What a SOC actually is
A Security Operations Centre is the dedicated team — and in larger organisations, a physical facility — responsible for monitoring an organisation's entire technology environment around the clock. The SOC is where security alerts land, where incidents are investigated, and where the decision to escalate, contain, or close a threat is made.
Think of it as the nerve centre of an organisation's security posture. Every endpoint, every server, every network connection, every cloud workload generates telemetry. The SOC exists to watch that telemetry continuously and act when something looks wrong.
The core functions of a SOC cover five areas: continuous monitoring (watching all systems in real time), threat detection (identifying suspicious patterns in the noise), incident response (containing and eradicating confirmed threats), vulnerability management (tracking and prioritising unpatched exposure), and threat intelligence (using external data to enrich internal alerts and anticipate emerging risks).
SOC tier structure
Most SOCs operate on a tiered analyst model. Each tier has a defined scope of work and a clear escalation path to the next level. Understanding the tiers is essential if you want to build a career in security operations — because the vast majority of SOC careers start at Tier 1.
Tier 1 — Alert Triage Analyst
The first line of defence. Tier 1 analysts monitor the alert queue, review incoming events, dismiss confirmed false positives, and escalate genuine incidents to Tier 2. The workload is high-volume and fast-paced — a Tier 1 analyst in an enterprise SOC may process hundreds of alerts per shift. The skill is not technical sophistication; it is speed, discipline, and knowing what to escalate.
Tier 2 — Incident Responder
Tier 2 analysts take escalated incidents and investigate them in depth. This includes correlating evidence across multiple data sources, performing initial containment actions (isolating a host, blocking an IP), enriching alerts with threat intelligence, and conducting basic forensic analysis. Tier 2 is where most of the substantive security work happens.
Tier 3 — Threat Hunter / Senior IR Lead
Tier 3 analysts are the most experienced members of the team. They lead complex incident investigations, perform proactive threat hunting (searching for adversaries that have evaded automated detection), develop new detection rules, build automation playbooks, and mentor junior analysts. Not all SOCs have a dedicated Tier 3 — in smaller teams, this role may be shared.
The hardest part of SOC work isn't technical — it's managing alert fatigue. A Tier 1 analyst may review 1,000+ alerts per shift. The skill is knowing which 3 to escalate.
Key SOC tools
A modern SOC operates across several interconnected technology platforms. No single tool covers everything — the SOC technology stack is designed so each layer feeds context into the next.
- SIEM (Security Information and Event Management): The central log aggregation and correlation engine. Collects logs from all sources and generates alerts based on detection rules. Examples: Splunk, Microsoft Sentinel, IBM QRadar.
- EDR (Endpoint Detection and Response): Provides deep telemetry from individual endpoints — process creation, file changes, network connections, registry modifications. Examples: CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne.
- SOAR (Security Orchestration, Automation and Response): Automates repetitive SOC tasks and coordinates response workflows across tools. Reduces mean time to respond by eliminating manual steps. Examples: Palo Alto XSOAR, Splunk SOAR.
- Threat Intelligence Feeds: External data sources providing indicators of compromise (IOCs), threat actor profiles, and emerging attack patterns. Used to enrich alerts and prioritise response.
- Ticketing System: Tracks every incident from detection through closure. Provides audit trail and performance metrics. Examples: JIRA Service Management, ServiceNow.
In-house SOC vs MSSP
Building a SOC is expensive. Round-the-clock coverage requires shift workers, tooling licences, and significant ongoing training investment. For organisations that cannot justify that cost, a Managed Security Service Provider (MSSP) offers an alternative — outsourcing the monitoring, detection, and initial response function to a specialist third party.
In-house SOCs offer deeper context (the team knows the organisation's environment, normal behaviour, and risk priorities) and greater control over tooling and processes. MSSPs offer 24/7 coverage at substantially lower cost, which makes them practical for mid-market organisations that need security operations but cannot staff a full internal team.
Hybrid models are increasingly common: an organisation maintains a small internal security team focused on strategy, IR leadership, and tool ownership, while an MSSP handles the continuous monitoring and Tier 1 alert triage function.
A day in a SOC
SOC work follows a consistent rhythm regardless of organisation size. A typical analyst shift looks like this:
- Shift handover briefing: Incoming team reviews open incidents, escalated tickets, and any ongoing investigations from the previous shift.
- Alert queue review: Work through the incoming alert queue from the SIEM, triaging each alert as false positive, low priority, or escalation candidate.
- False positive dismissal and tuning: Close confirmed false positives and document the pattern to improve detection rule accuracy.
- Escalation and incident documentation: Confirmed incidents are opened as formal tickets, enriched with evidence, and handed to Tier 2 if they require deeper investigation.
- Threat intelligence check: Review any new IOCs or threat actor advisories relevant to the organisation's sector or technology stack.
- Ticket closure and reporting: Close resolved incidents, update documentation, and contribute to the shift handover notes for the incoming team.
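To show how the shift steps above fit together with the tool stack (SIEM alert, threat-intel enrichment, tuned false positives, escalation to Tier 2), here is a small Python triage pass. It is an added, constructed example, not code from the original page or from any SOC product; every rule name, host, user and IOC value is made up (the addresses are documentation ranges).

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed threat-intel feed of IOCs (documentation-range addresses, not real indicators).
IOC_FEED = {"198.51.100.23", "203.0.113.77"}
# Constructed tuning list: (rule, user) pairs a previous shift documented as benign.
TUNED_FALSE_POSITIVES = {("failed_login", "svc-backup")}

@dataclass
class Alert:
    alert_id: str
    rule: str       # name of the SIEM detection rule that fired
    host: str
    user: str
    remote_ip: str  # "" when the rule carries no network context
    severity: str   # "low", "medium" or "high"

def triage_alert(alert, ioc_feed=IOC_FEED, tuned=TUNED_FALSE_POSITIVES):
    """Tier 1 verdict for one alert: 'false_positive', 'low' or 'escalate'."""
    if (alert.rule, alert.user) in tuned:
        return "false_positive", ["matches documented false-positive pattern"]
    reasons = []
    if alert.remote_ip in ioc_feed:
        reasons.append(f"remote IP {alert.remote_ip} matches threat-intel IOC")
    if alert.severity == "high":
        reasons.append("high-severity detection rule")
    if reasons:
        return "escalate", reasons
    return "low", ["no IOC match, severity below escalation threshold"]

def triage_queue(alerts, min_distinct_rules=2):
    """Triage a queue, then re-rate 'low' alerts on hosts where several distinct rules fired."""
    verdicts = {a.alert_id: triage_alert(a) for a in alerts}
    rules_per_host = defaultdict(set)  # correlation across alerts, the Tier 2 habit
    for a in alerts:
        if verdicts[a.alert_id][0] != "false_positive":
            rules_per_host[a.host].add(a.rule)
    for a in alerts:
        verdict, reasons = verdicts[a.alert_id]
        if verdict == "low" and len(rules_per_host[a.host]) >= min_distinct_rules:
            verdicts[a.alert_id] = ("escalate", reasons + [
                f"{len(rules_per_host[a.host])} distinct rules fired on {a.host} this shift"])
    return verdicts

# Constructed sample alert queue for one shift.
SAMPLE_QUEUE = [
    Alert("A1", "failed_login", "srv-bak-01", "svc-backup", "", "low"),
    Alert("A2", "outbound_connection", "ws-017", "jdoe", "198.51.100.23", "medium"),
    Alert("A3", "new_scheduled_task", "ws-017", "jdoe", "", "low"),
    Alert("A4", "usb_device_inserted", "ws-099", "asmith", "", "low"),
]
```

Running `triage_queue(SAMPLE_QUEUE)` dismisses A1, escalates A2 on the IOC match, escalates A3 only because a second rule already fired on the same host, and leaves A4 at low priority.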