SOC analyst careers
What is a SOC analyst?
Have you ever wondered what a SOC analyst is, how you can get your first SOC job or how much a SOC analyst makes? Here is a quick overview of the career path and its exciting job outlook.
SOC analysts work in an organization's security operations center (SOC) and are sometimes referred to as cybersecurity analysts. Their primary duty is monitoring and responding to cyber threats and other alerts. According to the Bureau of Labor Statistics, there were 141,200 security analysts in 2020 and another 47,100 will be needed by 2030.
$93,888
Average U.S. salary
33%
Projected career growth through 2030
Entry-level
Common first cybersecurity role
What does a SOC analyst do?
A junior SOC analyst is one of the primary entry-level roles within cybersecurity. SOC analysts are responsible for monitoring, investigating and reporting incidents from security information and event management (SIEM) systems. SOC analysts also monitor firewall, email, web and DNS logs to identify and mitigate intrusion attempts.
SOC analyst roles and responsibilities
The extent of a SOC analyst's duties — and the number of analysts working in the SOC — is dependent on the organization's size, industry and cybersecurity maturity. Smaller organizations may have a single analyst on staff, while large enterprises may employ 100 or more cybersecurity analysts within their SOC.
Typical duties include:
- Review, prioritize and investigate SIEM alerts
- Document cyber incidents and implement incident response plans
- Follow patch management and vulnerability testing processes
- Assist with risk management, audit and compliance requirements
SOC analyst tools
SOC analysts monitor and analyze huge amounts of network traffic — far more than any single person can do manually. Thankfully, there are a number of free SOC analyst tools to help manage the workload.
- Wireshark: One of the most popular network protocol analyzers available
- Zeek: Free network security monitoring tool similar to Wireshark
- Suricata: Free intrusion detection system (IDS) and intrusion prevention system (IPS)
- Snort: A common network IDS many vendors build on top of
Not sure where to start? Watch Mike Meyers' video on How to use Wireshark for protocol analysis. Then read Mark Viglione's free intrusion detection ebook (coming soon).
SOC analyst career path FAQ
A junior SOC analyst is one of the primary entry-level roles within cybersecurity. There is a range of roles within a SOC, so junior analysts may work alongside more senior analysts, forensic investigators, incident responders, security engineers, security managers and more.
What does SOC analyst stand for?
What is a SOC?
Cybersecurity analysts and other cybersecurity professionals often work in a security operations center, also known as a SOC. The SOC is the central hub of an organization's cybersecurity function, and the people, processes and technology that make up the SOC are responsible for detecting, analyzing and responding to cyber incidents.
What is a SOC analyst?
SOC analysts are the people who use those tools to detect, analyze and respond to threats. Essentially, they are the cybersecurity first responders that are on the frontlines of a cybersecurity team.
What is a NOC analyst?
You may have also heard the term network operations center, also known as a NOC. A NOC is focused on the IT side of an organization's infrastructure rather than the security side. A NOC analyst and others on the NOC team are primarily responsible for maintaining uninterrupted service and optimizing network performance. Although both a NOC and SOC are related to business risk and organizational stability, they serve two different functions.
What are the different SOC analyst levels?
SOC analysts are often organized into tiers based on experience. How you define a SOC level 1 analyst vs. a SOC level 2 analyst can vary based upon the organization and how the SOC is structured. However, it's typical to have three tiers, plus management:
- SOC analyst tier 1 is a name for an entry-level SOC analyst or junior SOC analyst. Alerts that come from the SIEM usually flow to a tier 1 SOC analyst to prioritize and investigate.
- SOC analyst tier 2 is a more experienced position. They deal with perceived threats or challenging cases that are escalated from their tier 1 coworkers. They are sometimes referred to as cyber incident responders.
- SOC analyst tier 3 is a more senior position. They often have a more proactive role of hunting down and identifying threats vs. responding to known issues. Because of this, they are sometimes referred to as cyber threat hunters.
- SOC manager is the leader of the entire SOC team. They are responsible for setting the strategy, as well as hiring, training, reporting and communicating metrics to other stakeholders in the organization.
A SOC team may also include security engineers or security architects. Additionally, the roles within a SOC may have different names depending on the organization. For example, SOC analysts are often referred to as security analysts, cybersecurity specialists, incident analysts or cyber defense analysts.
What is a typical task for the SOC tier 1 analyst?
What do you need to learn to be a SOC analyst? The primary duty of a SOC analyst is to monitor network traffic for cyber threats, so typical duties revolve around using tools to collect, analyze, filter or restrict traffic to the network. Infosec Skills author Mike Meyers has a number of videos demonstrating these tools. See them in action below:
- How to use Wireshark for protocol analysis: Learn how to analyze network traffic with the free protocol analyzer Wireshark and sniffing tool tcpdump
- How to use Nmap and other network scanners: Learn how to use free network scanning tools like Nmap, Zenmap and advanced port scanner to discover what's on your network — or someone else's
- 4 network utilities every security pro should know: Command-line utilities are useful in a variety of scenarios. Learn how, and when, you can use Ping, Netstat, Traceroute and ARP
- How to configure a network firewall: Learn the basics of setting up a network firewall, including stateful vs. stateless firewalls, setting up access control lists and more
For more information, read our SOC analyst job description article.
What tools should I get used to as a SOC analyst?
As noted above, there are a number of free open-source tools that are commonly used by SOC analysts (see "SOC analyst tools" and "What is a typical task for the SOC tier 1 analyst?"). When employed as a SOC analyst, you may also encounter popular commercial tools, such as:
- Solarwinds Security Event Manager
- Solarwinds Log Analyzer
- Splunk Enterprise Security
- LogRhythm NextGen SIEM
- Alienvault Unified Security Management
- Sumo Logic
- McAfee Enterprise Security Manager
- LogDNA
- Datadog
Since an entry-level SOC analyst's primary duty is to look at alerts and logs, you should get comfortable with network analysis tools, packet crafting tools, instruction detection and prevention tools, SIEM tools like Splunk, and logs from firewalls, email, web and DNS.
What hours do SOC analysts work?
Cybersecurity never stops, and many SOCs operate all day, every day, year-round. How the SOC schedule is set up may vary depending on an organization's size, reach and preferences. For example, a global organization may have teams spread across different time zones so that most analysts work a typical first-shift schedule. Other organizations may have SOC analyst night shifts and overnight shifts to ensure staffing 24 hours a day.
Some common SOC schedules for a week:
- Five, eight-hour shifts totaling 40 hours
- Four, 10-hour shifts totaling 40 hours
- Rotating 12-hours shifts (one example is the Panama schedule, which has four teams working 12-hour shifts on a 14-day schedule: 2 days on, 2 days off, 3 days on, 2 days off, 2 days on, 3 days off)
Some organizations may require more than 40 hours during certain circumstances (e.g., a major cyberattack) or require on-call shifts to help ensure continuous coverage.
Where can I find SOC analyst jobs?
Wondering where to find SOC analyst jobs? You can search all of the popular job boards for "SOC analyst" — or related names like "security analyst" or "cybersecurity specialist." Find hundreds of open jobs here: Indeed, Monster, Glassdoor, LinkedIn and CareerBuilder.
There are also cybersecurity-focused job websites like infosec-jobs.com, ClearedJobs and others.
Cybersecurity groups and associations like ISSA, ISACA or Women in Cybersecurity are another great way to network and find potential job openings. You can also try attending local meetups or connecting with other cybersecurity professionals on popular cybersecurity discussion boards.
How much does a junior SOC analyst make? What does a senior SOC analyst earn?
According to salary.com, the average SOC analyst salary (base) in the United States in 2022 is $93,888, and the average base salary range for all SOC analysts falls between $79,968 and $112,461. When looking at total compensation, which includes annual incentives like bonuses, the average jumps to $100,200 and the range to between $83,851 and $125,131.
Payscale reports a wider range of pay, with entry-level security analysts earning total compensation of around $61,000 and the most senior (20+ years) security analysts earning $95,000.
Salary can also vary quite a bit based on job location, benefits and other factors. However, based on these reports a SOC analyst tier 1 salary can expect to fall somewhere in the range of $60,000 to $90,000.
Where can I find free SOC analyst training resources?
Paid training courses can be a great way to build your SOC analyst skills, but it's entirely possible to learn everything you need to know for free. Try exploring:
- SOC analyst blogs: Hundreds of personal and commercial blogs offer technical walkthroughs of free and paid tools, break down career journeys and provide other valuable resources
- SOC analyst podcasts: Weekly podcasts like Cyber Work provide insights from those in trenches about what it's like to actually work as a SOC analyst and other roles
- SOC analyst books: Rent popular cybersecurity books from your local library, whether you want to learn cybersecurity basics, find your career path, earn an entry-level certification or jump-start your SOC analyst career
- Social media: Follow thought leaders and connect with potential mentors on places like LinkedIn, Twitter, YouTube, TechExams and other platforms
How to get a SOC analyst job?
Hiring managers are looking for SOC analyst resumes that demonstrate a proactive desire to learn. So how can you become a SOC analyst if you don't have experience or a learning budget? Go get that experience! Create a side project. Find a SOC analyst internship. Volunteer. Build a home network to analyze traffic. Or find a mentor by joining a cybersecurity group.
SOC analyst requirements
Some organizations are shifting away from degree requirements and focusing on projects, experiences and certifications. However, a bachelor’s degree in computer science, cybersecurity or another technical field may still be required.
What are the basic requirements for a SOC analyst? At a minimum, you'll need an understanding of IT infrastructure and cybersecurity foundations. For more information on how to build that knowledge, watch Keatron Evans' live demo and Q&A, Getting started in cybersecurity.
SOC analyst certifications
Certifications are another way to either break into a cybersecurity analyst role or prove your worth as a more senior security analyst. Which certifications are needed for a SOC analyst? See a few popular options below:
- CompTIA Security+, the most popular entry-level cybersecurity certification in the world
- CertNexus CyberSec First Responder, which covers network defense and incident response
- Certified Cyber Threat Hunting Professional (CCTHP), which covers how to find, assess and remove threats
- EC-Council CEH, an entry-level penetration testing certification that covers how to perform a security assessment
SOC analyst interview questions and answers
Common security analyst interview questions include:
- How do you define risk, vulnerability and threat on a network?
- What is the CIA triad?
- Why do you need DNS monitoring?
- What is a DDoS attack? How is it mitigated?
- Explain SSL and TLS in your own words.
Read our cybersecurity analyst interview Q&A article for the answers. For even more guidance, download our ebook: Cybersecurity interview tips: How to stand out, get hired and advance your career.
SOC analyst training courses
Live SOC analyst boot camps and on-demand SOC analyst courses provide expert, guided instruction to build your knowledge and skills. A few popular options are listed below:
More cybersecurity career advice
Starting a cybersecurity career can feel daunting, but don't let that fear stop you from taking the leap, says best-selling author and Infosec Skills instructor Ted Harrington. “Every single person who has ever achieved excellence didn’t know anything at one point, but they set out with that mindset of curiosity. You can do it, and you can excel at it. Just don’t be scared and put in the work.”
Want more career advice? Watch the Cyber Work Podcast or read these popular articles:
- 7 steps to building a successful career in information security
- 10 reasons why you should pursue a career in information security
- Most valuable cybersecurity skills to learn in 2022
- Which cybersecurity certifications are best for your career?
- How to specialize in cybersecurity: Find your path and your passion
- Incident responder careers: What’s it like to work in incident response?
- Threat hunter
- 133 cyber security training courses you can take now — for free