A day in the life of a SOC analyst

October 21, 2022

The field of cybersecurity isn’t exactly new, but it still hasn’t shaken some common misconceptions. 

“It’s difficult, at least here in India, to say, ‘I’m working in cybersecurity,’” says Srinivas, Pluralsight SOC Analyst. “Most people will think about that hoodie-wearing figure.” 

The reality is so much more than that (though we’re all for wearing comfy hoodies). In this post, we break down common misconceptions about SOC analyst jobs, explain what a typical day in the role looks like, and offer actionable advice for anyone looking to take on this title themselves.

Note: Throughout this blog post series, we refer to certain cybersecurity skill sets as "roles." We’ve done this to ensure we cover all security roles and align with the functions of the Cybersecurity Framework and NICE Framework. Each organization may define these roles and responsibilities differently, and there can be many variations of specific title names. 

Learn about a SOC analyst’s job

What does a SOC analyst do?

SOC analysts, or Security Operations Center analysts, monitor, investigate, and resolve cybersecurity attacks and alerts. If needed, they escalate incidents to managers, incident responders, and other security analysts. While exact responsibilities differ from organization to organization, SOC analysts stand on the front lines of cyber defense.

What are the three levels of SOC analyst?

SOC analysts often fall into different “levels” that determine what they do on the job on a day-to-day basis.

Level 1

Level One (L1) analysts focus mainly on alert triaging, or identifying and reviewing alerts to determine if they need to take additional action. 

“If a suspicious process occurs that triggers an alert, we will check the alert and go through different logs,” explains Srinivas. They’ll do whatever they need to do to remedy the situation based on the alert type.

Level 2

Sometimes, that calls for escalating an alert to the Level Two (L2) analysts. These analysts typically handle escalated incidents and other functions:

  • Perform alert fine-tuning to cut down on irrelevant alerts or false positives
  • Add/on-board new log sources into the SIEM (Security Information and Event Management) system
  • Administer and maintain different tools
  • Implement new use cases to strengthen cyber defenses

Level 3

Level Three (L3) security analysts typically take on similar responsibilities and handle any escalation from L2 analysts. They also communicate with clients and management as needed. 

An organization might use a different kind of structure, though. “It's not like everybody will just sit in front of a system and do alert triaging,” says Srinivas. “There are a lot of things we need to maintain or install and a lot will differ depending on how the job, team, or organization is structured.”

What does a day in the life of a SOC analyst look like?

SOC analysts typically begin their day by checking a list of news, alerts, and systems, sometimes even before the work day properly begins. 

“Normally, the first thing I’ll do is go through some blogs like BleepingComputer and Threatpost. This way, I’ll know about any hacks, ransomware, or anything related to security,” says Srinivas. “Then, in the office, the first thing I check is my email and communication channels in Slack to see if anybody needs help.”

Once a SOC analyst completes this cursory review of major communication channels, they dive into a series of deeper level checks to probe the organization’s security:

Phishing emails

3.4 billion phishing emails are sent each day, and it’s often the SOC analyst’s job to identify them before they can cause harm. Whenever a user flags a suspicious email, the SOC analyst steps in to analyze it and determine whether it’s a legitimate email, harmless spam, or a true phishing threat.
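The header checks below are an added illustration of the analysis step just described, not code from the original post or from Pluralsight. Both messages, their domains, and the Authentication-Results values are constructed; the organization domain `ORG_DOMAIN`, the indicator keywords and the two-strong-indicator threshold for the "phishing" verdict are assumptions chosen for the example.

```python
"""Header-level checks on a user-reported email, mapped to the three
outcomes named in the post: legitimate, spam, or phishing.

Added example (not from the original post). Messages, domains and
Authentication-Results values are constructed; ORG_DOMAIN and the
keyword lists are assumptions.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: display name claims an internal function, the address
# domain is external, Reply-To points elsewhere, and SPF/DKIM/DMARC fail.
SUSPECT_MSG = b"""\
From: "IT Helpdesk" <helpdesk@example-support.net>
Reply-To: collect@mailbox-relay.example
To: user@example.com
Subject: Your password expires today
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=example-support.net;
 dkim=none;
 dmarc=fail header.from=example-support.net
Content-Type: text/plain

Your password expires today. Log in within 2 hours to keep your account.
"""

# Constructed sample: an ordinary internal message that passes all checks.
BENIGN_MSG = b"""\
From: Jane Doe <jane.doe@example.com>
To: user@example.com
Subject: Notes from today's standup
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
Content-Type: text/plain

Attached are the notes. No action needed.
"""

ORG_DOMAIN = "example.com"  # assumption: the organization's own mail domain


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg) -> dict:
    """Return e.g. {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'} parsed
    from the Authentication-Results header; empty dict if the header is absent."""
    header = str(msg.get("Authentication-Results", ""))
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header)}


def header_indicators(raw: bytes) -> list:
    """Return the list of header-level indicators found in a raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    indicators = []
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)

    # Authentication results: a failing or missing mechanism is an indicator.
    auth = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        result = auth.get(mech, "missing")
        if result in ("fail", "softfail", "none", "missing"):
            indicators.append(f"{mech}={result}")

    # Reply-To routed to a different domain than the visible sender.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and _domain(reply_to) != from_dom:
        indicators.append(f"reply-to domain {_domain(reply_to)} != from domain {from_dom}")

    # Display name implies an internal team but the address is external.
    if re.search(r"\b(helpdesk|it|hr|payroll|security)\b", display, re.I) and from_dom != ORG_DOMAIN:
        indicators.append(f"display name '{display}' with external domain {from_dom}")

    # Pressure wording in the subject: a weak indicator on its own.
    if re.search(r"\b(expires?|urgent|immediately|suspended)\b", str(msg.get("Subject", "")), re.I):
        indicators.append("urgency wording in subject")
    return indicators


def verdict(raw: bytes) -> str:
    """Two or more strong indicators -> phishing; any indicator -> spam; else legitimate."""
    ind = header_indicators(raw)
    strong = [i for i in ind if i.startswith(("spf=", "dkim=", "dmarc=", "reply-to", "display name"))]
    if len(strong) >= 2:
        return "phishing"
    return "spam" if ind else "legitimate"


if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_MSG), ("benign", BENIGN_MSG)):
        print(name, verdict(raw), header_indicators(raw))
```

The point of listing indicators rather than returning only a verdict is that the analyst closes the ticket with a reason; the verdict thresholds here are deliberately simple and would be tuned to the organization's own mail flow.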

Vulnerabilities and dependencies

SOC analysts can take on vulnerability management responsibilities to identify shifting weak points and continually strengthen cyber defenses. Once they identify a vulnerability, they’ll provide a recommended course of action and sync with other teams as needed. With various system and environment dependencies in mind, they might recommend remediating, mitigating, or accepting the vulnerability depending on its severity.

SOC analysts also keep an eye on the news. If threat actors compromise other companies, they need to understand these new tactics to shore up their own organization’s defenses. In some cases, they’ll also follow up with business users to see if any of their systems were compromised and if there are any dependencies they should know about. 

Alerts of all kinds

Monitoring cybersecurity across all aspects of an organization requires a variety of tools. “But it is difficult going through different tools separately, so we will mostly use a SIEM,” Srinivas says.

A Security Information and Event Management (SIEM) system is a centralized location for most system and network logs. SOC analysts will check these tools and any alerts that were triggered. By prioritizing alerts based on their severity, they’ll work their way through the queue.

What happens when a SOC analyst identifies an alert?

The first step is to confirm whether the alert is a false positive or a true positive. If it’s a false positive, the analysts will close the case and fine-tune the alert rule (if required) so it doesn’t flag harmless actions in the future.

In the case of a true positive, the analysts will quickly jump into action. They may also contact other teams to clarify details relevant to the alert or to request that an IP address be blocked. If they need to escalate an alert to other teams or leaders, they’ll do that, too.

Responding to alerts is an iterative process. “Once we start getting the alerts, we will fine-tune them. If we can remove the extra stuff, it will give us more true positives. Rule-defining—even in an established SOC environment—is a continuous process,” says Srinivas.
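The script below is an added example (not code from the original post or from Pluralsight) that walks through the loop just described and the severity-ordered queue mentioned earlier: a brute-force rule runs over log lines, one of the two sources it fires on is confirmed benign during triage, the rule is tuned with an allowlist, and the remaining alerts are sorted by severity. The sshd-style log lines, hostnames and addresses are constructed; the five-failures-in-60-seconds threshold, the severity scheme and the assumption that `10.0.0.5` is a monitoring host with a stale credential are all choices made for the example.

```python
"""Alert triage loop: detect, classify, tune, re-run, prioritize.

Added example, not from the original post. Log lines, hosts and addresses
are constructed; threshold, window, severity scheme and allowlist are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style auth log. 198.51.100.7 is an unknown source;
# 10.0.0.5 is assumed to be a monitoring host with a stale credential.
LOG_LINES = """\
2022-10-21T08:00:01 host1 sshd[2001]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
2022-10-21T08:00:03 host1 sshd[2001]: Failed password for invalid user admin from 198.51.100.7 port 51001 ssh2
2022-10-21T08:00:04 host1 sshd[2001]: Failed password for root from 198.51.100.7 port 51002 ssh2
2022-10-21T08:00:06 host1 sshd[2001]: Failed password for root from 198.51.100.7 port 51003 ssh2
2022-10-21T08:00:08 host1 sshd[2001]: Failed password for root from 198.51.100.7 port 51004 ssh2
2022-10-21T08:00:09 host1 sshd[2001]: Failed password for root from 198.51.100.7 port 51005 ssh2
2022-10-21T08:00:10 host1 sshd[2001]: Failed password for root from 198.51.100.7 port 51006 ssh2
2022-10-21T08:00:11 host1 sshd[2001]: Failed password for root from 198.51.100.7 port 51007 ssh2
2022-10-21T08:00:12 host1 sshd[2001]: Failed password for root from 198.51.100.7 port 51008 ssh2
2022-10-21T08:00:13 host1 sshd[2001]: Failed password for root from 198.51.100.7 port 51009 ssh2
2022-10-21T08:05:00 host2 sshd[3100]: Failed password for monitor from 10.0.0.5 port 40000 ssh2
2022-10-21T08:05:10 host2 sshd[3100]: Failed password for monitor from 10.0.0.5 port 40001 ssh2
2022-10-21T08:05:20 host2 sshd[3100]: Failed password for monitor from 10.0.0.5 port 40002 ssh2
2022-10-21T08:05:30 host2 sshd[3100]: Failed password for monitor from 10.0.0.5 port 40003 ssh2
2022-10-21T08:05:40 host2 sshd[3100]: Failed password for monitor from 10.0.0.5 port 40004 ssh2
2022-10-21T08:07:00 host1 sshd[2050]: Accepted publickey for alice from 10.0.1.20 port 52000 ssh2
2022-10-21T08:07:30 host1 sshd[2051]: Failed password for alice from 10.0.1.20 port 52001 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def failed_logins(lines):
    """Yield (timestamp, host, user, src) for every failed-password line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["src"]


def detect(lines, threshold=5, window_s=60, allowlist=frozenset()):
    """Brute-force rule: `threshold` or more failures from one source inside
    any `window_s`-second window raises an alert. Sources on `allowlist` are
    skipped (the tuning step). Alerts are returned high severity first."""
    by_src = defaultdict(list)
    for ts, host, user, src in failed_logins(lines):
        if src not in allowlist:
            by_src[src].append((ts, host, user))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        # Sliding window anchored on each event: largest count wins.
        best = 0
        for i, (start, _, _) in enumerate(events):
            n = sum(1 for ts, _, _ in events[i:] if (ts - start).total_seconds() <= window_s)
            best = max(best, n)
        if best >= threshold:
            users = sorted({u for _, _, u in events})
            alerts.append({
                "src": src,
                "failures": best,
                "users": users,
                # root or password spraying across several accounts ranks above one account.
                "severity": "high" if "root" in users or len(users) > 2 else "medium",
            })
    return sorted(alerts, key=lambda a: ({"high": 0, "medium": 1}[a["severity"]], -a["failures"]))


# Step 1: untuned rule; both the unknown source and the monitoring host fire.
untuned = detect(LOG_LINES)

# Step 2: triage confirms 10.0.0.5 as a false positive (known host, stale
# credential), so the rule is tuned with an allowlist and re-run.
KNOWN_BENIGN = frozenset({"10.0.0.5"})
tuned = detect(LOG_LINES, allowlist=KNOWN_BENIGN)

if __name__ == "__main__":
    print("untuned:", [(a["src"], a["severity"], a["failures"]) for a in untuned])
    print("tuned:  ", [(a["src"], a["severity"], a["failures"]) for a in tuned])
```

In a real SIEM the allowlist would live in the rule definition rather than in code, and the false positive would be closed with a note explaining why the source is benign, so the next analyst who sees the exclusion knows its origin.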

How do you get a SOC analyst job?

No two days in cybersecurity are the same. “The thing that is so secure today may be compromised tomorrow,” Srinivas says. “Each day, you’ll interact with something new.” 

For this reason, a deliberate approach to learning can help anyone preparing for a job as a SOC analyst:

Build a solid cybersecurity foundation

It’s the SOC analyst’s job to respond to a wide range of alerts and incidents, which is why it’s important to build foundational knowledge. “As a beginner, it’s good to learn networking, Linux, and any part of the cloud,” Srinivas advises. 

Once you’ve gained some cloud computing knowledge, expand your skill set. The more you know, the better equipped you’ll be to resolve any incident. Web application security and programming courses like Python and Shell Scripting with Bash, for example, can be helpful depending on your organization’s needs.

Cement your knowledge with certifications

Entry-level certifications will give you a good base to build on (and can give your resume an extra boost, too). But you don’t want to go into these certification exams unprepared. Prep courses and hands-on labs can give you the knowledge and practice you need to ace the exams and earn your certifications. 

When it comes to specific entry-level certifications, there are a few to check out:

Sidenote: What is a SOC analyst’s salary?

Before you drop money on course prep and certifications, you probably want to know the average SOC analyst’s salary. According to Glassdoor, the average salary for a SOC analyst job in the United States is $84,506 per year. Keep in mind that this is just an average. Actual compensation may vary based on experience, certifications, and other qualifications.

Get hands-on experience

“Having a certification is good, but it's not mandatory if you've already done hands-on work,” Srinivas confides.

As helpful as theoretical knowledge is, it can only take you so far in hands-on cybersecurity jobs. If you can leverage lab environments and sandboxes to explore concepts practically, you’ll learn your way around real-world situations and gain confidence in the process. 

“It's all about the hands-on,” says Srinivas. “We have a lot of sites today, like TryHackMe, Hack the Box, and A Cloud Guru that will give you hands-on experience. You can just make a subscription or log in, and learn in a practical way.”

Stay calm, stay curious

When incidents arise, it can be easy to panic and transfer that panic to others in the organization. But staying calm is the key to resolving any issue. If you can clearly state the issue without disrupting or interrupting the other teams, you possess a valuable soft skill for SOC analyst jobs. 

Srinivas’s last piece of advice for cybersecurity jobs? Use your curiosity to your advantage. The threat and cyber defense landscape is always changing. Even once you’ve gained foundational knowledge, keep learning. 

Srinivas says, “Spend at least one or two hours learning each day. Keep separate time for learning something new.”

Want to learn more about what it takes to be a SOC analyst? Check out our role-based learning path!