100+ Free CSA Practice Questions

Pass your Certified SOC Analyst (CSA v2) exam on the first try — instant access, no signup required.

  • No registration
  • No credit card
  • No hidden fees
  • Start practicing immediately
Key Facts: CSA Exam (2026 Statistics)

  • Exam Questions: 100 (source: EC-Council)
  • Passing Score: 70% (source: EC-Council)
  • Exam Duration: 3 hours (source: EC-Council)
  • Exam Fee: $250 (source: EC-Council)
  • Content Domains: 8 (source: CSA v2 Blueprint)
  • Certification Validity: 3 years (ECE required)

The CSA exam (312-39) has 100 multiple-choice questions in 3 hours with a 70% passing score and a $250 voucher fee. The v2 blueprint covers SOC fundamentals (5%), cyber threats and IoCs (8%), log management (15%), SIEM-based incident detection (25%), threat intelligence (12%), incident response (25%), forensics and malware analysis (5%), and cloud SOC (5%).

Sample CSA Practice Questions

Try these sample questions to test your CSA exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which SOC analyst tier is primarily responsible for the initial triage and validation of incoming alerts?
A. Tier 1
B. Tier 2
C. Tier 3
D. SOC Manager
Explanation: Tier 1 SOC analysts perform initial triage — they monitor SIEM dashboards, validate alerts, classify incidents, and either close false positives or escalate true positives to Tier 2. Tier 2 conducts deeper investigation, Tier 3 performs threat hunting and handles complex incidents, and the SOC Manager oversees operations and reporting.

2. Which three pillars form the foundation of effective SOC operations?
A. Hardware, Software, and Firmware
B. People, Process, and Technology
C. Confidentiality, Integrity, and Availability
D. Detection, Response, and Recovery
Explanation: The People, Process, and Technology (PPT) framework is the foundation of SOC operations. People are the analysts and engineers, Process defines workflows and playbooks, and Technology includes SIEM, EDR, and ticketing tools. A weakness in any pillar undermines the entire SOC.

3. An organization wants to retain control over its security data and analysts but does not want to manage SIEM infrastructure. Which SOC model best fits this requirement?
A. Fully outsourced SOC (MSSP)
B. Co-managed (hybrid) SOC
C. Virtual SOC with no internal staff
D. Dedicated in-house SOC
Explanation: A co-managed (hybrid) SOC keeps analysts and data ownership in-house while outsourcing infrastructure, 24/7 monitoring, or specific functions to a managed provider. This balances control with operational cost and is the standard approach for mid-size enterprises that want internal context without staffing a full 24/7 team.

4. Which SOC KPI measures the average time between when an incident occurs and when it is detected?
A. Mean Time to Respond (MTTR)
B. Mean Time to Detect (MTTD)
C. Mean Time Between Failures (MTBF)
D. Mean Time to Containment (MTTC)
Explanation: Mean Time to Detect (MTTD) measures the average time between the start of an incident and its detection by the SOC. Reducing MTTD is critical because attacker dwell time directly correlates with damage. MTTR measures detection-to-response, MTBF is a reliability metric, and MTTC measures detection-to-containment.

5. At which SOC maturity level does the organization establish formal documentation, repeatable processes, and consistent metrics, but still relies on manual analyst work?
A. Initial
B. Managed
C. Defined
D. Optimized
Explanation: At the Defined maturity level, the SOC has documented processes, runbooks, and metrics that produce consistent results, but heavy automation and continuous improvement are not yet in place. Initial is ad-hoc, Managed adds basic processes, Defined formalizes them, Quantitatively Managed measures, and Optimized continuously improves with automation.
6. An attacker uses ARP spoofing to position themselves between a victim and the gateway. Which type of attack is this?
A. Denial of service
B. Man-in-the-middle (MitM)
C. Privilege escalation
D. SQL injection
Explanation: ARP spoofing redirects traffic by sending forged ARP replies that map the gateway's IP to the attacker's MAC address. This positions the attacker between victim and gateway as a Man-in-the-Middle, allowing them to intercept, modify, or drop traffic. SOC analysts detect this through ARP table changes, duplicate IP/MAC mappings, and anomalous ARP traffic volume.
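The three detection signals named in that explanation (an IP whose MAC changes, one MAC claiming several IPs, and a burst of ARP replies) can be checked from a stream of ARP reply records. The following is an added example, not code from the original page or from EC-Council; the LAN addresses, the gateway IP the detector is configured with, and the reply records are all constructed for the demo.

```python
"""Added example: flag the ARP-spoofing symptoms a SOC analyst looks for,
run over a constructed capture of ARP "is-at" replies.

Each record is (timestamp_seconds, sender_ip, sender_mac). Every address
below is constructed; GATEWAY_IP is an assumed configuration value.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"            # assumed gateway for this constructed LAN
GW_MAC = "aa:bb:cc:00:00:01"          # constructed legitimate gateway MAC
ATTACKER_MAC = "de:ad:be:ef:00:02"    # constructed rogue MAC

# Constructed sample capture: normal replies, then a second MAC claiming the
# gateway IP and the victim's IP, followed by a burst of gratuitous replies.
SAMPLE_ARP_REPLIES = [
    (0.0, GATEWAY_IP, GW_MAC),
    (1.0, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (2.0, GATEWAY_IP, ATTACKER_MAC),
    (2.5, "192.168.1.20", ATTACKER_MAC),
    (3.0, GATEWAY_IP, ATTACKER_MAC),
    (3.2, GATEWAY_IP, ATTACKER_MAC),
    (3.4, GATEWAY_IP, ATTACKER_MAC),
]


def analyse_arp(replies, gateway_ip=GATEWAY_IP, rate_limit=3, window=2.0):
    """Return findings keyed by symptom; replies must be in time order."""
    ip_to_macs = defaultdict(set)     # IP -> every MAC that has claimed it
    mac_to_ips = defaultdict(set)     # MAC -> every IP it has claimed
    reply_times = defaultdict(list)   # MAC -> recent reply timestamps
    flagged_multi, flagged_flood = set(), set()   # fire each per-MAC rule once
    findings = {"ip_mac_change": [], "gateway_impersonation": [],
                "mac_multiple_ips": [], "reply_flood": []}

    for ts, ip, mac in replies:
        # Symptom 1: an IP we already know is now mapped to a different MAC.
        known = ip_to_macs[ip]
        if known and mac not in known:
            findings["ip_mac_change"].append((ts, ip, sorted(known), mac))
            if ip == gateway_ip:      # the classic MitM position
                findings["gateway_impersonation"].append((ts, mac))
        known.add(mac)

        # Symptom 2: one MAC claims more than one IP (duplicate mappings).
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1 and mac not in flagged_multi:
            flagged_multi.add(mac)
            findings["mac_multiple_ips"].append((ts, mac, sorted(mac_to_ips[mac])))

        # Symptom 3: more than rate_limit replies from one MAC inside the window.
        times = reply_times[mac]
        times.append(ts)
        while times and ts - times[0] > window:
            times.pop(0)
        if len(times) > rate_limit and mac not in flagged_flood:
            flagged_flood.add(mac)
            findings["reply_flood"].append((ts, mac, len(times)))

    return findings


if __name__ == "__main__":
    for symptom, hits in analyse_arp(SAMPLE_ARP_REPLIES).items():
        print(symptom, hits)
```

Each signal on its own has benign explanations (a gateway failover moves the gateway IP to a new MAC, a host with several addresses legitimately answers for all of them), so the findings are triage input rather than a verdict; the gateway IP changing MAC while the same MAC also floods replies is the combination worth escalating.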
7. Which of the following is an Indicator of Compromise (IoC) rather than an Indicator of Attack (IoA)?
A. PowerShell encoding a command and connecting to an external IP
B. A SHA-256 file hash known to belong to a Cobalt Strike beacon
C. A user creating multiple accounts with admin privileges in rapid succession
D. Lateral movement using PsExec across several hosts
Explanation: IoCs are forensic artifacts of past or ongoing compromise — file hashes, IP addresses, domain names, registry keys. IoAs describe attacker behavior in progress regardless of specific artifacts. A SHA-256 hash is a classic IoC; the other options describe behaviors (encoded PowerShell, account creation, lateral movement) that are IoAs.

8. In the MITRE ATT&CK framework, which tactic covers techniques attackers use to maintain access to a system across reboots?
A. Initial Access
B. Persistence
C. Defense Evasion
D. Exfiltration
Explanation: Persistence (TA0003) covers techniques attackers use to maintain footholds across reboots, credential changes, or other interruptions. Examples include Run keys (T1547.001), scheduled tasks (T1053), WMI event subscriptions (T1546.003), and service installation. Initial Access is the entry vector, Defense Evasion hides activity, and Exfiltration moves data out.

9. Which stage of the Lockheed Martin Cyber Kill Chain involves delivering the malicious payload to the target via email, USB, or compromised website?
A. Reconnaissance
B. Weaponization
C. Delivery
D. Installation
Explanation: The Cyber Kill Chain Delivery phase covers transmission of the weaponized payload to the target — via phishing email, USB drop, watering hole, or other vectors. Reconnaissance is target research, Weaponization couples exploit and payload, Exploitation triggers the code, Installation establishes persistence, C2 communicates with the attacker, and Actions on Objectives achieves the goal.

10. An employee with legitimate access copies sensitive files to a USB drive on their last day before resigning. Which threat category does this represent?
A. External attacker with stolen credentials
B. Insider threat (malicious insider)
C. Supply chain attack
D. Drive-by download
Explanation: A malicious insider is an authorized user who intentionally abuses their access for personal gain or harm to the organization. Departing employees stealing data is a classic insider threat scenario detected via DLP, USB monitoring, and unusual file access patterns near termination dates. The other options describe external or third-party threat vectors.

About the CSA Exam

The Certified SOC Analyst (CSA v2) validates Tier I and Tier II SOC analyst skills in security operations, log management, SIEM deployment, alert triage, threat intelligence, incident response, and cloud SOC architectures. CSA prepares analysts to monitor, detect, triage, and respond to security incidents using modern SIEM and EDR/XDR platforms.

  • Questions: 100 scored questions
  • Time Limit: 3 hours
  • Passing Score: 70%
  • Exam Fee: $250 (exam voucher) (EC-Council / Pearson VUE)

CSA Exam Content Outline

  • Security Operations and Management (5%): SOC fundamentals, workflow, people/process/technology model, SOC types, maturity models, KPIs, and best practices
  • Cyber Threats, IoCs, and Attack Methodology (8%): Network/host/application/email/insider TTPs, social engineering, IoCs, MITRE ATT&CK, and Cyber Kill Chain
  • Log Management (15%): Windows/Linux/Mac logs, firewall, router, web server, database, and email logs; centralized logging architecture
  • Incident Detection and Triage (SIEM) (25%): SIEM architecture, deployment, use case management, correlation rules, AI-assisted rules, alert triage, dashboards, and SOC reports
  • Proactive Threat Detection (12%): Threat intelligence types, sources, TIPs, threat-intel-driven SOC, threat hunting frameworks, PowerShell and YARA
  • Incident Response (25%): IR phases, network/application/email/insider/malware response, SOC playbooks, and EDR/XDR workflows
  • Forensics Investigation and Malware Analysis (5%): Forensic investigation principles, network/email/insider investigations, static and dynamic malware analysis
  • Introduction to Cloud SOC (5%): Azure SOC with Microsoft Sentinel, AWS SOC with Security Hub, GCP SOC with Chronicle and Security Command Center

How to Pass the CSA Exam

What You Need to Know

  • Passing score: 70%
  • Exam length: 100 questions
  • Time limit: 3 hours
  • Exam fee: $250 (exam voucher)

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CSA Study Tips from Top Performers

1. Memorize the SOC tier structure — Tier 1 triages alerts, Tier 2 investigates, Tier 3 hunts and handles complex incidents
2. Master Windows event IDs: 4624 (logon), 4625 (failed logon), 4688 (process creation), 4768/4769 (Kerberos TGT/TGS)
3. Understand the difference between IOCs (what happened) and IOAs (what is happening) and when to use each
4. Learn SIEM correlation rule logic — threshold, sequence, and statistical rules with time windows and aggregation
5. Study the MITRE ATT&CK matrix tactics and how SOC analysts map alerts to specific techniques and sub-techniques
6. Practice the Cyber Kill Chain stages and which detection controls disrupt each phase
7. Know the difference between EDR (endpoint focus) and XDR (cross-domain) and when each provides better visibility
8. Study cloud-native SOC tooling: Microsoft Sentinel (Azure), AWS Security Hub + GuardDuty, Chronicle (GCP)
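Tips 2 and 4 come together in the most common SIEM use case: a threshold rule over failed logons (event ID 4625) with a time window, chained into a sequence rule that fires when a successful logon (4624) follows the burst for the same source and account. The block below is an added example written for this page, not EC-Council's material or any vendor's rule syntax; the event IDs are the real Windows Security IDs named in the tips, while the events, IP addresses and account names are constructed.

```python
"""Added example: a minimal SIEM-style correlation engine that implements a
threshold rule and a sequence rule over Windows Security logon events.

Event IDs 4624 (successful logon) and 4625 (failed logon) are real Windows
Security IDs; the events, IPs and account names are constructed for the demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry: (timestamp, event_id, source_ip, account).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:05", 4625, "10.0.0.7", "jsmith"),
    ("2024-05-01T09:00:11", 4625, "10.0.0.7", "jsmith"),
    ("2024-05-01T09:00:20", 4625, "10.0.0.7", "jsmith"),
    ("2024-05-01T09:00:29", 4625, "10.0.0.7", "jsmith"),
    ("2024-05-01T09:00:35", 4625, "10.0.0.7", "jsmith"),
    ("2024-05-01T09:01:02", 4624, "10.0.0.7", "jsmith"),   # success after the burst
    ("2024-05-01T09:03:00", 4625, "10.0.0.9", "alee"),     # a single typo: no alert
    ("2024-05-01T09:03:40", 4624, "10.0.0.9", "alee"),
]

THRESHOLD = 5                    # failed logons needed to fire the threshold rule
WINDOW = timedelta(minutes=5)    # sliding window shared by both rules


def correlate(events, threshold=THRESHOLD, window=WINDOW):
    """Return alerts as (rule_name, source_ip, account, timestamp) tuples.

    Events must arrive in chronological order, as a SIEM pipeline delivers them.
    """
    failures = defaultdict(deque)   # source_ip -> timestamps of recent 4625 events
    pending = {}                    # (source_ip, account) -> time the threshold fired
    alerts = []

    for ts_str, event_id, src_ip, account in events:
        ts = datetime.fromisoformat(ts_str)

        if event_id == 4625:
            # Threshold rule: count failures per source inside the sliding window.
            q = failures[src_ip]
            q.append(ts)
            while q and ts - q[0] > window:   # age out failures older than the window
                q.popleft()
            if len(q) == threshold:           # fire once, as the threshold is crossed
                alerts.append(("threshold_failed_logons", src_ip, account, ts))
                pending[(src_ip, account)] = ts

        elif event_id == 4624:
            # Sequence rule: a success for the same source/account within the
            # window after a threshold hit is the brute-force-succeeded pattern.
            key = (src_ip, account)
            fired_at = pending.get(key)
            if fired_at is not None and ts - fired_at <= window:
                alerts.append(("sequence_bruteforce_success", src_ip, account, ts))
                del pending[key]

    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The sequence alert is the one to prioritise in triage: a threshold hit alone is often a misconfigured service account or a user who forgot a password, whereas a success immediately after a failure burst from the same source is what a password-guessing attack looks like when it works. Aggregating by source IP rather than by account is a design choice; the same engine keyed on account catches password spraying, where one account sees a few failures from many sources.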

Frequently Asked Questions

What is the CSA exam format?

The CSA exam (312-39) consists of 100 multiple-choice questions to be completed in 3 hours. The passing score is 70%, though EC-Council uses a 'cut score' that can range from 60-85% depending on the exam form. Questions cover SOC operations, log management, SIEM, threat intelligence, incident response, and cloud SOC.

How much does the CSA certification cost?

The CSA exam voucher costs approximately $250. Training packages are available from EC-Council and authorized partners at various price points. Self-study candidates may need to submit an eligibility application with an application fee.

What is the difference between CSA and ECIH?

CSA focuses on Tier I/II SOC analyst skills — monitoring, log analysis, SIEM operations, alert triage, and initial incident detection. ECIH focuses on the formal incident handling lifecycle, malware analysis, forensics, and cloud incident response after a confirmed incident. CSA feeds into ECIH as a natural career progression.

Does CSA cover specific SIEM platforms?

CSA v2 is vendor-neutral but covers SIEM concepts that map to leading platforms including Splunk, IBM QRadar, ELK/Elastic Security, and Microsoft Sentinel. The blueprint emphasizes SIEM architecture, use case management, correlation rules, and alert triage rather than vendor-specific syntax.

What jobs can I get with a CSA certification?

CSA certification prepares you for roles including Tier I and Tier II SOC Analyst, Security Monitoring Analyst, SIEM Engineer, Threat Detection Analyst, Cybersecurity Analyst, and Junior Threat Hunter. CSA aligns with the NICE Cybersecurity Workforce Framework for federal cybersecurity roles.