What is a SOC Analyst?

image of abstract art for cybersecurity

A SOC Analyst — Security Operations Center (SOC) analyst — is often called the “first line of defense” against cyberthreats. Learn what a SOC analyst does and how to become one here.

Reading Time 6 mins

Cybercrime is a bigger problem than ever, costing American businesses and everyday people more than $4.2 billion in 2020 alone. Defending an enterprise from cybercriminals is a round-the-clock job, and businesses are increasingly centralizing their core security functions into a single place: a Security Operations Center (SOC).

What is a SOC Analyst?

SOC Analyst stands for Security Operations Center (SOC) analyst. A SOC analyst is often called the “first line of defense” against cyberthreats. SOC Analysts monitor live security events and possible breaches, and report them to relevant teams. Given the nature of a suspected breach, they need to be ready to collaborate with teams around the globe in real-time, providing critical data to help stay ahead of hackers.

There are two types/tiers of SOC Analysts:

  • Level 1 (Tier I) – Focuses on triaging incident alerts as they come in, assessing their urgency, and reporting them to Level 2 SOC Analysts and other SOC team members.
  • Level 2 (Tier II) – Reviews information gathered by Level 1 SOC Analysts, and gathers new information, to determine the scope of the breach.

What does a SOC Analyst do?

The most important day-to-day job for a SOC Analyst is to monitor security access for potential malicious behavior. A SOC will typically run an intrusion detection system (IDS) that will trigger automatic alerts when certain suspicious behaviors occur, but these alerts need to be monitored and assessed to weed out false positives.

The SOC Analyst will also manually review network logs, e-mails that have been tagged as phishing, and other information as it becomes available. And when there’s any cause for suspicion, the analyst will report the activity to their superior so that the entire SOC team can review it and respond if necessary. 

Even when there is no active threat, they’ll be performing risk analysis across the network to identify potential vulnerabilities. 

What qualifications and skills should a SOC Analyst have?

A SOC Analyst’s specific skill requirements will vary based on their company’s systems and security challenges, but there are core qualifications, skills, and certifications that employers may look for when evaluating potential analysts to join their teams. 

Education & Training of a SOC Analyst

A SOC Analyst is expected to have a firm understanding of computer and networking fundamentals. Common undergraduate degrees will be in computer science, information technology, or another related field. 

If going back to school for an undergraduate degree isn’t possible for you, consider a cybersecurity bootcamp. You can get the training you need to get into cyber in as little as 15 weeks. 

Certifications can also be a great way to demonstrate hard skills if you come from an unconventional educational or work background. However, many certifications will require candidates to have at least one year of experience in a network admin or security field, due to the importance of the hard skills learned ‘on the job’. 

The Certified SOC Analyst (CSA) program is a common certification in the field, and involves an intense three-day curriculum to ensure that a candidate has truly mastered their skill set. It has been designed for individuals seeking to become a Tier I or Tier II analyst, as well as for professionals in those roles seeking to validate their skillset.

Skills of a SOC Analyst

A SOC Analyst is expected to have mastered the basics of a network environment in order to be able to do their job correctly. Not only do they have to use their judgment to assess threats based on incomplete information, but they are under time pressure to escalate issues and assist with their remediation. 

Skills like these are best acquired through direct experience. Here are some of the hard skills you’ll be expected to master as a SOC Analyst.

Tier I SOC Analyst (Level 1) skills

Tier I SOC Analysts should have a mastery of the Windows and Mac OS operating system environments. Additionally, Tier I SOC Analysts are expected to have strong skills in Linux and Unix for system administration purposes.

Tier I SOC Analysts will also be expected to demonstrate mastery of key programming languages, including Python, C, C#, Java, Perl, and Ruby on Rails. This range of languages ensures they can comfortably navigate network and software applications and web applications, tracking the full security and access process across the network.

Tier II SOC Analyst (Level 2) skills 

Tier II SOC Analysts will probably have worked as a Tier I analyst already, and have a strong mastery of the skills listed above. 

They will also be good communicators who can quickly help team members understand the scope and severity of a potential threat so that resources can be reallocated in a timely manner. This includes ongoing documentation of the issue so that it may be analyzed at a later date.

In addition to the day-to-day skills demonstrated above, Tier II SOC Analysts will be experts at mapping issues throughout a network, reverse engineering attacks, performing trend analysis, creating audit reports, and implementing complex solutions to ensure the security of the network on an ongoing basis.

What tools do SOC Analysts use?

Every SOC will have its own dedicated tool set, ranging from industry-wide applications to proprietary tools developed by a company to best protect their security assets. But there are some basic network monitoring tools that every SOC Analyst will encounter throughout their career, such as Nagios and Argus.

Intrusion Detection System (IDS)

An Intrusion Detection System (IDS) is a critical tool for monitoring ongoing network traffic. It can scan for known threats such as port scanning, and can be programmed to identify intrusion patterns learned from past SOC team incident responses. The most common IDS is Snort, an open source network-based system used across the industry.

Vulnerability scanners

An IDS evaluates network traffic, but a vulnerability scanner focuses entirely on analyzing your network for possible weak points, such as unpatched software or hardware. Note that separate tools will exist specifically for web vulnerabilities. As with an IDS, vulnerability scanners will be a fundamental part of any SOC tool kit. 

Penetration testing tools

Penetration testing, also known as “pen testing” or “ethical hacking”, involves a company attempting to breach its own security to help identify new or overlooked threats. The most commonly used tools in this space include Metasploit, a penetration testing framework, and Wireshark, a network protocol analyzer. 

How much does a SOC Analyst earn?

Here’s how much SOC Analysts earn, on average, across the United States:

Nationwide: $96,811 (ZipRecruiter)*

New York: $103,495 (ZipRecruiter)*

San Francisco: $103,495 (ZipRecruiter)*

Washington, DC: $103,495 (ZipRecruiter)*

*Salaries current in October 2021.

How to become a SOC Analyst?

Ready to begin your journey towards becoming a SOC Analyst? Whether you’ve worked in network administration or cybersecurity already, or you are looking to upskill your professional abilities, consider the benefits of an immersive coding bootcamp such as the Cybersecurity Engineering bootcamp at Flatiron School

You can learn full-time or enjoy the customized pace of one of our flex programs – all while enjoying the benefits of a shared learning community, the support of passionate instructors, and the assistance of seasoned career coaches who can help you make the bridge from student to employee.

And if you’re looking for inspiration, check out the story of Jonathan G., who changed his career from being a waiter to working as a SOC Analyst after graduating from Flatiron School.

Ready to begin your journey? Book a 10-Minute Chat with one of our admissions reps today.

Disclaimer: The information in this blog is current as of May 4, 2022. Current policies, offerings, procedures, and programs may differ.

About Flatiron School

More articles by Flatiron School