Security Analyst (Tier 1/2/3 SOC)
What is a Security Analyst (Tier 1/2/3 SOC)?
Security Analyst (Tier 1/2/3 SOC): A Security Operations Center professional who monitors alerts, investigates incidents, and escalates threats, with seniority commonly tiered from Tier 1 triage to Tier 3 advanced investigation.
A Security Analyst works inside a Security Operations Center (SOC) to detect, triage, and respond to potential security incidents. Tier 1 analysts watch SIEM, EDR, and XDR queues, validate alerts against playbooks, and escalate true positives; Tier 2 analysts perform deeper investigation, correlate events across tools, contain affected hosts, and own incident tickets; Tier 3 analysts handle advanced incidents, conduct threat hunting, build detections, and tune the SIEM. Reporting is usually to a SOC manager who in turn reports to a Director of Security Operations or the CISO. Common qualifications include a bachelor's degree, hands-on experience with SIEM/EDR platforms, and certifications such as Security+, BTL1, GCIA, GCIH, or CySA+.
● Examples
- 01: Tier 1 closes phishing alerts after confirming they were blocked by the email gateway.
- 02: Tier 3 reconstructs an APT intrusion timeline using EDR telemetry and authentication logs.
● Frequently asked questions
What is a Security Analyst (Tier 1/2/3 SOC)?
A Security Operations Center professional who monitors alerts, investigates incidents, and escalates threats, with seniority commonly tiered from Tier 1 triage to Tier 3 advanced investigation. It belongs to the Roles & Careers category of cybersecurity.
What are other names for a Security Analyst (Tier 1/2/3 SOC)?
Common alternative names include: SOC analyst, Cybersecurity analyst.
● Related terms
- SIEM (defense-ops № 1039): A platform that aggregates, normalizes and correlates security telemetry from across the enterprise to enable detection, investigation, compliance and reporting.
- EDR (Endpoint Detection and Response) (defense-ops № 371): An endpoint security technology that continuously records process, file, registry and network activity to detect, investigate and respond to threats on hosts.
- XDR (Extended Detection and Response) (defense-ops № 1254): A security platform that unifies telemetry from endpoint, network, identity, email and cloud sensors to deliver correlated detections and integrated response actions.
- Threat Hunter (roles № 1146): A senior defender who proactively searches enterprise telemetry for adversary activity that has bypassed existing detections, using hypothesis-driven queries, threat intelligence, and behavioral analytics.
- Incident Responder (roles № 523): A specialist who leads or supports the technical response to confirmed security incidents, performing containment, eradication, forensic analysis, and recovery while coordinating with legal, communications, and executives.
- Security Engineer (roles № 996): An engineer who designs, builds, and operates the controls, automation, and tooling that keep systems secure across infrastructure, applications, identity, and detection pipelines.