Security · Rapidly Growing
SOC Analyst: Skills, Projects & Interview Questions (2026)
Monitor security telemetry, triage alerts, and investigate and respond to threats from a Security Operations Center.
What a SOC Analyst actually does
Triaging SIEM alerts, investigating suspicious logins and phishing, and escalating or containing real incidents.
Top hiring companies: TCS, Wipro, Infosys, Accenture, IBM, HCLTech.
Top industries: IT Services, BFSI / Finance, Managed Security (MSSP), Healthcare, E-commerce.
Skills you need to become a SOC Analyst
| Skill | Importance | Learning hours | Interview weight |
|---|---|---|---|
| SIEM (Splunk / Sentinel) | 10/10 | ~50h | High |
| Networking Fundamentals | 9/10 | ~40h | High |
| Log Analysis | 9/10 | ~40h | High |
| Incident Response | 9/10 | ~40h | High |
| MITRE ATT&CK | 8/10 | ~25h | High |
| Windows & Linux Security | 8/10 | ~40h | Medium |
| Phishing Analysis | 8/10 | ~25h | High |
| EDR (CrowdStrike / Defender) | 8/10 | ~30h | Medium |
| Threat Intelligence | 7/10 | ~25h | Medium |
| Scripting (Python) | 6/10 | ~40h | Low |
Core tools: Splunk, Microsoft Sentinel, CrowdStrike Falcon, Wireshark, VirusTotal, TheHive, Suricata, Elastic (ELK).
SOC Analyst learning roadmap
Beginner · 2-3 months
Foundations & core tooling
Build: Stand up a home SIEM lab and write your first brute-force detection rules.
Intermediate · 3-4 months
Applied, real-world builds
Build: Build ATT&CK-mapped detections and a documented incident response playbook.
Advanced · 3-4 months
Production, scale & specialization
Build: Run a purple-team exercise validating detection coverage against real attacks.
9 SOC Analyst portfolio projects
Home SIEM Lab
BeginnerShip Windows and Linux logs into Splunk or ELK and build basic dashboards.
Skills: SIEM (Splunk / Sentinel), Log Analysis
Phishing Email Triage
BeginnerAnalyze real phishing samples with headers, URLs, and attachment sandboxing.
Skills: Phishing Analysis, Threat Intelligence
Brute-Force Detection Rules
BeginnerWrite SIEM detections for failed logins and account lockouts.
Skills: SIEM (Splunk / Sentinel), Log Analysis
Incident Response Playbook
IntermediateDocument a step-by-step playbook for a ransomware or malware incident.
Skills: Incident Response, MITRE ATT&CK
ATT&CK-Mapped Detection Set
IntermediateBuild detections mapped to specific MITRE ATT&CK techniques with test cases.
Skills: MITRE ATT&CK, SIEM (Splunk / Sentinel)
Malware Traffic Analysis
IntermediateInvestigate a captured PCAP to identify C2 and exfiltration.
Skills: Networking Fundamentals, Log Analysis
EDR Investigation Case Study
IntermediateTrace a simulated intrusion through EDR process trees and timelines.
Skills: EDR (CrowdStrike / Defender), Windows & Linux Security
Threat Intel Enrichment Bot
AdvancedPython tool that enriches indicators from VirusTotal and OTX automatically.
Skills: Scripting (Python), Threat Intelligence
Purple Team Detection Exercise
AdvancedRun attacks with Atomic Red Team and validate your detection coverage.
Skills: MITRE ATT&CK, Incident Response
Common SOC Analyst interview questions
Walk me through how you triage a security alert.Medium
What they're testing: Validate, gather context, check IOCs, assess scope and impact, escalate or close with notes
What is the difference between an event, an alert, and an incident?Easy
What they're testing: Raw log vs rule-matched signal vs confirmed harmful activity needing response
Explain the MITRE ATT&CK framework and how a SOC uses it.Medium
What they're testing: A matrix of adversary tactics and techniques used to map detections and coverage gaps
How do you analyze a suspicious email?Easy
What they're testing: Inspect headers/SPF-DKIM, hover URLs, detonate attachments, check reputation
What are the phases of the incident response lifecycle?Medium
What they're testing: Preparation, identification, containment, eradication, recovery, lessons learned
What Windows event IDs matter for detecting logins and lateral movement?Hard
What they're testing: 4624/4625 logons, 4672 privileges, 4688 process creation, 4768/4769 Kerberos
Difference between IDS and IPS.Easy
What they're testing: IDS detects and alerts; IPS sits inline and can block traffic
What is a false positive and how do you reduce them?Medium
What they're testing: A benign alert; tune rules, add allowlists, and enrich with context
How would you detect data exfiltration?Hard
What they're testing: Watch for large outbound transfers, unusual DNS, off-hours access, and new destinations
What are indicators of compromise (IOCs)?Easy
What they're testing: Artifacts like malicious hashes, IPs, domains, and registry keys signaling a breach
How does a SIEM correlation rule work?Medium
What they're testing: Combines events across sources by time/field to surface a higher-fidelity alert
What is the difference between the CIA triad elements?Easy
What they're testing: Confidentiality, integrity, and availability as the three security goals
Certifications for SOC Analysts
- CompTIA Security+CompTIA · Very High value
- Blue Team Level 1 (BTL1)Security Blue Team · High value
- Microsoft SC-200 (Security Operations Analyst)Microsoft · High value
- Splunk Core Certified UserSplunk · Medium value
- CompTIA CySA+CompTIA · High value
SOC Analyst career path
SOC Analyst (L1) -> SOC Analyst L2 / Incident Responder -> SOC Lead / Threat Hunter
Common moves into this role / from here:
- → Incident Responder (4-6 months) — close: Forensics, memory analysis, containment strategy, malware triage, chain of custody
- → Threat Hunter (6-9 months) — close: Hypothesis-driven hunting, advanced query languages, adversary TTPs, data pipelines
- → Detection Engineer (6-9 months) — close: Detection-as-code, Sigma rules, CI/CD for rules, scripting, test automation
Related roles: Incident Responder, Threat Hunter, Security Analyst, Detection Engineer
Frequently asked questions
What skills do you need to become a SOC Analyst?
Core skills include SIEM (Splunk / Sentinel), Networking Fundamentals, Log Analysis, Incident Response, MITRE ATT&CK. Investigate every alert to root cause and document it clearly, rather than just closing tickets.
What projects should a SOC Analyst build for a portfolio?
Strong starter projects: Home SIEM Lab; Phishing Email Triage; Brute-Force Detection Rules; Incident Response Playbook.
How long does it take to become job-ready as a SOC Analyst?
A focused plan runs roughly 2-3 months for fundamentals, then applied projects. Difficulty rating: 5/10.
What is the career path for a SOC Analyst?
SOC Analyst (L1) -> SOC Analyst L2 / Incident Responder -> SOC Lead / Threat Hunter
Ready to become a SOC Analyst?
PrepNPlaced turns this guide into action — a day-by-day roadmap, ATS-ready resume, and real interview practice.
Start free →