SOC team roles and tiers explained.
Inside a SOC: the tier model, every role from Tier 1 analyst to SOC manager, how alerts escalate, shift work, and the realistic path in and up.
A Security Operations Center looks like one thing from the outside: a room full of screens and people watching alerts. From the inside it's a layered machine, and every layer is a different job with a different skill set, a different day, and a different next step. "SOC analyst" is not one role — it's the entrance to at least six or seven of them. This is a map of who does what, what escalates between them, and how a real career moves through the building.
If you're still deciding whether the defensive side is your lane, our red, blue and purple team breakdown and the cybersecurity roadmap and careers guide cover the fork above this one. This article assumes you've already pointed at "blue team, SOC" and want to know what's inside.
The tier model: how a SOC is layered
Most SOCs organize analysts into tiers — usually three. Tiers exist to protect the two scarcest resources in the building: attention and expertise. You don't want your best incident responder reading login-failure alerts all day, or a first-week analyst deciding to pull a production server off the network. Tiers route each piece of work to the cheapest level that can safely handle it, and escalate only what needs a more expensive brain.
Tier 1 — triage and monitoring
The front door. Tier 1 works the alert queue: every detection the SIEM, EDR, and other tools throw off lands here first. The job is fast, disciplined triage — is this a false positive, a benign true positive, or something real? T1 follows playbooks, does first-pass enrichment (who is this user, is this IP known-bad, is this a normal login hour), and either closes the alert or escalates it with notes. Volume is high and the clock is always running.
Tier 2 — investigation and response
Tier 2 takes what T1 escalates and actually investigates it. That means pivoting across data sources, reconstructing what happened on a host, deciding whether an incident is real, and taking first containment actions — isolating a machine, disabling an account, blocking a domain. T2 is where "an alert" becomes "an incident with a timeline." They also feed the SOC's improvement loop, flagging noisy rules and gaps back to the engineers.
Tier 3 — threat hunting and advanced analysis
Tier 3 is the senior technical layer: threat hunting, deep analysis of the hard cases, reverse-engineering suspicious binaries, and handling the incidents T2 can't close alone. Crucially, T3 doesn't just wait for escalations — they go looking for what the alerts missed, forming hypotheses ("if an attacker were living off the land here, what would it look like?") and hunting through data to prove or kill them.
What escalates, and when
The rule of thumb: work moves up a tier when it exceeds the current tier's authority, knowledge, or time budget. T1 escalates when an alert can't be closed from the playbook, when enrichment points at a real threat, or when containment is needed that T1 isn't authorized to perform. T2 escalates to T3 or a dedicated responder when the scope is unknown, multiple hosts are involved, the attacker is still active, or the case needs forensics or malware analysis. Good SOCs also track what doesn't escalate — a rule generating 500 alerts a week that all close as false positives is a detection-engineering problem, not a staffing one.
The roles, one desk at a time
SOC Analyst — Tier 1
What they do: monitor and triage alerts against playbooks, escalate the real ones. A day: claim the next alert in the queue, check the process tree or login context, confirm it's a scheduled task everyone forgot about, close it, repeat — punctuated by the occasional one that makes the hair stand up and gets written up for T2. Key skills: networking and OS fundamentals, calm pattern recognition, clear written notes, resistance to alert fatigue. Tools: the SIEM, the EDR console, a ticketing system, threat-intel lookups like VirusTotal. Progress: get fast and accurate, learn one query language deeply, then move to T2.
SOC Analyst — Tier 2
What they do: investigate escalations end to end and run first-line response. A day: pick up a T1 escalation about suspicious PowerShell, pull the full process tree and network connections, correlate against other hosts, confirm a live beacon, isolate the endpoint, and open a proper incident. Key skills: log correlation across sources, attacker tradecraft (the MITRE ATT&CK framework becomes a daily reference), scripting to speed up the boring parts. Tools: SIEM + EDR at depth, SOAR playbooks, packet and log analysis. Progress: specialize toward hunting, detection engineering, or dedicated incident response.
SOC Analyst — Tier 3 / Senior Analyst
What they do: own the hardest investigations, mentor lower tiers, and hunt proactively. A day: half spent closing a nasty multi-host case, half spent running a hypothesis-driven hunt for credential theft that no rule currently catches. Key skills: deep systems internals, malware triage, the ability to work without a playbook. Tools: everything in the stack plus sandboxes and analysis tooling. Progress: into threat hunting, DFIR, detection engineering, or SOC leadership.
Incident Responder (IR)
What they do: take command when something is confirmed bad and coordinate containment, eradication and recovery. A day: during an incident, run the response — assign tasks, keep the timeline, decide when to isolate versus watch, brief leadership; between incidents, write and rehearse playbooks. Key skills: cool head under pressure, structured methodology, communication with non-technical stakeholders. Tools: EDR for containment, forensic and IR frameworks; the NIST SP 800-61 incident-handling guide is the standard reference. Our first 24 hours of an incident checklist is this role in practice. Progress: IR lead, DFIR consultant, or SOC manager.
Threat Hunter
What they do: assume a breach the tools missed and go find it. Hunting is proactive and hypothesis-driven, not alert-driven. A day: pick a technique from ATT&CK, translate "what would this look like in our telemetry?" into queries, sift the results, and either hand a finding to IR or hand a new detection idea to the engineers. Key skills: attacker mindset, fluency in the SIEM query language, statistics and baselining. Tools: the data lake, EDR telemetry, notebooks, ATT&CK. Progress: senior hunter, detection engineering, or research.
Detection / Content Engineer (detection-as-code)
What they do: build and maintain the detections that make the whole SOC work — the rules that decide what becomes an alert. Modern teams treat these as detection-as-code: rules live in version control, get code-reviewed and tested like software, and ship through a pipeline. A day: write a new rule in a format like Sigma, test it against real and simulated data, measure its false-positive rate, and retire a rule that's become noise. Key skills: deep detection logic, ATT&CK mapping, Git and CI, and enough software discipline to keep hundreds of rules maintainable. Tools: Sigma, the SIEM's rule engine, Git, adversary-emulation tools like Atomic Red Team. Progress: detection lead or security-engineering roles.
SIEM Engineer / SOC Platform Engineer
What they do: keep the platform alive and fed. If the detection engineer writes the rules, the SIEM engineer makes sure the data those rules need is actually flowing, parsed, and normalized. A day: onboard a new log source, fix a broken parser that silently dropped a field, tune ingestion so the licensing bill doesn't explode, keep dashboards and integrations working. Key skills: the SIEM platform in depth, data pipelines, regex and parsing, infrastructure and automation. Tools: the SIEM, log shippers and collectors, SOAR, infrastructure-as-code. Progress: security architecture or platform/DevOps-leaning security engineering. See our SIEM, SOAR and EDR toolstack guide for how these pieces fit.
Threat Intelligence Analyst (CTI)
What they do: answer "who might target us, how, and what should we do about it before they do." CTI turns raw reporting into decisions — feeding indicators to detections, prioritizing patching by what's actually being exploited, and briefing leadership. A day: track a threat group's shift in tooling, map their TTPs to ATT&CK, push new indicators into the SIEM, and write a short assessment the SOC and executives can both use. Key skills: analytical writing, source evaluation, geopolitics-meets-malware breadth, avoiding indicator overload. Tools: threat-intel platforms, open-source feeds, ATT&CK, structured frameworks. Progress: senior CTI, threat research, or advising strategy.
DFIR / Forensics Analyst
What they do: the deep forensic side of response — acquire and analyze disk and memory images, reconstruct exactly what an attacker did, and produce findings that can stand up to scrutiny (sometimes in court). A day: image a compromised laptop, carve the memory dump for injected code, build a minute-by-minute timeline from artifacts, and document the chain of custody. Key skills: filesystem and OS internals, evidence handling, meticulous documentation. Tools: forensic suites, memory-analysis frameworks like Volatility, disk imaging tools. Progress: senior DFIR, consulting, or expert-witness work.
SOC Manager / Lead
What they do: run the operation — people, process, and metrics. They own staffing and shift coverage, the metrics that prove the SOC works (mean time to detect and respond), the escalation paths, and the relationship with the rest of the business. A day: less hands-on-keyboard, more shift planning, incident post-mortems, hiring, vendor calls, and defending the budget. Key skills: leadership, calm during major incidents, translating technical risk into business language, and protecting the team from burnout. Progress: head of security operations, then CISO-track roles.
Where the SOC meets the red team: purple teaming
The SOC is the blue team's home. Its counterpart is the red team, which simulates real attacks under signed authorization. The two only get better together when they close the loop — and that loop is what "purple team" names. In a purple-team exercise, the red team runs a specific technique and says so in real time; the SOC checks whether the detection fired, and if it didn't, the detection engineer writes one on the spot. It's the fastest way a SOC improves: instead of waiting weeks for a red-team report, defenders find out immediately which of their detections have holes. Purple team is usually a practice, not a permanent desk — but it's where detection engineers, hunters, and CTI earn their keep.
Shift work, on-call, and the human cost
Threats don't keep office hours, so most mature SOCs run 24x7. There are two common ways to cover the clock. The first is rotating shifts — analysts cycle through days, evenings, and nights, which means someone is always awake but also always working against their circadian rhythm. The second is follow-the-sun: teams in different time zones each work their own daytime and hand off at the boundaries, so nobody works nights, but it requires multiple regional teams and airtight handovers.
Be honest about the cost. Tier 1 in particular carries real burnout risk: high volume, repetitive triage, night shifts, and the weight of "if I miss one, it's a breach." SOC turnover is notoriously high for exactly these reasons. The teams that keep people rotate them off pure triage, automate so humans handle judgment rather than volume, cap consecutive night shifts, and treat progression to T2 as a real, visible path. A posting that's all night shifts with no growth story is a signal.
Getting in, and a realistic path up
Tier 1 is one of the most accessible genuine entry points in security, which is exactly why it's competitive. What gets people hired mirrors the wider field: solid networking and Linux fundamentals, a documented home lab, hands-on practice on TryHackMe or Hack The Box (especially blue-team labs), and the ability to explain your reasoning out loud. A first SIEM query language and familiarity with ATT&CK put you ahead of most applicants. Our how to learn cybersecurity guide covers the groundwork.
A realistic trajectory: 6–18 months at Tier 1 to get fast and trustworthy, then Tier 2 as you start owning investigations, then a fork — hunting, detection engineering, IR, DFIR, CTI, or platform engineering — based on where you kept gravitating. Leadership is a separate branch, not the only "up." It's a sequence, not a fixed clock.
On salary, an honest note: compensation for these roles varies enormously by country, cost of living, sector, company size, and seniority — a Tier 1 salary in one market can exceed a Tier 3 salary in another. Anyone quoting a single global number is guessing. Check real, current sources for your region instead: public aggregators such as Glassdoor and Levels.fyi, recruiter salary guides like the Robert Half guide, and industry studies such as the annual ISC2 Cybersecurity Workforce Study. Look at your city and your seniority, not a headline figure.
The roles at a glance
| Role | Tier / layer | Focus | Typical tools | Common next step |
|---|---|---|---|---|
| SOC Analyst L1 | Tier 1 | Alert triage and monitoring | SIEM, EDR console, ticketing, intel lookups | Tier 2 analyst |
| SOC Analyst L2 | Tier 2 | Investigation and first-line response | SIEM + EDR at depth, SOAR, ATT&CK | Hunting / detection / IR |
| SOC Analyst L3 | Tier 3 | Hard cases, hunting, mentoring | Full stack, sandboxes, analysis tooling | DFIR / detection lead / leadership |
| Incident Responder | Response | Command, contain, eradicate, recover | EDR, IR frameworks, NIST 800-61 | IR lead / SOC manager |
| Threat Hunter | Tier 3 / hunt | Proactive, hypothesis-driven search | Data lake, EDR telemetry, ATT&CK | Senior hunter / research |
| Detection Engineer | Engineering | Detection-as-code: build/tune rules | Sigma, SIEM rules, Git/CI, emulation | Detection lead / security eng |
| SIEM Engineer | Platform | Data pipelines, parsing, uptime | SIEM, log shippers, SOAR, IaC | Security architect / platform |
| CTI Analyst | Intelligence | Who targets us, how, and what to do | TI platforms, feeds, ATT&CK | Senior CTI / threat research |
| DFIR / Forensics | Response | Deep forensic reconstruction | Forensic suites, Volatility, imaging | Senior DFIR / consulting |
| SOC Manager | Leadership | People, process, metrics | Metrics dashboards, planning tools | Head of SecOps / CISO track |
One alert, three desks: a worked example
Here's how a single detection travels through the building. At 02:14 the EDR fires: Microsoft Word spawned powershell.exe with an encoded command. It lands in the Tier 1 queue.
[ALERT] EDR-1188 severity: medium host: FIN-WKS-042 user: j.doe
parent: WINWORD.EXE -> child: powershell.exe
cmdline: powershell -nop -w hidden -enc SQBFAFgAKABOAGUAdwAt...
Tier 1 claims it. Office spawning hidden, encoded PowerShell is a classic macro-malware pattern, not a benign scheduled task. T1 does first-pass enrichment — the user is in Finance, it's the middle of the night, and this host has no history of scripting — decodes the command enough to see it's reaching out to a URL, and escalates within minutes with clean notes. T1 does not touch the machine; that's not their call.
Tier 2 picks it up and investigates. They pull the full process tree, see PowerShell spawn a child process making a repeating outbound connection to an unfamiliar domain — a command-and-control beacon. This is a confirmed true positive. T2 has the authority to act: they isolate FIN-WKS-042 through the EDR (network-contained but still reachable for analysis), disable the user's sessions, block the domain, and open a formal incident. Then they check whether any other host has talked to that domain — and two have. Scope is now unknown, an attacker may be live, so T2 escalates to Tier 3 / IR.
Tier 3, IR, and the specialists take it from here in parallel. The incident responder takes command and coordinates containment across all three hosts. A threat hunter sweeps the estate for the same TTPs to make sure they've found every affected machine, not just the ones that beaconed. DFIR images the first workstation's memory to recover exactly what the initial payload did and whether credentials were stolen. The CTI analyst matches the domain and tooling to a known phishing campaign and provides more indicators to search for. Finally, the detection engineer writes a new, tighter Sigma rule for this exact Office-to-encoded-PowerShell pattern, tests it, and ships it — so next time, it fires louder and earlier. One alert, and nearly every role in the SOC touched it.
