SOC Analyst Education & Career Guide

What is an SOC Analyst?

As defined by IBM, a security operations center (SOC) is a "team of IT security professionals who constantly monitor a company or organization's IT infrastructure to detect cyber security threats or events in real time and address them as quickly and effectively as possible." An SOC may also research and maintain the company's security technology program and find ways to improve the company's security and impenetrability on an ongoing basis.

The benefit of an SOC is that it consolidates security tools, best practices and response to incidents into one location. The goal is improved preventative measures and security policies, faster threat detection and a more effective and cost-efficient response to any external threats. An SOC can also improve customer relationships and strengthen a company's compliance with any national and global privacy regulations.

How a security operations center works

The SOC also focuses on recovery and remediation. Once an incident is contained, the SOC first works to eradicate the threat and then to restore the compromised assets to their prior state. In the event of a data breach or ransomware attack, recovery may also involve failing over to backup systems and resetting passwords and credentials.

To prevent a recurrence, the SOC uses any new intelligence gained from the incident to better address vulnerabilities, update processes and policies, choose new cyber security tools or change its current response plan. At a higher level, the SOC team may also try to discover whether an incident signals a new or changing cyber security trend that the team needs to be aware of and prepare for.

It's also the SOC's job to ensure all applications, security systems and processes comply with data privacy regulations. Regulations and laws that require compliance may include:

  • Global Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Health Insurance Portability and Accountability Act (HIPAA)

If a breach or compliance violation does occur, the SOC makes sure that users, regulators, law enforcement and other parties are notified in accordance with regulations and that all incident data is preserved for evidence, auditing and future prevention.

What role do SOC analysts play?

SOC analysts differ from cyber security analysts and some other analysts in that a cyber security analyst may work alone or be the only person in a company in that role, while SOC analysts are normally part of a large, dedicated team that acts as the last line of defense against cyber crime.

Without them, hackers may not be brought to justice. SOC analysts are also different from security investigators and incident responders, as these are usually the first line of defense against cyber security threats or incidents. SOC analysts detect, investigate and prioritize real or suspected threats; they identify the impacted hosts, endpoints and users and take the appropriate action to mitigate and contain their impact.

A typical SOC analyst job description

Some of an SOC analyst's responsibilities may include:

  • Monitoring and managing an organization's security systems and profile
  • Sifting through false positives and detecting potential real threats
  • Conducting routine maintenance and updates
  • Developing and maintaining security policies and procedures
  • Keeping a current asset inventory in and outside of the data center
  • Providing security training to employees and incident response drills to the SOC team
  • Responding to security incidents and threats
  • Analyzing logs, network traffic and data to identify potential threats and vulnerabilities
  • Performing regular vulnerability assessments and tests
  • Providing threat intelligence reports and managing log data
  • Designing and implementing security solutions
  • Staying current on industry trends, solutions and threats including usage of SIEM solutions and AI

Skills and qualifications

Despite a degree not always being mandatory for SOC analysts, there are skills and abilities that are needed to perform the duties of the job. While the technical skills can be learned in bootcamps and certification programs, the soft skills are basic inherent traits and abilities that align with the duties and sense of urgency on the job:

Technical skills | Soft skills
Network monitoring | Excellent communication skills
Intrusion detection | Analytical thinking skills
Incident response and resolution | Team player
Penetration testing | Multi-tasker
Log analysis | Writing skills
Basic programming | Organizational and time management skills

Education and SOC analyst certification

The most common way to enter the SOC analyst career field is to earn a bachelor's degree in computer science, computer engineering or another related area, such as cyber security. A bachelor's degree is generally desired, though you could become an SOC analyst in other ways that would allow you to gain the knowledge you need. 

Ways to enter the field without a degree

Entry-level role:
Roles such as incident responder or QA tester can help you gain practical experience on the job. You can learn from others in your organization, attend events and offer your skills to the SOC team.
Internships:
Research internships at local technology companies, or companies that operate an SOC. See if your school's program offers internships, whether paid or unpaid, as these provide an opportunity to get hands-on experience and network with potential employers.
Bootcamps:
Bootcamps are a fast way to get the skills you need to work as an SOC analyst. They are designed to give you the knowledge and skills for entry-level cyber security roles and focus specifically on the skills you'll need to do the job, which is why they are shorter than degree programs and cost less. You will learn exactly what you need to know without peripheral skillsets added.
Practical studies:
Hands-on training, realistic simulations and scenario-based exercises allow you to apply your knowledge and skills in a controlled environment. Through practical studies and hands-on labs, SOC analysts can gain experience in log analysis, incident response and threat detection, preparing them for real-world challenges.
Certification programs:
One example of a certification program is the Certified Cyber Defender (CCD) training offered by CyberDefenders. CCD training is a hands-on program that equips you with practical skills against the "real-world threats defenders experience in their networks and the tools used to defend against them." You will learn defense strategies, threat-hunting techniques, adversary detection and how to investigate security intrusions and perform forensic analysis.

Professional certifications and what they provide

Earning certification is a great way to showcase your expertise or advance your skillset—even if you already have a degree in a related field. Here are some common SOC analyst professional credentials:

Certified Information Systems Security Professional (CISSP): To become certified as a CISSP, you will need at least five years of full-time employment as a security analyst in two or more of the eight domains covered by the CISSP, such as cryptography and software development security. Experience substitution is available for those with college degrees and additional credentials if these are approved by (ISC)².

GIAC Certified Intrusion Analyst (GCIA): The GCIA certification validates knowledge of network and host monitoring, traffic analysis and intrusion detection. GCIA certification holders have the skills needed to configure and monitor intrusion detection systems, and to read, interpret and analyze network traffic and related log files.

CompTIA Security+: CompTIA Security+ is a global certification that validates the skills necessary to perform core security functions and pursue an IT security career. It is intended for entry-level or early-career cyber security professionals. It is recommended that you have two years of experience in IT administration with a security focus before taking this exam, though that experience is not a requirement for sitting the exam.

Tiers and progression

The SOC itself is made up of different tiers, each contributing a specific service to the goal of securing systems, hardware, software and operations. Here is a look at the three tiers you may work in:

Tier 1 is the triage tier of the SOC. It is staffed by entry-level SOC analysts and incident responders, typically the least experienced members of the team, whose primary function is to monitor event logs for suspicious activity. When they judge that something needs further investigation, they gather as much information as possible and escalate the incident to Tier 2.

Tier 2 in the SOC is the investigative level. Tier 2 personnel are responsible for investigating security incidents and determining the root cause of the incident. 

Tier 3 focuses on threat detection and hunting. This is where most SOC analysts work. This tier analyzes logs, network traffic and other data sources to identify potential threats and vulnerabilities. Tier 3 personnel are also responsible for providing detailed threat intelligence reports and recommendations for remediation. The most experienced analysts support incident response and spend their remaining time sifting through forensic data for threats that detection software may not have flagged.

One goal of the SOC is to spend less time on the due diligence required in Tier 3: if Tier 1 and Tier 2 carry out their purpose and function well, Tier 3 ends up with fewer fire drills to handle.
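As an added example (not from the original guide, and not any vendor's tool), the following Python script shows what the Tier 1 workflow described above looks like in practice: it parses a handful of constructed sshd log lines, applies one simple triage rule (repeated failed logins from a single source), and builds an escalation ticket for Tier 2 that carries the context a Tier 1 analyst would gather. The log format, the threshold of five failures and the severity rules are assumptions chosen for the example.

```python
"""Tier 1 triage of SSH authentication events (added example, constructed data)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed syslog-style sshd lines; not real hosts or addresses
# (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
SAMPLE_LOG = """\
Mar 10 09:01:02 web01 sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 51122 ssh2
Mar 10 09:01:04 web01 sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 51123 ssh2
Mar 10 09:01:05 web01 sshd[2102]: Failed password for root from 198.51.100.23 port 51124 ssh2
Mar 10 09:01:07 web01 sshd[2103]: Failed password for root from 198.51.100.23 port 51125 ssh2
Mar 10 09:01:09 web01 sshd[2104]: Failed password for root from 198.51.100.23 port 51126 ssh2
Mar 10 09:01:15 web01 sshd[2105]: Accepted password for root from 198.51.100.23 port 51127 ssh2
Mar 10 09:03:30 web01 sshd[2110]: Failed password for alice from 203.0.113.8 port 40211 ssh2
Mar 10 09:03:41 web01 sshd[2111]: Accepted publickey for alice from 203.0.113.8 port 40212 ssh2
"""

# Assumed line layout: timestamp, host, "sshd[pid]:", result, method, user, source, port.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port (?P<port>\d+)"
)

FAILED_THRESHOLD = 5  # assumed tuning value; Tier 1 would adjust it to the environment


@dataclass
class Ticket:
    """Escalation record handed from Tier 1 to Tier 2."""
    severity: str
    source: str
    host: str
    failure_count: int
    reason: str
    users: list
    first_seen: str
    last_seen: str
    evidence: list = field(default_factory=list)  # raw lines, preserved for Tier 2


def parse_events(text):
    """Turn raw log text into event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["raw"] = line
            events.append(ev)
    return events


def triage(events):
    """Apply the Tier 1 rule per (host, source) and build tickets for Tier 2."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[(ev["host"], ev["src"])].append(ev)  # keeps log order per source

    tickets = []
    for (host, src), evs in by_src.items():
        failed = [e for e in evs if e["result"] == "Failed"]
        if len(failed) < FAILED_THRESHOLD:
            continue  # below threshold: treated as noise, no escalation
        last_fail = max(i for i, e in enumerate(evs) if e["result"] == "Failed")
        # A success after the run of failures is the case Tier 2 must see first.
        success_after = any(e["result"] == "Accepted" for e in evs[last_fail + 1:])
        tickets.append(Ticket(
            severity="high" if success_after else "medium",
            source=src,
            host=host,
            failure_count=len(failed),
            reason=("password guessing followed by a successful login"
                    if success_after else "password guessing, no success observed"),
            users=sorted({e["user"] for e in evs}),
            first_seen=evs[0]["ts"],
            last_seen=evs[-1]["ts"],
            evidence=[e["raw"] for e in evs],
        ))
    tickets.sort(key=lambda t: t.severity != "high")  # high severity first
    return tickets


def format_ticket(t):
    """Render a ticket the way it would be pasted into an escalation note."""
    return (f"[{t.severity.upper()}] {t.host} <- {t.source}: {t.reason}; "
            f"{t.failure_count} failures, users {', '.join(t.users)}, "
            f"{t.first_seen} to {t.last_seen}, {len(t.evidence)} log lines attached")


if __name__ == "__main__":
    for ticket in triage(parse_events(SAMPLE_LOG)):
        print(format_ticket(ticket))
```

On the sample data the source that fails five times and then logs in as root produces one high-severity ticket with both attempted user names and all six log lines attached, while the single failed attempt from the second source stays below the threshold and is not escalated, which is the "sifting through false positives" part of the job description above.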

Advancing your career

As an SOC analyst gains more experience, they may want to consider advancing into the following types of roles:

The SOC manager, who runs the team, oversees all security operations, and reports to the organization's CISO (chief information security officer).

Security engineers, who build out and manage the organization's security architecture. Much of their work involves evaluating, testing, recommending, implementing and maintaining security tools and technologies. Security engineers also work with development or operations teams to make sure the organization's security architecture is included in application development cycles.

Director of Incident Response, a leadership role responsible for communicating, coordinating and implementing the incident response plan.

SOC Analyst salary and compensation

As an SOC analyst, your salary will depend on several factors: where you live, where you work, your education and the level of analyst you have attained. ZipRecruiter also notes that SOC analysts may receive bonuses and profit sharing, depending on the organization they work for. The U.S. Bureau of Labor Statistics does not specifically report salaries for SOC analysts, but it does maintain data on Information Security Analysts, who it says earn a median annual salary of .

ZipRecruiter says the top five states people search for SOC analyst jobs are New York, Washington, Florida, Connecticut and New Jersey. The BLS reports the following five states with the highest level of employment for security analysts are: Virginia, California, Texas, Florida and Maryland. Here are national salaries, including the lowest and highest 10% in the field by state, according to the BLS:

Information Security Analysts (BLS national figures)

Median hourly wage: $54
Job growth: 31.5%
Total employment: 163,690

State | Median salary | Bottom 10% | Top 10%
Alabama | $105,180 | $53,680 | $165,980
Alaska | $93,960 | $68,220 | $141,470
Arizona | $106,360 | $60,110 | $158,300
Arkansas | $83,370 | $47,300 | $135,280
California | $134,830 | $72,590 | $203,110
Colorado | $109,610 | $64,240 | $172,420
Connecticut | $119,270 | $84,190 | $162,960
Delaware | $127,670 | $85,910 | $174,690
District of Columbia | $123,140 | $84,300 | $177,240
Florida | $106,440 | $63,710 | $164,920
Georgia | $117,020 | $70,730 | $168,580
Hawaii | $107,060 | $64,810 | $174,350
Idaho | $103,450 | $54,840 | $148,460
Illinois | $108,510 | $64,180 | $161,250
Indiana | $85,190 | $49,740 | $132,210
Iowa | $104,750 | $52,930 | N/A
Kansas | $96,960 | $60,320 | $128,850
Kentucky | $88,820 | $43,800 | $156,000
Louisiana | $85,580 | $56,380 | $129,640
Maine | $85,300 | $60,310 | $124,650
Maryland | $131,260 | $74,930 | $203,470
Massachusetts | $113,610 | $64,610 | $173,290
Michigan | $98,620 | $55,030 | $155,930
Minnesota | $109,760 | $71,920 | $158,940
Mississippi | $81,140 | $50,110 | $131,990
Missouri | $84,140 | $40,100 | $133,330
Montana | $81,080 | $51,990 | $159,630
Nebraska | $96,050 | $61,670 | $133,050
Nevada | $95,710 | $64,250 | $161,590
New Hampshire | $133,680 | $82,220 | $189,750
New Jersey | $130,210 | $82,900 | $173,310
New Mexico | $123,240 | $70,220 | $165,170
New York | $133,100 | $76,450 | $215,550
North Carolina | $117,860 | $76,100 | $175,320
North Dakota | $84,900 | $50,220 | $130,850
Ohio | $103,470 | $60,060 | $155,900
Oklahoma | $95,360 | $54,020 | $139,680
Oregon | $119,990 | $66,590 | $172,380
Pennsylvania | $99,200 | $49,220 | $148,170
Rhode Island | $104,200 | $71,840 | $164,470
South Carolina | $105,000 | $56,620 | $139,750
South Dakota | $101,130 | $70,400 | $129,790
Tennessee | $95,740 | $62,240 | $164,810
Texas | $110,270 | $69,040 | $162,800
Utah | $103,570 | $60,110 | $174,920
Vermont | $79,780 | $51,330 | $132,050
Virginia | $130,130 | $80,170 | $181,280
Washington | $133,120 | $82,420 | $181,550
West Virginia | $86,340 | $37,370 | $141,760
Wisconsin | $104,520 | $61,450 | $138,620
Wyoming | $92,890 | $51,280 | $123,880

Source: U.S. Bureau of Labor Statistics (BLS) 2022 median salary; projected job growth through 2032. Actual salaries vary depending on location, level of education, years of experience, work environment, and other factors. Salaries may differ even more for those who are self-employed or work part time.

And here are median salaries for the top 10 metropolitan and city areas ranked by highest pay:

Metro area | Median annual salary
San Jose-Sunnyvale-Santa Clara, CA | $158,650
Midland, MI | $141,400
Idaho Falls, ID | $136,620
Charlotte-Concord-Gastonia, NC-SC | $136,460
New York-Newark-Jersey City, NY-NJ-PA | $136,010
Trenton, NJ | $135,590
Seattle-Tacoma-Bellevue, WA | $134,700
Portsmouth, NH-ME | $133,680
Bridgeport-Stamford-Norwalk, CT | $133,030
Washington-Arlington-Alexandria, DC-VA-MD-WV | $132,640

Challenges, rewards and the future

The challenge facing SOC analysts is great and singular: how do you stay one step ahead of the cyber criminal and keep data secure? As cyber crime advances and becomes more sophisticated, the SOC analyst must stay ahead of trends and technologies. As technology continues to advance, SOC analysts must understand how best to leverage it to thwart threats and breaches.

The use of AI and machine learning in threat detection, cloud security and IoT (Internet of Things) security are just a few of the evolving areas within the field. Keeping abreast of these trends and continually learning relevant skills will ensure that SOC analysts remain effective in addressing and thwarting future cyber security threats.

Summing up

If you're certain that earning the education to become an SOC analyst is for you, you already know you have a huge responsibility ahead of you. No matter if you select certifications, bootcamps or full-fledged accredited degree programs to enter the field, by the time you complete your required learning the cyber universe will have already moved on, resulting in a never-ending challenge and quest.

You'll never stop learning as an SOC analyst, and you'll need to be ready to stay steps ahead of the cyber criminal mindset at all times. If you have the stamina and will to tackle what is sure to be a relentless yet rewarding career field, you'll perform a service that will keep individuals and organizational data safe from harm. All you need to do to get started is click Find Schools to begin researching bootcamps and education programs.

Published: November 8, 2023

Written and reported by:

The Cyber Security Education Team