SOC analyst careers

What is a SOC analyst?

Have you ever wondered what a SOC analyst is, how you can get your first SOC job or how much a SOC analyst makes? Here is a quick overview of the career path and its exciting job outlook.

SOC analysts work in an organization’s security operations center (SOC) and are sometimes referred to as cybersecurity analysts. Their primary duty is monitoring and responding to cyber threats and other alerts. According to the Bureau of Labor Statistics, there were 141,200 security analysts in 2020 and another 47,100 will be needed by 2030.

$93,888

Average U.S. salary

33%

Projected career growth through 2030

Entry-level

Common first cybersecurity role

What does a SOC analyst do?

A junior SOC analyst is one of the primary entry-level roles within cybersecurity. SOC analysts are responsible for monitoring, investigating and reporting incidents from security information and event management (SIEM) systems. SOC analysts also monitor firewall, email, web and DNS logs to identify and mitigate intrusion attempts.

 

SOC analyst roles and responsibilities

The extent of a SOC analyst’s duties — and the number of analysts working in the SOC — is dependent on the organization’s size, industry and cybersecurity maturity. Smaller organizations may have a single analyst on staff, while large enterprises may employ 100 or more cybersecurity analysts within their SOC.

Typical duties include:

  • Review, prioritize and investigate SIEM alerts
  • Document cyber incidents and implement incident response plans
  • Follow patch management and vulnerability testing processes
  • Assist with risk management, audit and compliance requirements

SOC analyst tools

SOC analysts monitor and analyze huge amounts of network traffic — far more than any single person can do manually. Thankfully, there are a number of free SOC analyst tools to help manage the workload.

  • Wireshark: One of the most popular network protocol analyzers available
  • Zeek: Free network security monitoring tool similar to Wireshark 
  • Suricata: Free intrusion detection system (IDS) and intrusion prevention system (IPS)
  • Snort: A common network IDS many vendors build on top of

Not sure where to start? Watch Mike Meyers‘ video on How to use Wireshark for protocol analysis. Then read Mark Viglione’s free intrusion detection ebook (coming soon).

 

SOC analyst career path FAQ

A junior SOC analyst is one of the primary entry-level roles within cybersecurity. There is a range of roles within a SOC, so junior analysts may work alongside more senior analysts, forensic investigators, incident responders, security engineers, security managers and more.

  • What does SOC analyst stand for?
    • What is a SOC?
      Cybersecurity analysts and other cybersecurity professionals often work in a security operations center, also known as a SOC. The SOC is the central hub of an organization’s cybersecurity function, and the people, processes and technology that make up the SOC are responsible for detecting, analyzing and responding to cyber incidents.

      What is a SOC analyst?
      SOC analysts are the people who use those tools to detect, analyze and respond to threats. Essentially, they are the cybersecurity first responders that are on the frontlines of a cybersecurity team.

      What is a NOC analyst?
      You may have also heard the term network operations center, also known as a NOC. A NOC is focused on the IT side of an organization’s infrastructure rather than the security side. A NOC analyst and others on the NOC team are primarily responsible for maintaining uninterrupted service and optimizing network performance. Although both a NOC and SOC are related to business risk and organizational stability, they serve two different functions.

  • What are the different SOC analyst levels?
    • SOC analysts are often organized into tiers based on experience. How you define a SOC level 1 analyst vs. a SOC level 2 analyst can vary based upon the organization and how the SOC is structured. However, it’s typical to have three tiers, plus management:

      • SOC analyst tier 1 is a name for an entry-level SOC analyst or junior SOC analyst. Alerts that come from the SIEM usually flow to a tier 1 SOC analyst to prioritize and investigate.
      • SOC analyst tier 2 is a more experienced position. They deal with perceived threats or challenging cases that are escalated from their tier 1 coworkers. They are sometimes referred to as cyber incident responders.
      • SOC analyst tier 3 is a more senior position. They often have a more proactive role of hunting down and identifying threats vs. responding to known issues. Because of this, they are sometimes referred to as cyber threat hunters.
      • SOC manager is the leader of the entire SOC team. They are responsible for setting the strategy, as well as hiring, training, reporting and communicating metrics to other stakeholders in the organization.

      A SOC team may also include security engineers or security architects. Additionally, the roles within a SOC may have different names depending on the organization. For example, SOC analysts are often referred to as security analysts, cybersecurity specialists, incident analysts or cyber defense analysts.

  • What is a typical task for the SOC tier 1 analyst?
  • What tools should I get used to as a SOC analyst?
    • As noted above, there are a number of free open-source tools that are commonly used by SOC analysts (see “SOC analyst tools” and “What is a typical task for the SOC tier 1 analyst?”). When employed as a SOC analyst, you may also encounter popular commercial tools, such as:

      • Solarwinds Security Event Manager
      • Solarwinds Log Analyzer
      • Splunk Enterprise Security
      • LogRhythm NextGen SIEM
      • Alienvault Unified Security Management
      • Sumo Logic
      • McAfee Enterprise Security Manager
      • LogDNA
      • Datadog

      Since an entry-level SOC analyst’s primary duty is to look at alerts and logs, you should get comfortable with network analysis tools, packet crafting tools, instruction detection and prevention tools, SIEM tools like Splunk, and logs from firewalls, email, web and DNS.

  • What hours do SOC analysts work?
    • Cybersecurity never stops, and many SOCs operate all day, every day, year-round. How the SOC schedule is set up may vary depending on an organization’s size, reach and preferences. For example, a global organization may have teams spread across different time zones so that most analysts work a typical first-shift schedule. Other organizations may have SOC analyst night shifts and overnight shifts to ensure staffing 24 hours a day.

      Some common SOC schedules for a week:

      • Five, eight-hour shifts totaling 40 hours
      • Four, 10-hour shifts totaling 40 hours
      • Rotating 12-hours shifts (one example is the Panama schedule, which has four teams working 12-hour shifts on a 14-day schedule: 2 days on, 2 days off, 3 days on, 2 days off, 2 days on, 3 days off)

      Some organizations may require more than 40 hours during certain circumstances (e.g., a major cyberattack) or require on-call shifts to help ensure continuous coverage.

  • Where can I find SOC analyst jobs?
    • Wondering where to find SOC analyst jobs? You can search all of the popular job boards for “SOC analyst” — or related names like “security analyst” or “cybersecurity specialist.” Find hundreds of open jobs here: Indeed, Monster, Glassdoor, LinkedIn and CareerBuilder.

      There are also cybersecurity-focused job websites like infosec-jobs.com, ClearedJobs and others.

      Cybersecurity groups and associations like ISSAISACA or Women in Cybersecurity are another great way to network and find potential job openings. You can also try attending local meetups or connecting with other cybersecurity professionals on popular cybersecurity discussion boards.

  • How much does a junior SOC analyst make? What does a senior SOC analyst earn?
    • According to salary.com, the average SOC analyst salary (base) in the United States in 2022 is $93,888, and the average base salary range for all SOC analysts falls between $79,968 and $112,461. When looking at total compensation, which includes annual incentives like bonuses, the average jumps to $100,200 and the range to between $83,851 and $125,131.

      Payscale reports a wider range of pay, with entry-level security analysts earning total compensation of around $61,000 and the most senior (20+ years) security analysts earning $95,000.

      Salary can also vary quite a bit based on job location, benefits and other factors. However, based on these reports a SOC analyst tier 1 salary can expect to fall somewhere in the range of $60,000 to $90,000.

  • Where can I find free SOC analyst training resources?

How to get a SOC analyst job?

Hiring managers are looking for SOC analyst resumes that demonstrate a proactive desire to learn. So how can you become a SOC analyst if you don’t have experience or a learning budget? Go get that experience! Create a side project. Find a SOC analyst internship. Volunteer. Build a home network to analyze traffic. Or find a mentor by joining a cybersecurity group.

 

SOC analyst requirements

Some organizations are shifting away from degree requirements and focusing on projects, experiences and certifications. However, a bachelor’s degree in computer science, cybersecurity or another technical field may still be required.

What are the basic requirements for a SOC analyst? At a minimum, you’ll need an understanding of IT infrastructure and cybersecurity foundations. For more information on how to build that knowledge, watch Keatron Evans’ live demo and Q&A, Getting started in cybersecurity.

SOC analyst certifications

Certifications are another way to either break into a cybersecurity analyst role or prove your worth as a more senior security analyst. Which certifications are needed for a SOC analyst? See a few popular options below:

 

SOC analyst interview questions and answers

Common security analyst interview questions include:

  • How do you define risk, vulnerability and threat on a network?
  • What is the CIA triad?
  • Why do you need DNS monitoring?
  • What is a DDoS attack? How is it mitigated?
  • Explain SSL and TLS in your own words.

Read our cybersecurity analyst interview Q&A article for the answers. For even more guidance, download our ebook: Cybersecurity interview tips: How to stand out, get hired and advance your career.

More cybersecurity career advice

Starting a cybersecurity career can feel daunting, but don’t let that fear stop you from taking the leap, says best-selling author and Infosec Skills instructor Ted Harrington. “Every single person who has ever achieved excellence didn’t know anything at one point, but they set out with that mindset of curiosity. You can do it, and you can excel at it. Just don’t be scared and put in the work.”

Want more career advice? Watch the Cyber Work Podcast or read these popular articles: