- Tier 1 SOC Analyst – alert triage, false positive filtering, first-line investigation. Entry point for most analysts. $55K to $85K.
- Tier 2 SOC Analyst – deep incident investigation, threat intelligence application, containment decisions. $80K to $115K.
- Tier 3 / Threat Hunter – proactive hunting for undetected threats, advanced incident response, tool optimisation. $110K to $150K.
- Threat Intelligence Analyst – adversary research, IOC enrichment, CTI report production. $90K to $140K.
- Malware Analyst – reverse engineering malware samples to understand attacker tools and inform detection. $95K to $145K.
- Digital Forensics Analyst – evidence collection, preservation, and incident reconstruction for investigation and legal proceedings. $80K to $125K.
- Vulnerability Management Analyst – continuous scanning, prioritisation, and remediation tracking across the attack surface. $75K to $120K.
- SOC Manager – team oversight, performance management, incident coordination, executive reporting. $120K to $175K.
- Security Architect – security programme design, infrastructure strategy, zero trust implementation. $150K to $220K.
A Security Operations Center is not one job. It is a team of people with distinct skills, operating at different levels of depth and urgency, covering different parts of the threat landscape. A Tier 1 analyst and a malware reverse engineer both work in the SOC. They share almost no daily responsibilities.
Most articles on SOC roles list positions without explaining how they connect, what career progression looks like, or what the role actually demands day to day. This guide covers all nine key SOC team roles with salary data, honest day-to-day descriptions, key certifications, and how each role fits into the team structure.
How SOC teams are structured: the tier framework
SOC roles are organised by depth and specialisation, not just seniority. The operational tier structure handles the ongoing work of monitoring, detection, and response. Specialist roles support the operational tiers with specific technical expertise. Leadership and architecture roles set direction and ensure the team has what it needs to function.
| Role | Tier / level | Primary responsibility | Salary range (US) | Key cert |
|---|---|---|---|---|
| Tier 1 SOC Analyst | Operations | Alert triage and initial investigation | $55K to $85K | Security+ |
| Tier 2 SOC Analyst | Operations | Deep incident investigation and response | $80K to $115K | CySA+, GCIH |
| Tier 3 / Threat Hunter | Operations | Proactive threat hunting and advanced IR | $110K to $150K | GCIH, GCTI |
| Threat Intelligence Analyst | Specialist | Adversary research and CTI production | $90K to $140K | CTIA, GCTI |
| Malware Analyst | Specialist | Reverse engineering malware samples | $95K to $145K | GREM, GCFE |
| Digital Forensics Analyst | Specialist | Evidence collection and incident reconstruction | $80K to $125K | GCFE, GCFA |
| Vulnerability Management Analyst | Specialist | Continuous vulnerability identification and tracking | $75K to $120K | Security+, GWAPT |
| SOC Manager | Leadership | Team oversight, reporting, and strategy | $120K to $175K | CISSP, CISM |
| Security Architect | Architecture | Security programme design and infrastructure strategy | $150K to $220K | CISSP, SABSA |
AI-powered SIEM platforms and automated triage tools are absorbing the most repetitive Tier 1 tasks: false positive filtering, alert enrichment, and basic IOC lookups. This is not eliminating Tier 1 roles. It is shifting them toward investigation and escalation judgment rather than queue management. The analysts who thrive are those who develop investigation skills, not just alert-processing speed.
The 9 SOC team roles explained
1 Tier 1 SOC analyst: alert triage specialist
Tier 1 is where most cybersecurity careers begin and where the SOC’s first line of detection operates. Tier 1 analysts monitor SIEM dashboards, review incoming alerts, determine whether each alert represents a genuine threat or a false positive, enrich confirmed alerts with contextual data, and escalate verified incidents to Tier 2.
On a typical shift, a Tier 1 analyst may review 100 to 300 alerts. The skill being tested is not speed. It is accuracy: correctly identifying the 2 to 5 genuine incidents buried in a queue of false positives without missing something real or wasting Tier 2’s time on noise.
- Core tools: SIEM (Splunk, Sentinel), EDR dashboards, threat intelligence lookups (VirusTotal, MISP)
- Key skills: Log analysis, alert triage, IOC enrichment, SIEM query writing, clear escalation documentation
- Entry certification: CompTIA Security+. Appears in 70%+ of Tier 1 job postings.
- Honest challenge: Alert fatigue is real. 80% of SOC analysts report high stress, concentrated at this level (Exabeam research). The repetitive nature of the role is the primary driver of burnout and turnover in SOC teams.
2 Tier 2 SOC analyst: incident responder
Tier 2 analysts receive escalated alerts from Tier 1 and conduct deeper investigation. Where a Tier 1 analyst determines whether something is real, a Tier 2 analyst determines what it is, how far it has spread, and what to do about it. This means pivoting across tools, corroborating evidence across multiple log sources, applying threat intelligence to understand adversary intent, and making containment decisions.
The quality of Tier 2 work directly determines how much damage a breach causes. Slow or inaccurate investigation means longer dwell time, more lateral movement, and more data exfiltrated before containment begins.
- Core tools: EDR (CrowdStrike, SentinelOne), SIEM, SOAR playbooks, threat intelligence platforms
- Key skills: Incident timeline reconstruction, lateral movement analysis, containment decisions, MITRE ATT&CK technique mapping
- Certifications: CompTIA CySA+, GIAC GCIH
3 Tier 3 SOC analyst / threat hunter
Tier 3 analysts are the most experienced operational staff in the SOC. They handle the most complex escalated incidents, but their most important function is what they do when there are no escalations: proactive threat hunting.
Threat hunting operates on the assumption that attackers are already inside the network and have not yet triggered any alerts. The hunter forms a hypothesis based on threat intelligence, for example that a known threat actor targeting the organisation’s industry uses a specific lateral movement technique, and then searches systematically for evidence of that behaviour in the environment. Most hunts find nothing. The ones that find something prevent breaches that automated detection would have missed entirely.
- Core tools: EDR threat hunting interfaces, SIEM query environments, threat intelligence feeds, network analysis tools
- Key skills: Hypothesis-driven hunting methodology, MITRE ATT&CK framework depth, advanced SIEM and EDR querying, vulnerability assessment
- Certifications: GIAC GCIH, GIAC GCTI, OSCP for those with offensive security depth
4 Threat intelligence analyst
Threat intelligence analysts research adversaries: who they are, what techniques they use, what infrastructure they operate, and what targets they prefer. They transform raw data from feeds, dark web sources, and industry reports into actionable intelligence that tells the rest of the SOC team what to look for and why.
Their output directly improves every other role. Better threat intelligence means better SIEM detection rules, more targeted threat hunts, more informed incident response decisions, and more accurate vulnerability prioritisation.
- Core tools: Recorded Future, MISP, OpenCTI, MITRE ATT&CK Navigator, Maltego
- Key skills: Adversary profiling, IOC analysis, CTI report writing, dark web research, MITRE ATT&CK framework
- Certifications: CTIA (Certified Threat Intelligence Analyst), GIAC GCTI
5 Malware analyst / reverse engineer
Malware analysts dissect malicious software to understand how it works. They receive samples from incident responders, threat hunters, or public malware repositories and analyse them in isolated environments using static analysis (examining the code without running it) and dynamic analysis (executing the malware in a sandbox and observing its behaviour).
The output of malware analysis feeds back into every other SOC function: new detection signatures, updated threat intelligence, improved incident response playbooks, and vendor vulnerability disclosures when the malware exploits previously unknown software flaws.
- Core tools: IDA Pro, Ghidra, x64dbg, Any.run, Cuckoo Sandbox, YARA rule writing
- Key skills: Assembly language reading, dynamic analysis in sandboxes, YARA rule creation, packer identification
- Certifications: GIAC GREM (Reverse Engineering Malware), GCFE
- Honest note: This is the highest technical floor of any SOC role. Assembly language comfort is a prerequisite, not an aspiration. It is not an entry-level position.
6 Digital forensics analyst
Forensics analysts investigate confirmed breaches to reconstruct exactly what happened: how the attacker got in, what systems they accessed, what data they touched, and how long they were there. They collect and preserve evidence following strict chain-of-custody procedures, produce forensic timelines, and support legal proceedings when breach data is needed for regulatory notifications or criminal investigations.
The critical principle in forensics is evidence integrity. Any action on a compromised system that modifies data can invalidate the entire forensic record. Forensics analysts must work in ways that preserve the original state of evidence even while extracting information from it.
- Core tools: Autopsy, Volatility (memory forensics), FTK Imager, KAPE, Velociraptor
- Key skills: Disk and memory forensics, Windows registry analysis, timeline reconstruction, legal evidence handling
- Certifications: GIAC GCFE (Computer Forensics Examiner), GIAC GCFA, EnCE
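The evidence-integrity principle above, as an added example that is not part of this guide or any of the tools it names: an acquisition record stores the SHA-256 of the image at collection time together with a chain-of-custody log, and the hash is re-checked before and after every analysis step so that any write to the evidence, even a single flipped byte, is caught. The image bytes, hostnames and actor names are constructed placeholders.

```python
"""Evidence integrity check for a forensic acquisition (added example).

Records the SHA-256 of an acquired image, appends chain-of-custody entries,
and re-verifies the hash before and after analysis so that any modification
of the evidence is detected. The image below is constructed, not real data.
"""
import hashlib
import re
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk or memory image.
SAMPLE_IMAGE = (
    b"\x00\x00IMG\x00"
    + b"user=alice\x00"
    + b"last_login=2024-01-01\x00"
    + b"\xff" * 16
    + b"svc_backup\x00"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def log_custody(record: dict, action: str, actor: str) -> dict:
    """Append one chain-of-custody entry (who did what, and when)."""
    record["custody"].append(
        {"action": action, "by": actor, "at": datetime.now(timezone.utc).isoformat()}
    )
    return record


def acquire(image: bytes, source: str, collector: str) -> dict:
    """Create the acquisition record: source, size, hash and first custody entry."""
    record = {"source": source, "size": len(image), "sha256": sha256_hex(image), "custody": []}
    return log_custody(record, "acquired", collector)


def verify(record: dict, image: bytes) -> bool:
    """True only if both size and SHA-256 still match the acquisition record."""
    return len(image) == record["size"] and sha256_hex(image) == record["sha256"]


def extract_strings(image: bytes, min_len: int = 4) -> list[str]:
    """Read-only analysis step: printable ASCII runs, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, image)]


def analyse_with_integrity_check(record: dict, image: bytes, analyst: str = "analyst"):
    """Work on a copy, then confirm the original still matches its acquisition hash."""
    working_copy = bytes(image)  # analysis never touches the original object
    strings = extract_strings(working_copy)
    intact = verify(record, image)
    log_custody(record, "analysed" if intact else "INTEGRITY FAILURE", analyst)
    return strings, intact


def tamper(image: bytes) -> bytes:
    """Flip one bit to simulate an accidental write to the evidence."""
    modified = bytearray(image)
    modified[-2] ^= 0x01
    return bytes(modified)


if __name__ == "__main__":
    rec = acquire(SAMPLE_IMAGE, "host01:/dev/sda (placeholder)", "examiner-1")
    print("hash at acquisition:", rec["sha256"])
    print("verified before analysis:", verify(rec, SAMPLE_IMAGE))
    found, ok = analyse_with_integrity_check(rec, SAMPLE_IMAGE)
    print("strings:", found, "| still intact:", ok)
    print("tampered copy verifies:", verify(rec, tamper(SAMPLE_IMAGE)))
    for entry in rec["custody"]:
        print(entry)
```

In practice the acquisition hash is computed on the write-blocked source and on the image file, and both values are recorded in the custody log; the same `verify` step runs whenever the image changes hands or is mounted for analysis.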
7 Vulnerability management analyst
Vulnerability management analysts run the continuous process of finding, prioritising, and tracking the remediation of security weaknesses across the organisation’s environment. They scan systems and applications, interpret results using CVSS scores and exploit availability data, work with IT teams to schedule and verify patches, and report on the overall vulnerability posture over time.
The most important skill here is prioritisation, not enumeration. A large organisation generates thousands of vulnerability findings per scan cycle. Knowing which vulnerabilities represent genuine, exploitable risk right now, using real-world threat data from sources like the CISA Known Exploited Vulnerabilities catalogue, is what separates effective vulnerability management from producing long lists that no one acts on.
- Core tools: Nessus (Tenable), Qualys, Rapid7 InsightVM, CISA KEV catalogue
- Key skills: CVSS interpretation in context, patch prioritisation methodology, remediation tracking, risk communication to non-technical teams
- Certifications: CompTIA Security+, GWAPT for web application focus
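The prioritisation idea above, as an added example that is not part of this guide or of any scanner's own logic: findings are ranked by whether they appear in the CISA Known Exploited Vulnerabilities catalogue and whether a public exploit exists, with exposure and CVSS as secondary factors, rather than by CVSS alone. The findings, the CVE identifiers and the KEV set are constructed placeholders (a real run would load the KEV JSON feed from CISA), and the score weights are assumptions for illustration.

```python
"""Risk-based vulnerability prioritisation (added example).

Ranks scan findings by exploitation evidence (KEV listing, public exploit)
and exposure before raw CVSS, so that a KEV-listed medium on an exposed host
outranks an unexploited critical on an internal one. All data below is
constructed: the CVE ids are placeholders, not real catalogue entries, and
the score weights are assumptions, not a published standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float
    internet_facing: bool
    public_exploit: bool


# Constructed stand-in for a KEV catalogue export (placeholder ids only).
KEV_PLACEHOLDER = {"CVE-0000-0002", "CVE-0000-0004"}

# Constructed scan output for one cycle.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "db-internal-01", 9.8, internet_facing=False, public_exploit=False),
    Finding("CVE-0000-0002", "web-edge-03", 7.5, internet_facing=True, public_exploit=True),
    Finding("CVE-0000-0003", "vpn-gw-01", 8.1, internet_facing=True, public_exploit=True),
    Finding("CVE-0000-0004", "fileserver-02", 6.5, internet_facing=False, public_exploit=False),
    Finding("CVE-0000-0005", "web-edge-04", 5.3, internet_facing=True, public_exploit=False),
]


def risk_score(f: Finding, kev: set[str]) -> float:
    """CVSS plus assumed bonuses for real-world exploitation evidence and exposure."""
    score = f.cvss
    if f.cve in kev:
        score += 10.0          # actively exploited in the wild: dominates CVSS
    elif f.public_exploit:
        score += 5.0           # exploit code available but no confirmed exploitation
    if f.internet_facing:
        score += 3.0           # reachable by anyone, so exploitation is cheap
    return score


def remediation_bucket(f: Finding, kev: set[str]) -> str:
    """Coarse buckets for reporting; the time windows attached to each are policy decisions."""
    if f.cve in kev:
        return "urgent"
    if f.public_exploit and f.internet_facing:
        return "high"
    if f.cvss >= 7.0:
        return "standard"
    return "scheduled"


def prioritise(findings: list[Finding], kev: set[str]) -> list[Finding]:
    """Highest risk first; ties broken by CVE id for a stable report."""
    return sorted(findings, key=lambda f: (-risk_score(f, kev), f.cve))


def remediation_order(findings: list[Finding], kev: set[str]) -> list[str]:
    return [f.cve for f in prioritise(findings, kev)]


if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS, KEV_PLACEHOLDER):
        print(f"{f.cve}  {f.asset:16} cvss={f.cvss:<4} "
              f"score={risk_score(f, KEV_PLACEHOLDER):<5} {remediation_bucket(f, KEV_PLACEHOLDER)}")
```

Run as written, the CVSS 9.8 finding on the internal database drops to fourth place behind two KEV-listed findings and an exposed host with a public exploit, which is the point the section makes: the list that reaches the IT team is ordered by what is exploitable now, not by severity label.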
8 SOC manager
The SOC Manager does not investigate alerts. They ensure the team that does is organised, resourced, trained, and performing effectively. Responsibilities include hiring and retention, shift scheduling, process design, performance measurement, incident coordination during major events, and reporting to the CISO or executive leadership on the SOC’s operational health.
The best SOC managers came up through the analyst tiers. They understand the work because they did it. That background gives them credibility with the team, the ability to evaluate analyst performance accurately, and the technical vocabulary to communicate with both analysts and executives. Managers who came from non-technical backgrounds consistently struggle with the credibility gap.
- Key responsibilities: KPI reporting (MTTD, MTTR, alert volume, false positive rate), staffing decisions, escalation path design, vendor relationship management, crisis communication
- Certifications: CISSP, CISM (Certified Information Security Manager)
9 Security architect
The security architect sits above the operational tier and designs the security programme itself: the frameworks, infrastructure, and controls that the rest of the SOC operates within. They determine how systems connect securely, define security standards for the organisation, evaluate and select security tools, and ensure that the overall security posture aligns with business risk appetite and regulatory requirements.
In 2026, security architects with cloud-native and zero trust architecture experience are in the highest demand. Every organisation accelerating cloud migration needs architects who can design security controls for environments that do not have a traditional perimeter.
- Key responsibilities: Security strategy development, tool selection and integration design, threat modelling, zero trust architecture implementation, compliance framework alignment
- Certifications: CISSP, SABSA, CCSP for cloud architecture focus
How to break into a SOC team
Most SOC careers start at Tier 1. The path from there follows two tracks: depth (moving through the tiers toward Tier 3 and specialist roles) or breadth (moving into management or architecture after building operational experience).
- Start with CompTIA Security+. The universal baseline. Achievable in 6 to 8 weeks. Appears in 70%+ of Tier 1 postings.
- Build hands-on SIEM experience. Splunk’s free training tier and TryHackMe’s SOC Level 1 path provide structured practical exposure before your first role.
- Document your investigations. Every lab exercise should produce a written case study. Ten documented investigations on GitHub demonstrate capability in interviews more effectively than any certification alone.
Explore the Metana Cybersecurity Bootcamp
Structured curriculum, 1:1 mentorship, hands-on labs, and a job guarantee. Land a role paying at least $50,000 within 180 days or get your full tuition back.
Explore at metana.io/cybersecurity-bootcamp →

FAQ
What are the main roles in a SOC team?
A SOC team includes three operational tiers (Tier 1 triage analysts, Tier 2 incident responders, Tier 3 threat hunters), four specialist roles (threat intelligence analyst, malware analyst, digital forensics analyst, vulnerability management analyst), and two leadership roles (SOC manager and security architect). Not every SOC has all nine; smaller teams combine roles or outsource specialist functions.
What is the difference between a Tier 1 and Tier 2 SOC analyst?
A Tier 1 analyst determines whether an alert is real or a false positive, enriches confirmed alerts, and escalates genuine incidents. A Tier 2 analyst investigates those escalated incidents in depth: determining scope, identifying affected systems, applying threat intelligence, and making containment decisions. Tier 1 filters. Tier 2 investigates and responds.
How much do SOC team members earn?
Salaries range from $55K to $85K for Tier 1 analysts up to $150K to $220K for security architects. Tier 2 analysts earn $80K to $115K. Specialist roles like malware analysts and threat intelligence analysts earn $90K to $145K. SOC managers earn $120K to $175K. All figures reflect U.S. base compensation in 2026 and vary significantly by location and employer.
What certification should a SOC analyst get first?
CompTIA Security+ is the universal starting point. It appears in over 70% of SOC analyst job postings, is recognised by the U.S. Department of Defense, and is achievable in 6 to 8 weeks of focused study. After 1 to 2 years of experience, CompTIA CySA+ or GIAC GCIH is the logical next step for analysts moving toward Tier 2 and incident response roles.
Do all SOC teams have all 9 roles?
No. Small SOC teams of 5 to 10 people typically combine roles: analysts handle both Tier 1 and Tier 2 responsibilities, and specialist functions like malware analysis or digital forensics are outsourced to incident response retainer firms. Large enterprise and government SOCs are more likely to have dedicated headcount in every role category. The nine roles represent the complete SOC structure at full maturity.