What Is a SOC Analyst? Role, Skills, and Salary
A SOC analyst is a security professional who monitors an organization's systems for signs of compromise, investigates the alerts that detection tools raise, and responds to or escalates confirmed threats.
Your shift starts and the queue has 312 open alerts. By lunch it will have more. One of them is a service account authenticating from a country your company does not operate in, then touching file shares it has never touched before. The other 311 are a scanner that needs tuning, a sales rep on a holiday VPN, and an EDR rule that fires on a legitimate admin tool. Your job is to find the one that matters before it becomes a breach, and to do it again every hour. That is the work of a SOC analyst.
A SOC analyst is the person who reads the alerts a security operations center generates, decides which ones are real, and either closes them or escalates them. They are the human filter between a firehose of telemetry and the small number of events that deserve a response. When people talk about the cybersecurity skills shortage, this is the role they are mostly talking about.
This guide explains what a SOC analyst actually does day to day, how the Tier 1, 2, and 3 roles differ, the skills and tools the job demands, what it pays, the certifications and path into it, and the parts of the job nobody puts in the recruiter pitch. It is written for people who want to do the work or hire for it, not for a brochure.
What is a SOC analyst?
A SOC analyst is a security professional who monitors an organization's systems for signs of compromise, investigates the alerts that detection tools raise, and responds to or escalates confirmed threats. They work inside a SOC, the team and tooling that defends an organization around the clock, and they are the role that does the highest volume of hands-on detection and response work.
It helps to separate the analyst from the function. The SOC is the capability: people, process, and a stack of tools running 24/7. The SOC analyst is a person staffing that capability. A SOC has analysts at several levels, plus engineers who build the tooling and a manager who runs the team. The analyst is the one in the alert queue.
Day to day, the role answers three questions over and over:
- Is this alert a real threat or noise?
- If it is real, what is the scope, and how did it get in?
- Can I contain it myself, or does this need to go up the chain?
Everything a SOC analyst does is a variation on those three questions. The difference between a junior and a senior analyst is mostly how deep they can go on the second and third before handing off.
What does a SOC analyst do?

Strip away the titles and a SOC analyst runs one loop: monitor, triage, investigate, escalate or contain, then document. The reference points other writeups give as a flat list of duties are really stages in that loop.
Monitor the queue. Detection logic runs against telemetry from endpoints, servers, identity providers, network devices, and cloud platforms, and raises alerts in the SIEM and the consoles around it. The analyst watches that stream. The volume is the defining feature of the job: a busy SOC generates far more alerts than any person can deeply investigate, so the first skill is deciding fast what is worth attention.
Triage. For each alert, the analyst asks whether it is a true positive, a false positive, or a benign anomaly. This means pulling context: who is the user, is the host known, is this behavior normal for them, does the indicator match known-bad threat intelligence. Most alerts die here, correctly, as noise. The danger is tuning out and closing a real one because it looked like the last hundred.
Investigate. When an alert survives triage, the analyst scopes it. They pivot through the data to answer what the attacker touched, which credentials were used, which hosts are involved, and how the activity started. This is log analysis, endpoint inspection, and threat intelligence enrichment turning a single alert into the shape of an actual event.
Escalate or contain. A Tier 1 analyst who confirms something real escalates it to a higher tier with the evidence attached. A more senior analyst may contain it directly: isolate the host, disable the account, block the indicator, preserve evidence. Either way the goal is to stop the spread and hand the next person a clear picture, not a vague hunch.
Document. Every worked alert leaves a record: what fired, what the analyst found, what they did, and why. This feeds the case, the shift handover, and the detection tuning that should follow. Skipping it is how a SOC investigates the same false positive forever.
Around that loop sit recurring tasks: tuning noisy rules, enriching detections with new intelligence, writing up incidents, and feeding lessons back to the detection engineers. The loop is the job. The rest keeps the loop honest.
SOC analyst tiers: Tier 1, Tier 2, and Tier 3
Most SOCs organize analysts into tiers by depth of work, not by seniority for its own sake. The point is to route work to the right skill level so a senior investigator is not spending the day closing scanner noise. The tiers below are the common model. Small teams collapse them; large teams add specializations.
| Tier | Role | Core work | Escalates / owns |
|---|---|---|---|
| Tier 1 | Triage analyst | Monitors the queue, triages alerts, does initial enrichment, escalates real threats | Escalates anything confirmed or unclear to Tier 2 |
| Tier 2 | Incident responder | Investigates escalated alerts, scopes incidents, performs deeper forensics, drives containment | Owns confirmed incidents end to end; escalates major ones |
| Tier 3 | Threat hunter / senior analyst | Hunts threats the alerts miss, builds detections, handles the hardest forensic and malware work | Owns proactive detection and the toughest investigations |
Tier 1, the triage analyst. The front line and the entry point into the field. They live in the alert queue, make fast true-positive or false-positive calls, do basic enrichment, and escalate anything real or ambiguous. High volume, fast decisions, and the most common job title for someone breaking into security operations. The skill that separates a good Tier 1 is knowing when an alert deserves more than thirty seconds.
Tier 2, the incident responder. They take the escalations Tier 1 sends up. They dig into the data, perform incident response, determine root cause, scope the blast radius, and drive remediation. This is where an alert becomes a worked incident with a beginning, middle, and end. Tier 2 needs real investigation depth: log correlation, endpoint forensics, and the judgment to tell a contained problem from a spreading one.
Tier 3, the threat hunter and senior analyst. The most experienced practitioners. They do not wait for alerts. They form hypotheses about how an attacker could already be in the environment and go looking, using frameworks like MITRE ATT&CK to structure the hunt. They turn what they find into new detections, and they take the forensic and malware analysis work that is too hard for the tiers below. In many SOCs, Tier 3 overlaps with detection engineering and threat hunting as distinct specialties.
The tiers are a ladder as much as a structure. Most people start at Tier 1, move to Tier 2 as their investigation skills deepen, and branch toward Tier 3 hunting, detection engineering, or SOC management from there.
Skills you need to be a SOC analyst
The job is pattern recognition under volume. The skills that support it split into technical foundations and the softer ones that decide whether you last.
Log and SIEM analysis. The core skill. You read logs all day and run queries to pull the records that matter out of millions. Comfort with a SIEM query language and the discipline to build a search that answers a specific question is the difference between scoping an incident in ten minutes and in three hours.
Networking and operating system fundamentals. You cannot judge whether traffic or a process is malicious without knowing what normal looks like. TCP/IP, DNS, HTTP, common ports, Windows and Linux process and authentication behavior, the Windows event log: these are the ground truth you reason against.
Endpoint and incident response. Reading EDR telemetry, understanding the stages of an attack, and knowing the containment moves (isolate, disable, block, preserve) so you act correctly under pressure instead of freezing or overreacting.
Threat intelligence and frameworks. Using indicators and context to enrich an alert, and mapping observed behavior to MITRE ATT&CK techniques so an investigation has structure instead of guesswork.
Scripting. Python or PowerShell to automate the repetitive parts: parsing data, pulling enrichment, querying an API. Not software engineering, but enough to stop doing by hand what a script should do.
The soft skills decide the rest. Attention to detail keeps you from closing the one real alert in a flood of noise. Clear written communication makes your escalations and incident notes usable by the next analyst instead of a puzzle. Composure under pressure matters because the worst incidents arrive at the worst times. And a tolerance for repetition is honest to name: most of the queue is noise, and the analysts who burn out are often the ones who expected constant action.
SOC analyst tools
A SOC analyst works across a stack, not a single console. The integration between these tools matters more than any one of them, but the analyst-facing set is consistent across most SOCs.
| Tool | What the analyst uses it for |
|---|---|
| SIEM | Central log search and correlation; where most triage and investigation happens |
| EDR / XDR | Endpoint and cross-domain detection; process trees, isolation, and response actions |
| SOAR | Automated playbooks that handle repetitive response steps and enrichment |
| Threat intelligence platform | Enriching alerts with known-bad IPs, domains, and file hashes |
| Case management / ticketing | Tracking each alert and incident from open to closed |
The SIEM is where most of an analyst's day happens. EDR is where endpoint investigations and containment actions live. SOAR is the lever that decides whether the team scales: the more first-pass triage and enrichment it automates, the more the human analysts focus on the alerts that actually need judgment. The modern trend is consolidation, with AI handling more of the first-pass triage so analysts spend their attention where it counts.
SOC analyst salary
Pay tracks the tier. The U.S. Bureau of Labor Statistics does not break out "SOC analyst" as its own category; the closest official figure is Information Security Analysts, which had a median annual wage of $124,910 in May 2024. That category spans the whole field, so it sits above where most SOC analysts actually start.
By tier, the rough shape of the market looks like this:
| Tier | Typical experience | Approximate U.S. range |
|---|---|---|
| Tier 1 | Entry level | $55,000 - $80,000 |
| Tier 2 | Mid level (2-5 years) | $80,000 - $110,000 |
| Tier 3 | Senior (5+ years) | $110,000 - $150,000+ |
Treat these as directional. Salary aggregators disagree by tens of thousands of dollars depending on how they sample, and location, industry, clearance, and on-call expectations move the number more than the title does. The clearer signal is demand: the BLS projects employment of information security analysts to grow 29 percent from 2024 to 2034, far faster than average, with roughly 16,000 openings a year. The 2024 ISC2 Cybersecurity Workforce Study put the global workforce gap at nearly 4.8 million people, and SOC roles are among the hardest to fill and keep.
How to become a SOC analyst: certifications and path
There is no single route in, but the common one runs: build the fundamentals, prove hands-on skill, get an entry certification, land a Tier 1 role, and climb.
Foundations first. Networking and operating systems before anything security-specific. You cannot triage what you do not understand. CompTIA Network+ and a working knowledge of Windows and Linux are a reasonable floor.
Entry certifications. CompTIA Security+ is the most common starting credential and appears in a large share of entry-level postings. CySA+ (Cybersecurity Analyst+) is the logical follow-on because it targets the analyst skills directly: threat detection, data analysis, and response. For the incident-handling depth that Tier 2 work demands, the GIAC Certified Incident Handler (GCIH) is a respected, hands-on option.
The hard parts of the job
Any honest account of the role names the parts the recruiter pitch leaves out. These are operational realities, not reasons to avoid the work, but you should know them going in.
Alert fatigue. The defining problem of the modern SOC. Tools generate far more alerts than any team can investigate, and most are false positives. When the queue never empties, analysts start tuning out, and the one real alert in the flood gets missed. Tuning and risk-based alerting are the fix, and the work never fully ends.
The hours. Real attacks happen at 3 a.m. on holidays, so someone has to cover those hours. Shift work, on-call, and night rotations are common at Tier 1 and 2, and they are a real factor in burnout and turnover.
Repetition. Most of the queue is noise. Newcomers who expected constant action find a lot of the day is methodical, repetitive triage. The analysts who thrive are the ones who treat the repetition as a skill to sharpen, not a grind to endure.
The pressure of being the filter. You are the human deciding what is real. A missed alert can become a breach, and that weight is constant. It is also why the role builds judgment faster than almost any other in security: you make consequential decisions every single shift.
The constraint on every SOC is skill, not tooling. The platforms are the easy part to buy. Analysts who can read the data, separate signal from noise, and move fast under pressure are the hard part, and they are made by hands-on work, not by purchase orders.
The bottom line
A SOC analyst is the human filter in a security operations center: the person who turns a flood of alerts into the small number of real threats that get a response. The role runs a constant loop of monitor, triage, investigate, escalate, and document, and it ladders from Tier 1 triage up through Tier 2 incident response to Tier 3 hunting and detection. The pay is strong, the demand is structural, and the hard parts are real.
The thing that makes a SOC analyst good is not a certificate or a tool. It is the instinct to read data and find the one alert that matters, and that instinct is built by doing the work.
Frequently asked questions
Build the fundamentals, then build the defender mindset through practice, not theory. Blue team labs built on real attacks, like those on CyberDefenders, teach you to defend smarter, not harder, and an entry-level hands-on credential like the Certified CyberDefender Level 1 (CCD L1) turns that practice into proof. You reach interviews with real investigations to talk through, not just a certificate.
The technical core is log and SIEM analysis, networking and operating system fundamentals, endpoint and incident response, threat intelligence, and basic scripting in Python or PowerShell. The soft skills that decide who lasts are attention to detail, clear written communication, composure under pressure, and tolerance for repetitive work.
A SOC analyst monitors an organization's systems for security threats, triages the alerts that detection tools raise, investigates the real ones, and either contains them or escalates them to a higher tier. The core of the job is deciding, fast and accurately, which alerts are genuine threats and which are noise.
They overlap heavily and the titles are often used interchangeably. "SOC analyst" specifically means an analyst working inside a security operations center, focused on monitoring, triage, and incident response in the alert queue. "Security analyst" is a broader title that can also include vulnerability management, risk assessment, and security engineering work outside the SOC.
Tier 1 analysts triage the alert queue and escalate real threats. Tier 2 analysts investigate those escalations, scope incidents, and drive containment. Tier 3 analysts are senior practitioners who proactively hunt for threats the alerts miss, build new detections, and handle the hardest forensic and malware work.