Threat Hunting · SOC Analyst

What's the difference between alert-driven SOC and threat hunting?

Alert-driven (reactive): the SIEM/EDR generates an alert → an analyst investigates → confirms and responds. Most SOC L1 work is alert-driven.

Threat hunting (proactive): the analyst forms a hypothesis ('adversary may have established persistence via WMI subscription') → searches the data without a preexisting alert → either confirms the threat or rules it out. Hypothesis-driven hunting is L2/L3 work, not L1.

PEAK framework (SANS) for hunting: Prepare, Execute, Act, Knowledge sharing.

Most senior SOC roles split time: 60% alert response, 40% hunting + detection engineering.
Want the full explanation? This is the atomic answer suitable for quick interview prep. For the structured deep-dive, including code samples, strong-answer vs weak-answer notes, common follow-up questions, and how this fits the larger SOC analyst topic, see the full Q&A on Networkers Home:

→ SOC Analyst Interview Hub — Full Q&A with deep context

How Networkers Home prepares students for this kind of question

This question reflects real interview rounds at Bangalore's top product, BFSI, and GCC cybersecurity teams. Networkers Home's flagship courses include mock interview sessions drilling exactly these question patterns, with feedback from interviewers who have hired for the role.


Related Threat Hunting questions


Q. Walk me through a hypothesis-driven hunt for lateral movement.

(1) Hypothesis: 'Adversary may be using PsExec or remote service creation for lateral movement'. (2) Data sources needed: Windows Event Logs (5145 Network Share, 7045 Service Install), Sysmon Event 1 (process creation wi…