Network Fundamentals
1. What is the OSI model and why is it important for security?
The OSI (Open Systems Interconnection) model is a conceptual framework that standardises network communication into 7 layers: Physical, Data Link, Network, Transport, Session, Presentation, and Application. It is important for security because attacks and defences are layer-specific — packet sniffing targets the Physical/Data Link layer, IP spoofing targets the Network layer, session hijacking targets the Session layer, and SQL injection targets the Application layer. Understanding which layer a threat operates at guides the appropriate defensive control.
2. What is the difference between TCP and UDP?
TCP (Transmission Control Protocol) is a connection-oriented protocol that establishes a three-way handshake (SYN, SYN-ACK, ACK) before data transfer, guarantees delivery through acknowledgements and retransmissions, and ensures data arrives in order. UDP (User Datagram Protocol) is connectionless, sends packets without establishing a connection, and provides no delivery guarantee or ordering. TCP is used for web (HTTP/HTTPS), email (SMTP), and file transfer. UDP is used for DNS, streaming, VoIP, and online gaming where speed matters more than guaranteed delivery.
3. What is the difference between a hub, switch, and router?
A hub broadcasts all incoming traffic to every port on the network, creating a collision domain and making traffic visible to all connected devices — a significant security risk (passive sniffing). A switch forwards traffic only to the specific port of the destination MAC address, reducing unnecessary traffic exposure. A router connects different networks (e.g., LAN to internet) and makes forwarding decisions based on IP addresses using routing tables. From a security perspective, switches are preferred over hubs, and routers enforce network segmentation.
4. What is VLAN and how does it improve security?
A VLAN (Virtual Local Area Network) logically segments a physical network into isolated broadcast domains, even on the same physical switch. Devices on different VLANs cannot communicate directly without passing through a router or firewall. This limits the blast radius of security incidents — a compromised device in one VLAN cannot directly access devices in another. Common use cases include separating guest Wi-Fi from internal networks, isolating IoT devices, and segregating PCI-DSS cardholder data environments from general corporate traffic.
5. What is the three-way handshake and how is it exploited?
The TCP three-way handshake establishes a connection: the client sends SYN, the server replies with SYN-ACK (allocating resources), and the client completes with ACK. A SYN flood attack exploits this by sending thousands of SYN packets with spoofed source IPs, causing the server to allocate resources for half-open connections that are never completed, exhausting server resources and causing a denial of service. Defences include SYN cookies (which delay resource allocation until the handshake completes) and rate-limiting SYN packets at the firewall.
6. What is the difference between IPv4 and IPv6?
IPv4 uses 32-bit addresses (4.3 billion unique addresses) in dotted-decimal notation (e.g., 192.168.1.1). IPv6 uses 128-bit addresses (340 undecillion unique addresses) in hexadecimal notation (e.g., 2001:0db8::1). IPv6 includes built-in IPsec support, eliminates NAT (since all devices can have globally unique IPs), has simplified headers for faster routing, and supports stateless address autoconfiguration. Security implications include that IPv6 may bypass security controls designed only for IPv4, and dual-stack environments introduce additional attack surface.
7. What is ARP and what is ARP poisoning?
ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on a local network. When a device wants to communicate with an IP address, it broadcasts an ARP request asking "who has this IP?" and the device with that IP responds with its MAC address. ARP poisoning (ARP spoofing) is an attack where an attacker sends fake ARP replies to associate their MAC address with a legitimate IP address, redirecting traffic through the attacker's machine for man-in-the-middle attacks. Dynamic ARP Inspection (DAI) on switches mitigates this.
8. What is DNS and what is DNS poisoning?
DNS (Domain Name System) translates human-readable domain names (www.example.com) into IP addresses. DNS poisoning (DNS cache poisoning) is an attack where an attacker injects false DNS records into a resolver's cache, causing users to be redirected to malicious IP addresses when they request a legitimate domain. This can facilitate phishing, credential theft, and malware distribution. DNSSEC (DNS Security Extensions) mitigates this by digitally signing DNS records. DoH (DNS over HTTPS) encrypts DNS traffic to prevent eavesdropping.
9. What is NAT and how does it affect security?
NAT (Network Address Translation) maps private IP addresses (10.x.x.x, 192.168.x.x, 172.16-31.x.x) to one or more public IP addresses, allowing many internal devices to share a single external IP. It provides a degree of security through obscurity by hiding internal IP addressing from external networks. However, NAT is not a security control and should not substitute a firewall. NAT complicates intrusion detection, makes peer-to-peer connections harder, and can interfere with protocols that embed IP addresses in payloads (such as SIP for VoIP).
10. What are common network ports and their security relevance?
Security professionals must know key ports: SSH (22), Telnet (23 — unencrypted, should not be used), SMTP (25), DNS (53), HTTP (80), HTTPS (443), SMB (445 — exploited by EternalBlue/WannaCry), RDP (3389 — targeted by brute force), IMAP (143), LDAP (389), Kerberos (88). Open ports represent an attack surface — port scanning with tools like Nmap reveals what services are exposed. Unnecessary ports should be closed via firewall rules. Ports below 1024 are well-known, 1024-49151 are registered, and above 49151 are dynamic/ephemeral.
Threats & Attacks
11. What is a man-in-the-middle (MITM) attack?
A MITM attack occurs when an attacker secretly intercepts and relays (and potentially alters) communication between two parties who believe they are communicating directly with each other. Common MITM techniques include ARP poisoning (on local networks), SSL stripping (downgrading HTTPS to HTTP), rogue Wi-Fi access points, and BGP hijacking. Defences include HTTPS everywhere with HSTS, certificate pinning in mobile apps, mutual TLS authentication, VPNs on untrusted networks, and DNSSEC.
12. What is a DDoS attack and how is it mitigated?
A Distributed Denial of Service (DDoS) attack floods a target (server, network, application) with traffic from many compromised machines (a botnet) to exhaust resources and make the service unavailable. Types include volumetric attacks (bandwidth exhaustion), protocol attacks (SYN floods, Ping of Death), and application layer attacks (HTTP floods). Mitigations include traffic scrubbing services (Cloudflare, AWS Shield), rate limiting, anycast network diffusion, black-hole routing for attack traffic, and Web Application Firewalls for Layer 7 attacks.
13. What is SQL injection and how is it prevented?
SQL injection is an attack where malicious SQL code is inserted into an input field that is directly incorporated into a database query, allowing the attacker to read, modify, or delete database data; bypass authentication; and in some cases execute OS commands. For example, entering ' OR '1'='1 in a login form may return all users. Prevention includes using parameterised queries (prepared statements), stored procedures, input validation and whitelisting, least privilege for database accounts, and WAFs. Never construct SQL queries by string concatenation with user input.
14. What is cross-site scripting (XSS)?
XSS is a web vulnerability where an attacker injects malicious scripts (typically JavaScript) into web pages viewed by other users. Stored XSS embeds the script in the database (e.g., a comment field) and executes whenever any user loads the page. Reflected XSS is included in a URL and executes when a victim clicks a crafted link. DOM-based XSS manipulates the client-side DOM. XSS can steal session cookies, redirect users, deface websites, or install keyloggers. Prevention includes output encoding, Content Security Policy (CSP) headers, and input validation.
15. What is a phishing attack?
Phishing is a social engineering attack where attackers deceive victims into revealing sensitive information (credentials, financial data) or installing malware by impersonating a trusted entity via email, SMS (smishing), or voice calls (vishing). Spear phishing targets specific individuals with personalised content using information gathered from social media or LinkedIn. Business Email Compromise (BEC) targets finance staff with fraudulent payment requests. Defences include email filtering (SPF, DKIM, DMARC), multi-factor authentication, security awareness training, and zero-trust principles.
16. What is ransomware and how does it spread?
Ransomware is malware that encrypts a victim's files and demands payment (usually cryptocurrency) for the decryption key. It spreads through phishing emails with malicious attachments, drive-by downloads exploiting unpatched browser vulnerabilities, RDP brute force on internet-exposed servers, exploitation of software vulnerabilities (e.g., EternalBlue via SMB), and supply chain attacks. Notable examples include WannaCry, NotPetya, and REvil. Defences include regular offline backups, network segmentation, endpoint protection, patching, and disabling SMBv1.
17. What is privilege escalation?
Privilege escalation is an attack where an attacker who has gained limited access to a system exploits vulnerabilities to gain higher privileges — typically administrator or root. Vertical escalation moves from a low-privileged user to a higher-privileged account. Horizontal escalation accesses another user account with the same privilege level to access their data. Techniques include exploiting misconfigurations (SUID binaries, weak file permissions), unpatched kernel vulnerabilities, token impersonation (Windows), sudo misconfigurations (Linux), and DLL hijacking.
18. What is a zero-day vulnerability?
A zero-day vulnerability is a security flaw in software that is unknown to the vendor and for which no official patch exists — giving defenders "zero days" to fix it before exploitation. Attackers who discover zero-days can exploit them before any protection is available. Zero-days are highly valuable and are sold on the dark web, used by nation-state actors, and have been used in attacks like Stuxnet and SUNBURST. Defences include defence-in-depth (network segmentation, least privilege), anomaly detection, application whitelisting, and timely patching when fixes are released.
19. What is lateral movement in a cyberattack?
Lateral movement refers to the techniques attackers use to progressively move through a network after gaining initial access, seeking higher privileges or access to more valuable assets. Common techniques include Pass the Hash (using captured NTLM hashes without knowing plaintext passwords), Pass the Ticket (using Kerberos tickets), remote service exploitation, using legitimate tools like PsExec and WMI (Living off the Land), and credential stuffing from dumped credentials. Detection relies on monitoring for unusual authentication patterns, anomalous service usage, and unusual network connections.
20. What is the MITRE ATT&CK framework?
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally recognised knowledge base of adversary tactics and techniques based on real-world observations. It organises attack behaviour into 14 tactics (from Reconnaissance through Impact) and hundreds of specific techniques and sub-techniques. Security teams use it to assess detection coverage, develop threat detection rules, conduct red/blue team exercises, and map defensive controls to known attack patterns. The framework is used in threat intelligence, SIEM rule development, and security assessments worldwide.
Firewalls & IDS
21. What are the different types of firewalls?
Packet filtering firewalls inspect individual packets against rules based on source/destination IP, port, and protocol — they are fast but stateless. Stateful inspection firewalls track the state of network connections and allow traffic based on context (e.g., allowing return traffic only if an outbound connection was established). Application-layer firewalls (proxy firewalls) inspect traffic at Layer 7 and understand application protocols (HTTP, FTP). Next-Generation Firewalls (NGFW) add deep packet inspection, intrusion prevention, application identification, user identity tracking, and SSL inspection.
22. What is the difference between IDS and IPS?
An IDS (Intrusion Detection System) monitors network traffic or host activity for suspicious behaviour and generates alerts without taking action — it is passive. An IPS (Intrusion Prevention System) sits inline with traffic and can actively block or drop malicious packets when threats are detected. Both use signature-based detection (matching known patterns), anomaly-based detection (identifying deviations from baseline), and heuristic analysis. False positives are a key challenge: IPS false positives can block legitimate traffic, so they require careful tuning before deployment in prevention mode.
23. What is a DMZ and why is it used?
A DMZ (Demilitarised Zone) is a network segment placed between the internet and the internal corporate network, containing public-facing servers (web servers, email gateways, VPN concentrators). Traffic from the internet is allowed to reach the DMZ but not the internal network directly. A second firewall separates the DMZ from the internal network. Even if a DMZ server is compromised, the attacker still needs to penetrate the internal firewall. This two-firewall architecture (or three-tier) significantly limits the exposure of internal systems to internet-borne attacks.
24. What is stateful inspection in a firewall?
Stateful inspection (also called dynamic packet filtering) maintains a state table tracking active network connections. When an outbound connection is established (e.g., a user requests a web page), the firewall notes the connection parameters (source/destination IP, port, sequence numbers). Return traffic is allowed only if it matches an entry in the state table. This prevents attackers from injecting unsolicited inbound packets that appear to be legitimate responses. Stateless firewalls are vulnerable to certain spoofing attacks that stateful firewalls block by validating connection state.
25. What are WAF (Web Application Firewall) and its role?
A WAF inspects HTTP/HTTPS traffic at the application layer to protect web applications from attacks such as SQL injection, XSS, CSRF, and OWASP Top 10 vulnerabilities. It can operate in negative security mode (blocking known bad patterns using signatures) or positive security mode (allowing only known good patterns). Cloud WAFs (Cloudflare, AWS WAF, Azure Front Door) sit in front of web applications and provide protection without modifying application code. WAFs are not a substitute for secure coding but add an additional layer of defence and provide valuable logging for forensic analysis.
26. What is port scanning and how is it detected?
Port scanning probes a target IP address to discover open ports and identify running services, commonly done with Nmap. Techniques include TCP SYN scan (half-open, stealthy), TCP connect scan (full three-way handshake, noisy), UDP scan, and service version detection (-sV). OS fingerprinting (-O) identifies the target operating system. Detection involves monitoring for sequential port probes from a single source, connections to closed ports, and abnormal traffic volumes from an IP. IDS/IPS systems have signatures for common scan patterns. nmap -sS -p- -T4 target is a common full port SYN scan.
27. What is Network Address Translation (NAT) traversal in the context of VPNs?
NAT-T (NAT Traversal) solves the problem that standard IPsec encapsulates packets in a way that NAT devices cannot modify (because NAT changes IP headers which IPsec protects). NAT-T encapsulates IPsec packets inside UDP port 4500, allowing NAT devices to translate the outer UDP headers without violating the IPsec integrity protection. It is automatically negotiated between IPsec peers when NAT is detected. Without NAT-T, IPsec VPNs fail through NAT devices. Most modern VPN implementations support NAT-T by default.
28. What is a honeypot and how is it used?
A honeypot is a security resource that has no production value and is designed to be attacked or compromised — any interaction with it signals malicious activity. Low-interaction honeypots emulate services (SSH, HTTP) and log connection attempts. High-interaction honeypots run real operating systems and capture attacker tools and techniques in detail. Honeypots are used to gather threat intelligence about attacker TTPs, detect lateral movement in internal networks, and delay attackers. A honeynet is a network of honeypots. They must be carefully isolated to prevent attackers from using them as jump points.
29. What is network segmentation and why is it a security best practice?
Network segmentation divides a network into smaller subnetworks (segments) with controlled access between them using firewalls, ACLs, and VLANs. It limits lateral movement — a compromised device in one segment cannot freely communicate with all other devices. It reduces the blast radius of a ransomware infection or data breach. It enables applying stricter security controls to sensitive segments (e.g., payment systems, HR data, industrial control systems) without affecting the entire network. Zero Trust architecture extends this by applying segment-of-one principles to every user and device.
30. What is the principle of least privilege in network security?
The principle of least privilege means granting users, systems, and processes only the minimum access rights necessary to perform their specific function. Applied to network security: users should only have access to the network segments they need, services should only have access to the databases they require, and firewall rules should permit only the specific ports and protocols necessary for business purposes. This limits the damage an attacker can cause if they compromise an account or system. Least privilege is enforced through role-based access control (RBAC), ACLs, and network micro-segmentation.
Cryptography & PKI
31. What is the difference between symmetric and asymmetric encryption?
Symmetric encryption uses the same key for both encryption and decryption — it is fast and suitable for encrypting large amounts of data. AES is the gold standard symmetric algorithm. The challenge is securely exchanging the shared key. Asymmetric encryption uses a mathematically linked key pair: a public key (shared openly) for encryption and a private key (kept secret) for decryption (or signing and verification). RSA and ECC are common asymmetric algorithms. It is slower but solves the key exchange problem. TLS uses asymmetric encryption to exchange a symmetric session key.
32. What is the difference between hashing, encryption, and encoding?
Hashing is a one-way transformation that converts data into a fixed-size digest (fingerprint) — it cannot be reversed and is used for integrity verification and password storage (bcrypt, SHA-256). Encryption is a two-way transformation that converts plaintext to ciphertext using a key — it can be reversed with the correct key and is used for confidentiality. Encoding converts data to a different format using a publicly known scheme (Base64, URL encoding) for compatibility — it is not a security control and can be trivially reversed. Confusing encoding with encryption is a common security mistake.
33. What is PKI (Public Key Infrastructure)?
PKI is the framework of policies, roles, hardware, software, and procedures that manage digital certificates and public-key encryption. It consists of a Certificate Authority (CA) that issues and signs digital certificates, a Registration Authority (RA) that verifies identities before certificate issuance, and a Certificate Revocation List (CRL) or OCSP for checking certificate validity. Digital certificates bind a public key to an identity, allowing parties to establish trust. PKI is the foundation of HTTPS, email signing (S/MIME), code signing, and VPN authentication.
34. What is TLS and how does the TLS handshake work?
TLS (Transport Layer Security) encrypts data in transit between a client and server. The TLS 1.3 handshake: the client sends a ClientHello with supported cipher suites and a random value; the server responds with a ServerHello selecting the cipher suite, its certificate, and a key share; the client verifies the certificate against trusted CAs, sends its key share; both sides derive the session keys from the key exchange. All subsequent communication is encrypted with symmetric encryption using the negotiated session keys. HTTPS is HTTP over TLS (port 443).
35. What is the difference between SSL and TLS?
SSL (Secure Sockets Layer) was the original protocol for encrypting web communications. SSL 2.0 and 3.0 have serious known vulnerabilities (POODLE, DROWN) and are deprecated. TLS (Transport Layer Security) is the successor to SSL, with TLS 1.0 through 1.3 progressively fixing vulnerabilities. TLS 1.3 (2018) removes support for weak cipher suites, requires forward secrecy for all sessions, and simplifies the handshake. Despite common usage, "SSL" typically refers to TLS in modern contexts. TLS 1.0 and 1.1 are deprecated by most browsers as of 2020 — TLS 1.2 and 1.3 should be used.
36. What is forward secrecy?
Forward secrecy (also called perfect forward secrecy, PFS) ensures that even if a server's private key is compromised in the future, past encrypted communications cannot be decrypted. It is achieved by using ephemeral key exchange algorithms (Diffie-Hellman Ephemeral — DHE, or Elliptic Curve DHE — ECDHE) to generate a unique session key for each TLS session that is never stored. Without forward secrecy, an attacker who records encrypted traffic today could decrypt it tomorrow if they obtain the server's private key. TLS 1.3 mandates forward secrecy for all connections.
37. What is a digital signature and how does it work?
A digital signature proves the authenticity and integrity of a message or document. The sender hashes the message using a cryptographic hash function (SHA-256) and then encrypts the hash with their private key — this is the signature. The recipient decrypts the signature with the sender's public key to recover the hash and independently computes the hash of the received message. If both hashes match, the signature is valid, proving the message was not tampered with and was sent by the private key holder. Digital signatures are used in code signing, SSL certificates, email (S/MIME), and blockchain.
38. What is multi-factor authentication (MFA)?
MFA requires users to provide two or more authentication factors from different categories: something you know (password, PIN), something you have (hardware token, authenticator app, smart card), and something you are (fingerprint, face recognition, voice). Requiring multiple factors ensures that compromising one factor (e.g., stealing a password) is insufficient for an attacker to gain access. TOTP (Time-based One-Time Passwords, used in Google Authenticator) generates 6-digit codes expiring every 30 seconds. FIDO2/WebAuthn hardware keys (YubiKey) are the strongest form of MFA, resistant to phishing.
39. What is a certificate transparency log?
Certificate Transparency (CT) is a public, auditable log of all SSL/TLS certificates issued by certificate authorities. Any CA that issues a certificate must submit it to one or more CT logs, and browsers require SCTs (Signed Certificate Timestamps) as proof of CT logging. This makes it impossible to issue a rogue certificate for a domain without the domain owner being able to detect it. CT logs allow organisations to monitor for unauthorised certificates issued for their domains. Monitoring services (crt.sh, Facebook CT Monitoring) alert when new certificates are issued.
40. What is key management and why is it critical?
Key management encompasses the generation, distribution, storage, rotation, and revocation of cryptographic keys. Poor key management undermines even strong encryption — encryption is only as secure as the key. Best practices include using hardware security modules (HSMs) for key storage and operations, regular key rotation (especially after potential compromise), never storing keys in source code, using envelope encryption (encrypting data keys with master keys), separating encryption and decryption duties, and maintaining complete key lifecycle documentation. AWS KMS, Azure Key Vault, and HashiCorp Vault are enterprise key management solutions.
Incident Response
41. What are the phases of the incident response lifecycle?
NIST defines six incident response phases: Preparation (establishing policies, tools, team structure, and playbooks before an incident), Identification (detecting and confirming that an incident has occurred), Containment (limiting the damage by isolating affected systems — short-term containment first, then long-term), Eradication (removing the root cause — malware, backdoors, compromised accounts), Recovery (restoring systems to normal operation and monitoring for recurrence), and Lessons Learned (post-incident review to improve processes). SANS uses a similar framework called PICERL.
42. What is a SIEM and what is it used for?
A SIEM (Security Information and Event Management) system collects, aggregates, and correlates log data from across the IT environment (firewalls, endpoints, servers, applications, network devices) and provides real-time analysis for threat detection, alerts, and compliance reporting. It uses rules and machine learning to detect suspicious patterns that no single log source would reveal (e.g., multiple failed logins followed by a successful login from a different country). Popular SIEMs include Splunk, Microsoft Sentinel, IBM QRadar, and Elastic SIEM. SIEMs are the cornerstone of SOC operations.
43. What is log analysis and what logs are most important for security?
Security log analysis involves collecting, normalising, and reviewing logs from across the environment to detect malicious activity, investigate incidents, and meet compliance requirements. Critical log sources include Windows Security Event Logs (authentication, privilege use, process creation), firewall and network device logs (connection attempts, blocked traffic), web server access logs (URL requests, error codes), DNS query logs (unusual domain lookups indicate C2 communication), and endpoint detection and response (EDR) telemetry. Log retention of at least 90 days (and ideally 1 year) is recommended for forensic investigations.
44. What is a forensic image and why is it taken?
A forensic image is a bit-for-bit copy of a storage device (including slack space, deleted files, and unallocated space) taken using write-blocker hardware or forensic imaging tools (FTK Imager, dd, dcfldd). It is taken to preserve evidence in its original state without modifying the source drive — working on a copy ensures the integrity of evidence for legal proceedings. An MD5 or SHA-256 hash of both the original and the image confirms the copy is exact. Forensic images enable investigators to examine files, browser history, registry entries, and recover deleted data.
45. What is chain of custody in digital forensics?
Chain of custody is the documented, chronological record of evidence collection, handling, transfer, and storage that demonstrates the integrity and reliability of digital evidence. Every person who handles evidence must be documented with timestamps, locations, and the purpose of access. Any gap in chain of custody can make evidence inadmissible in court. Best practices include using tamper-evident packaging, using write-blockers during evidence acquisition, logging every action taken during forensic analysis, and maintaining multiple certified copies. Chain of custody is critical for both criminal investigations and civil litigation involving digital evidence.
46. What is threat hunting?
Threat hunting is a proactive security practice where analysts actively search for hidden threats, adversaries, or malicious activity within a network that have evaded automated detection systems (IDS, SIEM, EDR). Unlike reactive alert-based investigation, hunters form hypotheses based on threat intelligence and ATT&CK techniques, then actively search logs, endpoints, and network data for evidence. Common tools include Splunk, Elastic, osquery, Zeek, and Velociraptor. Effective threat hunting requires deep knowledge of normal baseline behaviour so anomalies are recognisable.
47. What is vulnerability scanning vs penetration testing?
Vulnerability scanning is an automated process that identifies known vulnerabilities in systems, applications, and configurations using tools like Nessus, Qualys, and OpenVAS. It is non-exploitative and provides a broad inventory of potential weaknesses with severity ratings. Penetration testing (pen testing) goes further — ethical hackers actively attempt to exploit vulnerabilities to demonstrate real-world impact, chain multiple vulnerabilities together, and test detective and preventive controls. Pen testing provides evidence of actual risk; vulnerability scanning identifies potential risk. Both should be performed regularly, with pen tests typically annually or after significant changes.
48. What is a SOC and what do analysts do?
A SOC (Security Operations Centre) is a centralised team responsible for continuously monitoring, detecting, analysing, and responding to cybersecurity incidents in an organisation. Tier 1 analysts monitor the SIEM queue, triage alerts, and escalate confirmed incidents. Tier 2 analysts perform deeper investigation, correlate events across multiple sources, and lead incident response. Tier 3 analysts are senior experts handling advanced threats, malware analysis, forensics, and threat hunting. SOC analysts use SIEM, EDR, SOAR (security orchestration and automation), and threat intelligence platforms daily.
49. What is SOAR and how does it differ from SIEM?
SOAR (Security Orchestration, Automation, and Response) automates and orchestrates security workflows by integrating multiple security tools and executing pre-defined playbooks in response to alerts. While SIEM collects and correlates logs to detect threats and generate alerts, SOAR takes action on those alerts — automatically enriching them (IP reputation lookup, threat intelligence), isolating endpoints, blocking IPs at the firewall, and notifying stakeholders. SOAR reduces mean time to respond (MTTR) and handles high alert volumes that overwhelm analyst teams. Examples include Palo Alto XSOAR, Splunk SOAR, and Microsoft Sentinel.
50. What is the difference between a red team and a blue team?
A red team simulates adversaries to test an organisation's defences by conducting realistic attack scenarios — phishing, exploiting vulnerabilities, lateral movement, data exfiltration — while remaining undetected as long as possible. A blue team is the defensive security team that monitors, detects, and responds to attacks, including the red team's simulated attacks. A purple team exercise combines both teams working together simultaneously — the red team shares their TTPs in real-time with the blue team to improve detection and response capabilities collaboratively. Red vs. blue exercises reveal gaps in detection and response that automated tools cannot measure.