SOC Analyst
What is SOC Analyst?
A security operations role responsible for triaging alerts, monitoring SIEM/EDR/XDR queues, investigating suspicious events, and escalating confirmed incidents to IR — typically tiered (T1 triage, T2 investigation, T3 hunt/engineering).
A Security Operations Center (SOC) analyst is the frontline role in detection-and-response operations, tasked with reading, triaging, and acting on the stream of alerts produced by SIEM, EDR/XDR, NDR, identity-protection, and SOAR pipelines. SOCs are typically tiered. Tier 1 analysts handle volume: confirming or dismissing alerts against runbooks and escalating anything that survives triage. Tier 2 analysts investigate deeper, pulling context from multiple data sources, performing log dives, and driving incident response through containment. Tier 3 (or 'senior') analysts run threat hunts, build detections, tune out false positives, and own playbook authorship. Common skill stack: log query languages (SPL, KQL, Lucene), at least one EDR (CrowdStrike, SentinelOne, Defender, Carbon Black), packet/pcap basics, MITRE ATT&CK familiarity, Sigma rule authoring, scripting (Python, PowerShell), and clear written communication for incident tickets. Certifications often associated with the role include CompTIA Security+, BTL1/2, GIAC GCDA / GCFA / GCIA, and increasingly vendor-specific badges. Burnout from alert volume is a documented occupational hazard; MDR and SOAR adoption has shifted the role toward higher-context investigation.
● Examples
- 01
A Tier 1 SOC analyst triages an EDR alert for a suspicious PowerShell command line, confirms it matches a known benign sysadmin script, records the evidence for that conclusion in the ticket, and closes it.
- 02
A Tier 3 analyst writes a Sigma rule for a new lateral-movement technique observed in a recent intrusion, then validates coverage with Atomic Red Team.
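The two examples above meet in practice: a Tier 1 closure ("this is our maintenance script") only becomes safe to automate once it is written down as a reproducible filter in the detection itself. The following Python is an added example, not code from the page or from any Sigma project. It applies a Sigma-style rule for suspicious PowerShell, with a filter for a known sysadmin script, to constructed Sysmon-style process-creation events. The rule, the script path `C:\Scripts\patch-maintenance.ps1`, the `CORP\svc_patching` account, and every event are hypothetical; real Sigma rules are YAML and are normally converted to a SIEM's query language (SPL, KQL) by Sigma tooling rather than matched directly like this.

```python
"""Minimal Sigma-style matcher run over constructed process-creation events.

Added example, not code from the page. Implements a subset of Sigma: keys in a
selection map are ANDed, list values are ORed, the modifiers contains /
startswith / endswith / all, case-insensitive matching, and conditions built
from selection names with and / or / not (no parentheses, no '1 of' forms).
"""
from __future__ import annotations

# Constructed rule (a dict instead of YAML so the example has no dependencies).
# Flags encoded or download-cradle PowerShell but filters a known maintenance
# script. The script path and service account are hypothetical.
RULE = {
    "title": "Suspicious PowerShell Command Line (example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-enc", "-EncodedCommand", "DownloadString", "IEX "],
        },
        # Both keys must match: the path alone can be typed by anyone, so the
        # filter is also pinned to the account that legitimately runs it.
        "filter_admin_script": {
            "CommandLine|contains": "\\Scripts\\patch-maintenance.ps1",
            "User": "CORP\\svc_patching",
        },
        "condition": "selection and not filter_admin_script",
    },
    "level": "medium",
}

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
MAINT = '-NoProfile -Command "IEX (Get-Content C:\\Scripts\\patch-maintenance.ps1 -Raw)"'
EVENTS = [  # constructed Sysmon-style EventID 1 fields
    {"Image": PS, "User": "CORP\\jdoe",  # 0: hidden encoded command -> alert
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"Image": PS, "User": "CORP\\svc_patching",  # 1: known script, right account -> filtered
     "CommandLine": "powershell.exe " + MAINT},
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "User": "CORP\\jdoe",
     "CommandLine": "pwsh.exe " + MAINT},  # 2: same script, wrong account -> alert
    {"Image": "C:\\Windows\\System32\\notepad.exe", "User": "CORP\\jdoe",
     "CommandLine": "notepad.exe C:\\Users\\jdoe\\notes.txt"},  # 3: no match
]


def match_value(value: str, modifiers: list[str], pattern: str) -> bool:
    """Apply one Sigma value modifier; Sigma string matching is case-insensitive."""
    v, p = value.lower(), pattern.lower()
    if "contains" in modifiers:
        return p in v
    if "startswith" in modifiers:
        return v.startswith(p)
    if "endswith" in modifiers:
        return v.endswith(p)
    return v == p


def match_field(event: dict, key: str, patterns) -> bool:
    """'Field|mod1|mod2': list values are ORed unless the 'all' modifier is present."""
    field, *modifiers = key.split("|")
    if field not in event:
        return False
    values = patterns if isinstance(patterns, list) else [patterns]
    hits = [match_value(str(event[field]), modifiers, str(p)) for p in values]
    return all(hits) if "all" in modifiers else any(hits)


def match_selection(event: dict, selection: dict) -> bool:
    """Every key in a selection map must match (AND)."""
    return all(match_field(event, k, v) for k, v in selection.items())


def eval_condition(condition: str, results: dict[str, bool]) -> bool:
    """Evaluate e.g. 'a and not b or c' with Sigma precedence not > and > or."""
    def term(tok: str) -> bool:
        tok = tok.strip()
        return not term(tok[4:]) if tok.startswith("not ") else results[tok]
    return any(all(term(t) for t in clause.split(" and "))
               for clause in condition.split(" or "))


def evaluate(rule: dict, event: dict) -> bool:
    """True if the event satisfies the rule's condition."""
    det = rule["detection"]
    results = {name: match_selection(event, sel)
               for name, sel in det.items() if name != "condition"}
    return eval_condition(det["condition"], results)


def triage(rule: dict, events: list[dict]) -> list[dict]:
    """Return the events that fire, annotated for the incident ticket."""
    return [dict(event, rule=rule["title"], level=rule["level"])
            for event in events if evaluate(rule, event)]


if __name__ == "__main__":
    for hit in triage(RULE, EVENTS):
        print(f'[{hit["level"]}] {hit["rule"]}: {hit["User"]} -> {hit["CommandLine"][:60]}')
```

Events 0 and 2 fire; event 1 is suppressed by the filter and event 3 never matches the selection. Event 2 is the case the filter design protects: the same maintenance command line run under an interactive user is not the documented job, so it still reaches the queue. Pinning a filter to a single field (here, the script path) is how benign-by-path exclusions get abused, so each exclusion should name every attribute the analyst actually relied on when closing the original ticket.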
● Frequently asked questions
What is SOC Analyst?
A security operations role responsible for triaging alerts, monitoring SIEM/EDR/XDR queues, investigating suspicious events, and escalating confirmed incidents to IR — typically tiered (T1 triage, T2 investigation, T3 hunt/engineering). It belongs to the Roles & Careers category of cybersecurity.
What does SOC Analyst mean?
A security operations role responsible for triaging alerts, monitoring SIEM/EDR/XDR queues, investigating suspicious events, and escalating confirmed incidents to IR — typically tiered (T1 triage, T2 investigation, T3 hunt/engineering).
How does SOC Analyst work?
A Security Operations Center (SOC) analyst is the frontline role in detection-and-response operations, tasked with reading, triaging, and acting on the stream of alerts produced by SIEM, EDR/XDR, NDR, identity-protection, and SOAR pipelines. SOCs are typically tiered. Tier 1 analysts handle volume: confirming or dismissing alerts against runbooks and escalating anything that survives triage. Tier 2 analysts investigate deeper, pulling context from multiple data sources, performing log dives, and driving incident response through containment. Tier 3 (or 'senior') analysts run threat hunts, build detections, tune out false positives, and own playbook authorship. Common skill stack: log query languages (SPL, KQL, Lucene), at least one EDR (CrowdStrike, SentinelOne, Defender, Carbon Black), packet/pcap basics, MITRE ATT&CK familiarity, Sigma rule authoring, scripting (Python, PowerShell), and clear written communication for incident tickets. Certifications often associated with the role include CompTIA Security+, BTL1/2, GIAC GCDA / GCFA / GCIA, and increasingly vendor-specific badges. Burnout from alert volume is a documented occupational hazard; MDR and SOAR adoption has shifted the role toward higher-context investigation.
What are other names for SOC Analyst?
Common alternative names include: Security Operations Center analyst, SOC Tier 1/2/3.
● Related terms
- roles№ 1101
Security Analyst (Tier 1/2/3 SOC)
A Security Operations Center professional who monitors alerts, investigates incidents, and escalates threats, with seniority commonly tiered from Tier 1 triage to Tier 3 advanced investigation.
- roles№ 1108
Security Engineer
An engineer who designs, builds, and operates the controls, automation, and tooling that keep systems secure across infrastructure, applications, identity, and detection pipelines.
- roles№ 581
Incident Responder
A specialist who leads or supports the technical response to confirmed security incidents, performing containment, eradication, forensic analysis, and recovery while coordinating with legal, communications, and executives.
- roles№ 1266
Threat Hunter
A senior defender who proactively searches enterprise telemetry for adversary activity that has bypassed existing detections, using hypothesis-driven queries, threat intelligence, and behavioral analytics.
- defense-ops№ 1151
SIEM
A platform that aggregates, normalizes and correlates security telemetry from across the enterprise to enable detection, investigation, compliance and reporting.
- defense-ops№ 412
EDR (Endpoint Detection and Response)
An endpoint security technology that continuously records process, file, registry and network activity to detect, investigate and respond to threats on hosts.