This piece covers strategies for finding a SOC analyst job, including common job titles, which job boards to use, resume tips, networking with other professionals, and common interview questions. This is How to Get a SOC Analyst Job.
If you find yourself at the crossroads of your old life and a new career in cybersecurity, then this article will give you tips and tools to find a job in the cybersecurity industry. This might mean that you are graduating from college and looking to start your career, or that you have been in IT for a while and want to dive into cybersecurity, or maybe that you are an honored veteran looking to transition into the civilian space. Whatever the case may be, there are a few things you should know.
Networking
Conferences & Meetups
Word of mouth is your friend! It is important to grow your network. Having a broad network of people you can talk to professionally not only opens you up to new opportunities but gives you people to discuss your new ideas with. Professional connections help you stay on top of the latest trends, such as news or technical techniques, which will benefit you greatly. There are many opportunities to get involved in projects or communities local to your area. Some of these include:
2600: 2600 is an organization with deep roots in hacker culture. Today, it exists as a website, meetup space, conference, and magazine, to name a few. The history of hacking is fascinating, and their name comes from 2600 Hz, the frequency of the tone produced by a plastic whistle found inside a Captain Crunch cereal box. Blown into a payphone, it allowed the hacker to make free phone calls.
DEF CON: The crown jewel of hacking conferences. The DEF CON conference is traditionally held annually in the summer in Las Vegas, NV. It is considered a pilgrimage for anyone in infosec! There is so much to do, so many knobs to twist, bells to ding, and big red buttons to push; you will never have time to do it all. What makes this conference great for your career is that recruiters love it! I have heard so many stories of people getting job offers on the spot at DEF CON. DEF CON is even better if you volunteer at the events: you will meet more people, and at a deeper level. Additionally, DEF CON has “DEF CON groups,” which are smaller DEF CON meetings in your local area, usually on a monthly basis. This is also a great way to network with your regional infosec peers, see what is happening in your local infosec industry, and hopefully pick up a lead!
BSides: BSides is a popular conference held locally in many cities, and in Las Vegas during the same time frame as DEF CON. It is relatively popular and offers a lot of value. Tickets are cheap (and free if you volunteer), giving you access to what is going on and to the people in your area.
OWASP: Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the Web.
Hackerspaces and Makerspaces: These meetups in your local areas are a great way to meet people, tinker, pull knobs, and push buttons. Sometimes these meetings will allow their members to give presentations in a show and tell format, and that is a great way to build your presentation skills.
If you have been attending meetings in your surrounding area, don’t forget to take a pencil and notepad with you to write down the emails and contact info of the people you meet. It is not weird and shouldn’t feel uncomfortable: everyone there is there for the same reason, and you’d be the lucky one with a notepad. Most people would feel flattered that you cared enough to write their information down. Tell your new friends you want to keep in contact and be on the lookout for them. Follow up with everyone the day after, and send them your resume to share with others.
Competitions
This article wouldn’t be complete if we didn’t take a minute to talk about capture-the-flag (CTF) competitions. Capture-the-flag has been around since the very beginning. It started with vulnerable applications and systems that have a text string hidden inside them; the participant finds the text string and submits it to the judges, earning points for every proof that they’ve hacked the target. It started in 1996 at DEF CON (mentioned above) and today has evolved into all sorts of capture-the-flag challenges inside and outside of conferences. In fact, Tyler’s favorite challenge is the DEF CON Blue Team Village capture-the-flag, but he has also competed in Ghost in the Shellcode, SANS NetWars and Holiday Hack, and CSAW, and was a mentor for high schoolers in the CyberPatriot program. Tyler was never really fantastic at them, but he always competed on a team, and that was the fun of it. Most bigger conferences other than DEF CON will have their own capture-the-flag competitions. For instance, the Splunk conference, Splunk.conf, hosts a popular capture-the-flag called BOTS, for Boss of the SOC, that is very challenging and popular (congrats VMware for taking 3rd in 2023!). If you are in college, there are many student-oriented capture-the-flag competitions, and perhaps the biggest one that should be on your radar is the Collegiate Cyber Defense Competition (CCDC).
In addition to these, there are many online CTF competitions and challenges. They have communities you can join and participate in to enhance your networking by finding common ground with new people, and they also provide awards, credentials, and overall bragging rights. Probably the most popular online CTF platform today, and one I would certainly recommend taking a look at, is TryHackMe. TryHackMe’s popularity has skyrocketed as the premier hacking challenge, and it’s common to look around on LinkedIn and see analysts advertising that they are “Top 2% in TryHackMe” or “Top 5% TryHackMe”. If you get serious about playing the game and showing off your skills, you can purchase the subscription to speed up your learning and your point earning.
On the other hand, for defense (blue team) challenges, LetsDefend is rising in popularity. They have a free option but for the SOC Analyst track it’s a subscription. They have some neat challenges that would give you some hands-on exposure to some of the things we do on a daily basis and even give you a certificate to share on LinkedIn.
Medium
If you want to start building a brand as a cybersecurity expert, then Medium is where you need to go to start doing it. Creating a blog can be one of the most rewarding things any professional can do. Not only does Medium have a huge built-in audience of technology professionals, but teaching and writing about a topic improves your retention of the information. You’re going to find out sooner or later that if you don’t use the information, you lose it. Teaching something to someone else helps you retain that knowledge for longer. Choose a few topics on the SOC and cybersecurity, maybe your latest project or something you’ve studied that you found interesting, and teach it. One of your audience members might be your new manager! Write at least two articles every week and share them on all of your social media outlets, including LinkedIn. And always remember: learn, do, teach to retain. It helps others, too. We will talk more about that later.
A blog will establish you as someone who knows something about cybersecurity. Make sure you leave a banner at the end of every Medium article connecting to your LinkedIn profile. This way any person interested in you can reach out and connect!
Creating a Course
Online courses are all the rage nowadays, and websites like Udemy make it very easy to create and sell online courses. Creating an online course is one of the best ways to establish your credentials in the field. Set up an instructor account on Udemy for free, create a simple course on cybersecurity concepts, and add it to your resume. Reach out to Tyler Wall on LinkedIn for opportunities to collaborate. It takes a village to create a good Udemy course, and Tyler knows some people and has a few resources to build your reputation and even make a couple of bucks in the process. Whether you’re a writer, a technical demonstrator, or just have a cool idea for a cloud or security course, he’s all ears. Come join the team and get your name out there.
Once you have attended a few meetings, optionally built a course, and are blogging, you can start to build a network of like-minded community members to associate with. Once you have started to build your network, you might have a few leads, but you also don’t want all your eggs in one basket. You will want to apply for jobs on traditional job posting boards.
Where to Search for Jobs
The Information Security world has embraced social media to locate and recruit top talent, with LinkedIn standing out as the clear place to start. Not only can you find job postings, you can get connected with headhunters and recruiters looking for top talent. LinkedIn offers a premium subscription that can be used to find and connect with recruiters. They offer free trials of LinkedIn Premium, and I highly recommend using it when job searching.
If your LinkedIn is uninteresting, then you aren’t attracting the attention you need, no matter how good your cybersecurity knowledge is. Other than putting your certifications and credentials in the headline, there are a few tips to keep in mind.
LinkedIn Profile Tips
LinkedIn is not the only website to consolidate job postings, Indeed and Monster are worth investigating too. Once you’ve accumulated a few technical certifications, sites like Credly.com have job boards that are looking for talented people with the certifications you’ve attained.
Finally, you can’t go wrong by looking at the careers section of a company’s website. This will show you what open positions are available and provide you insight into what they are looking for in an applicant.
Note: Don’t be afraid to apply even if you don’t meet all of the requirements in the job posting. To quote the great Wayne Gretzky, “You miss 100% of the shots you don’t take.”
Applying for Jobs
We would like to explain to you how to perform a job hunt. First off, you need to get your resume together. It takes a lot of trial and error to perfect a resume, but you can also have a professional help you build a good one. A resume can take form in many styles, but it will have the same basic information:
Resume Components
Keep your resume to under three pages so readers don’t skim past the important parts.
We offer a resume workshop service where we will share a document with you and probe you with questions until we get all of the information out of you about your previous experience, and then write it in a way that is quickly and easily consumed.
Once your resume is together, you can move forward to a job search. There are several job posting websites that have proven successful for us; however, I have had the most success with LinkedIn. When I am searching for a job, I usually purchase their premium membership so that I am able to see the statistics for each job I am applying for, send InMail messages to hiring managers or recruiters for a company I am interested in, and see who is looking at my profile. Also, Google has a good aggregation of jobs to search through. Using Google, you are able to set up and configure job alerts specifically for cybersecurity jobs.
The security analyst position is the job that you will be able to land the easiest as a first step into information security. There is a revolving door in most SOCs, and the position for security analyst opens frequently. The titles that you want to look for first are:
SOC Analyst Job Titles
If you are mobile and can move anywhere, your odds of finding a good fit quickly are pretty good. If you live far outside of a big city, then your options may be more limited. Most SOCs require you to be on-site for security purposes; during COVID everyone moved remote, and now more companies are returning to a hybrid work model.
Common Interview Questions
The following is a list of common interview questions that might be asked during an interview for a junior SOC analyst. Some are very basic and some are harder, but we feel if you can answer these questions you have the required knowledge to become a SOC analyst:
What is an RFC 1918 address?
Do you know them?
Define a Class A, B, or C network.
What are the seven phases of the cyber kill chain?
What is the purpose of the MITRE ATT&CK Framework?
What is the difference between TCP and UDP?
What are ports 80, 443, 22, 23, 25, and 53?
What is data exfiltration?
What Windows protocol is commonly used for data exfiltration?
Do you have a home lab?
Explain it.
What is AWS? Azure?
Explain how you’ve used it.
What is a DMZ, and why is it a common target for cyberattacks?
The importance of having technical knowledge cannot be overstated. The above questions are pretty simple, but you might be surprised to learn that seven out of ten candidates don’t know the common TCP/UDP ports used by modern services. I highly suggest using a common study guide to prepare for your interview. An example of this is the website Quizlet.com. They provide a flashcard style learning platform for information technology certifications like Network+ or Security+. Also, Udemy has a few SOC Analyst interview question courses that you can take.
Despite the need for a basic understanding of information technology, that only covers half of the requirement to be a SOC analyst. An analyst should be a critical thinker and possess an acumen for problem solving. Interviewers will usually test a candidate’s ability for problem solving with scenario-based questions. Let’s cover some scenarios I’ve seen and used to conduct interviews:
“You are a tier 1 SOC analyst, responsible for monitoring the SOC inbox for user-reported incidents. The SOC receives an email from the VP of Human Resources stating that they can’t access their personal cloud drive. The VP knows this is against company policy, but the VP is adamant that this is required for legitimate business requirements.”
Do you process the access request for the VP?
What is your response to the VP?
Who else should you include in the reply email?
“You are monitoring the SIEM dashboard for new security events. A network IDS alert is triggered, and you begin investigating. You see a large amount of network traffic over UDP port 161 originating from dozens of internal IP addresses, all with the same internal destination IP address. Some quick Googling shows that UDP port 161 is used by the Simple Network Management Protocol (SNMP), and the byte count of the traffic is minuscule.”
Do you think this is data exfiltration?
If this is not data exfiltration, what legitimate services could cause this alert?
What team could provide an explanation for the traffic?
The first scenario is an example of what you might be asked when applying for an entry level analyst role, while the second is a little more advanced. Let’s go over what the interviewer is looking for.
Scenario 1 is designed to identify whether the applicant can be easily intimidated by senior leadership in the organization. Information security is the responsibility of all members of the organization; it should not be waived for the convenience of one senior leader. The larger lesson here is about making risk-based decisions. A junior analyst should never assume the risk of policy exceptions.
The interviewer will ask how the applicant would respond to the VP, as it showcases their experience with customer service. Customer service is another very important task of a SOC analyst. Whether working for an MSSP or for a company’s internal SOC, there will be times when interfacing with other teams requires the analyst to show a certain level of tact and professionalism. The third question helps the interviewer understand the prioritization skills of the analyst. If an analyst is working with a VP, there is a high probability there is a procedure around communicating with senior leadership within the org.
Scenario 2 is designed to test the applicant’s critical thinking and technical knowledge while also giving the interviewer insight into the applicant’s investigative reasoning. This scenario also gives insight into the most important quality of a SOC analyst: if you don’t know the answer, admit it. The last thing the SOC team needs is a “know-it-all”; they are dangerous and toxic to the workplace. If this article teaches you one thing, let it be this lesson. There will be questions you can’t answer, and that’s fine. The worst thing you can do is give a wrong answer with the confidence that you are 100% correct.
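As an added example, not part of the original article, the following Python script walks through the investigative reasoning behind Scenario 2 (and the RFC 1918 interview question): it groups constructed flow records by destination and port, checks whether the destination is an internal RFC 1918 address, and labels a fan-in of tiny UDP/161 flows to a single internal host as likely SNMP monitoring traffic to confirm with the network team, while flagging a bulk transfer to an external address for escalation. The flow records and thresholds are constructed for illustration only.

```python
"""Triage of constructed flow records for the UDP/161 (SNMP) interview scenario."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# RFC 1918 private ranges: a destination inside them is internal, not the Internet.
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """Return True if the address is in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETS)


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


# Constructed sample (not real data): 36 internal hosts each send a tiny UDP/161 flow to one
# internal IP (the scenario), one host pushes a large TCP/443 transfer to an external address,
# and one ordinary internal SMB flow is included as a control.
SAMPLE_FLOWS = (
    [Flow(f"10.1.0.{i + 1}", "10.1.0.200", "udp", 161, 120 + i) for i in range(36)]
    + [Flow("10.1.2.20", "203.0.113.10", "tcp", 443, 850_000_000)]
    + [Flow("10.1.2.21", "10.1.0.9", "tcp", 445, 48_000)]
)


def triage(flows, small_flow_bytes=1_500, fan_in_threshold=10, bulk_bytes=100_000_000):
    """Group flows by (dst, proto, dport) and attach a triage verdict to each group.

    Thresholds are illustrative assumptions, not values from the article.
    """
    groups = defaultdict(list)
    for f in flows:
        groups[(f.dst, f.proto, f.dport)].append(f)

    results = {}
    for (dst, proto, dport), fl in groups.items():
        sources = {f.src for f in fl}
        total = sum(f.nbytes for f in fl)
        avg = total / len(fl)
        internal_dst = is_rfc1918(dst)
        many_small = len(sources) >= fan_in_threshold and avg <= small_flow_bytes
        if proto == "udp" and dport == 161 and internal_dst and many_small:
            # Many agents, one internal collector, tiny payloads: looks like SNMP
            # monitoring rather than data leaving the network. Confirm with the network team.
            verdict = "likely SNMP monitoring fan-in; confirm with network team"
        elif not internal_dst and total >= bulk_bytes:
            # Exfiltration means data leaving: large volume to an external host is the
            # pattern worth escalating.
            verdict = "possible exfiltration; escalate"
        else:
            verdict = "unremarkable"
        results[(dst, proto, dport)] = {
            "sources": len(sources), "total_bytes": total, "avg_bytes": avg,
            "internal_dst": internal_dst, "verdict": verdict,
        }
    return results


if __name__ == "__main__":
    for key, r in triage(SAMPLE_FLOWS).items():
        print(key, r["sources"], "src,", r["total_bytes"], "bytes ->", r["verdict"])
```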
Remember that the above scenarios are examples only; each interviewer will use their own set of questions. The goal remains the same, to locate and select the best applicant for the position. Our goal is to assist you in becoming that applicant. The following are a few tricks and tips to help you become that “best applicant” for the position:
Interview Tips
Summary
The most important thing we want you to take out of this article is that you have tools to help you find a job. Use job boards, network with others in your area and online, and study to understand the answers to the common interview questions. The job market is growing fast, but in the future, the skills for analysts will change as SOC automation and the cloud begin to mature. The resources that I’ve explained will be even more valuable to you as you move forward in time.
One last thing to end this article. You are entering the world of “cybersecurity”. Cybersecurity is defined as “measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.” It is always correctly spelled as one word to denote a profession, a practice, even an industry.
ARTICLE QUIZ (ANSWERS FOLLOW)
For an online community of support in the hacker culture that includes meetup spaces, a conference, and a magazine whose namesake is from a Captain Crunch toy check out _______.
Ⓐ 2600.org
Ⓑ DEF CON
Ⓒ BSides
Ⓓ OWASP
This relatively affordable conference meets in Las Vegas each year and draws recruiters looking for qualified IT professionals and is the pilgrimage for anyone in cybersecurity.
Ⓐ BSides
Ⓑ OWASP
Ⓒ DEF CON
Ⓓ Hackerspaces
_______ is a nonprofit foundation that strives to improve the security of software.
Ⓐ DEF CON
Ⓑ OWASP
Ⓒ BSides
Ⓓ 2600
All the following items should be included on your resume for a SOC analyst position except:
Ⓐ Unrelated certifications
Ⓑ Experience related to IT
Ⓒ Skills that line up to the job listing
Ⓓ Phone and email address
When searching for open analyst positions, use all the following titles except:
Ⓐ Information Security Analyst
Ⓑ Security Operations Center Analyst
Ⓒ Security Analyst
Ⓓ Software Analyst
Which of the following is not a reason to include your LinkedIn profile on your resume?
Ⓐ LinkedIn provides an overview of you as a professional
Ⓑ LinkedIn enables you to upload multiple pictures of yourself
Ⓒ LinkedIn gives personalized information about yourself
Ⓓ LinkedIn allows you to provide more information about yourself
All the following are questions you might be asked in an interview except:
Ⓐ What’s the difference between TCP and UDP?
Ⓑ What are the ports 80, 443, 22, 23, 25, and 53?
Ⓒ What’s an RFC1928 address?
Ⓓ What is a DMZ, and why is it a common target for cyberattacks?
Which of the following was not on the list of questions you might be asked in a SOC Analyst interview?
Ⓐ What is ASW?
Ⓑ Define a Class A, B, or C network?
Ⓒ What are the seven phases of the cyber kill chain?
Ⓓ What’s the purpose of the MITRE ATT&CK Framework?
In an interview, you should do all the following when it comes to body language except:
Ⓐ Use brief affirmations like “I see.”
Ⓑ Make eye contact.
Ⓒ Maintain good posture.
Ⓓ Show signs of restlessness or boredom.
The authors of this course recommend a premium membership on _______ to view statistics for jobs you apply to.
Ⓐ Indeed
Ⓑ Monster
Ⓒ LinkedIn
Ⓓ Glassdoor
ARTICLE QUIZ SOLUTIONS
For an online community of support in the hacker culture that includes meetup spaces, a conference, and a magazine whose namesake is from a Captain Crunch toy check out _______.
Ⓐ 2600.org
A bit of “hacker history,” but in some cities 2600 meetings are very much alive and well.
This relatively affordable conference meets in Las Vegas each year and draws recruiters looking for qualified IT professionals and is the pilgrimage for anyone in cybersecurity.
Ⓒ DEF CON
DEF CON is held in the summer in Las Vegas every year. A great place to get involved!
_______ is a nonprofit foundation that strives to improve the security of software.
Ⓑ OWASP
The Open Web Application Security Project is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security.
All the following items should be included on your resume for a SOC analyst position except:
Ⓐ Unrelated certifications
Do not include unrelated certifications on your resume.
When searching for open analyst positions, use all the following titles except:
Ⓓ Software Analyst
Software Analyst isn’t a typical cybersecurity job title.
Which of the following is not a reason to include your LinkedIn profile on your resume?
Ⓑ LinkedIn enables you to upload multiple pictures of yourself
Uploading multiple pictures of yourself shouldn’t be a reason to use LinkedIn in cybersecurity.
All the following are questions you might be asked in an interview except:
Ⓒ What’s an RFC1928 address?
RFC1918 is the standard, not RFC1928.
Which of the following was not on the list of questions you might be asked in a SOC Analyst interview?
Ⓐ What is ASW?
ASW isn’t a common acronym in cybersecurity.
In an interview, you should do all the following when it comes to body language except:
Ⓓ Show signs of restlessness or boredom.
The answer to this question should be very obvious but should spark your research, “What are signs of restlessness or boredom?”
The authors of this course recommend a premium membership on _______ to view statistics for jobs you apply to.
Ⓒ LinkedIn
The authors of this course have found value in premium LinkedIn memberships while they were applying for jobs.
Tyler Wall is the founder of Cyber NOW Education. He holds a Master of Science from Purdue University and the CISSP, CCSK, CFSR, CEH, Sec+, Net+, and A+ certifications. He mastered the SOC after having held every position from analyst to architect, and he is the author of three books, 100+ professional articles, and ten online courses specifically for SOC analysts.
You can connect with him on LinkedIn.
You can sign up for a Lifetime Membership of Cyber NOW® with a special deal for 15% off with coupon code "KB15OFF" which includes all courses, certification, the cyber range, the hacking lab, webinars, the extensive knowledge base, forums, and spotlight eligibility, to name a few benefits.
Download the Azure Security Labs eBook from the Secure Style Store. These labs walk you through several fun, hands-on labs in Microsoft Azure, leaving you with the know-how to create a gig on Fiverr or Upwork to start your cybersecurity freelancing.
Some of our free resources include the Forums, the Knowledge Base, our True Entry Level SOC Analyst Jobs, Job Hunting Application Tracker, Resume Template, and Weekly Networking Checklist. Ensure you create an account or enter your email to stay informed of our free giveaways and promos, which we often offer.
Check out my latest book, Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success, 2nd edition, published June 1st, 2024, and winner of the 2024 Cybersecurity Excellence Awards and a finalist in the Best Book Awards. If you enjoy audiobooks, I suggest the Audible version, but you can also get it in beautiful paperback, kindle, or PDF versions. The downloadable PDF version can be grabbed here.