How to become a SOC analyst: Training, certifications and other resources

July 19, 2024 by

Daniel Brecht

Security Operations Center (SOC) analysts are in high demand due to cyber threats becoming more common, complex and sophisticated than ever before. Companies rely on teams of highly skilled frontline professionals who can leverage their analytical abilities and deliver innovative IT solutions by using various security measures to prevent or mitigate future attacks and protect the organization’s assets.

Whether it is a dedicated on-site IT team or a contracted provider with a remote 24/7 unit, SOCs monitor the network, are in charge of security and threat analysis, and ensure that the company’s network activity and digital assets are safe from unauthorized intrusions and breaches.

ChatGPT: Self-paced technical training

Take our introductory training to teach you how to securely use ChatGPT to investigate SOC & Incident response issues. Book a meeting with our team to learn more.

Meet with Us

What’s the role of SOC analysts?

SOC analyst is a job that works effectively in collaboration with other members of a team, often under the supervision of the CIO. These analysts are the first line of defense, actively monitoring the network for malicious activity and identifying threats and vulnerabilities that can pose severe risks to the organization's IT infrastructure. They also resolve security events from various log sources.

SOC team members have analytical and critical thinking skills to examine security flaws, as well as experience in using the latest tools and techniques, including security information and event management (SIEM) and endpoint detection and response (EDR).

Learn more about what a SOC analyst does at our dedicated SOC analyst career hub.

SOC analyst career progression

For a professional, a SOC is a great opportunity to embark on a career that allows for progression from a junior role as analyst to a senior position up to SOC manager and cybersecurity engineer.

• A SOC analyst monitors network activities and logs to detect cybersecurity-related events and incidents in real-time, determines the origin and tactics of a threat, and advises on how to remediate and further strengthen network defenses.
• A SOC manager oversees and coordinates the information sharing between a team of analysts and engineers during incident response and investigation to ensure they use the best methods to address all events of interest per established cybersecurity policies, standards, compliance and best practices.
• A cybersecurity engineer not only determines the severity of incidents and the required response but also recommends using new IT tools to improve the organization's defense capabilities.

Now, let’s examine what SOC analysts do in their daily activities and what is expected of them at various stages of their careers. 

Tier 1 SOC analyst

To begin their careers, SOC analysts typically monitor threat activity for every event logged so that SOCs can implement additional security measures when required.

Scanning employment sites for job opportunities reveals that junior analysts are often required to have one to two years of experience in incident handling or in cybersecurity in general. Some positions might require a formal university degree to become a SOC analyst but most list it only as a desirable qualification, along with a number of certifications, which are outlined below.

Knowledge and experience using one or more tools related to SIEM, phishing, endpoint logging, firewalls, intrusion detection and prevention systems, and network security managers are highly recommended. Specific tools include Splunk, Tanium, FireEye, CrowdStrike Security, Barracuda, WireShark, Bluecoat, FTK, Onion, Snort, Powershell and Python.

A number of skills are important for these positions, including analytical and critical thinking, multitasking and strong teamwork abilities, as well as the willingness (and availability) to work in shifts as most SOCs are manned 24/7. Good writing skills are also required. 

How to land a Tier 1 job in a SOC

A good way to stand out from other candidates is to have a certification that shows an employer you have the required knowledge and skills and the willingness to keep updated in the field. The best certifications for a SOC analyst that help at this career stage include the entry-level CompTIA Security+, an obvious choice, coupled with an EC-Council Certified Ethical Hacker (CEH)  because it covers the latest hacking tools and methodologies. ISC2 SSCP is also an option with its coverage of operational security.

Professionals should gain a good knowledge of network traffic analysis using tools like Wireshark and different security controls like EDR, IDPS, proxies and firewalls. They should also familiarize themselves with the role of SOCs and how it is evolving.

Free resources can help, including YouTube videos, focused cybersecurity analyst training courses, podcasts and forums where you can interact with those who are already working as analysts in SOCs. Concentrate on currently available tools and the latest trends, but also on basic skills like time management, organization and team communication. 

Tier 2 SOC analyst

These professionals employ the latest techniques and tools to detect, engage, and neutralize cyberattacks. In a SOC, tier 2 analysts respond to every incident and handle events by trying to determine the origin of the attack, which systems were affected and the extent of damage. They are also expected to provide suitable solutions to organizations to remediate threats.

Most job announcements list desirable requirements, including a college degree or a combination of job experience and security and network certifications.

Required experience normally includes work in vulnerability assessment, risk mitigation, access control, application security, firewall management, routers /switches management, web filtering, advanced threat protection, endpoint protection, data loss prevention and more. Some job opportunities actually include a project management component, with preference given to candidates with certifications like the Project Management Professional (PMP) and years of related work experience.

Applicants are also often required to have security skills related to firewalls, client/server, LAN and TCP/IP, and they need to be comfortable working with active directories, PKI, cloud solutions, multiple OS and proxy servers and scripting.

Again, availability for working in shifts is a must and communication (verbal and written) skills are needed to report all incidents properly.

ChatGPT: Self-paced technical training

Take our introductory training to teach you how to securely use ChatGPT to investigate SOC & Incident response issues. Book a meeting with our team to learn more.

Meet with Us

How to land a Tier 2 job in a SOC

When you are ready to transition to a higher-level position, you can prepare by studying and earning a SOC certification like CompTIA CySA+ that suits intermediate-level professionals, who not only need to know how to detect and respond to issues but also need to be well-versed in automation, threat hunting and IT regulatory compliance.

Skills and knowledge in vulnerability assessment and penetration testing can make a candidate for these positions stand out, which is why ISACA CISA and EC-Council incident handler (E|CIH) certifications are good choices. The latter, in particular, covers all stages of incident handling with a real-life scenario/hands-on approach that also covers fundamentals of computer forensics, recovery and post-incident activities.

In addition to technical preparation, it is important to focus on more advanced verbal and written communication skills and project management topics. This is also a good time to start acquiring supervision and guidance skills to prepare for more senior roles. 

Tier 3 SOC analyst

Senior SOC analysts conduct in-depth analysis to detect and defend against cyber threats and develop threat-hunting capabilities. They analyze threat intelligence sources and recruit team analysts to investigate and respond to the most complex, immediate threats.

Normally, tier 3 analysts are required to have five or more years of work in the information security/cybersecurity domain with a focus on security operations, incident response, cyber technical analysis, threat hunting and threat attribution assessment. Many positions also list experience in a management and leadership role as desirable.

Candidates for these positions should also have advanced knowledge of endpoint security, data loss prevention, identity and access management (IAM) solutions, PKI, database activity monitoring (DAM), strong authentication, network protocols and, in some cases, related industry standards such as PCI or HIPAA.

They are also asked to have advanced communication skills to interact with stakeholders at all levels and mentoring skills to provide SOC analyst training and guidance to other team members. Strong troubleshooting, analytical reasoning, and problem-solving skills, along with great organizational skills and the ability to work under pressure, are also commonly required traits.

How to land a Tier 3 job in a SOC

Securing a senior role involves proven managerial skills, as well as experience and advanced technical abilities. SOC certifications that help you stand out from the competition include:

• CompTIA CASP+, which covers both security architecture and engineering and how to implement solutions within policies and frameworks
• ISACA CISM, which is designed for information security managers and covers topics like governance, incident management operations and information security program management
• ISC2 CISSP, which covers a broad range of cybersecurity topics and is a bit more technical focused compared to the CISM

Technical and analytical skills at this point of the career are at advanced levels, with professionals well versed in topics like advanced intrusion detection or enterprise security risk management. Senior analysts can enhance their chances of getting hired by coupling their work experience with training in business communication, leadership, organizational and even training skills so as to be able to monitor and provide instruction to junior members of the team.

Top SOC analyst certifications

Are you wondering, "What certifications do I need to be a SOC analyst?" Here's a quick recap of some of the SOC analyst certifications that can enhance your chances of starting (or improving) a career in a security operations center (SOC) team, including:

• CompTIA Network+, which covers setting up, monitoring and securing a network
• CompTIA Security+, which is the most popular entry-level cybersecurity certification
• CompTIA CySA+, which covers the primary duties of a cybersecurity analyst
• CompTIA PenTest+, which covers offensive security and penetration testing best practices
• CompTIA CASP+, which is the most advanced technical certification CompTIA offers
• Certified Ethical Hacking (CEH), which a well-recognized hacking certification similar to PenTest+
• ISACA CISM, which is a popular security management certification
• ISC2 CISSP, which as broad certification like Security+ but more advanced

Various digital forensics and incident response (DFIR) certifications can also be beneficial, as well as the Project Management Professional (PMP) certification.

ChatGPT: Self-paced technical training

Take our introductory training to teach you how to securely use ChatGPT to investigate SOC & Incident response issues. Book a meeting with our team to learn more.

Meet with Us

Average SOC analyst salary

The pay you can expect from a job in a SOC can vary significantly depending on your experience, job duties, location and other factors. However, we recently did an analysis of common certifications and job roles, and those with CySA+ certification or aligned with the cybersecurity analyst job role had an average salary of $110,929. You can get more details in our CySA+ salary article. 

This number is based on public data from Payscale, Glassdoor and Salary.com. For more information on SOC analysts careers, visit our SOC analyst career hub.