Interview Simulation for Cybersecurity Analyst Position
Uploaded by iamwhitedevil210

INTERVIEW

SIMULATION FOR
CYBERSECURITY
ANALYST POSITION
(L1, L2, L3) FROM
VARIOUS
BACKGROUNDS
COMPLETE WITH ATS
RESUME EXAMPLES

BY IZZMIER IZZUDDIN
SIMULATED ATS-FRIENDLY RESUME TAILORED FOR A NEW
GRADUATE WITH SOC INTERNSHIP EXPERIENCE
RESUME

WAYNE ROONEY
Location: Old Trafford, Greater Manchester | Phone: +1 (123) 456-7890
Email: wayne.rooney@izzmier.com | LinkedIn: linkedin.com/in/wayne-rooney

OBJECTIVE
Motivated and detail-oriented recent graduate with hands-on SOC internship experience
seeking an entry-level position as a Cybersecurity Analyst (L1). Eager to leverage
knowledge in threat monitoring, log analysis and incident response to enhance
organisational security posture.

EDUCATION
Bachelor of Science in Computer Science
University of Champions, Goal City, GC | Graduated: May 2024
• GPA: 3.8/4.0
• Relevant Courses: Cybersecurity Fundamentals, Network Security, Threat Hunting, SIEM Tools

CERTIFICATIONS
• CompTIA Security+ | Issued: June 2024
• Certified SOC Analyst (CSA) | Issued: August 2024
• Splunk Core Certified User | Issued: September 2024

TECHNICAL SKILLS
• SIEM Tools: Splunk, QRadar, AlienVault
• Networking: TCP/IP, DNS, Firewalls, VPNs
• Scripting: Python, Bash
• Log Analysis & Threat Detection
• Vulnerability Management: Nessus, OpenVAS
• Incident Response Procedures
PROFESSIONAL EXPERIENCE
SOC Intern | Defenders Cybersecurity Services, Goal City, GC | May 2024 – August 2024
• Monitored and analysed security events using Splunk to detect anomalies and potential
threats.
• Conducted log correlation to identify malicious activities, reducing false positives by
25%.
• Assisted in incident triaging and escalation, following standard incident response
procedures.
• Drafted detailed reports on security incidents for senior analysts.
• Supported the configuration of SIEM dashboards for enhanced monitoring capabilities.

PROJECTS
Home Cybersecurity Lab
• Built and configured a virtual SOC environment using VMware, Splunk and Kali Linux.
• Simulated attacks like phishing, malware infections and brute force to practice
detection and response.
Phishing Detection Script
• Developed a Python script to analyse email headers and detect phishing attempts.
• Successfully flagged 95% of test cases during validation.

VOLUNTEER EXPERIENCE
IT Security Assistant | Footballers United Charity Foundation, Goal City, GC | March 2023 – April 2023
• Educated staff on password hygiene and phishing prevention.
• Conducted basic network security assessments to identify potential vulnerabilities.

REFERENCES
Bryan Robson, Senior Cybersecurity Analyst, Defenders Cybersecurity Services | Phone: +1 (123) 987-6543 | Email: bryan.robson@company.com
Denis Irwin, IT Security Consultant, Footballers United Charity Foundation | Phone: +1 (123) 567-8901 | Email: Denis.Irwin@company.com
INTERVIEW SIMULATION FOR WAYNE ROONEY, A NEW
GRADUATE FOR ANALYST L1 ROLE
PART 1: INTRODUCTION AND MOTIVATION

Interviewer: Good morning, Wayne. Welcome to the interview for the Cybersecurity
Analyst (L1) position. I hope you’re doing well.

Candidate (Wayne): Good morning! Thank you for having me. I’m excited about the
opportunity and looking forward to our discussion.

Interviewer: Let’s start with you introducing yourself. Could you walk me through your
background and what led you to pursue a career in cybersecurity?

Candidate: Sure! I recently graduated with a Bachelor’s degree in Computer Science from
the University of Champions, where I developed a strong interest in cybersecurity. During
my studies, I took courses like Cybersecurity Fundamentals, Network Security and Threat
Hunting, which laid a solid foundation for my understanding of the field. I also completed
an SOC internship at Defenders Cybersecurity Services, where I gained hands-on
experience in threat monitoring, log analysis and incident response. My motivation to
pursue cybersecurity comes from my passion for problem-solving and my desire to protect
organisations from cyber threats. I’m particularly drawn to the dynamic and ever-evolving
nature of the field.

Interviewer: That’s great to hear. Could you share why you’re interested in this specific
role and our organisation?

Candidate: I’m interested in this role because it aligns perfectly with my skills and career
aspirations. Your organisation’s reputation for innovative security solutions and its focus
on proactive threat management resonate with my professional goals. I believe this role
would provide me with an excellent opportunity to apply my knowledge and grow as a
cybersecurity professional.

PART 2: TECHNICAL SKILLS AND COMPETENCIES

Interviewer: Let’s move on to some technical questions. Can you explain the differences
between a stateful and a stateless firewall?

Candidate: A stateful firewall tracks the state of active connections and makes decisions
based on the context of the traffic, such as its history and connection state. For example, it
remembers whether a request was initiated from within the network and allows the
corresponding response. In contrast, a stateless firewall filters packets based solely on
predefined rules like source and destination IP addresses, ports and protocols, without
keeping track of connection states.

Interviewer: Great explanation! Next, let’s talk about SIEM tools. You’ve worked with
Splunk during your internship. Can you describe a scenario where you used Splunk to
identify a security incident?

Candidate: Certainly! During my internship, I was monitoring Splunk dashboards when I
noticed unusual login attempts from a foreign IP address. Using log correlation, I
discovered a brute force attack targeting one of the company’s servers. I verified the
anomaly by checking for failed login attempts followed by a successful login within a short
timeframe. I escalated the incident to senior analysts after triaging and documenting the
findings, which allowed the team to block the IP and reset the compromised credentials.

Interviewer: That’s a good example. How would you respond if you saw a potential
phishing attack targeting your organisation?

Candidate: If I detected a potential phishing attack, I would first confirm its legitimacy by
analysing email headers and any URLs embedded in the message. Next, I’d isolate any
affected accounts or endpoints and check for further compromise. I would document the
incident, escalate it to the appropriate team and recommend measures like blocking the
sender’s domain and updating the email filters. Additionally, I’d collaborate with the
training team to educate employees on recognising phishing attempts.

PART 3: BEHAVIOURAL QUESTIONS

Interviewer: Cybersecurity often involves high-pressure situations. Can you describe a
time when you faced a challenging situation and how you handled it?

Candidate: During my SOC internship, there was an instance where we received multiple
alerts for potential ransomware activity. The volume of alerts was overwhelming and it was
critical to prioritise effectively. I used Splunk to filter and group similar alerts, focusing first
on those affecting high-priority assets. By coordinating with the team, we identified the
root cause and mitigated the issue within a few hours. It was a challenging situation, but I
learned the importance of staying calm and working methodically.

Interviewer: That’s a strong example. How do you stay updated on the latest cybersecurity
threats and trends?

Candidate: I regularly follow reputable cybersecurity blogs and forums, such as Krebs on
Security and the SANS Internet Storm Center. I also attend webinars and have subscribed
to threat intelligence feeds to stay informed about emerging threats. Additionally, I engage
in hands-on practice through my home lab to experiment with the latest tools and attack
techniques.
PART 4: SCENARIO-BASED QUESTIONS

Interviewer: Let’s work through a scenario. Suppose you receive an alert about suspicious
outbound traffic from a user’s endpoint to an unknown IP address. How would you handle
this?

Candidate: I would start by validating the alert to ensure it’s not a false positive. This
involves analysing the traffic logs to identify the protocol, destination IP and the type of
data being transmitted. Next, I’d check for any associated anomalies, like new processes
running on the endpoint or unusual behaviour from the user’s account. If the alert is
confirmed, I’d isolate the endpoint to prevent further communication, gather evidence for
analysis and escalate the incident to the appropriate team. Lastly, I’d recommend a root
cause analysis and preventive measures, such as blocking the destination IP and
educating the user.

Interviewer: Well done! What if you’re unable to identify the root cause of an alert quickly?

Candidate: If the root cause isn’t immediately clear, I’d focus on containment measures
to minimise potential impact, such as isolating affected systems or accounts. I’d then
document all findings and escalate the issue to more experienced analysts or the threat
intelligence team for further investigation. Collaboration and thorough documentation are
key in such cases.

PART 5: CLOSING AND QUESTIONS

Interviewer: That concludes the main portion of our interview. Do you have any questions
for me?

Candidate: Yes, I do. Thank you for asking. I’m curious about the training and development
opportunities available for entry-level analysts in your organisation. How does your team
foster skill development?

Interviewer: We place a strong emphasis on learning and growth. New hires undergo
structured onboarding and continuous training, including access to industry certifications,
workshops and mentorship programs. You’d also have opportunities to rotate across
different cybersecurity functions to broaden your experience.

Candidate: That sounds excellent! My other question is, what does success look like for
someone in this role during their first six months?

Interviewer: Success involves quickly adapting to our processes, effectively triaging and
escalating incidents and demonstrating a proactive approach to learning. Showing
consistent improvement in handling alerts and contributing to the team’s objectives are
key indicators of success.

Candidate: Thank you for the insights! I’m excited about the possibility of contributing to
your team.

Interviewer: Thank you, Wayne. It was a pleasure speaking with you. We’ll be in touch
soon regarding the next steps.

Candidate: Likewise, thank you for the opportunity. I look forward to hearing from you.
SIMULATED ATS-FRIENDLY RESUME FOR AN EXPERIENCED IT
PROFESSIONAL TRANSITIONING TO A CYBERSECURITY
ANALYST L1 ROLE
RESUME

CRISTIANO RONALDO
Location: Old Trafford, Greater Manchester | Phone: +1 (234) 567-8901
Email: crisitiano.ronaldo@izzmier.com | LinkedIn: linkedin.com/in/cristiano-ronaldo

OBJECTIVE
Experienced IT professional with over 5 years of expertise in network administration,
system troubleshooting and IT infrastructure management. Seeking to transition into a
Cybersecurity Analyst L1 role to leverage technical skills, a passion for security and
recently acquired cybersecurity certifications to protect organisational assets from
evolving threats.

EDUCATION
Bachelor of Science in Information Technology
Techville University, Techville, TV | Graduated: May 2018
• GPA: 3.6/4.0
• Relevant Courses: Networking Essentials, IT Security Principles, Systems Administration

CERTIFICATIONS
• CompTIA Security+ | Issued: July 2024
• Certified SOC Analyst (CSA) | Issued: September 2024
• Cisco Certified Network Associate (CCNA) | Issued: January 2023
• Splunk Core Certified User | Issued: October 2024

TECHNICAL SKILLS
• Networking: TCP/IP, DNS, VLANs, Firewalls, VPNs
• Systems Administration: Windows Server, Linux (Ubuntu, CentOS)
• Cybersecurity Tools: Splunk, Nessus, Wireshark
• Incident Response & Log Analysis
• Scripting: Python, PowerShell, Bash
• Virtualisation: VMware, Hyper-V

PROFESSIONAL EXPERIENCE
IT Systems Administrator | Tech Solutions Inc., Techville, TV | June 2018 – Present
• Managed IT infrastructure, including servers, networks and endpoints, ensuring 99.9%
uptime.
• Monitored network traffic for anomalies, proactively addressing potential security
threats.
• Implemented and maintained firewalls and VPN configurations to secure corporate
data.
• Conducted regular patch management to address software vulnerabilities.
• Collaborated with cybersecurity teams to implement security controls and conduct
system hardening.
IT Support Specialist | NetGuard Services, Techville, TV | July 2016 – June 2018
• Provided Tier 2 technical support to end-users, resolving over 95% of issues on the first
call.
• Conducted hardware and software troubleshooting, including network-related
problems.
• Assisted in setting up user accounts with appropriate permissions and security
configurations.
• Created IT documentation and user guides to improve team efficiency.

CYBERSECURITY PROJECTS
Home SOC Lab Setup
• Built and managed a virtual SOC lab using Splunk, Kali Linux and Nessus.
• Simulated various attack scenarios, including phishing and malware infections, to
practice detection and response techniques.
Network Security Audit
• Conducted a self-initiated security audit of a small business network, identifying key
vulnerabilities.
• Recommended firewall configurations and endpoint protection solutions to improve
security posture.

VOLUNTEER EXPERIENCE
Cybersecurity Awareness Volunteer | Secure Future Foundation, Techville, TV | March 2024 – Present
• Delivered training on phishing detection and password hygiene to small business
employees.
• Assisted in implementing basic cybersecurity measures for nonprofit organisations.

REFERENCES
Steve Bruce, Senior Security Engineer, Secure Future Foundation | Phone: +1 (234) 765-4321 | Email: steve.bruce@company.com
Jaap Stam, IT Manager, Tech Solutions Inc. | Phone: +1 (234) 123-4567 | Email: jap.stam@company.com

INTERVIEW SIMULATION FOR CRISTIANO RONALDO,
TRANSITIONING FROM AN IT BACKGROUND TO A
CYBERSECURITY ANALYST L1 ROLE
PART 1: INTRODUCTION & BACKGROUND DISCUSSION

Interviewer: Good morning, Cristiano! Thank you for taking the time to interview with us
today. Can you start by telling us about your current role and why you're interested in
transitioning into a cybersecurity role?

Candidate (Cristiano): Good morning! I currently work as an IT Systems Administrator at
Tech Solutions Inc. Over the past five years, I've gained hands-on experience managing IT
infrastructure, troubleshooting systems and securing networks. While I enjoy IT, I’ve
developed a strong interest in cybersecurity, particularly during my collaboration with
cybersecurity teams on projects like firewall configuration and system hardening.
Recently, I’ve pursued certifications such as CompTIA Security+ and CSA to solidify my
knowledge. I’m excited to apply my technical expertise and passion for security in a
dedicated cybersecurity role.

PART 2: TECHNICAL QUESTIONS & SCENARIO-BASED DISCUSSIONS

NETWORKING FUNDAMENTALS

Interviewer: Given your networking background, can you explain the difference between a
firewall and a VPN? How do these tools contribute to cybersecurity?

Candidate: A firewall acts as a barrier between internal and external networks, filtering
traffic based on predefined security rules to block unauthorised access. A VPN, on the
other hand, encrypts data transmissions over public or shared networks, ensuring
confidentiality and integrity. Together, they enhance cybersecurity by securing endpoints
and protecting data in transit.

Interviewer: If a firewall rule blocks outgoing traffic on port 22, what service might that
affect and how would you troubleshoot it?

Candidate: Blocking port 22 would affect SSH, which is commonly used for secure remote
management of servers. To troubleshoot, I’d first verify the rule in the firewall
configuration, check if SSH services are running on the host and ensure there’s no
misconfiguration or connectivity issue.

LOG ANALYSIS & THREAT DETECTION

Interviewer: Can you describe a step-by-step process for analysing a suspicious log entry?

Candidate: Certainly. First, I would identify the source of the log (e.g., web server, firewall
or endpoint). Then, I’d examine key fields like timestamps, IP addresses and event types.
Next, I’d cross-reference the activity against known indicators of compromise (IOCs) or
threat intelligence feeds. If the log entry looks suspicious, I’d correlate it with other logs to
establish a pattern and determine the severity of the event.

Interviewer: Let’s say you find a series of failed login attempts followed by a successful
one. What steps would you take next?

Candidate: I’d immediately escalate the issue, considering it a potential brute-force
attack. I’d check the source IP for geolocation and reputation, confirm if the user logged in
from an unusual location and notify the user to verify the activity. Simultaneously, I’d
implement measures like blocking the IP temporarily and enabling MFA if not already in
place.

INCIDENT RESPONSE

Interviewer: Walk me through how you would handle a ransomware attack reported on a
company server.

Candidate: First, I’d isolate the affected system to prevent the spread of the ransomware.
Then, I’d notify the incident response team and management. Next, I’d begin investigating
the attack by reviewing logs to determine the infection vector. After gathering relevant data,
I’d assist in restoring from backups and patching vulnerabilities to prevent recurrence.
Lastly, I’d document the incident thoroughly and help conduct a post-mortem analysis.

Interviewer: How would you ensure that such an incident doesn’t happen again?

Candidate: I’d recommend conducting a comprehensive security assessment, updating
security policies, ensuring regular backups and providing training to employees on
phishing and other attack vectors.

TOOL FAMILIARITY & PROJECTS

Interviewer: You’ve mentioned Splunk in your resume. How have you used it in your
projects?

Candidate: In my home lab, I configured Splunk to ingest logs from simulated attacks. For
example, I set up dashboards to monitor brute force attempts and phishing simulations. I
practiced creating alerts for anomalous activity and wrote SPL queries to filter and analyse
specific patterns.

Interviewer: What challenges did you face while setting up Splunk and how did you resolve
them?

Candidate: Initially, I struggled with log ingestion from multiple sources due to
misconfigurations. I resolved it by carefully mapping log sources, ensuring correct
permissions and consulting Splunk’s documentation. It was a great learning experience.

PART 3: BEHAVIOURAL QUESTIONS

Interviewer: Tell me about a time you collaborated with a team to solve a challenging
problem.

Candidate: At Tech Solutions, we once experienced a critical outage due to a
misconfigured firewall rule. The network team and I collaborated to identify the issue. I
analysed the logs while they reviewed the firewall configuration. Together, we pinpointed
the rule causing the problem and restored services within an hour. This taught me the
importance of clear communication and teamwork during high-pressure situations.

WRAP-UP & CANDIDATE QUESTIONS

Interviewer: Thanks, Cristiano. Before we wrap up, do you have any questions for us?

Candidate: Yes, I’d like to know about the onboarding process for someone transitioning
into cybersecurity. Are there specific training programmes or mentorship opportunities
available to help bridge the gap from IT to cybersecurity?

Interviewer: Great question. We offer a comprehensive onboarding programme, including
SOC-specific training, access to labs for hands-on practice and a mentorship system
where you’ll shadow a senior analyst during your first few months.
SIMULATED ATS-FRIENDLY RESUME FOR SOMEONE
TRANSITIONING TO A CYBERSECURITY ANALYST L1 ROLE FROM
A NON-IT FIELD
RESUME

CARLOS TEVEZ
Location: Old Trafford, Greater Manchester | Phone: +1 (567) 890-1234
Email: carlos.tevez@izzmier.com | LinkedIn: linkedin.com/in/tcarlos-tevez

OBJECTIVE
Detail-oriented professional with 7+ years of experience in operations management
seeking to transition into a Cybersecurity Analyst L1 role. Completed intensive
cybersecurity training and certifications, demonstrating a strong foundation in network
security, incident response and threat analysis. Excited to apply transferable skills in
problem-solving, attention to detail and process optimisation to the cybersecurity domain.

EDUCATION
Bachelor of Arts in Business Administration
Future Leaders University, Progress City, PC | Graduated: May 2016

CERTIFICATIONS
• CompTIA Security+ | Issued: September 2024
• Certified SOC Analyst (CSA) | Issued: October 2024
• Splunk Core Certified User | Issued: November 2024
• (Optional) Google IT Support Professional Certificate | Issued: August 2024

TECHNICAL SKILLS
• Cybersecurity Tools: Splunk, Wireshark, Nessus
• Networking Fundamentals: TCP/IP, DNS, Firewalls
• Incident Response Procedures
• Log Analysis & Threat Detection
• Scripting Basics: Python, Bash
• Operating Systems: Windows, Linux
PROFESSIONAL EXPERIENCE
Operations Manager | Peak Performance Solutions, Progress City, PC | June 2017 – Present
• Oversaw and optimised workflows, resulting in a 20% improvement in efficiency across
teams.
• Conducted risk assessments to identify and mitigate operational vulnerabilities.
• Collaborated with cross-functional teams to implement new policies, emphasising
attention to detail and accuracy.
• Investigated and resolved process discrepancies, ensuring adherence to compliance
standards.
Customer Service Specialist | Global Assist Services, Progress City, PC | June 2016 – May 2017
• Resolved over 50 customer inquiries daily, maintaining a 98% satisfaction rate.
• Identified patterns in customer issues and escalated recurring problems for process
improvement.
• Leveraged analytical skills to evaluate feedback data and enhance team performance.

CYBERSECURITY PROJECTS
Home SOC Lab Setup
• Built a personal SOC lab using Splunk and Kali Linux to practice log analysis and incident
detection.
• Simulated real-world attack scenarios, including phishing and brute force, to develop
hands-on skills.
Security Awareness Campaign
• Developed a training presentation for friends and family on phishing awareness and
password security.
• Provided practical tips on recognising social engineering attacks.

VOLUNTEER EXPERIENCE
Cybersecurity Advocate | Community Cyber Awareness Group, Progress City, PC | January 2024 – Present
• Conducted workshops for small business owners on basic cybersecurity measures.
• Created educational materials on phishing prevention and secure password
management.

REFERENCES
Wes Brown, Cybersecurity Instructor, Cyber Career Academy | Phone: +1 (567) 432-1098 | Email: wes.brown@company.com
Nicky Butt, Operations Director, Peak Performance Solutions | Phone: +1 (567) 654-3210 | Email: nicky.butt@company.com

INTERVIEW SIMULATION FOR CARLOS TEVEZ, TRANSITIONING
FROM NON-IT BACKGROUND TO A CYBERSECURITY ANALYST L1
ROLE
PART 1: INTRODUCTION & BACKGROUND DISCUSSION

Interviewer: Good morning, Carlos! Thank you for taking the time to interview with us
today. Can you start by sharing more about your career journey and what inspired you to
transition into cybersecurity?

Candidate (Carlos): Good morning and thank you for this opportunity! I’ve spent the last 7
years in operations management, focusing on process optimisation, risk assessments and
ensuring compliance. While I found my role rewarding, I developed a growing interest in
cybersecurity, especially as digital risks started impacting businesses. Over the past year,
I’ve pursued certifications like Security+ and CSA, set up a home lab to gain hands-on
experience with tools like Splunk and volunteered to educate others about phishing and
secure practices. I’m excited to bring my analytical skills, attention to detail and
commitment to learning into a cybersecurity analyst role.

PART 2: TECHNICAL QUESTIONS & SCENARIO-BASED DISCUSSIONS

NETWORKING FUNDAMENTALS

Interviewer: Can you explain the difference between a firewall and a proxy and how they
each contribute to cybersecurity?

Candidate: A firewall monitors and filters incoming and outgoing network traffic based on
security rules, blocking unauthorised access. A proxy, on the other hand, acts as an
intermediary between users and external networks, often anonymising traffic and providing
an extra layer of security by hiding internal IP addresses. Firewalls focus on traffic control,
while proxies focus on user activity protection.

Interviewer: If you see traffic flagged as suspicious on port 3389, what service might it
involve and how would you investigate it?

Candidate: Port 3389 is commonly used for Remote Desktop Protocol (RDP). Suspicious
traffic here could indicate unauthorised remote access attempts. I’d investigate by
reviewing logs for unusual login times, geolocation of the source IP and repeated failed
login attempts. If the activity appears malicious, I’d isolate the affected system and alert
the incident response team.

LOG ANALYSIS & THREAT DETECTION

Interviewer: Let’s say you’re reviewing firewall logs and notice multiple failed login
attempts from a single IP followed by a successful attempt. What would your next steps
be?

Candidate: This could be a brute force attack. I’d first check the geolocation and
reputation of the source IP to verify if it’s from a known malicious actor. Then, I’d cross-
check logs to confirm the user’s activity pattern and verify if the login is legitimate with the
user. Meanwhile, I’d block the IP temporarily, recommend enabling MFA and escalate the
case to the incident response team for further analysis.

Interviewer: How would you identify indicators of compromise (IOCs) in logs?

Candidate: I’d look for patterns like unusual IP addresses, irregular login times, multiple
failed login attempts or data transfers during off-peak hours. I’d also cross-reference these
indicators with threat intelligence feeds and correlate them across different log sources to
detect anomalies.

INCIDENT RESPONSE

Interviewer: Imagine an employee reports clicking on a phishing link. How would you
handle this incident?

Candidate: I’d first instruct the employee to disconnect their system from the network to
prevent any potential spread of malware. Then, I’d check email logs to analyse the phishing
attempt and isolate any other affected systems. Next, I’d scan the employee’s system for
malicious payloads and reset their credentials. Simultaneously, I’d alert the incident
response team and initiate employee awareness training to reinforce best practices.

Interviewer: How would you ensure phishing incidents decrease in the future?

Candidate: I’d recommend implementing email filtering solutions, enabling MFA and
conducting regular phishing simulations and training sessions to educate employees
about recognising phishing attempts.

TOOL FAMILIARITY & PROJECTS

Interviewer: Can you describe how you’ve used Splunk in your cybersecurity projects?

Candidate: In my home lab, I configured Splunk to monitor logs from simulated
environments. For example, I set up alerts to detect brute-force attempts and created
dashboards to track network activity. This helped me develop a deeper understanding of
log analysis and threat detection.

Interviewer: What challenges did you face with Splunk and how did you resolve them?

Candidate: Initially, I had trouble with log ingestion due to format mismatches. After
researching online documentation and experimenting, I fixed the issue by properly
mapping the log sources and using Splunk’s tools to normalise the data. This process
taught me the importance of attention to detail when configuring systems.

PART 3: BEHAVIOURAL QUESTIONS & WRAP-UP

Interviewer: Tell me about a time you handled a complex challenge at work and how it
relates to cybersecurity.

Candidate: In operations, I once discovered discrepancies in inventory that risked
regulatory compliance. I collaborated with cross-functional teams to trace the issue,
analysed workflows and implemented stricter controls. This experience translates well to
cybersecurity, as both involve identifying vulnerabilities, analysing data and enforcing
preventive measures.

Interviewer: How do you prioritise tasks in a high-pressure environment like a SOC?

Candidate: I use a structured approach: assess the severity and impact of each task,
address critical incidents first and delegate or escalate where appropriate. Maintaining
clear communication with the team is key to ensuring efficiency.

WRAP-UP

Interviewer: Thanks, Carlos. Do you have any questions for us?

Candidate: Yes, I’d like to learn about the tools and technologies your SOC primarily uses.
How do you support new analysts in becoming proficient with them?

Interviewer: We use tools like Splunk, Nessus and Palo Alto firewalls. New analysts go
through an onboarding programme that includes hands-on labs and mentorship from
experienced team members.
SIMULATED ATS-FRIENDLY RESUME FOR SOMEONE SEEKING TO
TRANSITION FROM A CYBERSECURITY ANALYST L1 ROLE TO AN
L2 POSITION
RESUME

DIMITAR BERBATOV
Location: Old Trafford, Greater Manchester | Phone: +1 (234) 567-8901
Email: dimitar.berbatov@izzmier.com | LinkedIn: linkedin.com/in/dimitar-berbatov

OBJECTIVE
Dedicated Cybersecurity Analyst L1 with over 2 years of experience in incident response,
log analysis and threat detection, seeking to advance to a Cybersecurity Analyst L2 role.
Proven ability to handle complex security incidents, mentor junior analysts and contribute
to improving detection and response processes. Committed to enhancing organisational
security posture through advanced threat analysis and proactive defence strategies.

EDUCATION
Bachelor of Science in Computer Science
CyberTech University, CyberCity, CC | Graduated: May 2020

CERTIFICATIONS
• CompTIA Cybersecurity Analyst (CySA+) | Issued: May 2024
• Certified SOC Analyst (CSA) | Issued: March 2024
• Splunk Core Certified Power User | Issued: November 2023
• GIAC Certified Incident Handler (GCIH) | Issued: August 2024

TECHNICAL SKILLS
• SIEM Platforms: Splunk, QRadar, AlienVault
• Endpoint Detection and Response (EDR): CrowdStrike, Carbon Black
• Incident Response: Malware analysis, phishing investigations, root cause analysis
• Threat Intelligence: MITRE ATT&CK, VirusTotal, ThreatConnect
• Scripting: Python (automation, parsing logs), PowerShell
• Networking & Protocols: TCP/IP, DNS, HTTP, SSL/TLS
• Operating Systems: Windows, Linux (Ubuntu, CentOS)
PROFESSIONAL EXPERIENCE
Cybersecurity Analyst L1 | TechSecure Solutions, CyberCity, CC | June 2022 – Present
• Monitored and triaged over 500 alerts monthly using Splunk, identifying and escalating
150+ high-priority incidents.
• Investigated malware infections, conducting root cause analysis and recommending
remediation steps.
• Performed phishing analysis, identifying malicious email campaigns and mitigating
associated risks.
• Developed automation scripts in Python to streamline repetitive tasks, reducing incident
resolution time by 20%.
• Assisted in creating playbooks and processes for common incident scenarios.
• Collaborated with L2 and L3 analysts to resolve complex incidents, gaining exposure to
advanced investigation techniques.
Cybersecurity Intern | SecureTech Enterprises, CyberCity, CC | June 2021 – May 2022
• Assisted in monitoring and analysing security events across multiple client
environments using QRadar.
• Conducted vulnerability scans using Nessus and prepared detailed reports with
recommended mitigations.
• Shadowed senior analysts during incident response, learning techniques such as
memory forensics and malware sandboxing.
• Created initial triage reports for phishing emails, including header analysis and link
examination.
• Built a Python script to parse logs for anomalous activities, reducing manual effort for
the SOC team by 15%.

CYBERSECURITY PROJECTS
Advanced Threat Detection Framework
• Designed a Splunk dashboard for enhanced detection of lateral movement and privilege
escalation activities.
• Implemented custom correlation rules to detect anomalies in user behavior based on
MITRE ATT&CK tactics.
Incident Response Simulation
• Led a tabletop exercise simulating a ransomware attack, coordinating with cross-
functional teams to test incident response plans.
• Documented post-simulation improvements, resulting in a 25% improvement in incident
handling time.

VOLUNTEER EXPERIENCE
Mentor CyberPath Academy, CyberCity, CC January 2024 – Present
• Conducted weekly sessions for aspiring analysts, focusing on log analysis, threat
detection and SIEM best practices.

ACHIEVEMENTS
• Employee of the Month: Recognised for rapid response and resolution of a high-impact
malware incident.
• Process Improvement: Suggested and implemented log filtering improvements in
Splunk, reducing false positives by 30%.

REFERENCES
George Best, Senior Cybersecurity Analyst L2, TechSecure Solutions | Phone: +1 (234) 890-7654 | Email: George@company.com
Bobby Charlton, SOC Manager, TechSecure Solutions | Phone: +1 (567) 432-1098 | Email: casey.defender@company.com

INTERVIEW SIMULATION FOR DIMITAR BERBATOV, TRANSITIONING FROM L1 TO L2 ROLE
PART 1: INTRODUCTION & CAREER ASPIRATIONS

Interviewer: Good afternoon, Dimitar! It’s great to have you here today. Can you begin by
sharing your journey in cybersecurity and what’s motivating you to transition from your
current L1 role to a more advanced L2 role?

Candidate (Dimitar): Good afternoon and thank you for having me. I’ve been working as an
L1 Cybersecurity Analyst for the past 2 years at XYZ Corp. In this role, I’ve had extensive
experience in monitoring SIEM alerts, initial triage and managing incidents using platforms
like Splunk and QRadar. My day-to-day tasks involve analysing log data, investigating
suspicious activities and escalating critical incidents to L2.

I’ve gained a solid understanding of threat landscapes, vulnerability management and
incident response processes. However, I’m eager to grow and take on more advanced
challenges in threat hunting, root cause analysis and deeper technical investigations,
which is why I’m pursuing an L2 role. I’d like to leverage my knowledge in analysing
complex alerts and contributing to the overall incident management process at a higher
level.

PART 2: TECHNICAL AND SCENARIO-BASED QUESTIONS

INCIDENT RESPONSE AND ROOT CAUSE ANALYSIS

Interviewer: Dimitar, as an L1 analyst, you’ve likely handled basic incident triage. As you
transition to an L2 role, how would you approach an escalated incident that involves
advanced malware suspected of being part of a targeted attack?

Candidate: In a situation like this, I would begin by gathering all available data from the
SIEM platform, looking for indicators of compromise (IOCs) that can point to the malware's
entry vector. I would investigate the initial infection vector by checking logs from firewalls,
IDS/IPS systems and endpoint protection solutions to identify abnormal traffic patterns or
suspicious file behavior.

From there, I would focus on isolating affected systems to prevent lateral movement. I’d
also review network traffic to detect unusual command-and-control (C2) communications.
Once the initial containment steps are taken, I would work on identifying the root cause,
whether it's an exploited vulnerability or a misconfiguration, and report the findings to
management, followed by a thorough post-incident analysis to refine our security controls.

Interviewer: As part of the L2 team, you would also be expected to assist in forensics and
malware analysis. How would you approach analysing a malware sample?

Candidate: I would begin by collecting a copy of the malware sample, ensuring proper
containment to avoid cross-contamination. I’d use sandboxing environments like Cuckoo
Sandbox or any internal analysis tools to observe the malware’s behavior in a controlled
space. I’d look for communication attempts to external servers, identify any file changes
and gather hash values to search for other instances of the malware in the network.

In addition, I’d work with our threat intelligence team to look for existing IOCs related to
this malware family and correlate them with our SIEM logs. The goal is to understand the
malware’s lifecycle, spread patterns and impact and then provide remediation steps to
prevent future incidents.

SIEM ANALYSIS AND ADVANCED TRIAGE

Interviewer: As an L1 analyst, you were responsible for triaging alerts. At L2, you’ll need to
dive deeper into the analysis and conduct more sophisticated investigations. Can you walk
us through how you would perform an in-depth analysis of a suspicious network
connection that has triggered an alert in the SIEM system?

Candidate: First, I’d examine the details of the alert, including the source and destination
IPs, the protocols involved and the ports being used. I would investigate the reputation of
the IP addresses involved, looking them up in threat intelligence platforms like VirusTotal
or ThreatConnect to see if they are associated with any known malicious activity.

Next, I would review firewall, proxy and IDS/IPS logs to trace the full flow of the traffic,
checking for any unusual patterns like large amounts of data being transferred or
unexpected connections to external IPs. I would also look at the destination server for
signs of compromise, such as unexpected services running or unauthorised user activity. If
necessary, I’d escalate the case to other teams for further investigation or remediation.

During this phase, I would document all findings in a clear and concise manner, helping my
colleagues understand the threat's behavior and potential impact.

Interviewer: How do you ensure that incidents are properly documented and what role
does this play in improving overall incident response?

Candidate: Proper documentation is crucial for maintaining an audit trail, ensuring
transparency and enabling post-incident analysis. I ensure that all relevant details,
including timelines, systems affected, investigation steps and resolutions, are
documented in the incident ticket. This information helps improve the response to similar
incidents in the future and assists in identifying recurring patterns.

At L2, I would also make sure to capture any lessons learned from the incident and
communicate them to the broader team, contributing to refining playbooks and improving
detection methods.

THREAT HUNTING AND ADVANCED DETECTION

Interviewer: At the L2 level, threat hunting is an important responsibility. Can you explain
how you would go about hunting for threats in a network and what tools or methodologies
you would use?

Candidate: As part of threat hunting, I’d first review current threat intelligence to look for
emerging attack patterns or TTPs (Tactics, Techniques and Procedures) that could be
relevant to our environment. I would use frameworks like MITRE ATT&CK to guide my hunt
and map potential adversary techniques to our network activities.

For tools, I would use SIEM systems like Splunk and QRadar to search for unusual patterns
in logs that could indicate hidden threats, such as anomalous logins, privilege escalation
attempts or lateral movement across the network. I might also use network traffic analysis
tools like Wireshark or Zeek to monitor traffic for signs of C2 communication or data
exfiltration.

One key part of threat hunting is maintaining a proactive stance rather than waiting for
alerts. I would regularly scan logs and network traffic for anything out of the ordinary,
including patterns or behaviors that might indicate the presence of advanced persistent
threats (APT).

PART 3: BEHAVIOURAL QUESTIONS & WRAP-UP

COLLABORATION AND LEADERSHIP IN THE SOC

Interviewer: As an L2 analyst, you’ll be expected to guide and mentor L1 analysts. Can you
share an example of a time when you helped a colleague or team member improve their
skills or understanding of cybersecurity?

Candidate: During my time as an L1 analyst, I often assisted newer colleagues with
understanding the basics of incident triage and log analysis. For example, one colleague
was struggling with identifying the severity of alerts in our SIEM system. I sat down with
them and walked through the process of correlating different log data sources and
prioritising alerts based on the type of threat, system criticality and historical context.

I also created a set of internal best practice guides that helped our L1 team better identify
false positives and focus on the most relevant alerts. It was rewarding to see them become
more confident in their roles and I enjoy the idea of taking on more mentorship
responsibilities as an L2 analyst.

HANDLING STRESS AND HIGH-PRESSURE SITUATIONS

Interviewer: As an L2 analyst, you’ll need to manage high-pressure situations, such as a
potential security breach. How do you handle stressful situations, especially when you're
responsible for leading an investigation?

Candidate: I’ve been in high-pressure situations before, especially during major incidents
where every second counts. I handle stress by staying calm, focusing on the facts and
following established procedures. I also make sure to communicate clearly with the team
and other stakeholders to ensure everyone is aligned and knows their role in the response.

If I’m leading an investigation, I focus on breaking down the task into manageable steps,
prioritising critical actions first. It’s essential to maintain a clear head, especially when
dealing with complex incidents and to keep the team motivated by fostering a collaborative
and positive atmosphere.

WRAP-UP AND FINAL QUESTIONS

Interviewer: Thank you for your detailed responses, Dimitar. Do you have any questions
for us about the L2 role or the team you’ll be working with?

Candidate: Yes, I’d like to know more about how your team currently handles post-
incident reviews and knowledge sharing. Are there any ongoing initiatives to improve
detection or response strategies?

Interviewer: We prioritise continuous improvement by holding regular post-incident
reviews, where we analyse the effectiveness of our response and identify any gaps. We
also have a knowledge-sharing platform where analysts contribute lessons learned and
new detection strategies. We’re always looking to improve and as an L2 analyst, you would
have a chance to contribute to these initiatives and help mentor the team.

SIMULATED ATS-FRIENDLY RESUME FOR SOMEONE LOOKING
TO TRANSITION FROM A CYBERSECURITY ANALYST L2 TO AN L3
(SENIOR CYBERSECURITY ANALYST) POSITION
RESUME

JUAN MATA
Location: Old Trafford, Greater Manchester Phone: +1 (234) 567-8901
Email: juan.mata@izzmier.com LinkedIn: linkedin.com/in/juan-mata

OBJECTIVE
Experienced Cybersecurity Analyst L2 with 4+ years of expertise in advanced threat
detection, incident response and SIEM management. Proven track record of mentoring
junior analysts, enhancing SOC workflows and handling complex security incidents.
Seeking a Cybersecurity Analyst L3 role to lead proactive threat hunting efforts, optimise
incident response strategies and contribute to organisational cybersecurity resilience.

EDUCATION
Bachelor of Science in Computer Science CyberTech University, CyberCity, CC
Graduated: May 2018

CERTIFICATIONS
• Certified Information Systems Security Professional (CISSP) | Issued: March 2024
• GIAC Certified Enterprise Defender (GCED) | Issued: September 2023
• CompTIA Cybersecurity Analyst (CySA+) | Issued: May 2022
• Splunk Core Certified Advanced Power User | Issued: August 2023
• Certified Incident Handler (GCIH) | Issued: November 2022

TECHNICAL SKILLS
• Advanced Threat Analysis: MITRE ATT&CK, YARA rules, Sigma rules
• SIEM & Log Management: Splunk, QRadar, Elastic Stack
• Threat Hunting: Behavioral analytics, anomaly detection and proactive hunt strategies
• Incident Response: Advanced malware analysis, reverse engineering, memory
forensics
• Scripting & Automation: Python, Bash, PowerShell
• Cloud Security: Azure Sentinel, AWS GuardDuty
• Networking: Deep packet inspection, Wireshark, TCPDump

PROFESSIONAL EXPERIENCE
Cybersecurity Analyst L2 SecureTech Enterprises, CyberCity, CC June 2021 – Present
• Led investigations into advanced persistent threats (APTs), coordinating with global
teams to mitigate risks.
• Designed custom Splunk correlation rules and dashboards, improving SOC efficiency by
35%.
• Conducted threat-hunting exercises, identifying and remediating 20+ hidden threats
across enterprise networks.
• Served as a mentor to L1 analysts, providing training in phishing analysis, log correlation
and incident reporting.
• Led post-incident reviews, ensuring lessons learned were incorporated into updated
SOC processes.
• Enhanced SIEM log source integration, reducing false positives by 40%.
• Collaborated with threat intelligence teams to integrate IOCs into detection
mechanisms.
Cybersecurity Analyst L1 TechSecure Solutions, CyberCity, CC June 2019 – May 2021
• Monitored and triaged 600+ security alerts monthly using Splunk and QRadar.
• Performed malware triage, utilising tools such as VirusTotal and sandbox environments.
• Supported incident response activities, including containment and eradication of
ransomware.
• Developed automation scripts in Python to parse logs and improve triage efficiency.
• Documented SOPs for common incidents, improving response consistency for the L1
team.

CYBERSECURITY PROJECTS
Advanced Threat Hunting Toolkit
• Created YARA rules for detecting advanced malware strains and implemented them in
EDR solutions.
• Built a Python-based log analysis tool to identify unusual login patterns and privilege
escalation.
SOC Process Optimisation
• Analysed SOC workflows and recommended improvements to playbook automation and
communication processes, reducing mean time to resolution (MTTR) by 25%.

VOLUNTEER EXPERIENCE
Trainer and Speaker CyberPath Academy, CyberCity, CC July 2022 – Present
• Conducted workshops on advanced log correlation, threat hunting techniques and
incident response best practices.
• Delivered presentations on emerging cybersecurity threats and prevention strategies.

ACHIEVEMENTS
• Employee Excellence Award (2023): Recognised for successfully mitigating a multi-
stage APT attack within 24 hours.
• Process Improvement Leadership: Designed and implemented a phishing email
detection workflow that reduced response time by 30%.
• Threat Intelligence Integration: Spearheaded the integration of external threat feeds,
enhancing detection rates by 20%.

REFERENCES
Mark Hughes, SOC Manager, SecureTech Enterprises | Phone: +1 (234) 890-7654 | Email: mark.hughes@company.com
Andy Cole, Director of Security Operations, SecureTech Enterprises | Phone: +1 (567) 432-1098 | Email: andy.cole@company.com

SIMULATION INTERVIEW FOR JUAN MATA, TRANSITIONING FROM L2 TO L3 ROLE
PART 1: INTRODUCTION & CAREER ASPIRATIONS

Interviewer: Good afternoon, Juan! Thanks for joining us today. Can you start by telling us
a bit about your journey in cybersecurity and why you're seeking to transition to an L3
position?

Candidate (Juan): Good afternoon and thank you for this opportunity. My journey in
cybersecurity started right after university when I joined TechSecure Solutions as an L1
Analyst. I spent two years learning the fundamentals of incident response and threat
detection. From there, I transitioned to SecureTech Enterprises as an L2 Analyst, where
I’ve spent the last 3+ years handling more complex incidents, conducting threat-hunting
exercises and mentoring junior analysts.

I’m seeking an L3 role because I want to take on more leadership responsibilities, such as
driving proactive threat-hunting initiatives and refining incident response strategies. I’m
also excited to contribute to SOC maturity by implementing advanced detection
mechanisms and fostering a culture of collaboration and continuous learning.

PART 2: TECHNICAL AND SCENARIO-BASED QUESTIONS

ADVANCED THREAT DETECTION

Interviewer: You’ve mentioned your experience with MITRE ATT&CK and YARA rules. Can
you describe how you’ve used these frameworks in your threat-hunting activities?

Candidate: Certainly! I’ve used the MITRE ATT&CK framework to map out attack vectors
during threat-hunting exercises. For instance, while investigating unusual DNS traffic, I
identified patterns consistent with the 'Command and Control' tactic. I developed YARA
rules to detect those specific behaviours across endpoint logs, which helped us identify
and isolate an infected host before further data exfiltration occurred.

Interviewer: How do you prioritise threats during a hunt?

Candidate: I prioritise based on the potential impact and likelihood of the threat. For
example, if I detect indicators of an advanced malware family targeting critical
infrastructure, it becomes a top priority. I also use threat intelligence feeds and risk-
scoring mechanisms to assess the severity of threats.

INCIDENT RESPONSE LEADERSHIP

Interviewer: Let’s say your team identifies an ongoing ransomware attack. How would you
lead the incident response efforts as an L3 Analyst?

Candidate: I’d start by convening an emergency response team and assigning clear roles
to ensure a coordinated approach. Next, I’d isolate the affected systems to prevent lateral
movement. I’d use memory forensics and reverse engineering to understand the
ransomware strain and its behaviour. Simultaneously, I’d engage with senior leadership to
align on communication strategies, particularly if customer or regulatory notifications are
required.

Post-containment, I’d lead a detailed post-incident review to identify root causes and
implement stronger preventive measures, such as refining EDR policies and conducting
employee awareness training.

Interviewer: How would you evaluate the effectiveness of your response after the
incident?

Candidate: I’d measure effectiveness by reviewing metrics such as MTTR, the scope of
containment and the success of recovery efforts. Additionally, I’d solicit feedback from
team members during the post-incident review and compare our actions to the predefined
playbooks, identifying areas for improvement.

TOOL EXPERTISE AND OPTIMISATION

Interviewer: Your resume mentions creating custom correlation rules in Splunk. Can you
provide an example of a rule you designed and the outcome?

Candidate: Sure! I created a Splunk correlation rule to detect credential stuffing attacks.
The rule flagged multiple failed login attempts followed by a successful one within a short
timeframe from the same IP. By correlating this with geolocation data, we discovered a
botnet targeting our web application. This rule reduced detection time by 40%, allowing us
to mitigate the attack before any accounts were compromised.

Interviewer: What challenges did you face in optimising Splunk performance for large-
scale log ingestion?

Candidate: One major challenge was handling high log volume without impacting query
performance. I resolved this by implementing data summarisation techniques, such as
creating summary indexes for commonly queried data and optimising search queries by
filtering unnecessary fields upfront.

CLOUD SECURITY

Interviewer: Given the increasing migration to cloud environments, how have you applied
your skills to secure cloud infrastructures?

Candidate: I’ve worked with Azure Sentinel to monitor and secure cloud workloads. For
instance, I configured alerts to detect anomalous API activity, such as unauthorised
access attempts to critical resources. I also implemented GuardDuty in AWS to identify
suspicious S3 bucket access patterns, enhancing our overall cloud security posture.

PART 3: BEHAVIOURAL QUESTIONS & WRAP-UP

LEADERSHIP AND MENTORSHIP

Interviewer: Can you share a time when you mentored a junior analyst and how that
experience prepared you for an L3 role?

Candidate: At SecureTech, I mentored several L1 analysts, one of whom struggled with log
correlation. I developed a step-by-step training guide and conducted weekly review
sessions to track progress. Over three months, the analyst became proficient and started
contributing to threat-hunting exercises. This experience reinforced the importance of
patience, clear communication and creating tailored learning plans, key skills for an L3
role.

Interviewer: How would you foster collaboration in a diverse SOC team?

Candidate: I’d promote open communication by implementing daily stand-ups and weekly
knowledge-sharing sessions. I’d also encourage cross-training, so team members can
understand and appreciate each other's responsibilities, leading to a more cohesive and
supportive environment.

LONG-TERM VISION

Interviewer: What do you think are the biggest challenges SOCs will face in the next five
years and how would you prepare to address them as an L3 Analyst?

Candidate: I believe SOCs will face challenges from increasingly sophisticated threats,
talent shortages and the need to integrate AI into workflows. To prepare, I’d focus on
continuous upskilling, particularly in AI-driven threat detection and mentor the next
generation of analysts to close the skills gap. I’d also advocate for investments in
automation to reduce manual workloads, enabling analysts to focus on higher-value tasks.

WRAP-UP

Interviewer: Thanks, Juan. Do you have any questions for us?

Candidate: Yes, could you share more about the threat-hunting initiatives your team is currently
focusing on and how an L3 Analyst would contribute to them?

Interviewer: Our current focus is on improving lateral movement detection and insider threat
identification. An L3 Analyst would lead these initiatives, develop detection use cases and
coordinate with threat intelligence teams to stay ahead of evolving threats.

SIMULATED ATS-FRIENDLY RESUME FOR SOMEONE
TRANSITIONING FROM A CYBERSECURITY ENGINEER ROLE TO
A CYBERSECURITY ANALYST POSITION
RESUME

PARK JI-SUNG
Location: Old Trafford, Greater Manchester Phone: +1 (345) 678-9012
Email: ji.sung.park@izzmier.com LinkedIn: linkedin.com/in/ji-sung

OBJECTIVE
Skilled Cybersecurity Engineer with 5+ years of experience in designing and implementing
security infrastructures, seeking to transition into a Cybersecurity Analyst role. Proficient
in threat detection, log analysis and incident response, with a strong passion for hands-on
monitoring and analysis. Committed to leveraging engineering expertise to strengthen
organisational defense mechanisms and enhance threat intelligence capabilities.

EDUCATION
Bachelor of Science in Information Technology TechSecure University, CyberCity, CC
Graduated: May 2017

CERTIFICATIONS
• CompTIA Cybersecurity Analyst (CySA+) | Issued: July 2024
• Certified Information Systems Security Professional (CISSP) | Issued: May 2023
• Splunk Core Certified User | Issued: November 2023
• Certified Ethical Hacker (CEH) | Issued: March 2022
• AWS Certified Security - Specialty | Issued: December 2022

TECHNICAL SKILLS
• SIEM & Log Analysis: Splunk, QRadar, Elastic Stack
• Incident Response: Root cause analysis, malware triage and containment strategies
• Threat Intelligence: IOC analysis, MITRE ATT&CK, ThreatConnect
• Infrastructure Security: Firewalls (Palo Alto, Fortinet), IDS/IPS (Snort, Suricata)
• Cloud Security: AWS GuardDuty, Azure Sentinel
• Scripting & Automation: Python, PowerShell, Bash
• Networking: TCP/IP, DNS, VPNs, VLANs, Packet analysis

PROFESSIONAL EXPERIENCE
Cybersecurity Engineer SecureTech Solutions, CyberCity, CC June 2018 – Present
• Deployed and managed enterprise-grade firewalls, IDS/IPS and endpoint protection
systems across global networks.
• Collaborated with SOC teams to integrate and fine-tune log sources in SIEM platforms,
enhancing detection rates by 30%.
• Conducted periodic vulnerability scans using Nessus and implemented remediation
plans to address critical findings.
• Provided Tier-3 support for escalated incidents, assisting SOC analysts in advanced
malware analysis and forensic investigations.
• Automated routine security monitoring tasks using Python scripts, improving operational
efficiency by 20%.
• Designed network segmentation strategies to mitigate the risk of lateral movement
during potential breaches.
IT Security Analyst Intern CyberDefense Inc., CyberCity, CC June 2017 – May 2018
• Monitored security events using Splunk and conducted initial triage of alerts to
determine threat severity.
• Investigated phishing incidents, analysing email headers and attachments to identify
malicious intent.
• Assisted in creating incident response playbooks for common threats such as
ransomware and DDoS attacks.
• Generated weekly reports on security trends and provided recommendations to improve
detection capabilities.

CYBERSECURITY PROJECTS
SIEM Optimisation for Threat Detection
• Enhanced log parsing and correlation rules in QRadar, reducing false positives by 25%.
• Developed custom dashboards for detecting unusual login patterns and privilege
escalation attempts.
Proactive Threat Hunting Framework
• Built Python scripts to analyse DNS logs for anomalous domain queries and exfiltration
patterns.
• Conducted threat hunting exercises based on MITRE ATT&CK techniques, identifying and
remediating 15+ potential risks.

VOLUNTEER EXPERIENCE
Cybersecurity Mentor TechGuard Academy, CyberCity, CC January 2023 – Present
• Trained aspiring analysts in log analysis, SIEM management and incident response
basics through hands-on workshops.

ACHIEVEMENTS
• Process Optimisation Award (2023): Recognised for improving the efficiency of log
ingestion pipelines in Splunk by 40%.
• Incident Escalation Excellence (2022): Acknowledged for resolving a critical zero-day
exploit incident with minimal downtime.
• Cloud Security Initiative: Led a project to implement AWS GuardDuty, improving cloud
threat detection by 35%.

REFERENCES
Roy Keane, SOC Manager, SecureTech Solutions | Phone: +1 (234) 890-7654 | Email: roy.keane@company.com
Ryan Giggs, Director of Security Operations, SecureTech Solutions | Phone: +1 (567) 432-1098 | Email: ryan.giggs@company.com

SIMULATION INTERVIEW FOR PARK JI-SUNG, TRANSITIONING FROM CYBERSECURITY ENGINEER TO CYBERSECURITY ANALYST
PART 1: INTRODUCTION & CAREER ASPIRATIONS

Interviewer: Good afternoon, Park! Thanks for joining us today. Could you start by telling
us about your journey in cybersecurity and what motivates you to transition from a
Cybersecurity Engineer to a Cybersecurity Analyst role?

Candidate (Park): Good afternoon and thank you for having me. My journey in
cybersecurity began after I graduated from TechSecure University with a degree in
Information Technology. I started as an IT Security Analyst Intern at CyberDefense Inc.,
where I monitored security events and helped create incident response playbooks. After
that, I joined SecureTech Solutions as a Cybersecurity Engineer, where I’ve been for the
past five years. During this time, I designed and implemented security infrastructures,
deployed firewalls, managed IDS/IPS and fine-tuned SIEM systems.

Although I’ve gained a lot of experience on the engineering side, I’m now looking to
transition into a Cybersecurity Analyst role. I’ve developed a strong interest in threat
detection, log analysis and incident response. I want to focus more on the hands-on
aspects of monitoring and analysing security events in real time and I’m excited about
contributing to proactive threat hunting and refining incident response strategies.

PART 2: TECHNICAL AND SCENARIO-BASED QUESTIONS

THREAT DETECTION & SIEM EXPERTISE

Interviewer: Given your experience with SIEM platforms like Splunk and QRadar, could you
walk us through how you would set up and optimise a SIEM system for better threat
detection?

Candidate: Certainly! When optimising a SIEM system, the first step is ensuring that
relevant log sources are integrated correctly; this includes firewalls, endpoint protection
systems, IDS/IPS and cloud security platforms. In my role as a Cybersecurity Engineer, I
worked closely with SOC teams to fine-tune log sources, which improved detection rates
by 30%. I also focus on customising correlation rules to identify specific attack patterns
based on previous incidents.

For example, I would configure correlation rules to detect unusual login patterns or
privilege escalation attempts using QRadar’s custom rules engine and I’d leverage
Splunk’s search and reporting functionalities to create dashboards for visualising these
patterns. Once the detection mechanisms are in place, I’d conduct regular tuning to
ensure the rules are minimising false positives and maximising the visibility of emerging
threats.

Interviewer: How do you prioritise alerts within a SIEM system to avoid alert fatigue and
ensure efficient triage?

Candidate: I prioritise alerts based on threat intelligence feeds, risk scoring and the
criticality of the asset being targeted. For instance, if a potential data exfiltration attempt is
detected from a high-value asset, it becomes a top priority. I also assess the context
around each alert, such as the user's privileges and historical activity, to determine its
severity. To reduce alert fatigue, I fine-tune thresholds and set up tiered alerting, so the
most critical issues are brought to the forefront for immediate action.

INCIDENT RESPONSE AND ROOT CAUSE ANALYSIS

Interviewer: Let’s say your team identifies a possible malware infection on an endpoint. As
an analyst, how would you go about investigating and responding to this incident?

Candidate: I would start by isolating the affected endpoint from the network to contain the
potential spread. After that, I would collect memory dumps and perform forensic analysis
to identify the malware’s behaviour. I would review logs from the affected endpoint using
SIEM data to identify unusual processes, network connections or file modifications that
could point to the malware’s origin.

Once the malware is identified, I would work with the team to determine the root cause
and gather relevant IOCs to block the malware on other systems. After containment, I’d
collaborate with the SOC team to implement preventive measures, such as tightening EDR
policies, enhancing user awareness training and reviewing firewall configurations to
ensure they are properly blocking similar threats.

Interviewer: How do you ensure that the incident response process is thorough and
efficient?

Candidate: I use predefined incident response playbooks to ensure consistency and
completeness. For example, each type of incident, such as ransomware or a DDoS attack,
has a specific playbook outlining initial actions, containment strategies and recovery
steps. After an incident is contained, I conduct post-incident reviews, analyse metrics like
mean time to detect (MTTD) and mean time to respond (MTTR) and document lessons
learned. This ensures that each incident is a learning opportunity, helping the team
improve our overall response and preparedness.

THREAT INTELLIGENCE AND MITRE ATT&CK FRAMEWORK

Interviewer: You’ve worked with MITRE ATT&CK and threat intelligence platforms like
ThreatConnect. Can you explain how you’ve used these tools in your previous roles to
strengthen detection and response capabilities?

Candidate: MITRE ATT&CK is a powerful framework for mapping adversary tactics and
techniques and I’ve used it extensively in my threat-hunting exercises. For example, I’ve
mapped unusual DNS traffic patterns to MITRE techniques like ‘Command and Control’ to
identify potential C2 traffic. By correlating this with endpoint and network logs, we were
able to track the attacker’s lateral movement and block further exfiltration.

In terms of threat intelligence, I’ve used ThreatConnect to collect IOCs and integrate them
into our SIEM system. By automating the ingestion of threat intelligence data, we could
proactively detect emerging threats and map them to MITRE ATT&CK tactics. I’ve also used
threat intelligence to refine correlation rules and make our detection systems more
dynamic.

CLOUD SECURITY AND AUTOMATION

Interviewer: Given your experience in cloud security and automation, how would you
secure a cloud environment like AWS or Azure as part of an analyst role?

Candidate: I’ve worked with AWS GuardDuty and Azure Sentinel to monitor and secure
cloud environments. For AWS, I configured GuardDuty to detect unusual API activity and
potential unauthorised access to S3 buckets. In Azure, I used Sentinel to configure alerts
for anomalous behaviour in cloud workloads, such as failed login attempts or lateral
movement across virtual machines.

As an analyst, I’d integrate cloud-native security tools into our SIEM system to ensure that
we have visibility into cloud-based threats. Additionally, I would use automation tools, like
Lambda in AWS, to trigger predefined responses to specific alerts, such as isolating a
compromised instance or blocking suspicious IPs automatically.

PART 3: BEHAVIOURAL QUESTIONS & WRAP-UP

LEADERSHIP AND MENTORSHIP

Interviewer: Can you share a time when you mentored a colleague or junior analyst and
how you think this experience prepares you for an analyst role?

Candidate: Certainly! In my current role, I’ve often assisted junior analysts with
troubleshooting complex issues related to log analysis and incident response. One of my
colleagues was struggling with understanding log correlation in Splunk, so I created a step-
by-step guide and held a couple of one-on-one sessions. Over time, they became more
proficient and this experience helped me realise the importance of clear communication
and patience when mentoring.

This experience has prepared me for an analyst role by sharpening my ability to break down
complex concepts and provide guidance to less experienced team members, helping the
overall team succeed.

Interviewer: How do you approach collaboration with other teams, especially in a diverse
SOC environment?

Candidate: I believe in fostering a collaborative culture through open communication and
knowledge-sharing. I’d encourage regular stand-up meetings and debrief sessions after
incidents to ensure that the team learns from each situation. I also advocate for cross-
training initiatives, so team members can understand and appreciate each other’s
responsibilities, which leads to better teamwork during high-pressure situations.

LONG-TERM VISION AND CHALLENGES
Interviewer: Looking ahead, what do you think are the biggest challenges that SOCs will
face in the coming years and how would you contribute to addressing them in an analyst
role?

Candidate: One of the biggest challenges will be the increasing sophistication of cyber
threats. To stay ahead, I’d focus on upskilling in emerging areas like AI-driven threat
detection and automating routine tasks to free up time for more strategic work.
Additionally, I believe that talent shortages in cybersecurity will continue to be a challenge,
so I’d actively contribute to knowledge-sharing and mentoring to help bridge the skills gap
in our team.

WRAP-UP

Interviewer: Thanks, Park. Do you have any questions for us?

Candidate: Yes, I’d love to know more about the types of incidents your SOC typically
handles and what areas the team is focusing on to improve detection and response.

Interviewer: Our SOC focuses on a wide range of incidents, including ransomware,
phishing and insider threats. Currently, we’re working on improving lateral movement
detection and integrating more threat intelligence into our detection systems. As an
analyst, you’d play a key role in shaping those initiatives and ensuring we’re ready for
emerging threats.
