What Does a SOC Analyst Do?
Guide Published 7 Jul 2026

What Does a SOC Analyst Do?

What does a SOC analyst do all day? A clear breakdown of the tasks, tools, and career tiers, from a mentor who has trained people into the role.

The direct answer

A SOC analyst monitors an organisation's networks and systems for security alerts, investigates whether each alert is a real threat or a false positive, and either closes it or escalates it for deeper investigation and response. It's a defensive (blue team) role centred on logs, alerts, and a queue of tickets - not the Hollywood image of fast-typing hacking scenes.

Most of a SOC analyst's day is triage: a Security Information and Event Management tool (a SIEM - see my SIEM for beginners guide) flags something unusual, and the analyst works out whether it's a misconfigured server, a phishing click that didn't go anywhere, or a genuine compromise that needs immediate escalation.

The three tiers, and what changes at each one

TierFocusTypical tasksEscalates to
Tier 1Alert triageReviewing SIEM alerts, closing false positives, documenting tickets, following runbooksTier 2 for anything unclear or confirmed
Tier 2InvestigationDeeper log correlation, malware analysis basics, confirming and scoping incidentsTier 3 / incident response team for major incidents
Tier 3Threat hunting & responseProactively hunting for threats not caught by existing rules, leading incident response, tuning detection rulesWorks with management/legal on major breaches

Most people reading this are aiming at Tier 1 - it's the standard entry point, and my guide on how to become a SOC analyst covers how to get there.

A typical shift, task by task

  1. Start of shift handover - review what the previous shift flagged or left open.
  2. Work through the SIEM alert queue, prioritising by severity.
  3. Investigate each alert: check the source IP, the user account involved, whether the behaviour matches a known pattern.
  4. Close false positives with a documented reason (this documentation matters more than new analysts expect - it's what gets audited).
  5. Escalate genuine or ambiguous incidents to Tier 2 with your findings so far.
  6. Update tickets, run scheduled checks (patch status, failed login reports), and handle any ad hoc requests from other teams.
  7. End-of-shift handover to the next analyst.

If the team runs 24/7 coverage, this repeats across day, evening, and night shifts on a rota - worth asking about at interview if shift patterns matter to you.

What I tell my students

The biggest misconception I correct constantly: people expect SOC work to feel like the offensive side of security - actively "hunting hackers." Tier 1 work is closer to being a very well-informed triage nurse. Most alerts are noise. Your job is knowing which ones aren't, and that skill is built through repetition and pattern recognition, not raw technical brilliance. If you find repetitive, detail-heavy work boring, be honest with yourself about that before you commit - it matters more for job satisfaction than most study guides admit.

The flip side: this repetition is exactly how you learn fast. Six months of Tier 1 alert triage teaches you more about how real networks actually behave than a year of self-study courses, because you're seeing genuine traffic, genuine misconfigurations, and genuine (if rare) incidents.

I also tell students not to underestimate how much of the job is writing. Clear, concise incident notes are a skill in themselves, and a huge chunk of your reputation on a SOC team comes from how well you document what you found, not just whether you found it.

Tools you'll typically use

  • SIEM platforms - Splunk, Microsoft Sentinel, QRadar, or open-source options like Wazuh.
  • Ticketing systems - ServiceNow, Jira, or similar, for tracking and escalating incidents.
  • EDR tools - endpoint detection and response software (CrowdStrike, Defender for Endpoint, SentinelOne) for investigating individual machines.
  • Threat intelligence feeds - to check whether an IP or file hash is already known-bad.

If you're weighing up whether this career path suits you before committing time and money, book a trial lesson and we can talk through what a realistic week actually looks like based on your background.

FAQ

Is SOC analyst a stressful job?

It can be, particularly during a genuine incident or an unusually busy shift, but day to day it's steady, process-driven work rather than constant crisis. Shift patterns (including nights, at some employers) are often the bigger stressor than the technical content itself.

Do SOC analysts write code?

Not usually at Tier 1. Basic scripting (Python, PowerShell) becomes useful at Tier 2 and above for automating repetitive investigation tasks, but it's not a day-one requirement.

What's the difference between a SOC analyst and a penetration tester?

A SOC analyst defends and monitors; a penetration tester attacks systems with permission to find weaknesses first. Full comparison in blue team vs red team.

How do I know if SOC work is right for me?

If you like structured, methodical investigation work and don't mind repetition in service of getting good at pattern recognition, it's a strong entry point. If you're drawn to security purely because of offensive/hacking content you've watched online, it's worth understanding the day-to-day reality first - which is exactly what this article is for.

This article was generated with AI assistance and published to the Korra Studio knowledge base. Spotted an error? Let us know.

Field Notes

Ready to go deeper?

Turn these Field Notes into hands-on skills — deploy into the related Segments on DEFENSE_GRID.

bolt Create free account

Related Segments

arrow_backAll field notes grid_viewExplore the Operations Library