New · Cohort 3Engineering Analytics Cohort 3 goes live 25 July — only 30 seatsRegister Now

Security · Rapidly Growing

SOC Analyst: Skills, Projects & Interview Questions (2026)

Monitor security telemetry, triage alerts, and investigate and respond to threats from a Security Operations Center.

Demand 9/102026 outlook 8/10Difficulty 5/10Medium remote418 LPA (indicative)

What a SOC Analyst actually does

Triaging SIEM alerts, investigating suspicious logins and phishing, and escalating or containing real incidents.

Top hiring companies: TCS, Wipro, Infosys, Accenture, IBM, HCLTech.

Top industries: IT Services, BFSI / Finance, Managed Security (MSSP), Healthcare, E-commerce.

Skills you need to become a SOC Analyst

SkillImportance
SIEM (Splunk / Sentinel)10/10
Networking Fundamentals9/10
Log Analysis9/10
Incident Response9/10
MITRE ATT&CK8/10
Windows & Linux Security8/10
Phishing Analysis8/10
EDR (CrowdStrike / Defender)8/10
Threat Intelligence7/10
Scripting (Python)6/10

Core tools: Splunk, Microsoft Sentinel, CrowdStrike Falcon, Wireshark, VirusTotal, TheHive, Suricata, Elastic (ELK).

SOC Analyst learning roadmap

Beginner · 2-3 months

Foundations & core tooling

Build: Stand up a home SIEM lab and write your first brute-force detection rules.

Intermediate · 3-4 months

Applied, real-world builds

Build: Build ATT&CK-mapped detections and a documented incident response playbook.

Advanced · 3-4 months

Production, scale & specialization

Build: Run a purple-team exercise validating detection coverage against real attacks.

Get a day-by-day SOC Analyst study plan →

9 SOC Analyst portfolio projects

Home SIEM Lab

Beginner

Ship Windows and Linux logs into Splunk or ELK and build basic dashboards.

Skills: SIEM (Splunk / Sentinel), Log Analysis

Phishing Email Triage

Beginner

Analyze real phishing samples with headers, URLs, and attachment sandboxing.

Skills: Phishing Analysis, Threat Intelligence

Brute-Force Detection Rules

Beginner

Write SIEM detections for failed logins and account lockouts.

Skills: SIEM (Splunk / Sentinel), Log Analysis

Incident Response Playbook

Intermediate

Document a step-by-step playbook for a ransomware or malware incident.

Skills: Incident Response, MITRE ATT&CK

ATT&CK-Mapped Detection Set

Intermediate

Build detections mapped to specific MITRE ATT&CK techniques with test cases.

Skills: MITRE ATT&CK, SIEM (Splunk / Sentinel)

Malware Traffic Analysis

Intermediate

Investigate a captured PCAP to identify C2 and exfiltration.

Skills: Networking Fundamentals, Log Analysis

EDR Investigation Case Study

Intermediate

Trace a simulated intrusion through EDR process trees and timelines.

Skills: EDR (CrowdStrike / Defender), Windows & Linux Security

Threat Intel Enrichment Bot

Advanced

Python tool that enriches indicators from VirusTotal and OTX automatically.

Skills: Scripting (Python), Threat Intelligence

Purple Team Detection Exercise

Advanced

Run attacks with Atomic Red Team and validate your detection coverage.

Skills: MITRE ATT&CK, Incident Response

Common SOC Analyst interview questions

Walk me through how you triage a security alert.Medium

What they're testing: Validate, gather context, check IOCs, assess scope and impact, escalate or close with notes

What is the difference between an event, an alert, and an incident?Easy

What they're testing: Raw log vs rule-matched signal vs confirmed harmful activity needing response

Explain the MITRE ATT&CK framework and how a SOC uses it.Medium

What they're testing: A matrix of adversary tactics and techniques used to map detections and coverage gaps

How do you analyze a suspicious email?Easy

What they're testing: Inspect headers/SPF-DKIM, hover URLs, detonate attachments, check reputation

What are the phases of the incident response lifecycle?Medium

What they're testing: Preparation, identification, containment, eradication, recovery, lessons learned

What Windows event IDs matter for detecting logins and lateral movement?Hard

What they're testing: 4624/4625 logons, 4672 privileges, 4688 process creation, 4768/4769 Kerberos

Difference between IDS and IPS.Easy

What they're testing: IDS detects and alerts; IPS sits inline and can block traffic

What is a false positive and how do you reduce them?Medium

What they're testing: A benign alert; tune rules, add allowlists, and enrich with context

How would you detect data exfiltration?Hard

What they're testing: Watch for large outbound transfers, unusual DNS, off-hours access, and new destinations

What are indicators of compromise (IOCs)?Easy

What they're testing: Artifacts like malicious hashes, IPs, domains, and registry keys signaling a breach

How does a SIEM correlation rule work?Medium

What they're testing: Combines events across sources by time/field to surface a higher-fidelity alert

What is the difference between the CIA triad elements?Easy

What they're testing: Confidentiality, integrity, and availability as the three security goals

Practice the full SOC Analyst question bank →

Certifications for SOC Analysts

  • CompTIA Security+CompTIA · Very High value
  • Blue Team Level 1 (BTL1)Security Blue Team · High value
  • Microsoft SC-200 (Security Operations Analyst)Microsoft · High value
  • Splunk Core Certified UserSplunk · Medium value
  • CompTIA CySA+CompTIA · High value

SOC Analyst career path

SOC Analyst (L1) -> SOC Analyst L2 / Incident Responder -> SOC Lead / Threat Hunter

Common moves into this role / from here:

  • Incident Responder (4-6 months) — close: Forensics, memory analysis, containment strategy, malware triage, chain of custody
  • Threat Hunter (6-9 months) — close: Hypothesis-driven hunting, advanced query languages, adversary TTPs, data pipelines
  • Detection Engineer (6-9 months) — close: Detection-as-code, Sigma rules, CI/CD for rules, scripting, test automation

Related roles: Incident Responder, Threat Hunter, Security Analyst, Detection Engineer

Frequently asked questions

What skills do you need to become a SOC Analyst?

Core skills include SIEM (Splunk / Sentinel), Networking Fundamentals, Log Analysis, Incident Response, MITRE ATT&CK. Investigate every alert to root cause and document it clearly, rather than just closing tickets.

What projects should a SOC Analyst build for a portfolio?

Strong starter projects: Home SIEM Lab; Phishing Email Triage; Brute-Force Detection Rules; Incident Response Playbook.

How long does it take to become job-ready as a SOC Analyst?

A focused plan runs roughly 2-3 months for fundamentals, then applied projects. Difficulty rating: 5/10.

What is the career path for a SOC Analyst?

SOC Analyst (L1) -> SOC Analyst L2 / Incident Responder -> SOC Lead / Threat Hunter

Ready to become a SOC Analyst?

PrepNPlaced turns this guide into action — a day-by-day roadmap, ATS-ready resume, and real interview practice.

Start free →