What is a Security Operations Centre?
A SOC is a centralised team responsible for monitoring, detecting, analysing, and responding to cybersecurity incidents. Large organisations operate their own in-house SOC (often 24/7); smaller organisations outsource to a Managed Security Service Provider (MSSP) that operates a shared SOC for multiple clients.
The SOC is built around a SIEM platform, a system that collects and normalises logs from across the organisation (firewalls, endpoints, identity providers, cloud services, applications), correlates them, and applies detection rules (and, on some platforms, analytics or machine learning) to flag suspicious activity. Each flag becomes an alert, and every alert that tuning or SOAR automation does not close lands in a queue where a human analyst has to decide: real threat or false positive?
The SOC analyst tier structure
- Tier 1: Alert Triage Analyst — The entry-level role. Monitors the SIEM dashboard, triages incoming alerts, determines whether an alert is a true positive or a false positive, and escalates confirmed incidents to Tier 2. Requires a solid understanding of common attack patterns and the ability to follow runbooks and escalation procedures. The most common entry role for new cybersecurity professionals.
- Tier 2: Incident Responder / Investigator — Receives escalated incidents from Tier 1 and performs deeper investigation. Performs initial analysis of malware samples (typically via sandboxing), reviews endpoint forensic data, correlates events across multiple log sources, and leads the technical response to confirmed breaches. Often holds GCIH, Security+, or CEH certification.
- Tier 3: Threat Hunter / Senior Analyst — Proactively searches for threats that have evaded automated detection. Writes custom detection rules, performs advanced forensic analysis, integrates threat intelligence into detections, and mentors Tier 1/2 analysts. Often holds GCFA, GCFE, or other advanced certifications.
A SOC analyst's day
A Tier 1 SOC analyst shift typically looks like this:
- Handover brief: Review incidents from the previous shift — what's ongoing, what needs follow-up, any active threats.
- Alert triage: Work through the alert queue. For each alert: establish the context (source and destination IP, user account, host, time of day, whether the activity is normal for that user or system), check the indicators against threat intelligence feeds and internal allowlists, and determine true positive or false positive.
- Incident creation: For confirmed true positives, create an incident ticket with findings, evidence (log extracts or screenshots, indicators such as IPs, hashes and accounts), and a severity classification.
- Escalation: Escalate high-severity incidents to Tier 2 or the Incident Response team according to the SOC playbook.
- Documentation: Update runbooks, close resolved alerts, contribute to shift reports.
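The two halves of this workflow, SIEM correlation turning raw log lines into alerts and Tier 1 triage turning alerts into a verdict, severity and escalation decision, are easier to see in code than in prose. The following is an added example written for this page, not code from any SIEM product or from VAPTIC. The log format, the two rules, the threat-intel hit list, the scanner allowlist, the business-hours window and all usernames and addresses are constructed for illustration (RFC 5737 documentation IP ranges), and the verdict logic is a deliberately simplified stand-in for a real playbook.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication events (RFC 5737 documentation addresses,
# invented usernames and hostnames); not logs from any real system.
SAMPLE_LOGS = """\
2024-05-02T02:14:07Z auth sso-gw user=j.smith src=203.0.113.45 result=FAIL
2024-05-02T02:14:09Z auth sso-gw user=j.smith src=203.0.113.45 result=FAIL
2024-05-02T02:14:12Z auth sso-gw user=j.smith src=203.0.113.45 result=FAIL
2024-05-02T02:14:15Z auth sso-gw user=j.smith src=203.0.113.45 result=FAIL
2024-05-02T02:14:20Z auth sso-gw user=j.smith src=203.0.113.45 result=SUCCESS
2024-05-02T09:30:01Z auth sso-gw user=a.lee src=198.51.100.7 result=SUCCESS
2024-05-02T09:31:44Z auth sso-gw user=a.lee src=198.51.100.7 result=FAIL
2024-05-02T22:10:00Z auth sso-gw user=svc-scanner src=192.0.2.10 result=SUCCESS
"""

# Hypothetical stand-ins for the context an analyst consults during triage:
# a threat-intel feed hit list and an allowlist of approved internal scanners.
THREAT_INTEL_IOCS = {"203.0.113.45"}
APPROVED_SCANNERS = {"192.0.2.10"}
BUSINESS_HOURS_UTC = range(7, 20)          # 07:00-19:59 UTC counts as normal
BRUTE_FORCE_THRESHOLD = 3                  # failures before a success is suspicious
BRUTE_FORCE_WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)

def parse_events(text):
    """Parse key=value auth lines into dicts, oldest first; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect(events):
    """SIEM-style correlation: emit raw alerts from two simple rules."""
    alerts = []
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    # Rule 1: N or more failures from one source, then a success, inside the window.
    for src, evs in by_src.items():
        recent_fails = []
        for ev in evs:
            if ev["result"] == "FAIL":
                recent_fails.append(ev["ts"])
            elif ev["result"] == "SUCCESS":
                in_window = [t for t in recent_fails
                             if ev["ts"] - t <= BRUTE_FORCE_WINDOW]
                if len(in_window) >= BRUTE_FORCE_THRESHOLD:
                    alerts.append({"rule": "brute_force_then_success", "src": src,
                                   "user": ev["user"], "ts": ev["ts"]})
                recent_fails = []          # a success ends the failure streak

    # Rule 2: any successful login outside business hours.
    for ev in events:
        if ev["result"] == "SUCCESS" and ev["ts"].hour not in BUSINESS_HOURS_UTC:
            alerts.append({"rule": "off_hours_login", "src": ev["src"],
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts

def triage(alert):
    """Tier 1 triage: enrich with context, decide TP/FP, set severity, escalate."""
    src = alert["src"]
    ti_hit = src in THREAT_INTEL_IOCS
    allowlisted = src in APPROVED_SCANNERS
    result = dict(alert, ti_hit=ti_hit)

    if allowlisted and alert["rule"] == "off_hours_login":
        # Approved scanner on its scheduled job: expected, so a false positive.
        result.update(verdict="false_positive", severity="info")
    elif alert["rule"] == "brute_force_then_success":
        # Success after a burst of failures is a likely account compromise;
        # a threat-intel hit on the source raises the severity.
        result.update(verdict="true_positive",
                      severity="high" if ti_hit else "medium")
    elif ti_hit:
        result.update(verdict="true_positive", severity="medium")
    else:
        # Odd timing alone is not conclusive; leave it for a human to check.
        result.update(verdict="needs_review", severity="low")

    # Playbook rule (hypothetical): confirmed high-severity incidents go to Tier 2.
    result["escalate"] = (result["verdict"] == "true_positive"
                          and result["severity"] == "high")
    return result

def run_triage(log_text):
    """End to end: parse -> correlate -> triage; one verdict dict per alert."""
    return [triage(a) for a in detect(parse_events(log_text))]

if __name__ == "__main__":
    for v in run_triage(SAMPLE_LOGS):
        print(f"{v['ts']:%H:%M:%S} {v['rule']:<26} {v['user']:<12} {v['src']:<14} "
              f"{v['verdict']:<14} {v['severity']:<6} escalate={v['escalate']}")
```

Running it produces three alerts: the j.smith brute-force-then-success from a threat-intel-listed address is a high-severity true positive that escalates, the same login also trips the off-hours rule (a real SIEM would correlate the two into one incident rather than two tickets), and the scanner's late-night login is closed as a false positive because its source is on the allowlist. Two practitioner caveats: an allowlist that auto-closes alerts is itself an attack surface, since a compromised "trusted" host inherits the suppression, so allowlists need periodic review; and a real triage pulls in far more context than this (EDR telemetry for the host, the user's usual locations and devices, whether MFA was satisfied) before calling anything a true positive.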
Core SOC tools
- SIEM: Splunk, Microsoft Sentinel, IBM QRadar, Elastic SIEM — the central platform for log aggregation and alert generation.
- EDR: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint — endpoint detection and response for host-level visibility (process trees, file and registry activity, network connections per host).
- Threat Intelligence and enrichment: VirusTotal, AlienVault OTX, MISP — context and reputation for indicators of compromise (IOCs) such as IPs, domains and file hashes.
- Ticketing / SOAR: ServiceNow, Jira, Palo Alto Cortex XSOAR — managing incident workflows and automating repetitive enrichment and response tasks.
- Network Analysis: Wireshark (packet captures), Zeek (network metadata and connection logs), Security Onion (a bundled network security monitoring distribution) — analysing packet captures and network flow data during an investigation.
Certifications for SOC analysts
The most common certification path for SOC analysts:
- CompTIA Security+ SY0-701: The standard foundation cert — commonly required for Tier 1 roles, especially in government and defence, where it satisfies baseline workforce requirements.
- EC-Council CSA (Certified SOC Analyst): Specifically designed for SOC analysts — covers SIEM operations, incident detection, and SOC procedures.
- CEH v13: Understanding attacker techniques makes SOC analysts better at recognising what an alert actually represents and at investigating it.
- GIAC GCIH (Incident Handler): Advanced certification for Tier 2 analysts specialising in incident response.
Security+ SY0-701 is the baseline credential for SOC analysts. CEH v13 adds the offensive understanding that makes you stand out. VAPTIC offers both.