100+ Free SAL1 Practice Questions

Pass your TryHackMe Security Analyst Level 1 (SAL1) exam on the first try — instant access, no signup required.

2026 Statistics

Key Facts: SAL1 Exam (source: TryHackMe)

  • Passing Score: 750/1000
  • Exam Components: 80 MCQ + 2 Simulations
  • Exam Window: 24 hours
  • Score Distribution: 20% MCQ / 80% Practical
  • Exam Delivery: Browser-based
  • Difficulty Level: Entry–Intermediate

The TryHackMe Security Analyst Level 1 (SAL1) is a practical SOC analyst certification with a 24-hour exam window comprising 80 MCQ (200 pts / 20%) plus two SOC simulator scenarios (400 pts each / 40% each). Candidates need 750/1000 to pass. The exam uses a browser-based SOC environment with Splunk and email analysis tools.

Sample SAL1 Practice Questions

Try these sample questions to test your SAL1 exam readiness. Each question includes a detailed explanation. The full interactive quiz covers 100+ questions with AI tutoring.

1. A SOC analyst receives an alert classified as 'High' severity in the SIEM. The alert was triggered by a single failed login attempt from an internal IP address. What is the most appropriate first action?
A. Immediately escalate to Tier 2 and close the ticket
B. Enrich the alert by checking user context, asset criticality, and recent login history before assigning a verdict
C. Block the source IP address at the firewall without further investigation
D. Mark the alert as a True Positive and begin incident response procedures
Explanation: Alert triage requires enrichment before a verdict is assigned. A single failed login from an internal IP could be a user mistake; checking the user's role, asset criticality, and whether there are additional failed attempts helps classify the alert accurately as True Positive, False Positive, or Benign. Acting without enrichment leads to incorrect verdicts.
2. In the TryHackMe SOC Level 1 path, which framework ranks Indicators of Compromise (IoCs) by the level of difficulty they impose on an attacker when defenders detect and act on them?
A. MITRE ATT&CK
B. Cyber Kill Chain
C. Pyramid of Pain
D. Unified Kill Chain
Explanation: The Pyramid of Pain, developed by David Bianco, ranks IoCs from easiest to hardest for attackers to replace: Hash Values (trivial) at the bottom, up through IP Addresses, Domain Names, Network/Host Artifacts, Tools, and TTPs (Tactics, Techniques, and Procedures) at the top. Blocking TTPs imposes the greatest cost on an attacker.
3. An analyst examines a suspicious email and notes the 'From' display name shows 'IT Support <help@company.com>' but the actual 'Reply-To' header points to 'admin@malicious-domain.xyz'. Which phishing technique is being used?
A. Sender spoofing with reply-to manipulation
B. Typosquatting
C. Spear phishing with malware attachment
D. Business Email Compromise via account takeover
Explanation: Sender spoofing with reply-to manipulation is a common phishing technique where the visible 'From' field shows a trusted name/address to fool the recipient, while the 'Reply-To' header redirects any reply to an attacker-controlled address. This allows the attacker to intercept replies without needing access to the spoofed domain.
4. What does the SPF (Sender Policy Framework) DNS record do in email authentication?
A. Encrypts the email body using public key cryptography
B. Adds a cryptographic digital signature to each outgoing email header
C. Specifies which mail servers are authorized to send email on behalf of a domain
D. Instructs receiving mail servers on how to handle emails that fail authentication checks
Explanation: SPF is a DNS TXT record that lists the mail servers (by IP address, or indirectly through mechanisms such as 'include:', 'a' and 'mx') authorized to send email on behalf of a domain. The receiving server checks the connecting server's IP against the SPF record of the envelope sender domain (the MAIL FROM / Return-Path address), not the domain shown in the visible 'From' header. A failed SPF check is a strong phishing indicator, with two caveats a triage analyst should keep in mind: legitimate mail that has been forwarded often fails SPF, and an attacker who controls the envelope domain can pass SPF while still spoofing the header 'From'. DMARC closes that second gap by requiring the SPF (or DKIM) domain to align with the header 'From' domain. Option B describes DKIM and option D describes DMARC policy.
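The following script ties questions 3 and 4 together: it parses a message, flags a Reply-To or Return-Path domain that differs from the header From, and evaluates the ip4 mechanisms of an SPF record against the connecting server's address. It is an added example, not TryHackMe or SAL1 exam material; the raw message, the SPF record and the IP addresses are constructed for illustration, and company.com / malicious-domain.xyz are the placeholders from the question text.

```python
"""Phishing header triage: From/Reply-To mismatch and a minimal SPF check.

Added example for questions 3 and 4; it is not TryHackMe or SAL1 exam
material. The raw message and the SPF record are constructed for
illustration, and company.com / malicious-domain.xyz are placeholders taken
from the question text.
"""
import ipaddress
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample message, not a real capture. 203.0.113.7 is a
# documentation-range address standing in for the sending server.
RAW_EMAIL = b"""Return-Path: <bounce@malicious-domain.xyz>
Received: from mail.malicious-domain.xyz (mail.malicious-domain.xyz [203.0.113.7])
\tby mx.company.com with ESMTP id abc123; Mon, 3 Mar 2025 09:12:44 +0000
From: IT Support <help@company.com>
Reply-To: admin@malicious-domain.xyz
To: staff@company.com
Subject: Password reset required

Please reply with your current password to keep your account active.
"""

# Constructed SPF record for company.com; a real one is fetched as a DNS TXT record.
SPF_RECORD = "v=spf1 ip4:198.51.100.0/24 ip4:192.0.2.10 include:_spf.mailer.example -all"


def domain_of(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage_headers(raw):
    """Compare the header From domain with Reply-To and Return-Path.

    A Reply-To on a different domain is the reply-redirection trick from
    question 3; a Return-Path on a different domain means SPF was evaluated
    against a domain the recipient never sees in the From field.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    from_dom = domain_of(from_addr)
    findings = []
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"reply-to mismatch: From={from_addr} Reply-To={reply_addr}")
    if return_path and domain_of(return_path) != from_dom:
        findings.append(f"envelope mismatch: From={from_addr} Return-Path={return_path}")
    return {"from_name": from_name, "from_addr": from_addr, "findings": findings}


def spf_ip4_check(record, sender_ip):
    """Evaluate the ip4 mechanisms of an SPF record against the connecting IP.

    Returns (result, unresolved). 'include:' mechanisms need further DNS
    lookups, so they are reported in 'unresolved' rather than followed; a
    'fail' with unresolved includes is provisional until those are checked.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(sender_ip)
    unresolved = []
    for term in terms[1:]:
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass", unresolved
        elif term.startswith("include:"):
            unresolved.append(term)
        elif term == "-all":
            return "fail", unresolved
        elif term == "~all":
            return "softfail", unresolved
    return "neutral", unresolved


if __name__ == "__main__":
    report = triage_headers(RAW_EMAIL)
    print(f"From: {report['from_name']} <{report['from_addr']}>")
    for finding in report["findings"]:
        print("  !", finding)
    # Real SPF is checked against the Return-Path domain's record; the spoofed
    # header domain's record is used here to show that 203.0.113.7 is not an
    # authorized sender for company.com.
    print("SPF (company.com, 203.0.113.7):", spf_ip4_check(SPF_RECORD, "203.0.113.7"))
    print("SPF (company.com, 198.51.100.42):", spf_ip4_check(SPF_RECORD, "198.51.100.42"))
```

On the constructed message both findings fire, and the connecting IP is rejected by the '-all' of the spoofed domain's record. In a live triage the same lookup would be run against the Return-Path domain (malicious-domain.xyz here), which is exactly why a passing SPF on its own does not prove the From header is genuine.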
5. A SIEM alert fires for a successful authentication to an admin console from a known-clean internal IP at 2:14 AM on a weekend. The user account belongs to a software developer with no admin privileges. Which verdict is most appropriate?
A. False Positive — admin logins during off-hours are expected
B. Informational — log the event and take no further action
C. Benign True Positive — developer needed emergency access
D. True Positive — credential compromise or unauthorized access is highly probable
Explanation: Accessing an admin console with an account that has no admin privileges at an unusual time (2 AM weekend) is a strong indicator of credential compromise or privilege escalation. This is a True Positive requiring investigation and likely escalation. The combination of off-hours timing, non-admin account, and admin console access elevates suspicion significantly.
6. In the Cyber Kill Chain model developed by Lockheed Martin, at which stage does the attacker first interact with the target system by sending a malicious email with an infected attachment?
A. Reconnaissance
B. Weaponization
C. Delivery
D. Exploitation
Explanation: Delivery is the third stage of the Cyber Kill Chain, where the attacker transmits the weaponized payload to the target — for example, by sending a malicious email attachment, hosting a drive-by-download link, or using a USB drop. Reconnaissance gathers information about the target and Weaponization builds the payload; Delivery is the first stage at which that payload reaches the victim's systems, and Exploitation follows only once the delivered payload is opened or triggered.
7. When analyzing a packet capture in Wireshark, an analyst sees multiple TCP SYN packets sent to different ports on the same destination IP with no corresponding SYN-ACK responses. What activity is most likely occurring?
A. A legitimate web server establishing multiple TLS sessions
B. A TCP SYN flood DDoS attack against the destination
C. A port scan (e.g., nmap SYN scan) to discover open ports
D. A three-way handshake completing multiple simultaneous connections
Explanation: Many SYN packets from one source spread across different destination ports, with handshakes never completing, is the signature of a TCP SYN scan (also called a half-open or stealth scan). Tools like nmap send a SYN to each port and judge the reply: SYN-ACK means open (nmap then answers with RST instead of completing the handshake), RST means closed, and no reply usually means filtered. The distinction from a SYN flood (option B) is the spread: a scan sends one or a few SYNs to each of many ports, while a flood sends a high volume of SYNs at the same service port. This is one of the most common reconnaissance techniques visible in packet captures.
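The classifier below applies the distinction made in the explanation to a list of packet summaries: per source/destination pair it counts SYNs that never drew a SYN-ACK, treats many distinct probed ports as a scan and a high SYN count on one or two ports as a flood, and records which ports did answer (what the scanner learned). It is an added example rather than TryHackMe material; the packet list is constructed to stand in for a Wireshark export and the thresholds are illustrative, not tuned values.

```python
"""Classify unanswered TCP SYN activity in a packet summary: scan vs flood vs normal.

Added example for question 7; not TryHackMe or SAL1 material. The packet
list is constructed to stand in for a Wireshark export of
(src, dst, sport, dport, flags) tuples and is not a real capture.
"""
from collections import defaultdict


def build_sample_packets():
    """Constructed traffic: one normal handshake, one SYN scan, one SYN flood."""
    pkts = []
    # Normal client: SYN, SYN-ACK, ACK complete the handshake.
    pkts += [
        ("10.0.0.8", "10.0.0.20", 51000, 443, "S"),
        ("10.0.0.20", "10.0.0.8", 443, 51000, "SA"),
        ("10.0.0.8", "10.0.0.20", 51000, 443, "A"),
    ]
    # SYN scan: 10.0.0.5 probes ports 20-39 on 10.0.0.20. Closed ports answer
    # RST-ACK; open port 22 answers SYN-ACK and the scanner tears it down with RST.
    for i, port in enumerate(range(20, 40)):
        sport = 40000 + i
        pkts.append(("10.0.0.5", "10.0.0.20", sport, port, "S"))
        if port == 22:
            pkts.append(("10.0.0.20", "10.0.0.5", port, sport, "SA"))
            pkts.append(("10.0.0.5", "10.0.0.20", sport, port, "R"))
        else:
            pkts.append(("10.0.0.20", "10.0.0.5", port, sport, "RA"))
    # SYN flood: 198.51.100.9 sends 200 SYNs at port 80; nothing completes.
    for i in range(200):
        pkts.append(("198.51.100.9", "10.0.0.20", 1024 + i, 80, "S"))
    return pkts


def summarize_syn_activity(packets, scan_ports=10, flood_syns=100):
    """Per (src, dst) pair, count SYNs that never drew a SYN-ACK and judge the pattern.

    Thresholds are illustrative: many distinct ports with unanswered SYNs looks
    like a scan; a high SYN count concentrated on one or two ports looks like
    a flood. Ports that did answer SYN-ACK are reported as open_ports.
    """
    syns = defaultdict(set)   # (src, dst) -> {(sport, dport)}
    answered = set()          # (client, server, client_port, server_port) that got a SYN-ACK
    for src, dst, sport, dport, flags in packets:
        if flags == "S":
            syns[(src, dst)].add((sport, dport))
        elif flags == "SA":
            # The SYN-ACK travels server -> client, so swap to the client's view.
            answered.add((dst, src, dport, sport))

    verdicts = {}
    for (src, dst), flows in syns.items():
        unanswered = [f for f in flows if (src, dst, f[0], f[1]) not in answered]
        open_ports = sorted({dport for sport, dport in flows if (src, dst, sport, dport) in answered})
        ports_hit = {dport for _, dport in unanswered}
        if len(ports_hit) >= scan_ports:
            verdict = "port scan"
        elif len(unanswered) >= flood_syns and len(ports_hit) <= 2:
            verdict = "syn flood"
        else:
            verdict = "normal"
        verdicts[(src, dst)] = {
            "verdict": verdict,
            "unanswered_syns": len(unanswered),
            "ports_probed": len(ports_hit),
            "open_ports": open_ports,
        }
    return verdicts


if __name__ == "__main__":
    for pair, info in summarize_syn_activity(build_sample_packets()).items():
        print(pair, info)
```

Note that the scanner's SYN to port 22 is answered, so it is not counted as unanswered; the verdict rests on the 19 ports that replied RST or not at all, which is what "no corresponding SYN-ACK" looks like in a real capture.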
8. A Splunk SPL (Search Processing Language) query needs to count the number of failed login events per source IP in the last 24 hours. Which query structure is correct?
A. index=auth EventCode=4625 | stats count by src_ip | timechart span=1h
B. index=auth EventCode=4625 earliest=-24h | table count src_ip
C. index=auth EventCode=4625 earliest=-24h | stats count by src_ip
D. index=auth EventCode=4625 | where count > 5 | stats by src_ip
Explanation: Option C restricts the time range with 'earliest=-24h' (the time picker can do the same), then pipes to 'stats count by src_ip' to aggregate failed logons (EventCode 4625 is the Windows failed logon event) per source IP. Option A has no time bound and runs 'timechart' after 'stats' has already discarded '_time'; option B's 'table' only selects fields and never computes a count; option D filters on a 'count' field that does not exist until 'stats' has run. Note that 'src_ip' is a normalized (CIM-style) field name; in a raw 4625 event the client address is carried in the Source Network Address field, so confirm which field your Windows add-on populates before relying on the query.
9. What is the primary difference between an Indicator of Compromise (IoC) and an Indicator of Attack (IoA)?
A. IoCs are reactive — evidence that a breach occurred; IoAs are proactive — behaviors suggesting an attack is in progress
B. IoCs are produced by red teams; IoAs are produced by blue teams
C. IoAs are specific file hashes; IoCs are behavioral patterns
D. IoCs require a SIEM; IoAs can only be detected by EDR tools
Explanation: IoCs (Indicators of Compromise) are forensic artifacts — such as malicious IP addresses, file hashes, or domain names — that indicate a system has already been compromised. IoAs (Indicators of Attack) focus on the attacker's behaviors and intent, such as process injection attempts or lateral movement patterns, allowing detection while an attack is still in progress. IoAs enable earlier detection and response.
10. An analyst is reviewing Windows Security Event Log for signs of brute-force activity. Which Event ID indicates a successful Windows logon?
A. 4624
B. 4625
C. 4648
D. 4720
Explanation: Windows Security Event ID 4624 is generated for every successful account logon; 4625 records a failed logon, 4648 a logon with explicitly supplied credentials (for example via 'runas'), and 4720 the creation of a user account. SOC analysts pair 4624 with 4625 to detect brute-force success: a run of many 4625 events followed by a 4624 from the same source address is the pattern to look for. Filter on Logon Type as well (3 = network, 10 = RemoteInteractive/RDP) so that the success you match is the same kind of logon the failures were attempting, and check whether the failures targeted one account (brute force) or many (password spraying).
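The script below implements both detections from questions 8 and 10 over constructed events: a Python equivalent of 'stats count by src_ip' over the last 24 hours of 4625 events, and a check for a 4624 preceded by a burst of 4625s from the same source. It is an added example, not TryHackMe or SAL1 material. The events are constructed dicts shaped like Splunk-indexed Windows Security events, and the field names ('src_ip', 'user', 'LogonType') assume CIM-style normalization by the Windows add-on, which is an assumption rather than something the page states.

```python
"""Failed-logon aggregation and brute-force-success detection over Windows events.

Added example for questions 8 and 10; not TryHackMe or SAL1 material. The
events are constructed dicts shaped like Splunk-indexed Windows Security
events ('_time', 'EventCode', 'src_ip', 'user', 'LogonType'); the field
names assume CIM-style normalization, an assumption about the add-on in
use, not a fact from the page.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BASE = datetime(2025, 3, 3, 8, 0, tzinfo=timezone.utc)   # constructed reference time
NOW = BASE + timedelta(hours=1)                           # "now" for the 24-hour window


def build_sample_events():
    """Constructed events: a brute force that succeeds, a user's two typos, and a stale failure."""
    def ev(offset, code, src, user, logon_type=3):
        return {"_time": BASE + offset, "EventCode": code, "src_ip": src,
                "user": user, "LogonType": logon_type}

    events = []
    # 10.0.0.55: 30 failures against svc_backup over five minutes, then a success.
    for i in range(30):
        events.append(ev(timedelta(seconds=10 * i), 4625, "10.0.0.55", "svc_backup"))
    events.append(ev(timedelta(seconds=305), 4624, "10.0.0.55", "svc_backup"))
    # 10.0.0.12: alice mistypes twice, then logs in. Benign.
    events.append(ev(timedelta(minutes=20), 4625, "10.0.0.12", "alice"))
    events.append(ev(timedelta(minutes=20, seconds=15), 4625, "10.0.0.12", "alice"))
    events.append(ev(timedelta(minutes=20, seconds=40), 4624, "10.0.0.12", "alice"))
    # 10.0.0.99: one failure 30 hours ago, outside a 24-hour window.
    events.append(ev(-timedelta(hours=30), 4625, "10.0.0.99", "bob"))
    return events


def failed_logins_by_src(events, now=NOW, window=timedelta(hours=24)):
    """Python equivalent of: index=auth EventCode=4625 earliest=-24h | stats count by src_ip"""
    counts = defaultdict(int)
    for e in events:
        if e["EventCode"] == 4625 and now - window <= e["_time"] <= now:
            counts[e["src_ip"]] += 1
    return dict(counts)


def brute_force_successes(events, threshold=10, within=timedelta(minutes=15)):
    """Flag each 4624 preceded by at least 'threshold' 4625s from the same src_ip within 'within'.

    Failures are attributed to the source, not the account, so a spray that
    rotates usernames before landing on one still triggers; the accounts that
    were tried are returned so the analyst can tell brute force from spraying.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["_time"]):
        by_src[e["src_ip"]].append(e)

    hits = []
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if e["EventCode"] != 4624:
                continue
            fails = [f for f in evs[:i]
                     if f["EventCode"] == 4625 and e["_time"] - f["_time"] <= within]
            if len(fails) >= threshold:
                hits.append({
                    "src_ip": src,
                    "account": e["user"],
                    "logon_type": e["LogonType"],
                    "failed_before_success": len(fails),
                    "accounts_tried": sorted({f["user"] for f in fails}),
                    "success_time": e["_time"].isoformat(),
                })
    return hits


if __name__ == "__main__":
    events = build_sample_events()
    print("failed logons per source in the last 24h:", failed_logins_by_src(events))
    for hit in brute_force_successes(events):
        print("brute-force success:", hit)
```

The stale failure from 10.0.0.99 drops out of the 24-hour count, alice's two typos stay below the threshold, and 10.0.0.55 is reported with the account that was hit and the logon type of the success. The same two steps map onto the exam's Splunk workflow: the first function is the 'stats count by' aggregation, the second is the correlation you would write with 'transaction' or a 'streamstats'-style search once the noisy sources are known.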

About the SAL1 Exam

The TryHackMe SAL1 certifies entry-level SOC analyst skills across alert triage, SIEM operations, phishing analysis, network traffic analysis, and incident communication — validated through both an 80-question MCQ theory section and two hands-on SOC simulation assessments.

  • Questions: 80 scored questions
  • Time Limit: 24-hour window (60 min MCQ + 2 hr x 2 simulations)
  • Passing Score: 750/1000
  • Exam Fee: Included with TryHackMe Premium (check tryhackme.com for current pricing; source: TryHackMe)

SAL1 Exam Content Outline

  • ~25% Alert Triage & SOC Workflows: Alert classification verdicts, enrichment workflow, SOC tiers and escalation, workbooks, SOC metrics (MTTD/MTTR/MTTA), SOAR automation concepts
  • ~20% SIEM Evidence Interpretation: Splunk SPL (stats, dedup, lookup), Windows Event IDs, Sysmon events, Elastic Stack architecture, log correlation techniques
  • ~20% Phishing & Email Analysis: Email header forensics, SPF/DKIM/DMARC authentication, sender spoofing, typosquatting, URL parsing, double extension attacks
  • ~15% Network Traffic Analysis: OSI model, TCP handshake, port scanning detection, beaconing, DGA/DNS tunneling, ARP spoofing, HTTP analysis, SSL/TLS, Wireshark
  • ~15% Threat Intelligence & Cyber Defence Frameworks: MITRE ATT&CK, Pyramid of Pain, Cyber Kill Chain, Unified Kill Chain, IoC vs IoA, VirusTotal, MISP, CTI lifecycle
  • ~5% Suspicious Activity & Incident Response: Process tree analysis, PowerShell obfuscation, web shells, credential dumping, AD attacks, ransomware containment, incident reporting

How to Pass the SAL1 Exam

What You Need to Know

  • Passing score: 750/1000
  • Exam length: 80 questions
  • Time limit: 24-hour window (60 min MCQ + 2 hr x 2 simulations)
  • Exam fee: Included with TryHackMe Premium (check tryhackme.com for current pricing)

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

SAL1 Study Tips from Top Performers

1. Complete the full TryHackMe SOC Level 1 path in order — each module builds on the previous one
2. Memorize key Windows Event IDs: 4624 (logon success), 4625 (logon fail), 4688 (process creation), 4720 (user created), 4728 (member added to a security-enabled global group), 7045 (service installed; this one is written to the System log, not the Security log)
3. Practice reading email headers manually — understand SPF, DKIM, DMARC, and the Received chain for phishing triage, and remember that SPF is evaluated against the Return-Path domain rather than the visible From address
4. Know your Pyramid of Pain levels from bottom to top: Hash → IP → Domain → Network/Host Artifacts → Tools → TTPs
5. Practice Splunk SPL: 'stats count by', 'dedup', 'timechart', 'lookup', and 'table' are core commands for the exam
6. For the simulations, structure your case report like a journalist: Who, What, When, Where, How — then add IoCs and recommendations

Frequently Asked Questions

What is the TryHackMe SAL1 exam format?

The SAL1 exam has three components within a 24-hour window: 80 multiple-choice questions (200 points, 60 minutes), SOC Simulation 1 (400 points, 2 hours), and SOC Simulation 2 (400 points, 2 hours). The total is 1000 points and candidates need 750 to pass. The simulations use a browser-based SOC environment with Splunk dashboards and email analysis tools.

How hard is the TryHackMe SAL1 exam?

The SAL1 is rated entry-to-intermediate difficulty. Candidates who have completed the TryHackMe SOC Level 1 learning path and practiced the SOC simulator rooms report that the MCQ section tests foundational SOC concepts, while the simulation sections require practical investigation skills — alert triage, log analysis in Splunk, phishing email examination, and written case reporting.

What topics are covered in the SAL1 MCQ section?

The 80-question MCQ section covers: SOC workflows and alert triage concepts, SIEM fundamentals (Splunk and Elastic Stack), phishing and email authentication (SPF/DKIM/DMARC), network traffic analysis (OSI model, TCP, DNS, HTTP), cyber defence frameworks (Pyramid of Pain, Cyber Kill Chain, MITRE ATT&CK), threat intelligence basics, Windows event logs, and cryptography fundamentals.

Do I need a TryHackMe subscription to take the SAL1?

Yes. The SAL1 training content (SOC Level 1 learning path) and exam access require a TryHackMe Premium subscription. The exam voucher is typically included with qualifying subscription plans. Check tryhackme.com/certification/security-analyst-level-1 for current pricing and subscription requirements.

How should I prepare for the SAL1 SOC simulations?

Complete the full TryHackMe SOC Level 1 learning path, paying special attention to the SOC L1 Alert Triage, SOC L1 Alert Reporting, and SOC Simulator rooms. Practice writing case reports with timelines, IoCs, and recommended actions. Develop Splunk SPL query skills and practice analyzing phishing email headers. The simulations reward systematic investigation over speed.

What comes after SAL1 — what certification should I study for next?

TryHackMe's own progression leads to SAL2 (72-hour practical). Other logical next steps include CompTIA CySA+, Hack The Box CDSA (practical SOC lab), or Blue Team Level 1 (BTL1) from Security Blue Team. These certifications build on SAL1 foundations with deeper SIEM operations, threat hunting, and digital forensics skills.