Skip to content
Breachfolio
CYBERSECURITY · SOC

SOC team roles and tiers explained.

Inside a SOC: the tier model, every role from Tier 1 analyst to SOC manager, how alerts escalate, shift work, and the realistic path in and up.

July 17, 202612 min read

A Security Operations Center looks like one thing from the outside: a room full of screens and people watching alerts. From the inside it's a layered machine, and every layer is a different job with a different skill set, a different day, and a different next step. "SOC analyst" is not one role — it's the entrance to at least six or seven of them. This is a map of who does what, what escalates between them, and how a real career moves through the building.

If you're still deciding whether the defensive side is your lane, our red, blue and purple team breakdown and the cybersecurity roadmap and careers guide cover the fork above this one. This article assumes you've already pointed at "blue team, SOC" and want to know what's inside.

Tier 1 — TriageMonitor & first responseTier 2 — InvestigationDeeper analysis & IRTier 3 — HuntingThreat hunting & advanced
How work escalates through the SOC tiers.

The tier model: how a SOC is layered

Most SOCs organize analysts into tiers — usually three. Tiers exist to protect the two scarcest resources in the building: attention and expertise. You don't want your best incident responder reading login-failure alerts all day, or a first-week analyst deciding to pull a production server off the network. Tiers route each piece of work to the cheapest level that can safely handle it, and escalate only what needs a more expensive brain.

Tier 1 — triage and monitoring

The front door. Tier 1 works the alert queue: every detection the SIEM, EDR, and other tools throw off lands here first. The job is fast, disciplined triage — is this a false positive, a benign true positive, or something real? T1 follows playbooks, does first-pass enrichment (who is this user, is this IP known-bad, is this a normal login hour), and either closes the alert or escalates it with notes. Volume is high and the clock is always running.

Tier 2 — investigation and response

Tier 2 takes what T1 escalates and actually investigates it. That means pivoting across data sources, reconstructing what happened on a host, deciding whether an incident is real, and taking first containment actions — isolating a machine, disabling an account, blocking a domain. T2 is where "an alert" becomes "an incident with a timeline." They also feed the SOC's improvement loop, flagging noisy rules and gaps back to the engineers.

Tier 3 — threat hunting and advanced analysis

Tier 3 is the senior technical layer: threat hunting, deep analysis of the hard cases, reverse-engineering suspicious binaries, and handling the incidents T2 can't close alone. Crucially, T3 doesn't just wait for escalations — they go looking for what the alerts missed, forming hypotheses ("if an attacker were living off the land here, what would it look like?") and hunting through data to prove or kill them.

What escalates, and when

The rule of thumb: work moves up a tier when it exceeds the current tier's authority, knowledge, or time budget. T1 escalates when an alert can't be closed from the playbook, when enrichment points at a real threat, or when containment is needed that T1 isn't authorized to perform. T2 escalates to T3 or a dedicated responder when the scope is unknown, multiple hosts are involved, the attacker is still active, or the case needs forensics or malware analysis. Good SOCs also track what doesn't escalate — a rule generating 500 alerts a week that all close as false positives is a detection-engineering problem, not a staffing one.

The roles, one desk at a time

SOC Analyst — Tier 1

What they do: monitor and triage alerts against playbooks, escalate the real ones. A day: claim the next alert in the queue, check the process tree or login context, confirm it's a scheduled task everyone forgot about, close it, repeat — punctuated by the occasional one that makes the hair stand up and gets written up for T2. Key skills: networking and OS fundamentals, calm pattern recognition, clear written notes, resistance to alert fatigue. Tools: the SIEM, the EDR console, a ticketing system, threat-intel lookups like VirusTotal. Progress: get fast and accurate, learn one query language deeply, then move to T2.

SOC Analyst — Tier 2

What they do: investigate escalations end to end and run first-line response. A day: pick up a T1 escalation about suspicious PowerShell, pull the full process tree and network connections, correlate against other hosts, confirm a live beacon, isolate the endpoint, and open a proper incident. Key skills: log correlation across sources, attacker tradecraft (the MITRE ATT&CK framework becomes a daily reference), scripting to speed up the boring parts. Tools: SIEM + EDR at depth, SOAR playbooks, packet and log analysis. Progress: specialize toward hunting, detection engineering, or dedicated incident response.

SOC Analyst — Tier 3 / Senior Analyst

What they do: own the hardest investigations, mentor lower tiers, and hunt proactively. A day: half spent closing a nasty multi-host case, half spent running a hypothesis-driven hunt for credential theft that no rule currently catches. Key skills: deep systems internals, malware triage, the ability to work without a playbook. Tools: everything in the stack plus sandboxes and analysis tooling. Progress: into threat hunting, DFIR, detection engineering, or SOC leadership.

Incident Responder (IR)

What they do: take command when something is confirmed bad and coordinate containment, eradication and recovery. A day: during an incident, run the response — assign tasks, keep the timeline, decide when to isolate versus watch, brief leadership; between incidents, write and rehearse playbooks. Key skills: cool head under pressure, structured methodology, communication with non-technical stakeholders. Tools: EDR for containment, forensic and IR frameworks; the NIST SP 800-61 incident-handling guide is the standard reference. Our first 24 hours of an incident checklist is this role in practice. Progress: IR lead, DFIR consultant, or SOC manager.

Threat Hunter

What they do: assume a breach the tools missed and go find it. Hunting is proactive and hypothesis-driven, not alert-driven. A day: pick a technique from ATT&CK, translate "what would this look like in our telemetry?" into queries, sift the results, and either hand a finding to IR or hand a new detection idea to the engineers. Key skills: attacker mindset, fluency in the SIEM query language, statistics and baselining. Tools: the data lake, EDR telemetry, notebooks, ATT&CK. Progress: senior hunter, detection engineering, or research.

Detection / Content Engineer (detection-as-code)

What they do: build and maintain the detections that make the whole SOC work — the rules that decide what becomes an alert. Modern teams treat these as detection-as-code: rules live in version control, get code-reviewed and tested like software, and ship through a pipeline. A day: write a new rule in a format like Sigma, test it against real and simulated data, measure its false-positive rate, and retire a rule that's become noise. Key skills: deep detection logic, ATT&CK mapping, Git and CI, and enough software discipline to keep hundreds of rules maintainable. Tools: Sigma, the SIEM's rule engine, Git, adversary-emulation tools like Atomic Red Team. Progress: detection lead or security-engineering roles.

SIEM Engineer / SOC Platform Engineer

What they do: keep the platform alive and fed. If the detection engineer writes the rules, the SIEM engineer makes sure the data those rules need is actually flowing, parsed, and normalized. A day: onboard a new log source, fix a broken parser that silently dropped a field, tune ingestion so the licensing bill doesn't explode, keep dashboards and integrations working. Key skills: the SIEM platform in depth, data pipelines, regex and parsing, infrastructure and automation. Tools: the SIEM, log shippers and collectors, SOAR, infrastructure-as-code. Progress: security architecture or platform/DevOps-leaning security engineering. See our SIEM, SOAR and EDR toolstack guide for how these pieces fit.

Threat Intelligence Analyst (CTI)

What they do: answer "who might target us, how, and what should we do about it before they do." CTI turns raw reporting into decisions — feeding indicators to detections, prioritizing patching by what's actually being exploited, and briefing leadership. A day: track a threat group's shift in tooling, map their TTPs to ATT&CK, push new indicators into the SIEM, and write a short assessment the SOC and executives can both use. Key skills: analytical writing, source evaluation, geopolitics-meets-malware breadth, avoiding indicator overload. Tools: threat-intel platforms, open-source feeds, ATT&CK, structured frameworks. Progress: senior CTI, threat research, or advising strategy.

DFIR / Forensics Analyst

What they do: the deep forensic side of response — acquire and analyze disk and memory images, reconstruct exactly what an attacker did, and produce findings that can stand up to scrutiny (sometimes in court). A day: image a compromised laptop, carve the memory dump for injected code, build a minute-by-minute timeline from artifacts, and document the chain of custody. Key skills: filesystem and OS internals, evidence handling, meticulous documentation. Tools: forensic suites, memory-analysis frameworks like Volatility, disk imaging tools. Progress: senior DFIR, consulting, or expert-witness work.

SOC Manager / Lead

What they do: run the operation — people, process, and metrics. They own staffing and shift coverage, the metrics that prove the SOC works (mean time to detect and respond), the escalation paths, and the relationship with the rest of the business. A day: less hands-on-keyboard, more shift planning, incident post-mortems, hiring, vendor calls, and defending the budget. Key skills: leadership, calm during major incidents, translating technical risk into business language, and protecting the team from burnout. Progress: head of security operations, then CISO-track roles.

Where the SOC meets the red team: purple teaming

The SOC is the blue team's home. Its counterpart is the red team, which simulates real attacks under signed authorization. The two only get better together when they close the loop — and that loop is what "purple team" names. In a purple-team exercise, the red team runs a specific technique and says so in real time; the SOC checks whether the detection fired, and if it didn't, the detection engineer writes one on the spot. It's the fastest way a SOC improves: instead of waiting weeks for a red-team report, defenders find out immediately which of their detections have holes. Purple team is usually a practice, not a permanent desk — but it's where detection engineers, hunters, and CTI earn their keep.

Shift work, on-call, and the human cost

Threats don't keep office hours, so most mature SOCs run 24x7. There are two common ways to cover the clock. The first is rotating shifts — analysts cycle through days, evenings, and nights, which means someone is always awake but also always working against their circadian rhythm. The second is follow-the-sun: teams in different time zones each work their own daytime and hand off at the boundaries, so nobody works nights, but it requires multiple regional teams and airtight handovers.

Be honest about the cost. Tier 1 in particular carries real burnout risk: high volume, repetitive triage, night shifts, and the weight of "if I miss one, it's a breach." SOC turnover is notoriously high for exactly these reasons. The teams that keep people rotate them off pure triage, automate so humans handle judgment rather than volume, cap consecutive night shifts, and treat progression to T2 as a real, visible path. A posting that's all night shifts with no growth story is a signal.

Getting in, and a realistic path up

Tier 1 is one of the most accessible genuine entry points in security, which is exactly why it's competitive. What gets people hired mirrors the wider field: solid networking and Linux fundamentals, a documented home lab, hands-on practice on TryHackMe or Hack The Box (especially blue-team labs), and the ability to explain your reasoning out loud. A first SIEM query language and familiarity with ATT&CK put you ahead of most applicants. Our how to learn cybersecurity guide covers the groundwork.

A realistic trajectory: 6–18 months at Tier 1 to get fast and trustworthy, then Tier 2 as you start owning investigations, then a fork — hunting, detection engineering, IR, DFIR, CTI, or platform engineering — based on where you kept gravitating. Leadership is a separate branch, not the only "up." It's a sequence, not a fixed clock.

On salary, an honest note: compensation for these roles varies enormously by country, cost of living, sector, company size, and seniority — a Tier 1 salary in one market can exceed a Tier 3 salary in another. Anyone quoting a single global number is guessing. Check real, current sources for your region instead: public aggregators such as Glassdoor and Levels.fyi, recruiter salary guides like the Robert Half guide, and industry studies such as the annual ISC2 Cybersecurity Workforce Study. Look at your city and your seniority, not a headline figure.

The roles at a glance

Role Tier / layer Focus Typical tools Common next step
SOC Analyst L1 Tier 1 Alert triage and monitoring SIEM, EDR console, ticketing, intel lookups Tier 2 analyst
SOC Analyst L2 Tier 2 Investigation and first-line response SIEM + EDR at depth, SOAR, ATT&CK Hunting / detection / IR
SOC Analyst L3 Tier 3 Hard cases, hunting, mentoring Full stack, sandboxes, analysis tooling DFIR / detection lead / leadership
Incident Responder Response Command, contain, eradicate, recover EDR, IR frameworks, NIST 800-61 IR lead / SOC manager
Threat Hunter Tier 3 / hunt Proactive, hypothesis-driven search Data lake, EDR telemetry, ATT&CK Senior hunter / research
Detection Engineer Engineering Detection-as-code: build/tune rules Sigma, SIEM rules, Git/CI, emulation Detection lead / security eng
SIEM Engineer Platform Data pipelines, parsing, uptime SIEM, log shippers, SOAR, IaC Security architect / platform
CTI Analyst Intelligence Who targets us, how, and what to do TI platforms, feeds, ATT&CK Senior CTI / threat research
DFIR / Forensics Response Deep forensic reconstruction Forensic suites, Volatility, imaging Senior DFIR / consulting
SOC Manager Leadership People, process, metrics Metrics dashboards, planning tools Head of SecOps / CISO track

One alert, three desks: a worked example

Here's how a single detection travels through the building. At 02:14 the EDR fires: Microsoft Word spawned powershell.exe with an encoded command. It lands in the Tier 1 queue.

[ALERT] EDR-1188  severity: medium  host: FIN-WKS-042  user: j.doe
parent: WINWORD.EXE  ->  child: powershell.exe
cmdline: powershell -nop -w hidden -enc SQBFAFgAKABOAGUAdwAt...

Tier 1 claims it. Office spawning hidden, encoded PowerShell is a classic macro-malware pattern, not a benign scheduled task. T1 does first-pass enrichment — the user is in Finance, it's the middle of the night, and this host has no history of scripting — decodes the command enough to see it's reaching out to a URL, and escalates within minutes with clean notes. T1 does not touch the machine; that's not their call.

Tier 2 picks it up and investigates. They pull the full process tree, see PowerShell spawn a child process making a repeating outbound connection to an unfamiliar domain — a command-and-control beacon. This is a confirmed true positive. T2 has the authority to act: they isolate FIN-WKS-042 through the EDR (network-contained but still reachable for analysis), disable the user's sessions, block the domain, and open a formal incident. Then they check whether any other host has talked to that domain — and two have. Scope is now unknown, an attacker may be live, so T2 escalates to Tier 3 / IR.

Tier 3, IR, and the specialists take it from here in parallel. The incident responder takes command and coordinates containment across all three hosts. A threat hunter sweeps the estate for the same TTPs to make sure they've found every affected machine, not just the ones that beaconed. DFIR images the first workstation's memory to recover exactly what the initial payload did and whether credentials were stolen. The CTI analyst matches the domain and tooling to a known phishing campaign and provides more indicators to search for. Finally, the detection engineer writes a new, tighter Sigma rule for this exact Office-to-encoded-PowerShell pattern, tests it, and ships it — so next time, it fires louder and earlier. One alert, and nearly every role in the SOC touched it.

Frequently asked questions

What is the difference between a SOC analyst Tier 1 and Tier 2?
Tier 1 triages: they work the alert queue against playbooks, decide what's a false positive, do first-pass enrichment, and escalate the real ones — fast, high-volume, front-line work. Tier 2 investigates what T1 escalates end to end, pivoting across data sources to confirm whether it's a genuine incident, and takes first containment actions like isolating a host or disabling an account. In short, T1 decides whether something is worth a closer look; T2 does the closer look and starts responding.
Do you need a degree to work in a SOC?
No. A degree can help you get past some HR filters, but it is not a hard requirement, and plenty of SOC analysts come from IT support, self-study, or career changes. What consistently matters more is demonstrable ability: solid networking and Linux fundamentals, a documented home lab, hands-on practice on blue-team labs, familiarity with a SIEM query language and MITRE ATT&CK, and the ability to explain your reasoning clearly. Reason about a scenario well and you'll beat a degree with no applied skill.
What's the difference between a SOC analyst and an incident responder?
A SOC analyst mostly works the ongoing flow — monitoring, triaging, and investigating alerts as they arrive, day in and day out. An incident responder is called in (or steps up) once something is confirmed to be a real incident, and their job is to take command of it: coordinate containment, eradication, and recovery, keep the timeline, and brief stakeholders. Analysts often escalate to responders. Many people become incident responders after time as a Tier 2 or Tier 3 analyst, so the roles overlap in skill but differ in focus and timing.
What does a threat hunter actually do?
A threat hunter proactively looks for attackers that the automated detections missed, rather than waiting for alerts. They start from a hypothesis — often based on a MITRE ATT&CK technique — such as "if someone were stealing credentials here, what would that look like in our telemetry?", translate it into queries across the SOC's data, and sift the results. A hunt ends one of two useful ways: it surfaces a real intrusion to hand to incident response, or it produces a new detection idea for the engineering team. It's a senior, curiosity-driven role built on deep knowledge of both attacker tradecraft and the organization's own data.
Is SOC analyst a good entry-level job?
Yes, with eyes open. Tier 1 is one of the most accessible genuine entry points into security, it exposes you to real attacks and the whole defensive toolstack fast, and it opens clear paths into hunting, detection engineering, incident response, and more. The trade-offs are real too: it can be high-volume and repetitive, and 24x7 SOCs involve shift work and night rotations that drive burnout and turnover. The good ones automate the grind, rotate people off pure triage, and treat progression to Tier 2 as a real path — look for those.
What's the difference between a detection engineer and a SOC analyst?
A SOC analyst consumes detections — they respond to the alerts the rules generate. A detection engineer builds and maintains those rules: they decide what should become an alert in the first place, write and tune the detection logic (increasingly as "detection-as-code," version-controlled and tested like software), map coverage to MITRE ATT&CK, and retire rules that have turned into noise. Analysts live in the alert queue; detection engineers live in the rules and pipelines that create it. Many detection engineers started as analysts, which is exactly why they know which alerts were useful and which were just noise.