and when would you choose each?

TCP is connection-oriented: it handshakes, numbers bytes, retransmits losses, and controls congestion, giving reliable ordered delivery at the cost of latency and overhead. UDP is connectionless and fire-and-forget — no handshake, no retransmission, no ordering. Use TCP when correctness matters (web, email, file transfer) and UDP when speed matters more than perfection (DNS, VoIP, gaming, video).

JuniorNetworking
The full answer
How does the TCP/IP model compare to the OSI model?

The TCP/IP model has four layers — Link, Internet, Transport, and Application — and describes how the real internet works. OSI has seven. They map closely: TCP/IP's Application layer absorbs OSI's Application, Presentation, and Session; its Link layer combines OSI's Physical and Data Link. OSI is the better teaching and troubleshooting reference; TCP/IP is the implemented protocol suite.

JuniorNetworking
The full answer
What is a VLAN, and what is its security value?

A VLAN (Virtual LAN) logically partitions a physical switch into separate Layer 2 broadcast domains, so devices on different VLANs can't reach each other directly even on the same hardware. It's labeled with an 802.1Q tag on trunk links. The security value is segmentation: isolating user, server, guest, and IoT traffic limits broadcast scope and lateral movement, with inter-VLAN traffic forced through a router or firewall where policy is applied.

Mid-levelNetworking
The full answer
What is the difference between a VPN and a proxy?

A VPN creates an encrypted tunnel at the network/OS level, so all of a device's traffic is routed through it and protected end to end — used for secure remote access. A proxy operates at the application level, relaying traffic for specific apps or protocols and not necessarily encrypting it. The big differences are scope (whole-device vs per-application) and that a VPN encrypts by design while many proxies do not.

JuniorNetworking
The full answer
What is the difference between symmetric and asymmetric encryption, and when would you use each?

Symmetric encryption uses one shared key for both encrypt and decrypt — it's fast but the key must be shared securely. Asymmetric encryption uses a public/private key pair, solving key distribution but slowly. Real systems use asymmetric crypto to exchange a symmetric session key, then use the fast symmetric cipher for bulk data.

JuniorCryptography
The full answer
What is a PKI, and walk me through how a client validates a server's certificate.

A PKI is the system of CAs, certificates, and policies that binds public keys to identities. To validate a server cert a client builds a chain to a trusted root, verifies each signature, checks validity dates and the hostname, confirms key usage, and checks revocation via CRL or OCSP.

Mid-levelCryptographyNetworking
The full answer
Your analysts are drowning in alerts. What is alert fatigue and what would you do about it?

Alert fatigue is the desensitization that sets in when analysts face too many low-value or false-positive alerts, causing them to miss or rush real ones. You fight it by tuning noisy rules, prioritizing by risk, deduplicating and grouping related alerts, automating repetitive enrichment with SOAR, and measuring alert quality, not just volume.

JuniorDFIR (Forensics & Incident Response)
The full answer
Both involve failed logins. How would you distinguish a brute-force attack from a password spray in your logs?

Brute force targets a single account with many password guesses, so you see many failures concentrated on one username. Password spray flips it: one or a few common passwords tried across many accounts, low and slow, so each account sees only a couple of failures. The detection signal is the ratio of accounts to failures and the timing, not raw failure counts.

Mid-levelIdentity & Access ManagementDFIR (Forensics & Incident Response)Windows Internals
The full answer
Why are DNS logs useful for detection, and what threats can you find in them?

Almost everything touches DNS, so DNS logs reveal threats other sources miss: command-and-control beaconing (regular callbacks to a domain), DNS tunneling and exfiltration (high volume of long, encoded subdomains), and algorithmically generated (DGA) domains. You detect these through patterns like query regularity, entropy, record types, and volume rather than single bad lookups.

SeniorNetworkingDFIR (Forensics & Incident Response)Threat Intelligence
The full answer
Can you explain how EDR, XDR, and SIEM differ and where each one fits?

EDR is endpoint-focused: it records and responds to process, file, and network activity on hosts. XDR extends that correlation across multiple domains — endpoint, network, identity, email, cloud — as one vendor-integrated stack. SIEM is the broad log-aggregation layer that ingests data from anything, including non-security sources, for detection, search, and compliance.

JuniorDFIR (Forensics & Incident Response)Windows Internals
The full answer
A rule is generating hundreds of false positives a day. How do you tune it down safely?

First understand why the rule is firing so much — find the common benign pattern behind the noise. Then write the narrowest possible exclusion (specific host, account, or behavior), document the rationale, and validate that a true positive would still fire. Avoid broad suppressions that quietly create blind spots.

Mid-levelDFIR (Forensics & Incident Response)Threat Intelligence
The full answer
An attacker has a foothold on one host. What signs of lateral movement would you hunt for?

Lateral movement is an attacker using a foothold to reach other systems. Signs include unexpected network logons (type 3) and RDP (type 10), access to admin shares like C$ and ADMIN$, remote-execution tools such as PsExec, WMI, and WinRM, pass-the-hash patterns, and a normally local account suddenly authenticating to many hosts.

SeniorWindows InternalsDFIR (Forensics & Incident Response)Identity & Access Management
The full answer
How would you use the MITRE ATT&CK framework to improve your detection coverage?

ATT&CK is a knowledge base of real-world adversary tactics and techniques. In a SOC you map each detection rule to the techniques it covers, build a coverage map (often with the ATT&CK Navigator), then prioritize closing gaps based on which techniques are most relevant to your threat model and which you have no visibility into.

Mid-levelThreat IntelligenceDFIR (Forensics & Incident Response)
The full answer
A user reports a suspicious email. Walk me through how you triage it safely.

Examine the email safely without clicking: check the headers and sender authentication (SPF/DKIM/DMARC), inspect URLs and attachments in a sandbox or with reputation tools, then scope it — who else received it, did anyone click or enter credentials. Based on findings, remediate by purging the email, blocking indicators, and resetting any exposed credentials.

JuniorDFIR (Forensics & Incident Response)Threat IntelligenceWeb Security
The full answer
We run both a SIEM and a SOAR. What does each one do, and how do they work together?

A SIEM ingests and correlates logs from across the estate to generate alerts — it is your detection and search layer. A SOAR sits downstream and automates the response: it runs playbooks, enriches alerts via integrations, and handles case management so analysts spend less time on repetitive steps.

JuniorDFIR (Forensics & Incident Response)Threat Intelligence
The full answer
A SIEM alert fires for a suspicious login. Walk me through how you triage it.

Confirm the alert is real before acting: read what fired and why, then enrich it — who is the user, is the source IP/geo/device expected, is this impossible travel, were there prior failures? Classify true vs false positive, escalate or contain if real (disable session, force MFA reset), and document everything so the next analyst can follow your reasoning.

JuniorDFIR (Forensics & Incident Response)Threat IntelligenceIdentity & Access Management
The full answer
Walk me through what Windows event IDs 4624, 4625, and 4688 mean and how you would use them in an investigation.

4624 is a successful logon, 4625 is a failed logon, and 4688 is a process creation. In an investigation you use 4625 to spot credential attacks, 4624 (with its logon type and source) to confirm a successful access and how it happened, and 4688 to see what was actually executed, ideally with command-line auditing enabled.

JuniorWindows InternalsDFIR (Forensics & Incident Response)
The full answer

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.