EC-Council · CSA
Validates foundational and advanced skills in Security Operations Center monitoring and analysis, covering SOC operations, SIEM deployment and use cases, log management, incident triaging, indicators of compromise investigation, threat hunting, and malware analysis.
Questions
570
Duration
180 minutes
Passing Score
70%
Difficulty
AssociateLast Updated
Feb 2026
Use this CSA practice exam to prepare for Certified SOC Analyst (CSA) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 570 questions for EC-Council CSA, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to patterns in your missed answers. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The Certified SOC Analyst (CSA) — exam code 312-39 — is an associate-level credential awarded by EC-Council that validates a candidate's ability to perform Tier I and Tier II Security Operations Center (SOC) functions. The certification covers the full SOC workflow, from understanding the People, Process, and Technology framework of SOC operations to deploying and tuning SIEM platforms, managing centralized log pipelines, triaging alerts, investigating indicators of compromise (IoCs), and executing incident response procedures. The curriculum spans over 350 SIEM use cases across application, network, insider-threat, and compliance scenarios, and incorporates AI-enabled capabilities for alert prioritization, threat detection automation, and SIEM rule generation.
The CSA is the only SOC analyst credential that maps 100% to the NIST/NICE Framework under the Protect and Defend (PR) work role of Cyber Defense Analysis (CDA). It was recently updated to CSA v2, adding modules on cloud security operations (AWS, Azure, GCP), forensic investigation and malware analysis within a SOC context, and threat hunting using modern tools such as Velociraptor, YARA, and UEBA platforms. Candidates gain hands-on experience with industry-standard platforms including Splunk, the ELK Stack, OSSIM, and Log360, preparing them to operate effectively in real-world SOC environments from day one.
The CSA is primarily designed for current and aspiring Tier I and Tier II SOC analysts seeking to formalize and advance their operational skills. It is equally well-suited for network administrators, network security engineers, and cybersecurity analysts who want to transition into a dedicated security operations role. IT professionals working in network defense, security monitoring, or incident handling — including federal employees and government contractors with NICE Framework responsibilities — will find the credential directly applicable to their daily work.
Candidates do not need prior security certifications to pursue the CSA, but a foundational understanding of networking concepts, operating systems, and basic cybersecurity principles is strongly recommended. Professionals who have completed EC-Council's Network Defense Essentials (NDE) or Certified Network Defender (CND), or who hold equivalent knowledge, are well-positioned to succeed.
EC-Council does not mandate formal prerequisites for the CSA exam, making it accessible to candidates early in their cybersecurity careers. However, EC-Council recommends that candidates possess a working knowledge of networking fundamentals (TCP/IP, protocols, network devices), basic operating system concepts for both Windows and Linux environments, and a general understanding of information security concepts before attempting the exam.
Candidates who complete EC-Council's official CSA training program — available in instructor-led, online self-paced, and live-online formats — are best prepared for the exam, as the course is aligned directly to the exam blueprint. Practical familiarity with at least one SIEM platform (such as Splunk or the ELK Stack) and exposure to log analysis tools will significantly ease the learning curve for the more heavily weighted domains.
The CSA exam (code 312-39) consists of 100 multiple-choice questions delivered in a proctored format through EC-Council's ECC Exam Centre. Candidates are allotted 180 minutes (3 hours) to complete the exam. A passing score of 70% (70 out of 100 correct) is required to earn the certification. The exam is available as an online proctored test or at an authorized EC-Council testing center.
The exam is aligned to the CSA v2 blueprint, and all questions are mapped to the eight official exam domains. There are no separate practical or lab components required to earn the certification, though EC-Council's official training includes extensive hands-on lab exercises. The exam fee is approximately $250 USD, and the resulting certification is valid for three years, after which holders must earn continuing education credits or retake the exam to maintain the credential.
Earning the CSA credential positions professionals for Tier I and Tier II SOC analyst roles, which are among the most consistently in-demand positions in cybersecurity. SOC analysts in the United States typically earn between $60,000 and $95,000 annually at the entry-to-mid level, with Tier II analysts and those holding recognized credentials commanding salaries toward the higher end of that range. The CSA is recognized by government agencies and federal contractors, and its alignment to the NICE Framework (CDA work role) makes it relevant for public-sector cybersecurity positions that require role-based certifications.
Compared to alternatives such as CompTIA CySA+ or the SANS GIAC GCIA, the CSA is more narrowly focused on SOC operations and SIEM-centric detection workflows, making it a strong choice for professionals whose day-to-day work centers on alert triage and incident monitoring rather than broader threat analysis or network forensics. The CSA is often pursued as a stepping stone toward more advanced EC-Council credentials such as the Certified Incident Handler (E|CIH) or Certified Threat Intelligence Analyst (C|TIA), or toward vendor-specific SIEM certifications from Splunk or Microsoft.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 570 questions.
Preview — answers shown1. A vulnerability management team is prioritizing patches for their environment. They have a critical vulnerability with CVSS 3.1 score of 9.8 but an EPSS score of 0.02 (2%). How should the team interpret this combination when prioritizing remediation? (Select one!)
Explanation
Modern vulnerability management best practices recommend using both CVSS (severity) and EPSS (exploitation probability) together for risk-based prioritization. A CVSS 9.8 indicates critical severity if exploited, but EPSS 2% suggests low near-term exploitation probability based on real-world threat intelligence. This combination allows for scheduled patching according to organizational SLAs rather than emergency response, while monitoring for EPSS changes. Patching immediately based solely on CVSS ignores valuable threat intelligence and wastes resources. Deprioritizing completely ignores the high severity and potential impact. Using only EPSS ignores the potential catastrophic impact if exploitation does occur.
2. A healthcare organization implements audit logging for systems containing electronic protected health information to meet HIPAA Security Rule requirements. What is the minimum retention period HIPAA requires for audit logs and documentation related to ePHI systems? (Select one!)
Explanation
HIPAA requires audit logs and documentation related to systems containing electronic protected health information to be retained for 6 years from the date of creation or the date when it last was in effect, whichever is later. This retention period significantly exceeds most other compliance frameworks and supports long-term accountability for healthcare data access and modifications. The 12-month retention with 3-month immediate accessibility requirement is specific to PCI DSS for payment card industry compliance, not HIPAA. The 7-year retention period is not a HIPAA standard requirement. The 90-day online retention approach does not meet HIPAA's 6-year minimum retention requirement and lacks specificity regarding accessibility timeframes mandated by the regulation.
3. A threat intelligence analyst maps an observed attack campaign to the Cyber Kill Chain framework. The analyst identifies that the adversary registered lookalike domains mimicking the target organization three months before the attack, then created macro-enabled documents. At which phase did the adversary create the weaponized payload? (Select one!)
Explanation
Weaponization is the Cyber Kill Chain phase where adversaries create the malicious payload by combining malware with an exploit into a deliverable package, such as embedding macros in documents. Reconnaissance involves gathering information about the target. Delivery is transmitting the weapon to the target environment. Resource Development is a MITRE ATT&CK tactic (TA0042), not a Cyber Kill Chain phase. The Lockheed Martin Cyber Kill Chain has seven sequential phases, and weaponization occurs after reconnaissance but before delivery. Domain registration would fall under reconnaissance or preparation, while the actual creation of the malicious document represents weaponization.
4. An MSSP evaluates SIEM deployment options for a healthcare client subject to strict data sovereignty regulations. The client must retain all log data within their own infrastructure but lacks internal SOC expertise for 24/7 monitoring and incident response. Which SIEM deployment architecture best meets these requirements? (Select one!)
Explanation
Self-hosted, MSSP Managed deployment allows the organization to retain SIEM infrastructure and log data within their own premises to meet data sovereignty requirements, while the MSSP provides expert monitoring, analysis, and incident response services. This model ensures sensitive healthcare data never leaves the organization's environment while benefiting from external security expertise. Cloud, MSSP Managed would store data in cloud infrastructure, violating sovereignty requirements. Self-hosted, Self-Managed lacks the required 24/7 SOC expertise. Cloud, Jointly Managed still involves cloud data storage, failing sovereignty constraints.
5. A threat intelligence analyst receives STIX 2.1 threat data containing an Indicator object with pattern "[file:hashes.SHA256 = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']" and a Malware object describing a banking trojan. The analyst needs to understand the relationship between these objects. Which STIX Relationship Object (SRO) type most likely connects these two objects? (Select one!)
Explanation
The indicates relationship type connects Indicator objects to what they detect, such as malware, attack patterns, or threat actors. An indicator (file hash) indicates the presence of malware. The uses relationship flows from threat actors or malware to tools or attack patterns they employ. The targets relationship describes what a threat actor or malware targets (victims, sectors). The attributed-to relationship connects intrusion sets or campaigns to threat actors responsible for them.
Certified Threat Intelligence Analyst (CTIA)
CTIA · 740 questions
Certified Cybersecurity Technician (CCT)
CCT · 630 questions
Certified Secure Computer User (CSCU)
CSCU · 630 questions
EC-Council Certified Encryption Specialist (ECES)
ECES · 627 questions
Ethical Hacking Essentials (EHE)
EHE · 627 questions
ICS/SCADA Cybersecurity
ICS-SCADA · 627 questions
$17.99
One-time access to this exam