# SOC Interview Readiness Guide

Interviewing for a SOC role is not about knowing everything; it is about demonstrating a systematic investigative mindset. You must prove you can follow a process, document your logic, and prioritize alerts correctly.

## Three Types of Interview Questions
| Category | Goal | Example Question |
|---|---|---|
| Fundamental Knowledge | Test your grasp of the basics. | "What is the difference between TCP and UDP?" |
| Scenario-Based | Test your investigation process. | "We see 50 failed logins from an internal IP. What do you do?" |
| Cultural/Behavioral | Test your fit within a high-pressure team. | "Explain a time you were wrong about a security alert." |
## The "Investigation Framework"

When asked a "What do you do?" question, NEVER start with containment. Always follow the Triage → Investigation → Action flow:

1. Verify (Triage): Check the source, destination, and severity. Is this a false positive or a true positive?
2. Contextualize (Investigation): What is the source reputation? What is the user's role? What other alerts are firing around the same time?
3. Analyze (Mechanism): Look for patterns: PowerShell encoded strings, large data transfers, or connections to unauthorized IPs.
4. Respond (Containment): Isolate the host, disable the account, or block the IP only after verifying.
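The following is an added worked example (not part of the original guide) that walks the "50 failed logins from an internal IP" scenario through the four steps above as code. The events, the related alerts, the asset inventory, the IP addresses and user names are all constructed and hypothetical; the threshold and correlation window are assumptions chosen for the example. The point it makes is the one the framework makes: containment is only recommended once the alert has been verified and put in context.

```python
"""Worked triage of the "50 failed logins from an internal IP" scenario.

Walks Verify -> Contextualize -> Analyze -> Respond over constructed sample
events. Every IP, user, host role and alert below is hypothetical.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events: (timestamp, source_ip, user, outcome)
SAMPLE_EVENTS = (
    [(f"2024-01-01T09:00:{i:02d}", "10.20.30.40", "jsmith", "FAILURE") for i in range(50)]
    + [("2024-01-01T09:01:05", "10.20.30.40", "jsmith", "SUCCESS")]
    + [(f"2024-01-01T09:02:{i:02d}", "10.20.30.55", "backup-svc", "FAILURE") for i in range(12)]
)

# Constructed alerts from other detections, used for the correlation check
RELATED_ALERTS = [
    ("2024-01-01T09:01:30", "10.20.30.40", "Encoded PowerShell command line observed"),
    ("2024-01-01T08:15:00", "10.20.30.55", "Scheduled backup job started"),
]

# Constructed asset inventory consulted in the contextualize step
ASSET_INVENTORY = {
    "10.20.30.40": {"owner": "jsmith", "role": "HR workstation"},
    "10.20.30.55": {"owner": "backup-svc", "role": "backup server (service account)"},
}

FAILURE_THRESHOLD = 10                 # assumed: failures per source worth a look
CORRELATION_WINDOW = timedelta(minutes=10)  # assumed: "around the same time"


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def aggregate(events):
    """Verify step: per source IP, count failures, the users targeted, and whether
    a success followed the failures (the classic sign a brute force got in)."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "success_after_failure": False, "last_ts": None})
    for ts, src, user, outcome in sorted(events):
        s = stats[src]
        if outcome == "FAILURE":
            s["failures"] += 1
            s["users"].add(user)
        elif outcome == "SUCCESS" and user in s["users"]:
            s["success_after_failure"] = True
        s["last_ts"] = parse_ts(ts)
    return stats


def correlated_alerts(src, around, alerts, window=CORRELATION_WINDOW):
    """Contextualize step: other alerts on the same host close in time."""
    return [name for ts, host, name in alerts
            if host == src and abs(parse_ts(ts) - around) <= window]


def triage(events, inventory, alerts, threshold=FAILURE_THRESHOLD):
    """Return one finding per source IP; 'contain' is True only once verified."""
    findings = {}
    for src, s in aggregate(events).items():
        # 1. Verify: is the volume real, and is the source actually internal?
        internal = ipaddress.ip_address(src).is_private
        if s["failures"] < threshold:
            findings[src] = {"verdict": "below_threshold", "contain": False,
                             "action": "no action; keep monitoring"}
            continue
        # 2. Contextualize: host role, and what else fired around the same time
        asset = inventory.get(src, {"owner": "unknown", "role": "unknown"})
        nearby = correlated_alerts(src, s["last_ts"], alerts)
        service_account = "service account" in asset["role"]
        # 3. Analyze: success after failures, spray vs brute force, stale credential
        if s["success_after_failure"]:
            verdict, contain = "true_positive", True
            action = "isolate host and disable account; a success followed the failures"
        elif len(s["users"]) > 1:
            verdict, contain = "needs_investigation", False
            action = "password-spray pattern; review targeted accounts before acting"
        elif service_account and not nearby:
            verdict, contain = "likely_false_positive", False
            action = "probable stale credential; confirm with the asset owner"
        else:
            verdict, contain = "needs_investigation", False
            action = "single user, no success; review user role and nearby alerts"
        # 4. Respond: record the recommendation; containment is never automatic here
        findings[src] = {"verdict": verdict, "contain": contain, "action": action,
                         "internal": internal, "failures": s["failures"],
                         "targets": sorted(s["users"]), "asset": asset,
                         "correlated_alerts": nearby}
    return findings


if __name__ == "__main__":
    for src, f in triage(SAMPLE_EVENTS, ASSET_INVENTORY, RELATED_ALERTS).items():
        print(src, f["verdict"], "->", f["action"])
```

Run as a script it prints one line per source: the workstation with 50 failures followed by a success (and an encoded-PowerShell alert 25 seconds later) is classed a true positive with containment recommended, while the backup server's 12 failures for a service account with nothing else nearby is classed a likely false positive to confirm with the owner. In an interview, walking through exactly this ordering, verify, then context, then mechanism, then action, is what the framework is asking for.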
## Core Interview Questions (Quick Answers)

Use the SOCAtlas pattern: Define, Mechanism, Example, Control.
- "What happens when you type google.com?"
  - DNS resolution → TCP 3-way handshake → TLS/SSL handshake → HTTP GET request.
- "What is a SIEM?"
  - A centralized platform for Security Information (log storage) and Event Management (real-time correlation and alerting). Example: Splunk, Microsoft Sentinel.
- "Explain the OSI Model to a 5-year-old."
  - It is like the levels of building a toy house: you need a Foundation (cables), Frames (switches), Address (IPs), and Final Paint (the app you see).
## If You Don't Know an Answer
- Don't Guess: Say "I haven't encountered that specific protocol/technique yet."
- Show Your Methodology: "However, I would investigate it by checking [Documentation/Google/PCAP] and looking for [Indicators]." This shows you can solve unknown problems.