What is a SOC (Security Operations Center)?

A Security Operations Center (SOC) is the operational nerve center for cybersecurity defense. SOC analysts watch security tools 24/7, investigate alerts, hunt for threats that didn't trigger alerts, and coordinate response when incidents happen.

What SOC analysts actually do

• Alert triage — sort real threats from false positives in the EDR, SIEM, and email security platforms
• Investigation — pivot through telemetry to determine scope, intent, and impact of suspicious activity
• Response coordination — isolate compromised endpoints, disable accounts, coordinate with the affected business units
• Threat hunting — proactively search for indicators of compromise that didn't trigger automated alerts
• Tuning — reduce false positive rates by adjusting detection rules to your environment

Tier structure

Mature SOCs use a tiered analyst model:

• Tier 1: Initial alert triage and basic investigation
• Tier 2: Deeper investigation, incident response, escalation handling
• Tier 3: Threat hunting, advanced incident response, malware analysis, forensic work

Internal SOC vs. outsourced

Building an internal 24/7 SOC requires minimum 6 analysts (3 shifts of 2), plus management and tooling. Annual cost: $1M-$3M. Most organizations under 1,000 employees outsource through MDR or MSSP services for a fraction of that cost. The signal-to-noise ratio actually improves with a good outsourced SOC because they see threats across hundreds of clients, so they recognize attack patterns earlier.