The SOC Analyst levels are typically divided into Tier 1, Tier 2, and Tier 3, representing increasing levels of skill, responsibility, and technical depth within a Security Operations Centre (SOC). Here’s a breakdown of each level and what they typically do:
🧩 Tier 1 – SOC Analyst (Alert Triage / Monitoring)
Entry-level role responsible for initial alert handling, ticket creation, and basic investigations.
🔍 Responsibilities:
- Monitor SIEM dashboards for alerts
- Validate false positives vs true positives
- Escalate incidents to Tier 2 if necessary
- Create and document incident tickets
- Perform basic IOC lookups (IP, domain, hash)
🧠 Skills:
- Basic understanding of TCP/IP, logs, malware types
- Familiarity with tools like Splunk, Microsoft Sentinel, CrowdStrike, etc.
- Knowledge of common attack types (phishing, brute force, malware)
📈 Goal:
Triage quickly and reduce noise while flagging valid threats accurately.
🛠️ Tier 2 – SOC Analyst (Incident Responder / Threat Hunter)
Mid-level analyst responsible for deeper investigations, containment actions, and incident response coordination.
🔍 Responsibilities:
- Investigate escalated alerts and correlate multiple data sources
- Perform threat hunting using logs and EDR/XDR tools
- Contain threats (e.g. isolate host, disable accounts)
- Run memory, forensic or PCAP analysis
- Lead incident response and root cause analysis
- Document findings and update detection rules
🧠 Skills:
- Strong log analysis (Windows Event Logs, Sysmon, firewall, DNS)
- Proficient in query languages (SPL, KQL) and scripting (Python, PowerShell)
- Understanding of MITRE ATT&CK and kill chain tactics
- Able to write and tune SIEM correlation rules
📈 Goal:
Accurately assess and mitigate threats, improve detection logic, and reduce dwell time.
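To show concretely what "validate false positives vs true positives" (Tier 1) and "write and tune SIEM correlation rules" (Tier 2) mean in practice, here is an added example, not part of this article or of any SIEM product: a minimal brute-force correlation rule in Python run over constructed Windows Security log records (4625/4624). The event field names, the rule parameters and the allowlist are assumptions for the example; the tuning step suppresses a known-noisy scanner that a Tier 1 analyst would otherwise keep triaging.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample Windows Security events (4625 = failed logon, 4624 = successful logon).
# Field names are assumptions for this example, not a vendor's log schema.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:05", "id": 4625, "user": "jsmith", "src": "203.0.113.10"},
    {"ts": "2024-05-01T09:00:20", "id": 4625, "user": "jsmith", "src": "203.0.113.10"},
    {"ts": "2024-05-01T09:00:41", "id": 4625, "user": "jsmith", "src": "203.0.113.10"},
    {"ts": "2024-05-01T09:01:02", "id": 4625, "user": "jsmith", "src": "203.0.113.10"},
    {"ts": "2024-05-01T09:02:10", "id": 4624, "user": "jsmith", "src": "203.0.113.10"},
    # Authorised vulnerability scanner: noisy failures a tuned rule should suppress.
    {"ts": "2024-05-01T09:00:00", "id": 4625, "user": "svc_scan", "src": "198.51.100.5"},
    {"ts": "2024-05-01T09:00:01", "id": 4625, "user": "svc_scan", "src": "198.51.100.5"},
    {"ts": "2024-05-01T09:00:02", "id": 4625, "user": "svc_scan", "src": "198.51.100.5"},
    {"ts": "2024-05-01T09:00:03", "id": 4625, "user": "svc_scan", "src": "198.51.100.5"},
    # A user mistyping a password twice: below threshold, so no alert.
    {"ts": "2024-05-01T09:05:00", "id": 4625, "user": "alee", "src": "10.0.0.7"},
    {"ts": "2024-05-01T09:05:30", "id": 4625, "user": "alee", "src": "10.0.0.7"},
]
# Parameters a Tier 2 analyst tunes: failure threshold, time window, and an allowlist
# of sources confirmed as false positives during triage (values assumed for the example).
RULE = {"threshold": 4, "window": timedelta(minutes=5), "allowlist": {"198.51.100.5"}}

def correlate_brute_force(events, rule):
    """Return one finding per source whose failures meet the rule; a later success escalates."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["src"] not in rule["allowlist"]:        # tuning: drop known-noisy sources
            by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        fails = [datetime.fromisoformat(e["ts"]) for e in evs if e["id"] == 4625]
        n = rule["threshold"]
        # Sliding window: first index where `n` consecutive failures fit inside `window`.
        hit = next((i for i in range(len(fails) - n + 1)
                    if fails[i + n - 1] - fails[i] <= rule["window"]), None)
        if hit is None:
            continue
        burst_end = fails[hit + n - 1]
        success_after = any(e["id"] == 4624 and datetime.fromisoformat(e["ts"]) > burst_end
                            for e in evs)
        findings.append({"src": src, "users": sorted({e["user"] for e in evs}),
                         "failed_logons": len(fails),
                         "severity": "high" if success_after else "medium",
                         "escalate_to": "Tier 2" if success_after else "Tier 1 triage"})
    return findings

if __name__ == "__main__":
    for finding in correlate_brute_force(SAMPLE_EVENTS, RULE):
        print(finding)
```

Running it yields a single high-severity finding for 203.0.113.10 (four failures followed by a success); emptying the allowlist makes the scanner fire as a medium-severity finding, which is exactly the false positive the tuning removes.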
🧠 Tier 3 – SOC Threat Analyst / Engineer / Hunt Team / SME
Advanced-level role focused on threat intel, detection engineering, purple teaming, and tooling improvements.
🔍 Responsibilities:
- Develop and refine detection rules (Sigma, YARA, etc.)
- Lead red team/purple team simulation efforts
- Integrate threat intelligence feeds and TTP mappings
- Automate playbooks via SOAR platforms
- Build dashboards and detection use cases
- Mentor junior analysts and improve SOC maturity
🧠 Skills:
- Deep threat intel understanding (APT profiles, TTPs, malware families)
- Scripting and automation (e.g. with Splunk SOAR, Python, PowerShell)
- Adversary emulation with frameworks (Atomic Red Team, Caldera)
- Experience with forensics, memory analysis, and malware reversing (optional but valued)
📈 Goal:
Harden the environment, reduce manual workload, and proactively improve detection and response capability.
🛡️ Additional Roles Often Found in SOCs
| Role | Description |
|---|---|
| SOC Manager | Leads SOC operations, reporting, and team coordination |
| Incident Response Lead | Oversees major incidents and coordinates business response |
| Threat Intelligence Analyst | Gathers, analyses, and integrates threat intel data |
| Detection Engineer | Builds and tunes alerting logic, dashboards, and use cases |
| SOAR Developer | Automates repetitive tasks and workflows within the SOC |