PRACTICE TEST – 2026 EDITION | Questions and answers with rationales | 2026 update
Total Questions: 80+ | Format: Multiple Choice | Answer Key + Rationales provided
SECTION 1: SOC FUNDAMENTALS & OPERATIONS (Q1–15)
1. A SOC analyst receives an alert for multiple failed login attempts followed by one successful login from a new geolocation. What is the first priority action?
A) Block the source IP permanently
B) Isolate the affected user’s endpoint
C) Validate if the user was traveling or using VPN
D) Escalate to incident response manager
Correct Answer: C
Rationale: Always verify false positives first – the user may have legitimate access (e.g., business travel). Isolation is premature without confirmation.
2. Which SOC metric measures the time from alert creation to initial investigation assignment?
A) MTTR
B) MTTD
C) MTTA
D) SLA adherence
Correct Answer: C (Mean Time to Acknowledge)
Rationale: MTTA tracks responsiveness; MTTD = detect, MTTR = resolve.
3. A tier-1 analyst sees a known malicious hash in a SIEM alert. According to NIST 800-61, what is the correct containment phase action?
A) Wipe and reimage immediately
B) Disable network interface of affected host
C) Document the hash in a ticket and close
D) Run a full anti-virus scan
Correct Answer: B
Rationale: Containment = stop spread (disconnect from network). Reimaging is eradication.
4. Which playbook is most appropriate for a “Possible ransomware encryption activity” alert?
A) Account compromise playbook
B) Data exfiltration playbook
C) Malware outbreak playbook
D) Privilege escalation playbook
Correct Answer: C
Rationale: Ransomware is a malware outbreak requiring rapid containment and backup restoration.
5. A SIEM receives 10,000 events/sec, but analysts miss critical alerts due to noise. Which should be improved?
A) Increase storage retention
B) Implement rule tuning & suppression
C) Add more raw logs
D) Disable low-severity rules
Correct Answer: B
Rationale: Tuning reduces false positives without disabling detection completely.
6. What is the primary purpose of a SOC runbook?
A) Legal evidence preservation
B) Step-by-step response for specific alert types
C) Employee vacation schedule
D) Vendor management list
Correct Answer: B
Rationale: Runbooks standardize response actions per alert type.
7. An analyst sees an alert: “Potential Pass-the-Hash (PtH) attack – NTLM hash reuse”. Which log source is most critical?
A) Web proxy logs
B) Windows Security Event ID 4624 (logon)
C) DNS logs
D) Firewall logs
Correct Answer: B
Rationale: Event 4624 with logon type 3 (network) and elevated privileges indicates PtH.
8. In a SOC maturity model (e.g., SSE-CMM), Level 3 indicates:
A) Ad-hoc response
B) Defined and documented processes
C) Automated containment
D) Predictive analytics
Correct Answer: B
Rationale: Level 3 = processes defined across the organization.
9. Which framework is best for mapping adversary behavior to defensive gaps?
A) ISO 27001
B) MITRE ATT&CK
C) NIST CSF
D) PCI DSS
Correct Answer: B
Rationale: ATT&CK provides TTPs (Tactics, Techniques, Procedures) mapping.
10. A SOC analyst receives a “cron job modified” alert on a Linux server at 3 AM. What is the first question?
A) Was the change authorized via change management?
B) What is the server’s public IP?
C) Who owns the server hardware?
D) Is the server patched?
Correct Answer: A
Rationale: Unauthorized cron changes are common persistence; verify change request first.