What does a SOC Analyst do?
A SOC Analyst works the front line of cybersecurity operations. You watch the SIEM, triage alerts, and decide within minutes whether a signal is noise or a real intrusion. The job runs on shift coverage, so a Tier 1 or Tier 2 analyst rotates through days, nights, and weekends in most enterprises. I've watched new analysts burn out chasing every alert and seen the good ones learn to read a detection like a paragraph. You investigate, correlate events across endpoints and identity logs, and pass warm incidents to an IR lead when something crosses the threshold. The role rewards pattern recognition, documentation discipline, and a calm head under pressure.
A day in the role
Tuesday, 7:00 AM. You take the handoff from the overnight analyst. Three open tickets, one suspicious PowerShell execution flagged on a finance endpoint at 4:12 AM. You pull the parent process tree in Falcon, correlate with Sentinel sign-in logs, and find the user logged in from a corporate VPN range. Looks benign, probably an IT admin running a legit script. You document the decision, close the ticket, and move on. Mid-morning the SIEM lights up with a burst of failed authentications against an M365 admin account. Password spray. You check MFA status, confirm the account has conditional access enforced, and write up the finding for the identity team. Lunch at your desk. Afternoon is quieter. You tune a noisy Sysmon rule that fires on every Chrome update, then join the weekly purple team debrief. By 4:00 PM you document everything, brief the evening analyst, and log off.
Core responsibilities
- Triage SIEM alerts against known-good baselines and flag true positives within defined SLAs
- Investigate endpoint, network, and identity telemetry to confirm or rule out malicious activity
- Write incident tickets in ServiceNow or Jira with enough detail that the next shift can pick up cleanly
- Tune detection rules to reduce false positive volume without blinding the team to real threats
- Run enrichment lookups against threat intel feeds, VirusTotal, and internal CMDB data
- Escalate confirmed incidents to Tier 3 or IR following the runbook, not by memory
- Participate in purple-team exercises and retrospectives after significant detections
- Maintain shift handoff notes that cover open investigations, tuning changes, and watch items
Key skills
Tools you will use
Common pitfalls
- Closing alerts without documenting the reasoning, which leaves the next shift guessing
- Chasing every low-fidelity alert instead of triaging by business impact and confidence score
- Skipping MITRE ATT&CK mapping in tickets, which kills detection engineering feedback loops
- Memorizing the runbook loosely instead of following it step by step during real incidents
Where this leads
Natural next roles for experienced SOC Analysts.
Which certifications does a SOC Analyst need?
Professionals in this role typically hold or pursue these cybersecurity certifications. Visit our certification guides for cost, exam details, and career impact analysis.
Recommended Training
Cybersecurity certifications that accelerate the SOC Analyst path
Hiring managers most commonly ask for these cybersecurity certifications in SOC Analyst postings. Each link opens our internal certification guide with cost, exam format, renewal cycle, and career impact analysis.
Foundational certification for SOC Analyst roles
Security+ appears in the majority of SOC Analyst job postings and is DoD 8570 approved for federal and contractor positions.
View certification guide →Next step after Security+ for threat detection work
CySA+ covers security analytics, threat hunting, and incident response, aligning directly with day-to-day SOC responsibilities.
View certification guide →Recommendations reflect job posting frequency across SOC Analyst listings, not paid placement. DecipherU may earn a referral fee if readers enroll with a training provider through a linked certification guide. Verify current pricing and exam details with the certifying body before purchasing.
Career intelligence synthesized from Bureau of Labor Statistics, MITRE ATT&CK, O*NET, and community data using the DecipherU Methodology™, designed by Julian Calvo, Ed.D., M.S.
How much does a SOC Analyst make?
Salary estimates for SOC Analyst roles. Based on BLS OES median ($87,400) with experience-tier ratios derived from BLS OES percentile patterns for cybersecurity occupations, May 2024. Actual compensation varies by location, employer, and certifications. Source: BLS OES
Career progression
Personality fit (RIASEC)
The radar maps this role's top RIASEC dimensions to the Holland Code occupational profile published by O*NET, the US Department of Labor's occupational information network. Realistic-Investigative-Conventional patterns dominate technical cybersecurity roles; Enterprising-Social-Investigative patterns dominate sales and leadership tracks.
Holland Code fit based on O*NET occupational profile and DecipherU career data. Take the full RIASEC assessment →
How do I become a SOC Analyst?
Start by exploring the interview questions for this role, reviewing salary data by location, and taking the RIASEC career assessment to confirm this path matches your personality profile. Use the links below to access each resource.
Career resilience: SOC Analyst
Recession risk
Very Low
Cybersecurity employment grew through every downturn since 2008. Source: BLS OES historical data.
AI impact
Augments (not replaces)
AI automates alert triage but expands attack surface, creating more specialized roles.
Regulatory demand
SOX, HIPAA, PCI-DSS, and SEC cyber disclosure rules legally require security teams regardless of economic conditions.
Government/defense demand
Federal and defense contractor roles for this function carry 15-25% salary premiums and strong job security.
Cybersecurity is one of the few technical fields where employment has grown through every recession since BLS began tracking it. The data across four economic downturns shows a consistent pattern: demand surges during crises, not during booms.
Bridge to Applied AI
MLOps Engineer
MLOps Engineers apply the same operational discipline as SOC Analysts: shift coverage, alert triage, runbooks, and post-incident review. The artifacts they monitor are different (model performance metrics instead of SIEM alerts) but the practitioner mindset is shared.
Read the MLOps Engineer guide →Salary data is compiled from public sources including the Bureau of Labor Statistics and industry surveys. Actual compensation varies by location, experience, company, and negotiation. This information is for educational purposes only and does not constitute financial advice.