Quick Reference
SOC Tier 1 = Alert triage, initial investigation, escalation. Tier 2 = Deep incident analysis, threat hunting. Tier 3 = Expert threat hunters, forensics, advanced adversary response. SIEM = aggregates and correlates logs to generate alerts. EDR = endpoint detection and response — records and responds to host activity. SOAR = Security Orchestration, Automation, and Response — automates repetitive SOC tasks. MSSP = outsourced managed security service provider vs in-house SOC.
What Is a SOC?
A Security Operations Center (SOC) is a centralized team and facility responsible for continuously monitoring, detecting, analyzing, and responding to cybersecurity threats. The SOC is the operational heart of an organization's security program — it's where alerts are triaged, incidents are investigated, and threats are hunted proactively.
The SOC operates 24/7 in most mature organizations, working from a combination of automated tools (SIEM, EDR, IDS/IPS) and human analysis. The primary mission is to minimize the time between when an attack occurs and when it's detected and contained — often measured as Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).
SOC Tiers — T1, T2, T3
SOC analysts are organized into tiers based on skill level and the complexity of work they handle. Higher tiers don't take every alert — they receive escalations from lower tiers and focus on the most complex and critical investigations.
Tier 1
Alert Triage Analyst
The first line of defense. Monitors the SIEM dashboard, triages incoming alerts, and performs initial investigation to determine if an alert is a true positive (real threat) or false positive (benign activity that triggered a rule). Closes false positives and escalates confirmed or suspected incidents to Tier 2. Also handles routine tasks like running vulnerability scans and updating ticket queues. High volume, lower complexity work.
Tier 2
Incident Responder / Threat Analyst
Performs deep-dive analysis on escalated incidents. Reviews endpoint telemetry, network traffic, log data, and threat intelligence to understand the full scope of a compromise. Determines the attack vector, affected systems, and lateral movement. Develops containment and eradication strategies. Conducts proactive threat hunting during quieter periods using ATT&CK techniques as hunt hypotheses. Higher skill, lower volume.
Tier 3
Threat Hunter / SME / Forensics
The most experienced analysts. Handles APT-level incidents, advanced forensic investigations, and malware reverse engineering. Performs proactive threat hunting without waiting for alerts — looking for evidence of stealthy, long-term intrusions. Often involved in developing new detection rules, refining SIEM content, and improving SOC processes. May interface with law enforcement and executive leadership during major incidents.
💡 True Positive vs False Positive vs False Negative
True Positive (TP): Alert fired AND there was a real attack. Good detection — take action.
False Positive (FP): Alert fired but NO real attack. Benign activity matched a detection rule. Wastes analyst time; too many FPs lead to alert fatigue.
False Negative (FN): Real attack occurred but NO alert fired. The most dangerous outcome — the attacker goes undetected. This is the failure mode that SOC teams work hardest to minimize.
True Negative (TN): No alert AND no attack. Expected baseline state.
Core SOC Tools
SIEM
Security Information & Event Management
Aggregates logs from across the environment (firewalls, endpoints, servers, cloud), correlates events across sources, and generates alerts. Provides the analyst's central dashboard. Also used for threat hunting queries and compliance reporting. Examples: Splunk, Microsoft Sentinel, IBM QRadar.
EDR
Endpoint Detection & Response
Agent installed on endpoints that records process execution, network connections, file changes, and registry modifications. Enables real-time detection, investigation, and response actions (isolate host, kill process, delete file) from a central console. Examples: CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne.
SOAR
Security Orchestration, Automation & Response
Automates repetitive SOC workflows using playbooks. Example: when a phishing email alert fires, SOAR automatically extracts IOCs, queries threat feeds, blocks the sender, and quarantines the email — without analyst intervention. Reduces MTTR and frees analysts for complex work.
TIP
Threat Intelligence Platform
Aggregates threat feeds (STIX/TAXII, OSINT, paid feeds), enriches alerts with IOC context, and integrates with SIEM and SOAR. Helps analysts quickly determine if an IP, domain, or hash is known malicious. Examples: ThreatConnect, Anomali, MISP.
IDS / IPS
Intrusion Detection / Prevention
Network-based sensors that detect (IDS) or block (IPS) malicious traffic patterns. Signature-based (known attack patterns) and anomaly-based (deviations from baseline). Feeds alerts into SIEM. Placed at network perimeter and internally for lateral movement detection.
Honeypot
Deception Technology
Decoy system designed to attract attackers. Any interaction with a honeypot is inherently suspicious since legitimate users have no reason to access it. High-fidelity alert source — very few false positives. Also used to gather intelligence on attacker techniques.
In-House SOC vs MSSP
Organizations must decide whether to build their own SOC or outsource monitoring and response to a Managed Security Service Provider (MSSP). This is a common exam scenario framing.
| Factor | In-House SOC | MSSP |
|---|---|---|
| Cost | High upfront — staff, tools, facility, 24/7 coverage | Lower upfront — subscription model; costs scale with usage |
| Context | Deep knowledge of your specific environment, systems, and business | General expertise; less context about your internal systems initially |
| Speed | Faster response for incidents requiring internal coordination | May have slower response due to limited access or communication overhead |
| Talent | Hard to hire and retain skilled analysts, especially for 24/7 | Access to broad talent pool with specialized skills (forensics, threat intel) |
| Compliance | Full data control — easier for highly regulated industries | Data leaves your environment — potential compliance/data sovereignty concerns |
| Best For | Large enterprises with sensitive data and complex environments | SMBs, organizations without dedicated security staff, 24/7 coverage gaps |
The Alert Lifecycle
Every alert that enters a SOC follows a lifecycle from detection to closure. Understanding this flow is important for the exam and for anyone pursuing a SOC analyst role.
01 Alert Generated — SIEM, EDR, IDS/IPS, or another tool fires an alert based on a rule match or anomaly detection. The alert lands in the SOC ticket queue.
02 Triage (T1) — Tier 1 analyst reviews the alert. Checks the source IP, affected asset, rule that fired, and any immediate context. Determines whether this looks like a true positive or false positive.
03 Initial Investigation — If the alert looks real, the analyst pivots — queries SIEM for related events, checks EDR for endpoint activity, looks up IPs/hashes/domains in threat intel feeds. Establishes timeline of events.
04 Escalation (if needed) — Complex or confirmed incidents are escalated to Tier 2. Ticket is updated with all findings to date so the receiving analyst has full context.
05 Deep Analysis (T2/T3) — Full incident scope determined. Which systems are affected? What data may be at risk? How did the attacker get in? Is there lateral movement? ATT&CK framework used to map observed techniques.
06 Containment — Stop the bleeding. Isolate affected endpoints (EDR), block malicious IPs/domains (firewall/DNS), disable compromised accounts (AD/IdP), capture forensic images before evidence is destroyed.
07 Eradication & Recovery — Remove malware, close attack vectors, patch vulnerabilities exploited. Restore systems from known-good backups. Verify systems are clean before returning to production.
08 Lessons Learned / Post-Incident Review — Document what happened, what worked, what didn't. Update detection rules to catch the same technique earlier next time. SOAR playbooks updated. New IOCs fed back into threat intel platform.
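Steps 01 through 04 of the lifecycle, written as a small SOAR-style auto-triage playbook. This is an added example, not code from the page; the threat-intel feed, scanner allowlist, asset inventory and alert names are all constructed stand-ins for a TIP, SIEM allowlist and CMDB lookup.

```python
"""SOAR-style auto-triage of a SIEM alert queue (added example, not from the page).
Lifecycle steps 01-04: enrich from threat-intel and asset lookups, auto-close obvious
false positives, route the rest to Tier 1 or escalate to Tier 2 with notes attached.
"""
from dataclasses import dataclass, field

# Constructed stand-ins for a TIP query, a scanner allowlist and a CMDB lookup.
THREAT_INTEL = {"203.0.113.50": "high", "198.51.100.7": "medium"}  # IOC -> confidence
KNOWN_SCANNERS = {"10.0.0.5"}                                      # authorized scanner
ASSETS = {"fin-db-01": "critical", "wks-0142": "standard"}        # host -> criticality

@dataclass
class Ticket:
    rule: str
    src_ip: str
    host: str
    disposition: str = "new"
    notes: list = field(default_factory=list)  # findings handed to the next tier

def triage(ticket: Ticket) -> Ticket:
    """Enrich the ticket and set its disposition: closed_fp, tier1 or tier2."""
    if ticket.src_ip in KNOWN_SCANNERS:
        ticket.notes.append(f"{ticket.src_ip} is an authorized scanner")
        ticket.disposition = "closed_fp"  # auto-close obvious FPs to cut alert fatigue
        return ticket
    confidence = THREAT_INTEL.get(ticket.src_ip)
    if confidence:
        ticket.notes.append(f"TIP: {ticket.src_ip} known malicious ({confidence})")
    criticality = ASSETS.get(ticket.host, "unknown")
    ticket.notes.append(f"asset {ticket.host} criticality={criticality}")
    # Escalate when the IOC is high-confidence or a critical asset is involved;
    # everything else goes to a Tier 1 analyst with the enrichment attached.
    if confidence == "high" or criticality == "critical":
        ticket.disposition = "tier2"
    else:
        ticket.disposition = "tier1"
    return ticket

def run_queue(tickets):
    """Triage every ticket in a queue and return the dispositions in order."""
    return [triage(t).disposition for t in tickets]

if __name__ == "__main__":
    queue = [
        Ticket("ids:outbound-c2", "203.0.113.50", "wks-0142"),
        Ticket("ids:port-scan", "10.0.0.5", "fin-db-01"),
        Ticket("edr:new-service", "192.0.2.9", "fin-db-01"),
    ]
    for t in queue:
        print(triage(t).disposition, t.notes)
```

The notes list is the "ticket updated with all findings to date" from step 04: whoever receives the escalation sees the enrichment without re-running the lookups.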
📝 Key SOC Metrics for the Exam
MTTD (Mean Time to Detect): Average time between when an attack occurs and when the SOC detects it. Longer = more damage. Reduced by better detection coverage and threat hunting.
MTTR (Mean Time to Respond): Average time between detection and containment/resolution. Reduced by SOAR automation, practiced playbooks, and pre-authorized response actions.
Alert fatigue: When too many false positive alerts overwhelm analysts, causing them to miss real threats. Addressed by tuning detection rules and using SOAR to auto-close obvious false positives.
Exam Scenarios
A Tier 1 SOC analyst is reviewing an alert where an internal host is communicating with a known malicious IP address. The analyst verifies this is a real infection and escalates to Tier 2. What should the Tier 2 analyst do NEXT?
Conduct deep analysis to determine the full scope of the incident. Before containment, Tier 2 needs to understand the blast radius: which systems are affected, whether lateral movement occurred, what data may have been accessed or exfiltrated. Containing too early without full scope risks missing additional compromised systems. However, if data exfiltration is actively occurring, immediate containment may override this — context matters.
An organization's SOC is overwhelmed by thousands of low-quality alerts per day, and analysts are beginning to ignore alerts without thoroughly reviewing them. What is this condition called, and what tool can help address it?
Alert fatigue. When the volume of false positives is too high, analysts become desensitized and may miss real threats. SOAR (Security Orchestration, Automation, and Response) can help by automatically resolving obvious false positives through playbooks, enriching alerts before they reach analysts, and reducing the total ticket volume that requires human review. Better SIEM rule tuning also reduces noise at the source.
A small healthcare company lacks the budget to staff a 24/7 in-house SOC but needs continuous security monitoring to meet compliance requirements. What is the best solution?
Contract with a Managed Security Service Provider (MSSP). MSSPs provide 24/7 monitoring, detection, and response capabilities on a subscription basis — far more cost-effective for small organizations than building and staffing an in-house SOC. The healthcare company should evaluate the MSSP's compliance capabilities (HIPAA, for instance) and ensure a clear SLA defines response times and escalation procedures.
A SOC analyst wants to proactively search for evidence of attackers who may have bypassed automated detection. What activity is this?
Threat hunting. Unlike reactive alert triage, threat hunting is a proactive, hypothesis-driven process where analysts search for indicators of attacker activity that didn't trigger alerts. Threat hunters typically use the MITRE ATT&CK framework to form hypotheses (e.g., "if an attacker used living-off-the-land techniques with PowerShell, what would that look like in our logs?") and then query SIEM data to test those hypotheses. It's primarily a Tier 2/Tier 3 activity.
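The PowerShell hunt hypothesis above, carried through as a query over log data. This is an added example, not code from the page; the log lines, hostnames and usernames are constructed, and the simplified pipe-delimited format stands in for whatever process-creation events the SIEM actually stores.

```python
"""Hypothesis-driven hunt over constructed process-creation logs (added example, not from the page).
Hypothesis: an attacker ran living-off-the-land PowerShell that no rule alerted on.
Test: find PowerShell spawned by an Office parent or carrying an encoded command
line, and decode that payload so a Tier 2/3 hunter can read what was run.
"""
import base64
import re

# Constructed log lines in a simplified "host|user|parent|cmdline" format.
SAMPLE_LOGS = [
    "wks-0142|alice|explorer.exe|powershell.exe -NoProfile -Command Get-ChildItem C:\\Temp",
    "wks-0142|alice|winword.exe|powershell.exe -w hidden -enc RwBlAHQALQBEAGEAdABlAA==",
    "srv-01|svc_backup|cmd.exe|powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "wks-0142|alice|explorer.exe|notepad.exe C:\\notes.txt",
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
# -e, -ec, -en, -enc and -encodedcommand are all accepted spellings of the flag;
# the base64 payload that follows is the script text in UTF-16LE.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(b64: str) -> str:
    """Decode a -EncodedCommand payload (base64 of UTF-16LE) to plain text."""
    return base64.b64decode(b64).decode("utf-16le")

def hunt(lines):
    """Return one finding per log line that matches the hunt hypothesis."""
    findings = []
    for line in lines:
        host, user, parent, cmdline = line.split("|", 3)
        if "powershell" not in cmdline.lower():
            continue  # hypothesis is PowerShell-specific; skip everything else
        reasons, decoded = [], None
        if parent.lower() in OFFICE_PARENTS:
            reasons.append(f"spawned by Office parent {parent}")
        match = ENC_FLAG.search(cmdline)
        if match:
            decoded = decode_encoded_command(match.group(1))
            reasons.append("encoded command line")
        if reasons:
            findings.append({"host": host, "user": user, "reasons": reasons, "decoded": decoded})
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print(finding)
```

Only the Word-spawned, encoded invocation surfaces; the admin's -ExecutionPolicy Bypass script run does not match, which is the kind of tuning that keeps a hunt query from becoming a new source of alert fatigue.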