SOC Operations

A Security Operations Center (SOC) is a centralised team that monitors, detects, analyses, and responds to security incidents. Building and operating a SOC requires structured processes, the right tooling, and skilled analysts.

SOC Models

| Model | Description | Best For | Example |
|---|---|---|---|
| Internal SOC | Fully in-house team | Large enterprises, critical infra | Bank, government |
| MSSP | Managed Security Service Provider | SMB, no in-house expertise | Small retailer |
| Hybrid | Internal + MSSP co-managed | Mid-size, growing | Tech startup |
| Virtual SOC | Distributed team, remote | Global organisations | SaaS company |
| Co-Managed | MSSP handles Tier 1, internal handles Tier 2-3 | Any size | Regional hospital |

Staffing Models

24/7 SOC Staffing (Follow-the-Sun):
└─ Americas: 8 AM - 6 PM ET (onsite)
└─ EMEA: 8 AM - 6 PM CET (onsite)
└─ APAC: 8 AM - 6 PM SGT (onsite)
└─ Handover between shifts overlaps by 30 minutes
Staffing Ratios:
└─ 24/7 SOC: 5-6 analysts per seat (to cover shifts + PTO + sick)
└─ Business hours SOC: 1.5 analysts per seat
└─ Recommended: 1 analyst per 1,000 EPS (events per second)
└─ Minimum viable 24/7 SOC: 8-10 analysts total
Tier Distribution:
└─ Tier 1: 50% of team (monitor, triage)
└─ Tier 2: 30% of team (investigate, contain)
└─ Tier 3: 20% of team (hunt, forensics, advanced analysis)

SOC Tier Structure

Tier 1 — Triage (Monitor & Alert)

Role: SOC Analyst L1
Experience: 0-2 years
Key Skills: SIEM navigation, alert triage, basic investigation
Certifications: Security+, GSEC, or equivalent
Responsibilities:
└─ Monitor SIEM dashboards continuously
└─ Acknowledge and triage alerts within 15 minutes
└─ Classify alerts: True Positive, False Positive, Benign
└─ Document findings in ticketing system
└─ Escalate confirmed incidents to Tier 2
└─ Update alert documentation and runbooks
Metrics:
└─ Time to acknowledge: < 15 minutes (target: < 5 minutes)
└─ Time to triage: < 30 minutes
└─ False positive identification rate: > 90%
└─ Alerts processed per shift: 50-200 (varies by environment)

Tier 2 — Investigation (Analyse & Contain)

Role: SOC Analyst L2
Experience: 2-5 years
Key Skills: Forensic analysis, malware analysis, network forensics, cloud forensics
Certifications: CISSP, GCIH, GCFA, or equivalent
Responsibilities:
└─ Investigate escalated incidents in depth
└─ Perform containment actions (block IP, quarantine host, disable account)
└─ Determine scope of compromise
└─ Gather forensic evidence for legal proceedings
└─ Write incident reports
└─ Update detection rules based on investigation findings
Metrics:
└─ Time to investigate: < 4 hours (standard), < 1 hour (critical)
└─ Containment time: < 2 hours
└─ Investigation completion rate: > 95%
└─ Quality score (peer review): > 90%

Tier 3 — Advanced (Hunt & Forensics)

Role: SOC Analyst L3 / Threat Hunter
Experience: 5+ years
Key Skills: Advanced forensics, malware reverse engineering, threat intelligence, scripting
Certifications: GREM, GXPN, OSCP, or equivalent
Responsibilities:
└─ Proactive threat hunting (not waiting for alerts)
└─ Malware reverse engineering
└─ Advanced forensic analysis (memory, disk, network)
└─ Detection engineering (create new correlation rules)
└─ Threat intelligence integration
└─ Mentor L1/L2 analysts
└─ Post-incident root cause analysis
Metrics:
└─ Hypotheses tested per week: 5-10
└─ New detection rules created: 2-5 per month
└─ Time to root cause: < 1 week
└─ Mentor sessions: 2+ per week

SOC Processes

Shift Handover

Mandatory Handover Items:
└─ Active incidents (status, next steps, pending actions)
└─ Open investigations (findings, leads)
└─ Ongoing maintenance (updates, patching, testing)
└─ New threat intel received during shift
└─ SIEM health issues (data source outages, high latency)
└─ Scheduled activities for next shift (pen tests, maintenance windows)
└─ Escalation contacts on-call
Handover Format:
└─ Time: 30-minute overlap minimum
└─ Written: Handover document in ticketing system
└─ Verbal: Walk-through of active incidents
└─ Confirmation: Both shifts sign off on handover

Escalation Matrix

Alert Severity → Escalation Path:
P1 (Critical — active breach):
└─ 0 min: SIEM alert fires
└─ 5 min: Tier 1 acknowledges
└─ 15 min: Tier 2 engaged
└─ 30 min: Incident Commander assigned
└─ 60 min: CISO notified
└─ 4 hours: Legal / PR notified (if data breach)
└─ 24 hours: Board notified (if material)
P2 (High — suspicious activity):
└─ 0 min: Alert fires
└─ 15 min: Tier 1 acknowledges
└─ 1 hour: Tier 2 investigates (if not resolved by Tier 1)
└─ 4 hours: Incident determined yes/no
P3 (Medium — policy violation):
└─ 0 min: Alert fires
└─ 1 hour: Tier 1 acknowledges
└─ 8 hours: Investigation complete
P4 (Low — informational):
└─ Next business day: Review and disposition
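The escalation clock above written as a checker, an added example that is not part of the original page: it encodes the P1 to P4 deadlines in minutes and reports which steps are overdue, or were completed late, for a given alert. The step names, the `Alert` class and the sample alert are assumptions; the conditional notifications (Legal/PR, Board) are listed unconditionally.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Escalation clock from the matrix above as (step, minutes after the alert fires).
# Conditional steps (Legal/PR "if data breach", Board "if material") are listed
# unconditionally; P4 has no clock-based step ("next business day"), so it is empty.
ESCALATION_MATRIX = {
    "P1": [("tier1_ack", 5), ("tier2_engaged", 15), ("incident_commander", 30),
           ("ciso_notified", 60), ("legal_pr_notified", 240), ("board_notified", 1440)],
    "P2": [("tier1_ack", 15), ("tier2_engaged", 60), ("incident_decision", 240)],
    "P3": [("tier1_ack", 60), ("investigation_complete", 480)],
    "P4": [],
}

@dataclass
class Alert:
    alert_id: str
    severity: str                                   # "P1".."P4"
    fired_at: datetime
    steps_done: dict = field(default_factory=dict)  # step -> completion time
    resolved_at: Optional[datetime] = None          # closed early, e.g. by Tier 1

def overdue_steps(alert: Alert, now: datetime) -> list:
    """(step, minutes_late) for each step whose deadline passed and that was not done,
    or was done late. Steps falling due after the alert was resolved do not apply."""
    late = []
    for step, minutes in ESCALATION_MATRIX[alert.severity]:
        deadline = alert.fired_at + timedelta(minutes=minutes)
        if alert.resolved_at is not None and alert.resolved_at <= deadline:
            continue  # P2 "if not resolved by Tier 1": the clock stops at resolution
        done_at = alert.steps_done.get(step)
        reference = done_at if done_at is not None else now
        if reference > deadline:
            late.append((step, int((reference - deadline).total_seconds() // 60)))
    return late

def next_deadline(alert: Alert) -> Optional[tuple]:
    """(step, deadline) of the earliest step not yet completed, or None if all done."""
    pending = [(step, alert.fired_at + timedelta(minutes=m))
               for step, m in ESCALATION_MATRIX[alert.severity] if step not in alert.steps_done]
    return min(pending, key=lambda p: p[1]) if pending else None

# Constructed sample: P1 alert fired 10:00, Tier 1 acknowledged at 10:03 (on time),
# Tier 2 engaged at 10:20 (5 min late), no Incident Commander assigned by 10:45.
T0 = datetime(2024, 3, 1, 10, 0)
P1_ALERT = Alert("ALRT-0001", "P1", T0, steps_done={
    "tier1_ack": T0 + timedelta(minutes=3), "tier2_engaged": T0 + timedelta(minutes=20)})
NOW = T0 + timedelta(minutes=45)
```

Run against the sample, `overdue_steps(P1_ALERT, NOW)` returns `[('tier2_engaged', 5), ('incident_commander', 15)]` and `next_deadline(P1_ALERT)` points at the 10:30 Incident Commander step.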

SOC Tooling

Essential SOC Tools:
SIEM: Splunk, Elastic Security, Azure Sentinel, QRadar
└─ Log aggregation, correlation, alerting
EDR: CrowdStrike, SentinelOne, Defender for Endpoint
└─ Endpoint detection, process telemetry, remote containment
Ticketing: ServiceNow, Jira Service Management
└─ Incident tracking, workflow, SLA management
Threat Intel: MISP, Recorded Future, VirusTotal
└─ IOC feeds, enrichment, threat scoring
SOAR: Splunk SOAR, Palo Alto XSOAR, Torq
└─ Playbook automation, orchestration
Forensics: FTK Imager, Volatility, Autopsy
└─ Disk/memory acquisition, analysis
Network: Wireshark, Zeek, Suricata
└─ Packet capture, protocol analysis, IDS
Collaboration: Slack/Teams, Confluence
└─ Communication, documentation

SOC Metrics (KPIs)

| KPI | Formula | Target | Reports To |
|---|---|---|---|
| MTTD (Mean Time to Detect) | Time from compromise to detection | < 1 hour (critical), < 24 hours (standard) | CISO |
| MTTR (Mean Time to Respond) | Time from detection to containment | < 2 hours (critical), < 8 hours (standard) | SOC Manager |
| Alert Volume | Total alerts received per day | N/A (track trend) | SOC Manager |
| False Positive Rate | False positives / Total alerts | < 30% | Detection Engineering |
| Escalation Rate | Escalated to Tier 2 / Total alerts | 10-20% | SOC Manager |
| Time to Triage | Average time for Tier 1 triage | < 15 minutes | Team Lead |
| SIEM Coverage | Critical sources sending logs / Total critical sources | > 95% | SIEM Admin |
| Analyst Satisfaction | Survey score | > 4/5 | HR / SOC Manager |

Building a SOC: Timeline

Month 1-2 — Foundation:
└─ Define SOC scope (what systems, what threats)
└─ Hire SOC manager
└─ Select SIEM platform
└─ Define initial use cases (top 10 detection rules)
Month 3-4 — Build:
└─ Deploy SIEM
└─ Onboard critical log sources (firewall, AD, EDR, cloud)
└─ Hire Tier 1 analysts
└─ Create initial runbooks
Month 5-6 — Operate:
└─ Go live with Tier 1 (monitoring hours)
└─ Tune rules based on real data
└─ Establish shift schedule
└─ Create escalation procedures
Month 7-9 — Expand:
└─ Hire Tier 2 analysts
└─ Onboard additional log sources
└─ Implement SOAR for common playbooks
└─ Extend to 24/7 if required
Month 10-12 — Mature:
└─ Hire Tier 3 (threat hunting)
└─ Implement UEBA
└─ Tabletop exercises
└─ External audit

Key Takeaways

  • SOC tiers separate monitoring (T1) from investigation (T2) from hunting (T3) — each requires different skills and experience levels
  • A 24/7 SOC requires 5-6 analysts per seat for complete coverage — plan staffing accordingly
  • Shift handover is the most critical process — a 30-minute overlap with written + verbal handover prevents incidents from falling through the cracks
  • Escalation paths must be time-bound: P1 = 5min acknowledge, 15min T2, 30min incident commander, 60min CISO
  • MTTD and MTTR are the most important SOC metrics — measure, trend, and improve them
  • Alert volume without tuning destroys SOC effectiveness — a well-tuned SIEM generates fewer but higher-quality alerts
  • Building a SOC takes 12+ months — start with monitoring critical sources, then expand coverage, then add hunting
  • Tooling is secondary to process — a SOC with great tools but no process will fail; a SOC with good process and basic tools will succeed
  • MSSP/co-managed models provide SOC capabilities without full in-house buildout — suitable for many organisations
  • Burnout is high in SOC roles (2-3 year average) — rotation, training, and career paths are essential for retention