Computer Science
What Cybersecurity Analysts Actually Hunt
SOC alerts, attack vectors, SIEM, EDR, and incident response
Cybersecurity analysts hunt for signs that someone is trying to break into, move through, or damage a computer network. In a Security Operations Center, or SOC, they monitor alerts, logs, endpoints, cloud systems, and user behavior to separate real threats from noise. This work matters because modern attacks often look like normal activity until small clues are connected. A good analyst thinks like both a detective and a systems engineer.
Key Facts
- Alert priority often depends on risk: Risk = Likelihood x Impact.
- False positive rate = False positives / Total benign events.
- Mean time to detect: MTTD = Time detected - Time attack began.
- Mean time to respond: MTTR = Time contained - Time detected.
- Common attack paths include phishing, credential theft, privilege escalation, lateral movement, data exfiltration, and ransomware.
- SIEM tools collect and correlate logs, while EDR tools monitor and respond on individual endpoints.
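The Key Facts above give four formulas in one line each. The following Python is an added worked example (not part of the original worksheet) that applies them to a small constructed set of alerts and incidents: alerts are ranked by Risk = Likelihood x Impact, the false positive rate and the true positive share are computed over the alert queue, and MTTD and MTTR are averaged over several incidents. All names, scores and timestamps are constructed for illustration; the 1..5 scales are an assumption, not something the worksheet specifies.

```python
"""SOC alert triage and timing metrics, worked on constructed data.

Added example; the alert names, scores and incident timestamps below
are invented for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Alert:
    name: str
    likelihood: int        # assumed 1 (rare) .. 5 (almost certain)
    impact: int            # assumed 1 (negligible) .. 5 (severe)
    true_positive: bool    # analyst verdict after investigation

    @property
    def risk(self) -> int:
        # Key fact: Risk = Likelihood x Impact
        return self.likelihood * self.impact


@dataclass
class Incident:
    attack_began: datetime
    detected: datetime
    contained: datetime


def prioritize(alerts: list[Alert]) -> list[Alert]:
    """Order the queue so the highest-risk alert is worked first."""
    return sorted(alerts, key=lambda a: a.risk, reverse=True)


def false_positive_rate(alerts: list[Alert], total_benign_events: int) -> float:
    """Key fact: false positives / total benign events."""
    false_positives = sum(1 for a in alerts if not a.true_positive)
    return false_positives / total_benign_events


def true_positive_share(alerts: list[Alert]) -> float:
    """Fraction of the alert queue that turned out to be real."""
    return sum(1 for a in alerts if a.true_positive) / len(alerts)


def mean_time_to_detect_minutes(incidents: list[Incident]) -> float:
    """Key fact: MTTD = time detected - time attack began, averaged."""
    total = sum((i.detected - i.attack_began).total_seconds() for i in incidents)
    return total / len(incidents) / 60


def mean_time_to_respond_minutes(incidents: list[Incident]) -> float:
    """Key fact: MTTR = time contained - time detected, averaged."""
    total = sum((i.contained - i.detected).total_seconds() for i in incidents)
    return total / len(incidents) / 60


# Constructed alert queue for one shift.
ALERTS = [
    Alert("Burst of failed logins from one IP", 3, 2, False),
    Alert("Known-malware hash written on file server", 4, 5, True),
    Alert("New local administrator account created", 2, 4, True),
    Alert("Port scan from guest Wi-Fi", 2, 1, False),
]

# Constructed incidents with attack start, detection and containment times.
INCIDENTS = [
    Incident(datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 9, 45), datetime(2024, 3, 1, 10, 15)),
    Incident(datetime(2024, 3, 2, 14, 0), datetime(2024, 3, 2, 15, 15), datetime(2024, 3, 2, 15, 35)),
]

if __name__ == "__main__":
    for a in prioritize(ALERTS):
        print(f"risk={a.risk:2d}  {a.name}")
    print("true positive share:", true_positive_share(ALERTS))
    print("false positive rate:", false_positive_rate(ALERTS, total_benign_events=1000))
    print("MTTD (min):", mean_time_to_detect_minutes(INCIDENTS))
    print("MTTR (min):", mean_time_to_respond_minutes(INCIDENTS))
```

Note that the false positive rate is divided by the number of benign events, not by the number of alerts, which is why it needs a separate count of how much normal activity the detection rule saw.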
Vocabulary
- SOC: A Security Operations Center is a team and workspace where analysts monitor, investigate, and respond to cyber threats.
- SIEM: A Security Information and Event Management system collects logs from many sources and helps analysts find suspicious patterns.
- EDR: Endpoint Detection and Response software monitors computers and servers for malicious behavior and can isolate or stop threats.
- Lateral movement: Lateral movement is when an attacker uses one compromised system to reach other systems inside a network.
- Incident response: Incident response is the organized process of identifying, containing, removing, and recovering from a cybersecurity incident.
Common Mistakes to Avoid
- Treating every alert as equally urgent, which is wrong because analysts must prioritize based on evidence, asset value, attacker behavior, and possible impact.
- Assuming a login is safe because the password was correct, which is wrong because attackers often use stolen credentials from phishing or leaks.
- Looking at one log source only, which is wrong because real attacks often become clear only when endpoint, identity, network, and cloud data are correlated.
- Confusing red team and blue team roles, which is wrong because red teams simulate attacks to test defenses while blue teams detect, investigate, and respond.
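Two of the mistakes above, trusting a login because the password was correct and reading a single log source, are best seen together. The following Python is an added example (not from the worksheet) of the kind of correlation a SIEM rule performs: it parses a constructed identity-provider log and a constructed endpoint log, flags a user who logged in successfully from two countries within a short window, and then checks the endpoint log for failed administrator access attempts by that user shortly afterwards. The log format, field names, the one-hour travel window and the threshold of three failures are all assumptions made for this example.

```python
"""Correlating identity and endpoint logs to flag a suspicious login.

Added example with constructed log lines; the key=value format, the
field names and the thresholds are assumptions, not a real product's.
"""
from datetime import datetime, timedelta

# Constructed identity-provider log: successful logins for two users.
IDENTITY_LOG = [
    "2024-05-06T08:00:00 user=alice src_country=US result=success",
    "2024-05-06T08:02:00 user=bob src_country=US result=success",
    "2024-05-06T08:07:00 user=alice src_country=BR result=success",
    "2024-05-06T08:30:00 user=bob src_country=US result=success",
]

# Constructed endpoint log: privilege-related events from EDR agents.
ENDPOINT_LOG = [
    "2024-05-06T08:09:10 host=ws-17 user=alice action=admin_access result=failed",
    "2024-05-06T08:09:25 host=ws-17 user=alice action=admin_access result=failed",
    "2024-05-06T08:09:40 host=ws-17 user=alice action=admin_access result=failed",
    "2024-05-06T08:15:00 host=ws-22 user=bob action=admin_access result=failed",
]


def parse(line: str) -> dict:
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, value = pair.split("=", 1)
        event[key] = value
    return event


def impossible_travel(identity_events: list[dict], window=timedelta(hours=1)) -> list[tuple]:
    """Successful logins by the same user from different countries within `window`.

    Returns (user, first_country, second_country, time_of_second_login).
    """
    by_user: dict[str, list[dict]] = {}
    for e in sorted(identity_events, key=lambda e: e["ts"]):
        if e["result"] == "success":
            by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            if prev["src_country"] != cur["src_country"] and cur["ts"] - prev["ts"] <= window:
                findings.append((user, prev["src_country"], cur["src_country"], cur["ts"]))
    return findings


def failed_admin_attempts(endpoint_events: list[dict], user: str, after: datetime,
                          within=timedelta(minutes=30)) -> list[dict]:
    """Failed admin_access events for `user` in the `within` period after `after`."""
    return [
        e for e in endpoint_events
        if e["user"] == user
        and e["action"] == "admin_access"
        and e["result"] == "failed"
        and after <= e["ts"] <= after + within
    ]


def correlate(identity_log: list[str], endpoint_log: list[str], min_failures: int = 3) -> list[dict]:
    """Combine both sources: a correct password alone is not proof the login is benign."""
    identity_events = [parse(line) for line in identity_log]
    endpoint_events = [parse(line) for line in endpoint_log]
    alerts = []
    for user, first, second, when in impossible_travel(identity_events):
        failures = failed_admin_attempts(endpoint_events, user, when)
        # Either signal alone is weak; the combination is what raises severity.
        severity = "high" if len(failures) >= min_failures else "medium"
        alerts.append({
            "user": user,
            "countries": (first, second),
            "failed_admin": len(failures),
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(IDENTITY_LOG, ENDPOINT_LOG):
        print(alert)
```

Run stand-alone, the script reports one alert for alice (US then BR within seven minutes, followed by three failed administrator attempts) and nothing for bob, whose single failed attempt has no matching identity anomaly; looking at either log on its own would have shown only a successful login or a couple of failed attempts.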
Practice Questions
1. A SOC receives 1,200 alerts in a day. If 180 are true positives, what percentage of alerts were true positives?
2. An attacker first phished a user at 09:10, the SOC detected suspicious activity at 10:25, and the endpoint was isolated at 10:55. Calculate the MTTD and the response time after detection.
3. A user logs in successfully from the United States at 8:00 and then from another country at 8:07, followed by several failed administrator access attempts. Explain why a cybersecurity analyst should investigate this even though one login used the correct password.