This piece will cover strategies for finding a SOC analyst job, including common job titles, what job boards to use, resume tips, networking with other professionals, and common interview questions. How Do I Get a SOC Analyst Job?

Find yourself at the crossroads of your old life and considering a new career in cybersecurity. This article will give you tips and tools to find a job in the cybersecurity industry. This might mean that you are graduating from college and looking to start your career, or you might have been in IT for a while. You are looking to dive into cybersecurity, or maybe it means you are an honored vet looking to transition into civilian space. Whatever the case may be, there are a few things you should know.

Networking

Conferences & Meetups

Word of mouth is your friend! It is essential to grow your network. Having a broad network of people you can talk to professionally opens you up to new opportunities and gives you people to discuss your new ideas with. Professional connections help you stay on top of the latest trends, such as news or technical techniques that greatly benefit you. There are many opportunities to get involved in projects or communities that are local to your area. Some of these include:

2600: 2600 is an organization with deep roots in hacker culture. Today, it exists as a website, meetup space, conference, and magazine, to name a few. The history of hacking is fascinating, and its name comes from 2600 Hz, which is the frequency at which a plastic whistle found inside a Captain Crunch box sounded when blown. Blown into a payphone, it allowed the hacker to make free phone calls.

DEF CON: The crown jewel of hacking conferences. The DEF CON conference is traditionally held annually in the summer in Las Vegas, NV. It is considered a pilgrimage for anyone in infosec! There is so much to do, so many knobs to twist, bells to ding, and big red buttons to push; you will never have time to do it all. What makes this conference great for your career is that recruiters love it! I have heard so many stories of people getting job offers on the spot at DEF CON. DEF CON is even better if you volunteer at the events. You will meet more people and at a deeper level. Additionally, DEF CON has “DEF CON groups,” which are smaller DEF CON meetings in your local areas, usually every month. This is also a great way to network with your regional infosec peers to see what is happening in your local infosec industry and hopefully pick up a lead!

BSides: BSides is a popular conference held locally in many cities and during the same time frame as Defcon in Las Vegas. It is relatively popular and offers a lot of value. Tickets are cheap (and free if you volunteer), giving you access to what is going on and the people in your area.

OWASP: The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve software security. Through community-led open source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the Web.

Hackerspaces and Makerspaces: These meetups in your local areas are a great way to meet people, tinker, pull knobs, and push buttons. Sometimes these meetings will allow their members to give presentations in a show-and-tell format, which is a great way to build your presentation skills.

If you have been attending meetings in your surrounding areas, don’t forget to take a pencil and notepad to write down emails and contact info of the people you meet. It is not weird and doesn’t feel uncomfortable; everyone there is there for the same reason, and you’d be lucky to have a notepad. Most people would feel flattered if you cared enough to write their information on a notepad. Tell your new friends you want to keep in contact and be on the lookout for them. Follow up with everyone the day after, and send them your resume to share with others.

Competitions

This article wouldn’t be complete if we didn’t take a minute to talk about capture-the-flag (CTF) competitions. Capture the Flag has been around since the beginning, and it started with vulnerable applications and systems with a text string hidden inside them. The participant finds the text string and submits it to the judges, and they get points for every proof they’ve hacked. It started in 1996 at DEF CON (mentioned above), and today, it has evolved into various capture-the-flag challenges inside and outside of conferences. Tyler’s favorite challenge is the DEF CON Blue Team Village capture-the-flag, but he has competed in Ghost in the Shellcode, SANS Netwars, Holiday Hack, CSAW, and was a mentor for high schoolers for the CyberPatriot program. Tyler was never really fantastic at them, but always competed on a team, which was the fun. Most bigger conferences other than DEF CON will have their capture-the-flag competitions. For instance, the Splunk conference, Splunk.conf, hosts a popular capture-the-flag called BOTS, for Boss of the SOC, that is very challenging and popular (congrats, VMware, for taking 3rd in 2023!). If you are in college, there are many student-oriented capture-the-flag competitions, and perhaps the biggest one that should be on your radar is the Collegiate Cyber Defense Competition (CCDC).

In addition to these, there are many online CTF competitions and challenges that not only have communities that you can join and participate in to enhance your networking by finding common ground with new people, but also provide awards, credentials, and overall bragging rights.

Medium

If you want to start building a brand as a cybersecurity expert, then Medium is where you need to go to start doing it. Creating a blog can be one of the most rewarding things any professional can do. Not only does Medium have a huge built-in audience of technology professionals, but teaching and writing about a topic also improve the retention of information. You’ll find out sooner or later that you lose the information if you don’t use it. Teaching something to someone else helps you retain that knowledge for longer. Choose a few topics on the SOC and cybersecurity, maybe about your latest project or something you’ve studied that you’ve found interesting, and teach them. One of your audience members might be your new manager! Please write at least two weekly articles and share them on all your social media outlets, including LinkedIn. And always remember to learn, do, and teach to retain. And it helps others.

A blog will establish you as someone who knows something about cybersecurity. Leave a banner at the end of every Medium article connecting to your LinkedIn profile. This way, any person interested in you can reach out and connect! Blog on Medium 2x a week.

Where to Search for Jobs

The information security world has embraced social media to locate and recruit top talent, and LinkedIn stands out as a clear place to start. Not only can you find job postings, but you can also get connected with headhunters and recruiters looking to find top talent. LinkedIn offers a premium subscription that can be used to find and connect with recruiters. They offer free trials of LinkedIn Premium, and I highly recommend using it when searching for a job.

If your LinkedIn profile is uninteresting, you will not attract the attention you need, no matter how good your cybersecurity knowledge. Other than putting your certifications and credentials in the headline, there are a few tips to keep in mind.

LinkedIn is not the only website to consolidate job postings; Indeed and Monster are worth investigating, too. Once you’ve accumulated a few technical certifications, sites like Credly.com have job boards that are looking for talented people with those certifications.

Finally, you can’t go wrong by looking at the careers section of a company’s website. This will show you what open positions are available and provide insight into what they are looking for in an applicant.

Applying for Jobs

We would like to explain to you how to perform a job hunt. First off, you need to get your resume together. It takes a lot of trial and error to perfect a resume, but a professional can also help you build a good one. A resume can take form in many styles, but it will have the same basic information:

Keep your resume to under three pages to prevent over-skimming by the readers.

Once your resume is together, you can search for a job. Several job posting websites have proven successful for us; however, I have had the most success with LinkedIn. When searching for a job, I usually purchase their premium membership to see the statistics for each job I am applying for, send InMail messages to hiring managers or recruiters for a company I am interested in, and see who is looking at my profile. Also, Google has a good aggregation of jobs to search through. Using Google, you are able to set up and configure job alerts specifically for cybersecurity jobs.

The security analyst position is the job that will allow you to land the easiest first step into information security. There is a revolving door in most SOCs, and the position for a security analyst opens frequently. The titles that you want to look for first are:

If you are mobile and can move anywhere, your odds of finding a good fit quickly are pretty good. If you live far outside of a big city, your options may be more limited. Most SOCs require you to be on-site for security purposes. During COVID, everyone moved remote, and now more companies are returning to a hybrid work model.

Common Interview Questions

The following is a list of common interview questions that might be asked during an interview for a junior SOC analyst. Some are very basic, and some are harder, but we feel if you can answer these questions, you have the required knowledge to become a SOC analyst:

• What is an RFC 1918 address?

Do you know them?

• Define a Class A, B, or C network.

• What are the seven phases of the cyber kill chain?

• What is the purpose of the MITRE ATT&CK Framework?

• What is the difference between TCP and UDP?

• What are ports 80, 443, 22, 23, 25, and 53?

• What is data exfiltration?

• What Windows protocol is commonly used for data exfiltration?

• Do you have a home lab?

Explain it.

• What is AWS? Azure?

Explain how you’ve used it.

• What is a DMZ, and why is it a common cyberattack target?

The importance of having technical knowledge cannot be overstated. The above questions are straightforward, but you might be surprised that seven out of ten candidates don’t know modern services' standard TCP/UDP ports. I highly suggest using a common study guide to prepare for your interview. An example of this is the website Quizlet.com. They provide a flashcard-style learning platform for information technology certifications like Network+ or Security+. Also, Udemy has a few SOC Analyst interview question courses you can take.

Despite the need for a basic understanding of information technology, that only covers half the requirements to be a SOC analyst. An analyst should be a critical thinker and possess the acumen for problem-solving. Interviewers will usually test a candidate’s problem-solving ability with scenario-based questions. Let’s cover some scenarios I’ve seen and used to conduct interviews:

“You are a tier 1 SOC analyst, monitoring the SOC inbox for user-reported incidents. The SOC receives an email from the VP of Human Resources stating they can’t access their cloud drive. The VP knows this is against company policy, but the VP is adamant that this is required for legitimate business requirements.”

Do you process the access request for the VP?

What is your response to the VP?

Who else should you include in the reply email?

“You are monitoring the SIEM dashboard for new security events. A network IDS alert is triggered, and you begin investigating. You see a large amount of network traffic over UDP port 161 originating from dozens of internal IP addresses, all with the same internal destination IP address. Some quick Googling shows that the Simple Network Management Protocol uses UDP port 161, and the byte count of the traffic is minuscule.”

Do you think this is data exfiltration?

If this is not data exfiltration, what legitimate services could cause this alert?

What team could provide an explanation for the traffic?

The first scenario exemplifies what you might be asked when applying for an entry-level analyst role, while the second is a little more advanced. Let’s go over what the interviewer is looking for.

Scenario 1 is designed to identify if the applicant can be easily intimidated by senior leadership in your organization. Information security is the responsibility of all organization members; it should not be waived for the convenience of one senior leader. The larger lesson here is about making risk-based decisions. A junior analyst should never assume the risk of policy exceptions.

The interviewer will ask how the applicant will respond to the VP, as it will showcase their experience with customer service. Customer service is another critical task of a SOC analyst. Whether working for an MSSP or a company's internal SOC, there will be times when interfacing with other teams will require the analyst to show a certain level of tact and professionalism. The third question helps the interviewer understand the analyst's prioritization skills. If an analyst is working with a VP, there is a high probability that there is a procedure around communicating with senior leadership within the organization.

Scenario 2 tests the applicant’s critical thinking and technical knowledge while providing the interviewer insight into the applicant’s investigative reasoning. This scenario also gives insight into the most essential quality of a SOC analyst: if you don’t know the answer, admit it. The SOC team's last need is a “know-it-all”; they are dangerous and toxic to the workplace. If this article teaches you one thing, let it be this lesson. There will be questions you can’t answer, and that’s fine. The worst thing you can do is give a wrong answer with the confidence that you are 100% correct.

Remember that the above scenarios are examples; each interviewer will use their own questions. The goal remains the same: to locate and select the best applicant for the position. Our goal is to assist you in becoming that applicant. The following are a few tricks and tips to help you become the “best applicant” for the position:

Summary

The most important thing we want you to take away from this article is that you have the tools to help you find a job. Use job boards, network with others in your area and online, and study to understand the answers to the typical interview questions. The job market is growing fast, but in the future, the skills for analysts will change as SOC automation and the cloud begin to mature. As you move forward, the resources I’ve explained will be even more valuable to you.

Get a Security+; blog on Medium 2x a week; go to in-person meetings 2x a month; stay involved in Discord and social media daily. The application process is broken. Networking will be how you find your next job.

One last thing to end this article. You are entering the world of “cybersecurity”. Cybersecurity is defined as, “measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack” This is always correctly spelled as one word to denote a profession, a practice, even an industry.

ARTICLE QUIZ (ANSWERS FOLLOW)

For an online community of support in the hacker culture that includes meetup spaces, a conference, and a magazine whose namesake is from a Captain Crunch toy check out _______.

Ⓐ 2600.org

Ⓑ DEF CON

Ⓒ Bsides

Ⓓ OWASP

This relatively affordable conference meets in Las Vegas each year and draws recruiters looking for qualified IT professionals and is the pilgrimage for anyone in cybersecurity.

Ⓐ Bsides

Ⓑ OWASP

Ⓒ DEF CON

Ⓓ Hackerspaces

_______ is a nonprofit foundation that strives to improve the security of software.

Ⓐ DEF CON

Ⓑ OWASP

Ⓒ BSides

Ⓓ 2600

All the following items should be included on your resume for a SOC analyst position except:

Ⓐ Unrelated certifications

Ⓑ Experience related to IT

Ⓒ Skills that line up to the job listing

Ⓓ Phone and email address

When searching for open analyst positions, use all the following titles except:

Ⓐ Information Security Analyst

Ⓑ Security Operations Center Analyst

Ⓒ Security Analyst

Ⓓ Software Analyst

Which of the following is not a reason to include your LinkedIn profile on your resume?

Ⓐ LinkedIn provides an overview of you as a professional

Ⓑ LinkedIn enables you to upload multiple pictures of yourself

Ⓒ LinkedIn gives personalized information about yourself

Ⓓ LinkedIn allows you to provide more information about yourself

All the following are questions you might be asked in an interview except:

Ⓐ What’s the difference between TCPand UDP?

Ⓑ What are the ports 80,443,22,23,25, and 53?

Ⓒ What’s an RFC1928 address?

Ⓓ What is a DMZ, and why is it a common target for cyberattacks?

Which of the following was not on the list of questions you might be asked in a SOC Analyst interview?

Ⓐ What is ASW?

Ⓑ Define a Class A, B, or C network?

Ⓒ What are the seven phases of the cyber kill chain?

Ⓓ What’s the purpose of the MITREATT&CK Framework?

In an interview, you should do all the following when it comes to body language except:

Ⓐ Use brief affirmations like “I see.”

Ⓑ Make eye contact.

Ⓒ Maintain good posture.

Ⓓ Show signs of restlessness or boredom.

ARTICLE QUIZ SOLUTIONS

For an online community of support in the hacker culture that includes meetup spaces, a conference, and a magazine whose namesake is from a Captain Crunch toy check out _______.

Ⓐ 2600

A bit of “hacker history,” but 2600 meetings are alive and well in some cities.

This relatively affordable conference meets in Las Vegas each year and draws recruiters looking for qualified IT professionals and is the pilgrimage for anyone in cybersecurity.

Ⓒ DEF CON

DEF CON is held in the summer in Las Vegas every year. A great place to get involved!

_______ is a nonprofit foundation that strives to improve the security of software.

Ⓑ OWASP

The Open Web Application Security Project is an online community that produces freely available articles, methodologies, documentation, tools, and technologies related to web application security.

All the following items should be included on your resume for a SOC analyst position except:

Ⓐ Unrelated certifications

Do not include unrelated certifications on your resume.

When searching for open analyst positions, use all the following titles except:

Ⓐ Software Analyst

Software Analyst isn’t a typical cybersecurity job title.

Which of the following is not a reason to include your LinkedIn profile on your resume?

Ⓑ LinkedIn enables you to upload multiple pictures of yourself

Uploading multiple pictures of yourself shouldn’t be a reason to use LinkedIn in cybersecurity.

All the following are questions you might be asked in an interview except:

Ⓒ What’s an RFC1928 address?

RFC1918 is the standard, not RFC1928.

Which of the following was not on the list of questions you might be asked in a SOC Analyst interview?

Ⓐ What is ASW?

ASW isn’t a common acronym in cybersecurity.

In an interview, you should do all the following when it comes to body language except:

Ⓓ Show signs of restlessness or boredom.

The answer to this question should be very obvious but should spark your research, “What are signs of restlessness or boredom?”