Understanding the three tiers of SOC analyst jobs

Published on: 1 Sep 2022

SOC analyst jobs are among the most in-demand roles in cyber security. These individuals make up the front line of many businesses' defences, working as part of a security operations centre to monitor systems, spot vulnerabilities and investigate potential breaches.

However, not all SOC analyst jobs are alike. Within this category, professionals are broadly split into three levels, or tiers. Each tier has its own roles and responsibilities within the team, and its own required skills and level of experience.

If you're looking to pursue a career as a SOC analyst, it's therefore vital that you're familiar with the distinct demands of each of these levels and where they sit within the wider security team.

Tier 1 - Triage

The first step on the SOC analyst's career path, tier 1 professionals are primarily responsible for monitoring systems and making the initial response to any flags or alerts that come in via support tickets or event logs. The key responsibility of these individuals is to review and categorise potential threats in order of priority. They should be able to dismiss any false alarms, while also gathering information and escalating the most urgent threats to tier 2 professionals.
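To make the triage workflow just described concrete, here is an added illustration (not code from the original article): a small Python routine that takes a batch of constructed alerts, dismisses a known false-positive pattern, scores what remains by severity and asset criticality, and splits the result into an escalation list for tier 2 and a queue tier 1 keeps for itself. The alert fields, the allowlist of authorised scanner hosts, the weighting tables and the escalation threshold are all assumptions made for this example; a real SOC would draw them from its own SIEM and asset inventory.

```python
"""Tier 1 alert triage, added as a worked example (not from the original page).

Assumptions (constructed for this example): each alert is a dict with
'id', 'rule', 'severity', 'host', 'asset_tier', 'source_ip' and an optional
'count' of repeat hits; the SOC keeps an allowlist of its own authorised
vulnerability scanners, whose port-scan alerts are expected and can be dismissed.
"""
from dataclasses import dataclass, field

# Constructed allowlist: internal hosts the SOC itself uses for authorised scans.
AUTHORISED_SCANNERS = {"10.0.5.20"}

# Constructed weighting tables: how bad is the alert, and how much does the asset matter?
SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ASSET_WEIGHT = {"critical": 3, "standard": 2, "low": 1}

# Constructed threshold: alerts scoring at or above this go straight to tier 2.
ESCALATE_AT = 8


@dataclass
class TriageResult:
    dismissed: list = field(default_factory=list)    # alert ids closed as false positives
    escalated: list = field(default_factory=list)    # (id, score), highest first, for tier 2
    tier1_queue: list = field(default_factory=list)  # (id, score), highest first, tier 1 handles


def is_known_false_positive(alert):
    """A port scan from one of our own authorised scanners is expected noise."""
    return alert["rule"] == "port_scan" and alert["source_ip"] in AUTHORISED_SCANNERS


def score(alert):
    """Priority = severity x asset criticality, plus up to +2 for repeat hits."""
    base = SEVERITY_SCORE[alert["severity"]] * ASSET_WEIGHT[alert["asset_tier"]]
    repeat_bonus = min(alert.get("count", 1) - 1, 2)
    return base + repeat_bonus


def triage(alerts):
    """Categorise a batch of alerts: dismiss, escalate, or keep in the tier 1 queue."""
    result = TriageResult()
    for alert in alerts:
        if is_known_false_positive(alert):
            result.dismissed.append(alert["id"])
            continue
        s = score(alert)
        bucket = result.escalated if s >= ESCALATE_AT else result.tier1_queue
        bucket.append((alert["id"], s))
    # Most urgent first, so the analyst (or tier 2) works from the top of the list.
    result.escalated.sort(key=lambda item: -item[1])
    result.tier1_queue.sort(key=lambda item: -item[1])
    return result


# Constructed sample batch of alerts, as they might arrive from a SIEM.
SAMPLE_ALERTS = [
    {"id": "A1", "rule": "port_scan", "severity": "medium", "host": "web01",
     "asset_tier": "standard", "source_ip": "10.0.5.20"},
    {"id": "A2", "rule": "malware_detected", "severity": "high", "host": "fileserver",
     "asset_tier": "critical", "source_ip": "10.0.8.14"},
    {"id": "A3", "rule": "failed_login_burst", "severity": "low", "host": "lab-vm",
     "asset_tier": "low", "source_ip": "10.0.9.3", "count": 5},
    {"id": "A4", "rule": "port_scan", "severity": "medium", "host": "web01",
     "asset_tier": "standard", "source_ip": "203.0.113.9"},
    {"id": "A5", "rule": "privilege_escalation", "severity": "critical", "host": "dc01",
     "asset_tier": "critical", "source_ip": "10.0.1.7", "count": 2},
]

if __name__ == "__main__":
    r = triage(SAMPLE_ALERTS)
    print("dismissed:  ", r.dismissed)
    print("escalated:  ", r.escalated)
    print("tier1 queue:", r.tier1_queue)
```

Running the block dismisses the authorised scanner's port scan, sends the domain controller privilege-escalation alert and the file-server malware hit to tier 2 (in that order), and leaves the external port scan and the lab-VM login burst for tier 1 to work through. The false-positive check runs before scoring on purpose: a known-benign alert should never consume a priority slot, and keeping that rule in one place makes it easy to audit what the SOC has chosen to ignore.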

While tier 1 analysts rarely deal with breaches directly, their role also typically includes running security scans, searching for vulnerabilities, reviewing the results, and overseeing and configuring security monitoring tools.

These professionals are typically the least experienced members of the SOC team, and this is often an individual's first cyber security role. Much of the experience gained here will help prepare you for more senior roles. Key skills that are vital for success as a tier 1 analyst include continuous monitoring abilities, attention to detail, strong decision-making, time management and good communication.

Tier 2 - Investigation

Tier 2 SOC analysts step in when their tier 1 colleagues flag suspicious activity that warrants a closer look. Their main role is to review the incoming threat intelligence, determine the nature of the incident and respond accordingly.

As part of this, they will be expected to quickly and accurately identify an incoming attack, spot which systems are being targeted or have already been compromised, and assess the scope of the damage. They are then expected to put in place recovery efforts and coordinate the response.

Tier 2 analysts are expected to have much more in-depth technical knowledge than tier 1, and they can have a significant impact on the overall success of cyber security defences. Key requirements for these individuals include strong incident management skills, the ability to work under stress and time pressure, discipline and analytical thinking.

Tier 3 - Threat hunting

Typically the most senior professionals within the SOC team, tier 3 analysts spend much of their time actively looking for emerging threats and vulnerabilities. Unlike tier 1 analysts, whose monitoring role relies on them reviewing incoming data, tier 3 analysts will look for threats that may have slipped past initial defences without raising any red flags.

They will also seek to find any weaknesses in their firm's systems, using the latest threat intelligence, running penetration tests and reverse engineering malware to discover how it works and which weaknesses it is looking to take advantage of.

When called upon, they can also use their knowledge and experience to assist tier 2 professionals with complex incident responses. They will therefore be expected to have a wide range of skills, but strong knowledge of malware detection, ethical hacking and data analysis are all must-haves.

Most firms will focus the majority of their time and resources on tiers 1 and 2, and so may only have a few tier 3 analysts. Therefore, if you're looking to advance from tier 1 or 2 to this level, you'll need to demonstrate a high level of expertise to recruiters.

Learn more about SOC analyst jobs and browse our latest vacancies in your area here.