At the center of any successful Security Operations Center (SOC) are people. Security professionals such as SOC analysts, SOC managers and engineers protect and secure an enterprise’s sensitive data and systems. But what roles make up a SOC team, and what responsibilities does each person have? Let’s explore how SOC teams work below.
WHAT IS A SOC TEAM?
The security operations center (SOC) team is made up of security professionals who are responsible for managing an organization’s security posture. The specific roles within a SOC may vary depending on the size and complexity of the organization, but there are some common SOC roles and responsibilities.
What does a SOC team do?
The SOC team is responsible for monitoring and maintaining an organization’s computer systems and networks to ensure they are secure and running smoothly. This can include tasks such as monitoring for security breaches, responding to security incidents, patching vulnerabilities, and implementing security policies and procedures. The SOC team may also be responsible for monitoring the performance of the organization’s systems and troubleshooting any issues that arise.
Common SOC Roles
Every SOC is different, based on the size, industry and maturity of the organization. Here are the top common SOC roles:
SOC Analyst – Tier 1, 2 and 3
The job of a security analyst – also called SOC analyst – is to monitor an organization’s networks and systems for potential security threats, and respond to those threats as needed. They often use tools such as security information and event management (SIEM) systems and threat intelligence feeds to identify and assess potential threats. Analysts may also work closely with other teams, such as the incident response team, to resolve those threats.
SOC analysts can also utilize a Security Orchestration, Automation and Response (SOAR) platform to manage cases and gather information in one location.
There are typically three “tiers” of security analysts, based on experience and responsibilities:
Tier 1: A Tier 1 security analyst’s work focuses on alert triage and reporting. A typical day for Tier 1 SOC analysts is reviewing and categorizing security alerts and potential threats.
Tier 2: Tier 2 security analysts are incident responders. These analysts review and respond to alerts that can’t be handled by Tier 1 analysts.
Tier 3: The Tier 3 analyst is a qualified threat hunter. These SOC analysts proactively hunt and uncover complex threats within an organization.
Security Engineer
Security engineers design, implement and maintain the technical controls and defenses that are used to protect the organization’s assets and systems. This may include activities such as firewall and intrusion detection system configuration, access control implementation, and conducting security assessments and audits.
SOC Manager
The SOC Manager oversees the day-to-day operations of the SOC team and ensures that the organization’s systems and networks are secure and running smoothly.
Some of the specific responsibilities of a SOC Manager may include the following:
- Setting priorities and managing resources
- Developing and implementing security policies and procedures
- Monitoring the performance of security systems and networks
- Managing incident response processes
- Managing the team and communication with other departments
Chief Information Security Officer (CISO)
A Chief Information Security Officer (CISO) is a senior-level executive who oversees an organization’s cybersecurity strategy and operations, often including more than the SOC team. The CISO falls within the enterprise leadership team and reports directly to the CEO or other executive-level manager.
The specific responsibilities of a CISO may vary depending on the size and nature of the organization, but some common responsibilities may include the following:
- Developing and implementing the organization’s cybersecurity strategy and policies
- Monitoring and analyzing the organization’s security posture, and identifying areas for improvement
- Working with senior management and other stakeholders to ensure that the organization’s security practices align with its business objectives and priorities
- Advising the organization on best practices and emerging trends in cybersecurity, and recommending investments in new tools and technologies
Additional Roles
The above list is only some of the roles that can be found within a SOC team. There are a variety of other positions, especially in larger enterprise teams for advanced incident response and threat intelligence. Compliance roles are also seen within the SOC, such as compliance auditors. These team members ensure that an organization’s security practices and procedures comply with industry and federal security regulations.
Security Metrics for SOC Teams
There are various security metrics that a SOC team can use to measure the performance of their security processes. Here are a few examples:
- Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR): These metrics measure how long it takes for the SOC team to detect a security incident and how long it takes to respond to it.
- Dwell time: Dwell time is the duration a threat actor has undetected access in a network until their completely removed.
- False positive rate: This measures the percentage of alerts that are generated by security systems but are not actual security incidents. A low false positive rate is desirable as it means that the SOC team is not wasting time investigating non-issues.
- Compliance rate: This looks at the percentage of security controls that are in compliance with industry regulations and standards.
- Level of preparedness: This analyzes how effective your technology and tool implementation is. Avoid and eliminate gaps in controls that could be affecting your risk management program.
It’s important to note that SOC metrics should be tailored to the specific organization and its unique security needs. These metrics can help organizations measure their security posture, identify areas of improvement and track the effectiveness of their security measures over time.
No matter the size of the SOC team, these security professionals are critical to maintaining efficient and effective security operations and incident response. Both small and large SOC teams can benefit from extra help responding to the thousands of daily alerts. Options include outsourced support with a Managed Security Services Provider (MSSP) or implementing a security automation solution. Either way, SOC teams are a critical component of an organization’s security and need all the help they can get.

Download: Gartner SOC Model Guide
Download the Gartner SOC Model Guide to learn: how to select the best SOC model for your organization, the key components of the Gartner SOC framework, and how to gain organizational alignment when engaging with leaders enterprise-wide. Access this Gartner SOC report, courtesy of Swimlane.