October 18, 2024

What Is A SOC Analyst And What Do They Do?

Discover the essential role SOC Analysts play in defending organizations against cyber threats.

An image of a futuristic Security Operations Centre

Are you considering a career in cyber security? Or perhaps a move from a different cyber specialism? Often considered a good entry level cyber security role, a SOC analyst role (sometimes referred to as information security analyst, amongst other titles) can provide a great gateway into the world of cyber security.

Organisations from small to large employ SOC analysts to protect the organisation from cyber threats. However, in an increasingly challenging job market, it is important that you understand the requirements of the role, and set yourself goals and targets to better differentiate yourself.

Browse our latest SOC analyst jobs today to take the next step in your cyber security career.

What is a SOC?

SOC is an acronym for Security Operations Centre. A SOC is a function responsible for identifying and responding to cyber security threats that target an organisation. A SOC achieves this by receiving log information from computers, servers and other devices on the organisation's network, and processing that information into alerts that identify potential cyber security threats.

Depending on the organisation's size, budget, risk profile and general attitude to cyber security, a SOC can be composed of different teams/sub-functions:

  • Tier 1/2/3 SOC Analysts - (more on this below).
  • Digital forensics - Digital forensic experts, akin to traditional forensic experts, are responsible for conducting digital forensic investigations. This may include dissecting and analysing malware, building timelines of evidence and more.
  • Detection engineers - Responsible for creating and maintaining SOC tooling such as rulesets in a SIEM or SOAR, including management of the tooling itself.
  • Cyber threat intelligence - Tasked with understanding the organisation's threats and ensuring suitable defences are in place to identify or eliminate an attack.
  • Threat hunters - Threat hunters are responsible for continuously searching for previously unidentified threats through a process known as threat hunting.

Interested to know more about SOCs, drop me a message on Mastodon at @totalcyber.

What is a SOC Analyst and what do they do?

In a traditional SOC structure, a SOC Analyst sits in one of three tiers: tier 1, tier 2 and tier 3. There is a drive within the industry to move away from this model, but however much it is disguised, you will still loosely see it employed by most SOCs.

What does a Tier 1 SOC Analyst do?

A Tier 1 SOC analyst is responsible for the initial triage and investigation of cyber security alerts. Alerts are often generated in a central monitoring platform, and it is the responsibility of the analyst to analyse the alert and determine the course of action. This includes identifying the source of the incident, determining its scope and assessing its impact.

Tier 1 analysts are also responsible for providing initial response and containment measures, as well as escalating incidents to higher tiers if necessary. For example, a containment measure could be to isolate a computer if there is a suspicion that an attacker has gained remote control. This is where security analysts typically spend most of their time.

Tier 1 analysts are typically the least experienced analysts, and their primary function is to monitor event logs for suspicious activity. When they feel something needs further investigation, they gather as much information as possible and escalate the incident to Tier 2.
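As an added example that is not part of the original article: the pipeline described above, raw log lines in and an alert out, in miniature, with the alert carrying the three things a Tier 1 analyst triages first (source, scope and impact). The log format, host names, accounts and IP addresses are constructed for illustration, and the rule itself (five failed logons from one source within sixty seconds, escalated if a success follows) is an assumed threshold, not one the article specifies.

```python
"""Toy SIEM-style detection: turn raw logon events into a triaged alert.

Constructed example (not from the original article). The log format below is
invented for illustration; a real SIEM normalises vendor formats first.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs: a burst of failed logons from 203.0.113.5
# (a documentation address) against host FS01, ending in a successful logon,
# plus one unrelated, benign failure from an internal workstation.
SAMPLE_LOGS = """\
2024-10-18T09:00:01Z host=FS01 event=logon result=failure user=alice src=203.0.113.5
2024-10-18T09:00:04Z host=FS01 event=logon result=failure user=alice src=203.0.113.5
2024-10-18T09:00:07Z host=FS01 event=logon result=failure user=bob src=203.0.113.5
2024-10-18T09:00:10Z host=FS01 event=logon result=failure user=bob src=203.0.113.5
2024-10-18T09:00:13Z host=FS01 event=logon result=failure user=carol src=203.0.113.5
2024-10-18T09:00:16Z host=FS01 event=logon result=success user=carol src=203.0.113.5
2024-10-18T09:05:00Z host=WS42 event=logon result=failure user=dave src=10.0.0.7
2024-10-18T09:30:00Z host=WS42 event=logon result=success user=dave src=10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=logon result=(?P<result>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

FAILURE_THRESHOLD = 5           # assumed rule: this many failures from one source...
WINDOW = timedelta(seconds=60)  # ...within this window trips the alert


def parse_line(line):
    """Return a dict for a logon event, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_brute_force(log_text):
    """Raise one alert per source IP whose failures exceed the threshold.

    Each alert carries the triage fields a Tier 1 analyst needs: the source,
    the scope (hosts and accounts targeted) and the impact (whether a logon
    from that source succeeded after the burst, which is what turns a noisy
    medium into a high that needs containment).
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["result"] == "failure"]
        # Sliding window: is there any run of FAILURE_THRESHOLD failures
        # whose first and last timestamps are within WINDOW of each other?
        burst_end = None
        for i in range(len(failures)):
            j = i + FAILURE_THRESHOLD - 1
            if j < len(failures) and failures[j]["ts"] - failures[i]["ts"] <= WINDOW:
                burst_end = failures[j]["ts"]
                break
        if burst_end is None:
            continue
        success_after = [e for e in evs
                         if e["result"] == "success" and e["ts"] >= burst_end]
        alerts.append({
            "rule": "brute_force_logon",
            "source": src,
            "scope": {
                "hosts": sorted({e["host"] for e in failures}),
                "accounts": sorted({e["user"] for e in failures}),
            },
            "impact": "success_after_burst" if success_after else "failures_only",
            "severity": "high" if success_after else "medium",
            "compromised_accounts": sorted({e["user"] for e in success_after}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOGS):
        print(alert)
```

Run against the sample, the internal workstation's single failure never reaches the threshold and produces nothing, while the external source produces one high-severity alert naming FS01, the three accounts tried and the one that eventually logged in. That last field is what decides the containment step mentioned above: isolate the host and reset carol's credentials, rather than simply closing the alert as noise.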

A Tier 1 SOC Analyst will typically have 0-2 years of experience in cyber security.

What does a Tier 2 SOC Analyst do?

A Tier 2 SOC Analyst receives escalated alerts from Tier 1 and conducts a more thorough investigation. As Tier 2 analysts are typically more experienced, it is their responsibility to investigate the root cause of an alert and determine if further response measures are necessary. A Tier 2 SOC analyst may also be responsible for basic malware analysis, threat hunting and incident reporting depending on the structure of the SOC.

Tier 2 SOC Analysts typically have 1–4 years of experience in cybersecurity, including exposure to security monitoring, log analysis, and incident response.

What does a Tier 3 SOC Analyst do?

A Tier 3 SOC Analyst, also referred to as an incident responder, is the final stage of escalation for a cyber security alert. A more experienced role, a Tier 3 SOC Analyst is responsible for managing cyber security incidents (confirmed cyber security threats), conducting malware analysis/reversing and digital forensic investigations, creating incident reports, and managing a cyber incident through to completion. A Tier 3 analyst will liaise with SOC management to communicate incident progress.

A Tier 3 SOC Analyst will often have good organisational knowledge, and detailed understanding of the cyber security controls that can be leveraged to investigate and respond to a cyber security incident.

A Tier 3 SOC Analyst's extended responsibilities can include threat hunting, detection engineering, threat intelligence gathering, and close partnership with penetration testing teams.

Tier 3 SOC Analysts typically have 4-5+ years of experience in cybersecurity, often with backgrounds in fields such as penetration testing, digital forensics, or malware analysis. They will have a deep understanding of both offensive and defensive cyber TTPs (tactics, techniques and procedures).

How do I become a SOC Analyst?

A SOC Analyst is exposed to a wide range of cyber security threats of different complexities and therefore a skillset spanning different cyber security topics is required. However, for Tier 1 analysts, you are not expected to be an expert. Often, organisations will have pre-defined training paths for SOC Analysts to enhance their technical skillset.

The technical skills a SOC Analyst will typically possess are:

  • Understanding of networking such as the TCP/IP stack, common protocols such as HTTP and SMTP, and tooling such as Wireshark and Nmap.
  • An understanding of operating systems such as “what is a scheduled task”, and how to navigate the OS with only a command prompt.
  • Understanding of cyber security threats and how a computer can become infected with malware.
  • An understanding of organisation networks and the core components such as Active Directory.
  • An understanding of one or more cloud providers such as AWS or Azure.

For an entry level SOC Analyst role, having an understanding of all mentioned above is typically not required. For example, if this is your first cyber security role, an understanding of organisation networks won’t be necessary.

For entry level roles, managers will search for other (soft) qualities in a candidate that aren’t strictly technical, including but not limited to:

  • Analytical and problem-solving abilities.
  • Willingness to, and evidence of, learning about cyber security.
  • Communication skills.
  • A strong appetite to pursue a career in cyber security.

What certifications do I need to become a SOC Analyst?

There is no fixed list of certifications that you need to become a SOC Analyst. Simply your self-learning combined with a great attitude can be enough to secure an entry level position. That said, there are some certifications that can be valuable for aspiring SOC Analysts:

For a more thorough explanation of breaking into cyber security including courses I recommend, consider reading this article.

Remember, while certifications can be beneficial, hands-on experience and practical skills are equally important in this field. Many employers value a combination of certifications, education, and practical experience.

Do I need IT experience to become a SOC Analyst?

Not always but it’s beneficial. In an increasingly competitive market, some may consider opting for an IT role first before transitioning to a SOC Analyst. A widely considered “good career route” is starting a career as an IT help desk analyst to build the foundational knowledge on general IT topics such as networking and operating systems, and to better understand organisation networks.

Using IT help desk analyst as an example, in an IT type role you will gain exposure to organisation practices such as incident handling, change control, communication channels, etc. You will also be exposed to core technologies such as Windows/Linux servers, Active Directory, application management such as SCCM, and much more. This knowledge is invaluable as a SOC Analyst.

I myself took this route and with hindsight can say that it significantly helped me early on in my career.

How to get a SOC Analyst job?

SOC Analysts are in high-demand and there is a continued shortage of strong talent in the industry. Consider the following as a path to securing your first job as a SOC Analyst:

  • Build foundational knowledge: Gain experience in IT, particularly in areas like networking, operating systems, and general cybersecurity concepts.
  • Develop relevant skills: Focus on analytical and problem-solving abilities, and demonstrate a willingness to learn about cybersecurity. Strong communication skills are important.
  • Consider certifications: While not always necessary, certifications like CompTIA Security+, GIAC Security Essentials (GSEC), or SANS GIAC Certified Incident Handler (GCIH) can be valuable. Don’t overlook self-studying, and practical exercises such as Hack the Box.
  • Gain practical experience: Hands-on experience is crucial. Look for internships, volunteer opportunities, or personal projects to build your skills.

Remember, entry-level positions often don't require extensive experience. Demonstrating a strong interest in cybersecurity, a willingness to learn, and relevant foundational skills can help you stand out to potential employers.

How much does a SOC Analyst make?

SOC Analyst salaries will range significantly depending on location and tier level. However, as of October 2024, Glassdoor considers the pay range of a SOC Analyst to be between $103K - $179K/yr in the United States, and £33K - £52K in London, UK. Roles requiring more experience such as a Tier 3 incident responder can make significantly more.

Where can you find SOC Analyst jobs?

You’ve landed on the right website. Browse through 100+ SOC Analyst jobs right now at totalcyber.io. We are a specialist cyber security job board exclusively hosting cyber security jobs.

Want to know more about SOC Analysts or interested in a general cyber security discussion, send me a message on Mastodon at @totalcyber. Also, consider following @totalcyberjobsbot for hourly updates on the latest cyber security jobs.

Copyright 2024 All Rights Reserved by YipCraft