100+ Free PSAA Practice Questions

Practical SOC Analyst Associate (PSAA) practice questions are available now; exam metadata is being verified.


Key Facts: PSAA Exam (source: TCM Security)

Exam cost (incl. course): $249
Practical assessment window: 2 days
Incident report submission: 2 days
SOC 101 course length: 30+ hours
Certification validity: Lifetime
Retake included: 1 free

The PSAA (Practical SOC Analyst Associate) is TCM Security's entry-level blue team certification. The 2-day practical exam simulates real SOC work—analyzing phishing emails, network packet captures, SIEM alerts, and EDR telemetry—followed by a 2-day window to submit an incident report. It costs $249 (includes SOC 101 course access and one free retake) and does not expire. This 100-question practice bank prepares candidates with testable knowledge from all PSAA domains.

Sample PSAA Practice Questions

Try these sample questions to test your PSAA exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. When analyzing an email for phishing indicators, which header field most reliably reveals the actual sending mail server's IP address?
A. From:
B. Reply-To:
C. Received:
D. X-Originating-IP:
Explanation: The 'Received:' header chain records every mail server the message passed through, with the topmost entry added by the receiving server. Because each hop adds a new Received line in order, the oldest entry (bottom of the chain) contains the originating server's IP. Forged From: and Reply-To: values are trivial for attackers to set, making Received: the most reliable field for source attribution.

2. An email passes SPF checks but fails DMARC. Which scenario best explains this?
A. The email was sent from an authorized IP but the From: domain does not align with the SPF-authenticated domain.
B. The email was sent from an unauthorized IP and the SPF record is missing.
C. DMARC cannot fail if SPF passes; the configuration is incorrect.
D. The email was signed with DKIM but the DKIM key was revoked.
Explanation: DMARC requires alignment: the domain in the RFC 5322 From: header must match the domain authenticated by SPF (envelope sender) or DKIM. A forwarded or indirect mail flow can pass SPF on the envelope but still fail DMARC because the From: domain differs from the envelope domain. This SPF-pass/DMARC-fail scenario is a common phishing technique called cousin-domain spoofing.

3. A SOC analyst receives a suspicious email with a URL: https://paypa1-secure.login.example.com/verify. What phishing technique does this URL demonstrate?
A. Typosquatting on the target brand's domain
B. Subdomain spoofing using a trusted brand keyword
C. DNS hijacking of the legitimate domain
D. Homograph attack using Unicode characters
Explanation: The URL uses 'paypa1' as a subdomain of example.com, placing a brand-like keyword at the left of the hostname to deceive a casual reader who only looks at the start of the URL. This is subdomain spoofing: the attacker controls example.com and creates any subdomain they wish. The actual domain (example.com) is entirely different from PayPal.

4. Which tool is specifically designed to detonate suspicious email attachments in an isolated environment to observe malicious behavior without risking production systems?
A. Wireshark
B. Any.run or Cuckoo Sandbox
C. Splunk
D. Volatility
Explanation: Any.run and Cuckoo Sandbox are malware sandboxing platforms that execute suspicious files in isolated virtual environments, recording process creation, network connections, file system changes, and registry modifications. This allows analysts to observe malicious behavior safely. Sandboxing is a core step when analyzing email attachments whose hash has no reputation hits.

5. During phishing triage, an analyst finds the sender domain was registered 2 days ago. Why is this significant?
A. Newly registered domains are blocked by all email gateways by default.
B. A very low domain age is a strong indicator of a throwaway phishing domain.
C. Attackers always register domains in advance, making recent registration normal.
D. Domain age only matters for DKIM verification, not phishing assessment.
Explanation: Threat actors commonly register new domains immediately before phishing campaigns, giving defenders little time to blocklist them. A domain age of 1–7 days combined with suspicious email content is a high-confidence phishing indicator. WHOIS lookups and passive DNS data revealing low domain age are standard enrichment steps in phishing triage workflows.

6. A Wireshark capture shows a host making hundreds of DNS queries per minute to a single domain with long random-looking subdomains (e.g., a1b2c3d4e5.evil.com). What activity does this most likely indicate?
A. Normal CDN traffic
B. DNS amplification DDoS attack
C. DNS tunneling used for data exfiltration or C2
D. Legitimate recursive DNS resolution
Explanation: DNS tunneling encodes data in DNS query and response fields to bypass network controls. Attackers encode exfiltrated data or C2 commands as long, random-looking subdomains. A high volume of queries with lengthy, randomized hostnames under a single domain is a classic DNS tunneling fingerprint. Tools like iodine and dnscat2 implement this technique.

7. Which Wireshark display filter would isolate only HTTP POST requests from captured traffic?
A. http.method == POST
B. http.request.method == "POST"
C. tcp.port == 80 and method == "POST"
D. http.response.code == 200
Explanation: The correct Wireshark display filter syntax is http.request.method == "POST". This filters the packet list to show only HTTP packets where the request method is POST, which is useful for identifying credential submission, data exfiltration, or C2 callback traffic over unencrypted HTTP.

8. An analyst observes repeated TCP SYN packets from one external IP to multiple ports on an internal host with no SYN-ACK responses. What does this pattern indicate?
A. A completed TCP three-way handshake
B. A TCP port scan (SYN scan / half-open scan)
C. TCP session hijacking
D. A denial-of-service SYN flood targeting the firewall
Explanation: A SYN scan (also called a half-open scan) sends TCP SYN packets to multiple ports without completing the three-way handshake. Closed ports respond with RST; filtered ports send nothing. The absence of SYN-ACK responses to most probes while SYNs continue across many ports is the signature of port scanning, used by attackers for host and service discovery (nmap -sS).

9. In network traffic analysis, what characteristic best identifies beaconing behavior associated with C2 communication?
A. Sporadic, high-bandwidth bursts to CDN IP addresses
B. One-time large data transfers over SFTP
C. Regular, periodic outbound connections to the same external host at consistent intervals
D. High-volume inbound ICMP echo replies
Explanation: C2 beaconing is characterized by malware periodically checking in with its command-and-control server at regular intervals (e.g., every 60 seconds). Analysts look for consistent inter-packet timing, small payload sizes, and repeated connections to the same external IP or domain. Statistical analysis of connection intervals (jitter analysis) can detect even beacons with added randomness.

10. What does the Wireshark 'Follow TCP Stream' feature allow an analyst to do?
A. Block a TCP connection in real time
B. Reconstruct the full application-layer conversation between two endpoints
C. Decrypt TLS-encrypted traffic automatically
D. Identify the operating system of a remote host from TCP fingerprints
Explanation: Follow TCP Stream reassembles the full byte sequence exchanged between two endpoints across multiple packets, displaying the conversation in readable form. This is invaluable for reconstructing plaintext HTTP sessions, FTP commands, SMTP conversations, or any clear-text protocol payload that spans multiple TCP segments.

About the PSAA Practice Questions

Verified exam format metadata for Practical SOC Analyst Associate (PSAA) is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.