SOC ANALYST CERTIFICATION PRACTICE
TEST – 2026 EDITION|||questions and answers
with rationales/graded A+/2026 update/100%
correct /instant download
DOMAIN I: SECURITY MONITORING & THREAT
DETECTION (Questions 1-13)
Question 1
A SOC analyst observes multiple failed login attempts from a single IP
address across different user accounts within 5 minutes. This activity is BEST
classified as:
A) Brute force attack
B) Password spraying attack
C) Credential stuffing attack
D) Man-in-the-middle attack
Correct Answer: A – Brute force attack
Rationale: A high volume of failed attempts from one source against several usernames in a short window is the classic brute force signature: the attacker is guessing many passwords and is not trying to stay under lockout thresholds. Password spraying tries one (or a few) passwords against many accounts, so it shows only one or two failures per account, usually spread out to avoid lockout; credential stuffing replays username/password pairs leaked from another breach, typically from many source IPs; MITM intercepts traffic and produces no failed-logon pattern at all. When triaging, check the attempts per account and the failure reason: many guesses per account from one source is brute force, one or two per account across a long user list is spraying.
Question 2
What is the primary purpose of the MITRE ATT&CK framework?
A) To classify vulnerabilities by severity
B) To provide a common taxonomy of adversary behavior and tactics
C) To replace traditional SIEM solutions
D) To encrypt sensitive security logs
Correct Answer: B – To provide a common taxonomy of adversary
behavior and tactics
Rationale: MITRE ATT&CK (Adversarial Tactics, Techniques, and Common
Knowledge) provides a structured framework describing attacker behaviors
across the attack lifecycle (Reconnaissance, Resource Development, Initial
Access, Execution, Persistence, Privilege Escalation, Defense Evasion,
Credential Access, Discovery, Lateral Movement, Collection, Command and
Control, Exfiltration, Impact). It enables SOC teams to standardize detection
and response procedures.
Question 3
Which of the following is a key indicator of a potential ransomware attack?
A) Unusual outbound data transfers at 3 AM
B) Rapid encryption of multiple files with .encrypted extensions
C) Single failed login attempt
D) Decreased CPU usage across servers
Correct Answer: B – Rapid encryption of multiple files
with .encrypted extensions
Rationale: Ransomware typically renames encrypted files with a specific
extension (.encrypted, .locked, .crypt, or a family-specific one) and rapidly
encrypts large numbers of files, dropping a ransom note into each directory it
touches. Extension lists are only a starting point, since many families use random
or victim-specific extensions; the rate of file modification and the note drops are
the more robust signals. Unusual outbound transfers may indicate data exfiltration
(which often precedes ransomware deployment) but are not the encryption itself.
A single failed login is routine; decreased CPU usage is not associated, because
bulk encryption drives CPU and disk I/O up, not down.
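The two ransomware signals named in the rationale, bulk writes with a ransomware-style extension and the same note file dropped into many directories, as detection logic over sample file telemetry. This is an added example for this practice test, not code from any product; the events, host name, process paths and thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Extensions from the rationale above; treat this list as a starting point, not a complete one.
SUSPICIOUS_EXTENSIONS = {".encrypted", ".locked", ".crypt"}

# Constructed file-creation telemetry (timestamp, host, writing process, path) in the shape
# Sysmon Event ID 11 or EDR file events provide. Not from a real incident.
RANSOM = r"C:\Users\bob\AppData\Local\Temp\update.exe"   # hypothetical malicious binary
BACKUP = r"C:\Program Files\Backup\backup.exe"            # hypothetical legitimate tool
SAMPLE_EVENTS = [
    ("2026-01-10T02:14:01", "WS01", RANSOM, r"C:\Users\bob\Documents\q1.xlsx.encrypted"),
    ("2026-01-10T02:14:02", "WS01", RANSOM, r"C:\Users\bob\Documents\q2.xlsx.encrypted"),
    ("2026-01-10T02:14:04", "WS01", RANSOM, r"C:\Users\bob\Documents\plan.docx.encrypted"),
    ("2026-01-10T02:14:05", "WS01", RANSOM, r"C:\Users\bob\Documents\RESTORE_FILES.txt"),
    ("2026-01-10T02:14:07", "WS01", RANSOM, r"C:\Users\bob\Pictures\img1.jpg.encrypted"),
    ("2026-01-10T02:14:08", "WS01", RANSOM, r"C:\Users\bob\Pictures\img2.jpg.encrypted"),
    ("2026-01-10T02:14:10", "WS01", RANSOM, r"C:\Users\bob\Pictures\img3.jpg.encrypted"),
    ("2026-01-10T02:14:11", "WS01", RANSOM, r"C:\Users\bob\Pictures\RESTORE_FILES.txt"),
    ("2026-01-10T02:14:13", "WS01", RANSOM, r"C:\Users\bob\Desktop\notes.txt.encrypted"),
    ("2026-01-10T02:14:14", "WS01", RANSOM, r"C:\Users\bob\Desktop\budget.xlsx.encrypted"),
    ("2026-01-10T02:14:16", "WS01", RANSOM, r"C:\Users\bob\Desktop\RESTORE_FILES.txt"),
    ("2026-01-10T02:14:18", "WS01", RANSOM, r"C:\Users\bob\Downloads\a.pdf.encrypted"),
    ("2026-01-10T02:14:19", "WS01", RANSOM, r"C:\Users\bob\Downloads\b.pdf.encrypted"),
    ("2026-01-10T02:14:21", "WS01", RANSOM, r"C:\Users\bob\Downloads\RESTORE_FILES.txt"),
    # Benign activity on the same host: must not be flagged.
    ("2026-01-10T02:14:30", "WS01", r"C:\Windows\explorer.exe", r"C:\Users\bob\Desktop\New folder\file.txt"),
    ("2026-01-10T02:15:00", "WS01", BACKUP, r"D:\Backups\docs-2026-01-10.bak"),
    ("2026-01-10T02:15:02", "WS01", BACKUP, r"D:\Backups\pics-2026-01-10.bak"),
]


def detect_ransomware(events, window=timedelta(seconds=60), min_files=10, min_note_dirs=3):
    """Flag (host, process) pairs showing mass encryption or a ransom-note drop pattern.
    Thresholds are assumptions for the example; tune them against your own baseline."""
    by_proc = defaultdict(list)
    for ts, host, image, path in events:
        by_proc[(host, image)].append((datetime.fromisoformat(ts), PureWindowsPath(path)))

    findings = []
    for (host, image), writes in by_proc.items():
        # Signal 1: many suspicious-extension files inside one tumbling window of `window`.
        # (Tumbling buckets can split a burst across a boundary; a sliding window avoids that
        # at the cost of a little more code.)
        bucket_len = window.total_seconds()
        buckets = Counter(int(t.timestamp() // bucket_len)
                          for t, p in writes if p.suffix.lower() in SUSPICIOUS_EXTENSIONS)
        burst = max(buckets.values(), default=0)
        if burst >= min_files:
            findings.append({"host": host, "image": image,
                             "indicator": "mass encryption", "count": burst})

        # Signal 2: the same file name written into many directories (ransom-note behaviour).
        # This does not depend on knowing the extension in advance.
        dirs_by_name = defaultdict(set)
        for _, p in writes:
            dirs_by_name[p.name.lower()].add(str(p.parent).lower())
        for name, dirs in dirs_by_name.items():
            if len(dirs) >= min_note_dirs:
                findings.append({"host": host, "image": image,
                                 "indicator": "ransom note drop", "file": name, "count": len(dirs)})
    return findings


if __name__ == "__main__":
    for finding in detect_ransomware(SAMPLE_EVENTS):
        print(finding)
```

The backup tool writes files just as quickly but with an extension that is not on the list, and the explorer write is a single file, so neither produces a finding; the suspicious process trips both signals. In production the second signal is the one to keep even when the first is noisy, since a note per directory is how the attacker tells the victim what happened.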
Question 4
A SOC analyst sees Windows Security Event ID 4625 logged multiple times.
What does this event indicate?
A) Successful logon
B) Failed logon attempt
C) Account lockout
D) Logon with explicit credentials
Correct Answer: B – Failed logon attempt
Rationale: Windows Security Event ID 4625 is logged for every failed logon and
records the target account name, logon type, source workstation and network address
(shown as "-" for some local logons), and a Status/SubStatus pair giving the reason
(for example SubStatus 0xC000006A bad password, 0xC0000064 user name does not exist,
0xC0000072 account disabled, 0xC0000234 account locked out). Event ID 4624 is a
successful logon, 4740 is an account lockout, and 4648 is a logon with explicit
credentials (runas and similar).
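The Question 1 scenario and the Question 4 event type together, as detection logic over a constructed batch of 4625/4624 records. This is an added example written for this practice test, not code from any SIEM or from the test author; the log format is a flattened key=value rendering of the fields a real Security log event carries, the IP addresses, user names and thresholds are constructed, and the labels follow the distinction in the Question 1 rationale (many guesses per account from one source is brute force, one or two per account across many accounts is spraying).

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed, flattened 4625/4624 records (not from a real host).
SAMPLE_LOG = """\
2026-01-10T03:00:01 EventID=4625 TargetUserName=alice IpAddress=203.0.113.7 SubStatus=0xC000006A
2026-01-10T03:00:09 EventID=4625 TargetUserName=alice IpAddress=203.0.113.7 SubStatus=0xC000006A
2026-01-10T03:00:17 EventID=4625 TargetUserName=alice IpAddress=203.0.113.7 SubStatus=0xC000006A
2026-01-10T03:00:26 EventID=4625 TargetUserName=alice IpAddress=203.0.113.7 SubStatus=0xC000006A
2026-01-10T03:00:40 EventID=4625 TargetUserName=bob IpAddress=203.0.113.7 SubStatus=0xC000006A
2026-01-10T03:00:52 EventID=4625 TargetUserName=bob IpAddress=203.0.113.7 SubStatus=0xC000006A
2026-01-10T03:01:03 EventID=4625 TargetUserName=bob IpAddress=203.0.113.7 SubStatus=0xC000006A
2026-01-10T03:01:20 EventID=4625 TargetUserName=carol IpAddress=203.0.113.7 SubStatus=0xC000006A
2026-01-10T03:01:31 EventID=4625 TargetUserName=carol IpAddress=203.0.113.7 SubStatus=0xC0000072
2026-01-10T03:01:45 EventID=4625 TargetUserName=carol IpAddress=203.0.113.7 SubStatus=0xC0000072
2026-01-10T03:05:00 EventID=4624 TargetUserName=alice IpAddress=203.0.113.7 LogonType=3
2026-01-10T03:10:00 EventID=4625 TargetUserName=alice IpAddress=198.51.100.9 SubStatus=0xC000006A
2026-01-10T03:10:20 EventID=4625 TargetUserName=bob IpAddress=198.51.100.9 SubStatus=0xC000006A
2026-01-10T03:10:40 EventID=4625 TargetUserName=carol IpAddress=198.51.100.9 SubStatus=0xC000006A
2026-01-10T03:11:00 EventID=4625 TargetUserName=dave IpAddress=198.51.100.9 SubStatus=0xC000006A
2026-01-10T03:11:20 EventID=4625 TargetUserName=erin IpAddress=198.51.100.9 SubStatus=0xC000006A
2026-01-10T03:11:40 EventID=4625 TargetUserName=frank IpAddress=198.51.100.9 SubStatus=0xC000006A
2026-01-10T03:12:00 EventID=4625 TargetUserName=grace IpAddress=198.51.100.9 SubStatus=0xC000006A
2026-01-10T03:12:20 EventID=4625 TargetUserName=heidi IpAddress=198.51.100.9 SubStatus=0xC000006A
2026-01-10T03:12:40 EventID=4625 TargetUserName=ivan IpAddress=198.51.100.9 SubStatus=0xC0000064
2026-01-10T03:13:00 EventID=4625 TargetUserName=judy IpAddress=198.51.100.9 SubStatus=0xC000006A
2026-01-10T08:15:00 EventID=4625 TargetUserName=erin IpAddress=192.0.2.5 SubStatus=0xC000006A
2026-01-10T08:15:30 EventID=4625 TargetUserName=erin IpAddress=192.0.2.5 SubStatus=0xC000006A
"""

# Common 4625 SubStatus codes and their meaning.
SUBSTATUS = {"0xC000006A": "bad password", "0xC0000064": "user name does not exist",
             "0xC0000072": "account disabled", "0xC0000234": "account locked out"}
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """'<iso-timestamp> key=value ...' -> dict with a parsed 'time'."""
    ts, rest = line.split(" ", 1)
    fields = dict(FIELD_RE.findall(rest))
    fields["time"] = datetime.fromisoformat(ts)
    return fields


def densest_window(times, window):
    """Indices [lo, hi] of the most populated span of length `window` in sorted `times`."""
    best_lo = best_hi = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        if hi - lo > best_hi - best_lo:
            best_lo, best_hi = lo, hi
    return best_lo, best_hi


def classify_source(failures, successes, window=timedelta(minutes=5),
                    min_attempts=10, spray_max_per_account=2):
    """Label one source IP's failed logons. Thresholds are assumptions; tune per environment."""
    failures = sorted(failures, key=lambda e: e["time"])
    lo, hi = densest_window([e["time"] for e in failures], window)
    burst = failures[lo:hi + 1]
    per_account = Counter(e["TargetUserName"] for e in burst)
    reasons = Counter(SUBSTATUS.get(e["SubStatus"], e["SubStatus"]) for e in burst)
    if len(burst) < min_attempts:
        label = "below threshold"
    elif len(per_account) > 1 and max(per_account.values()) <= spray_max_per_account:
        label = "password spraying"                 # few guesses per account, many accounts
    elif len(per_account) == 1:
        label = "brute force (single account)"
    else:
        label = "brute force (multiple accounts)"   # the Question 1 scenario
    burst_end = burst[-1]["time"]
    return {"attempts": len(burst), "accounts": len(per_account),
            "max_per_account": max(per_account.values()), "reasons": dict(reasons), "label": label,
            # A 4624 from the same source after the burst is the first thing to check next.
            "success_after_burst": any(s["time"] > burst_end for s in successes)}


def analyze(log_text, **thresholds):
    """Group 4625/4624 records by source IP and classify every IP that has failures."""
    by_ip = defaultdict(lambda: {"4625": [], "4624": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("EventID") in ("4625", "4624"):
            by_ip[ev["IpAddress"]][ev["EventID"]].append(ev)
    return {ip: classify_source(evs["4625"], evs["4624"], **thresholds)
            for ip, evs in by_ip.items() if evs["4625"]}


if __name__ == "__main__":
    for ip, verdict in analyze(SAMPLE_LOG).items():
        print(ip, verdict)
```

The first source is labelled brute force against multiple accounts and, more importantly, shows a successful network logon (4624, LogonType 3) for alice a few minutes after the burst, which turns a noisy alert into an incident. The second source makes exactly one attempt per account, the spraying pattern, and the third is two typos from a single user.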
Question 5
What is the difference between a false positive and a false negative in
security monitoring?
A) False positive is a missed threat; false negative is an incorrectly flagged
benign event
B) False positive is an incorrectly flagged benign event; false negative is a
missed threat
C) Both indicate correct detections
D) Both indicate missed threats
Correct Answer: B – False positive incorrectly flags benign event;
false negative misses real threat
Rationale: False positives waste analyst time and erode trust in detection
systems. False negatives (missed threats) represent security gaps where
actual attacks go undetected. SOC metrics aim to minimize both, balancing
detection sensitivity and specificity.
Question 6
Which detection technique uses statistical baselines to identify anomalous
behavior?
A) Signature-based detection
B) Behavioral analytics
C) IOC matching
D) Static file analysis
Correct Answer: B – Behavioral analytics
Rationale: Behavioral analytics establishes normal patterns of user, network,
or system behavior (baselines) and flags deviations as potentially malicious.
Examples: unusual login times, unexpected data transfers, atypical process
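A baseline detector of the kind described in Question 6, scored with the false positive and false negative counts from Question 5. This is an added example written for this practice test, not code from the test author or any analytics product: it builds a per-user mean and standard deviation of daily outbound volume from a constructed 14-day history, flags a day whose z-score exceeds a threshold, and then compares the verdicts with a constructed ground truth to compute sensitivity and specificity. The users, volumes, the 3-sigma threshold and the 5% sigma floor are all assumptions.

```python
from statistics import mean, pstdev

# Constructed 14-day baseline of per-user daily outbound volume in MB (not real telemetry).
BASELINE = {
    "alice":      [120, 135, 110, 128, 140, 115, 122, 131, 118, 125, 138, 119, 127, 133],
    "bob":        [40, 42, 38, 45, 41, 39, 44, 40, 43, 37, 42, 41, 39, 44],
    "carol":      [300, 280, 310, 295, 305, 290, 285, 315, 300, 298, 302, 288, 311, 293],
    "dave":       [200, 260, 150, 310, 180, 240, 120, 290, 210, 170, 330, 140, 250, 190],
    "svc-backup": [2000] * 14,       # constant volume: zero-variance edge case
    "new-hire":   [50, 60, 55],      # too little history to baseline
}
# Today's observed volume and the (constructed) ground truth used to score the detector.
TODAY = {"alice": 1450, "bob": 46, "carol": 520, "dave": 360, "svc-backup": 2000, "new-hire": 900}
TRUTH = {"alice": True, "bob": False, "carol": False, "dave": True,
         "svc-backup": False, "new-hire": False}


def baseline_stats(values, floor_fraction=0.05):
    """Mean and a floored standard deviation. The floor (5% of the mean, an assumption)
    stops a perfectly regular account from alerting on any change at all."""
    mu = mean(values)
    sigma = max(pstdev(values), floor_fraction * abs(mu), 1e-9)
    return mu, sigma


def score(baseline, today, threshold=3.0, min_days=7):
    """Return {user: (z, flagged)}. One-sided: only sending *more* than usual is flagged.
    Users with fewer than `min_days` of history get (None, False): no baseline, no verdict."""
    out = {}
    for user, observed in today.items():
        history = baseline.get(user, [])
        if len(history) < min_days:
            out[user] = (None, False)
            continue
        mu, sigma = baseline_stats(history)
        z = (observed - mu) / sigma
        out[user] = (round(z, 2), z > threshold)
    return out


def evaluate(results, truth):
    """Confusion matrix plus sensitivity (true positive rate) and specificity (true negative rate)."""
    tp = sum(1 for u, (_, f) in results.items() if f and truth[u])
    fp = sum(1 for u, (_, f) in results.items() if f and not truth[u])
    fn = sum(1 for u, (_, f) in results.items() if not f and truth[u])
    tn = sum(1 for u, (_, f) in results.items() if not f and not truth[u])
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "sensitivity": tp / (tp + fn) if tp + fn else None,
            "specificity": tn / (tn + fp) if tn + fp else None}


if __name__ == "__main__":
    results = score(BASELINE, TODAY)
    for user, (z, flagged) in results.items():
        print(f"{user:11s} z={z!s:>7} flagged={flagged}")
    print(evaluate(results, TRUTH))
```

The run shows every cell of the matrix: alice's tenfold jump is a true positive; carol's large but legitimate upload is a false positive, because a very stable baseline makes any jump look extreme; dave's slow exfiltration hides inside a noisy baseline and is a false negative; the constant-volume service account is a true negative only because of the sigma floor; and the new hire gets no verdict at all, which is the honest answer when there is nothing to compare against. Raising the threshold trades the carol case for more dave cases, which is the sensitivity/specificity balance Question 5 refers to.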