SOC analyst interviews are scenario interviews. Certifications get you in the room, but the offer goes to the candidate who can talk through an investigation out loud - what you would look at first, what would change your mind, when you would escalate. This guide covers the questions that actually come up for Tier 1 and Tier 2 seats, what the interviewer is listening for in each, and the questions you should ask back before accepting a shift seat.
The triage scenarios (the core of the interview)
- "An alert fires for a suspicious PowerShell execution on a workstation. Walk me through what you do." They want a structured loop, not tool names: read the alert and the exact command line, establish context (which user, which host, what is normal for both), enrich (parent process, network connections, recent logons), form a hypothesis, decide - benign, suspicious and needs escalation, or confirmed malicious and needs containment - and document as you go. Saying "I would check if the command is encoded or downloads content" shows you have actually looked at one.
- "How do you tell a false positive from a true positive?" The trap is answering "experience." The strong answer is method: compare against the baseline for that user/host, corroborate across a second data source (an EDR alert plus the proxy logs beats either alone), and check whether the behavior fits a known-benign pattern like an admin script or a patch cycle. Bonus: mention that recurring false positives are tuning work, not just closing work.
- "You see 200 failed logins on one account followed by a success. What now?" Password spray / brute force triage: source IPs and geography, legacy-auth vs MFA-protected protocol, what the successful session did afterwards, then containment (reset, revoke sessions, block source) and scoping - was this one account or one of fifty.
- "A user reports a phishing email. Take me through your analysis." Headers first (authentication results, return path, reply-to mismatch), then URLs and attachments in a safe environment, then blast-radius: who else received it, did anyone click, are credentials in play. Ending with "and I would pull the same sender across the mail logs" is the Tier 2 signal.
Knowledge questions
- "What log sources would you want for investigating a compromised endpoint?" Endpoint/EDR telemetry, authentication logs, DNS and proxy, and - increasingly the differentiator - cloud audit logs (M365/Google Workspace sign-ins, AWS CloudTrail). Naming why each matters beats naming many.
- "Explain the incident response lifecycle." Preparation, detection and analysis, containment, eradication, recovery, lessons learned - and one sentence on where the SOC sits in it (detection/analysis plus first containment).
- "What is lateral movement and how would you spot it?" Attacker moving host-to-host after the initial foothold: unusual admin-share access, remote execution tooling, new service creation, authentication from workstation to workstation rather than workstation to server.
- SIEM query logic: some interviews include a practical - filter these logs, find the anomaly. If you have genuinely worked queries in one SIEM (Splunk, Sentinel, Elastic), say which and offer to talk through syntax; see live SIEM-tagged roles → for how central this is.
The judgment questions
- "When do you escalate?" The answer they want: earlier than your ego prefers. Escalate on confirmed malicious activity, on anything touching crown-jewel systems, and whenever the investigation exceeds your access or your confidence - with everything you have already established written down, so Tier 2 starts from your notes rather than from zero.
- "An executive's laptop triggers a detection during a board meeting. What do you do?" Process under pressure: follow the runbook, communicate through the right channel, do not sit on it because the user is senior - and do not isolate the CEO's machine mid-presentation without approval unless the evidence is unambiguous. They are testing composure and communication, not heroics.
- "Tell me about a time you were wrong about an alert." Have one ready from labs or work. The point is whether you update your process - "I now always check X first" - not whether you have never missed.
Questions you should ask them
- "What does the shift model look like, and how are nights and weekends rotated?" (The single biggest quality-of-life variable in SOC work.)
- "How many alerts does a Tier 1 analyst work per shift, and who owns tuning?" (A queue of thousands with no tuning ownership is the burnout profile.)
- "What does the path from Tier 1 to Tier 2 and into detection engineering or IR look like here - and has anyone actually made it recently?"
- "Which log sources do you NOT have today?" (An honest answer tells you the maturity; a defensive one tells you more.)
Before you interview
Know your market worth: US SOC analysts band roughly $58k to $92k by tier - the full tier-by-tier and country breakdown is in our SOC analyst salary guide →. If you are still building toward the interview, start with how to become a SOC analyst →, and when you are ready, the live openings are on our SOC analyst jobs board → - updated hourly, every listing applying direct to the employer.
Live SOC & detection roles
Related guides
GRC Analyst Salary in 2026: US Bands, 21 Countries & What Moves the Number
What GRC analysts actually earn in 2026 - US pay by level, benchmark ranges across 21 countries including Indi…
9 min read
How to Transition into GRC in 2026: From Project Management, Audit, IT, or DevOps
A career-changer's guide to breaking into GRC in 2026 - what transfers from project management, audit, IT supp…
10 min read
GRC Interview Questions in 2026: What Hiring Managers Actually Ask
The GRC analyst interview, decoded - the framework, risk, and scenario questions that actually come up (SOC 2 …
9 min read