The work, in one sentence each

A SOC analyst watches an enterprise's security alerts, separates the noise from the signal, escalates the signal to the correct responder, and writes down what they did and why. Every other description of the role is a longer version of that sentence.

NIST SP 800-61 Revision 2 codifies the incident handling lifecycle in four phases: Preparation, Detection and Analysis, Containment, Eradication and Recovery, and Post-Incident Activity. A Tier 1 analyst lives inside Phase 2 (Detection and Analysis) and supports Phase 3 (Containment). They rarely own the full lifecycle in their first 12 months. Recognizing that scoping matters: the role description that says 'manage the full incident lifecycle' is not a Tier 1 role, regardless of what the job posting calls it.

BLS OES 2024 publishes Information Security Analyst (occupation code 15-1212) median annual wage at $124,910 nationally. That number includes senior practitioners with 10+ years of experience and skews high for the entry level. The same series projects 29 percent growth from 2024 to 2034 (the BLS 2024-2034 cycle, replacing the prior 33 percent 2023-2033 figure), much faster than average, which is the data point that gets quoted in career-change marketing. The growth number is real and verifiable from BLS, but it does not mean entry-level roles are easy to land; it means the field will absorb more senior analysts over the decade.

What hiring managers say they want and what the job demands diverge predictably. Job postings call for two to five years of experience for entry-level roles because HR copy gets reused. Hiring managers will hire candidates with documented home-lab work, a Security+ cert, and the ability to read a Sysmon log. A Tier 1 SOC analyst's first year of work is structured alert triage with documented runbooks; the cognitive challenge is not technical depth but pattern recognition under time pressure. Pattern recognition is what your portfolio should demonstrate.