Security Operations Centre (SOC) Analyst

You're the person who spots the bad guys trying to get in, or already inside. Day-to-day, you'll be sifting through alerts, digging into suspicious activity, and making sure our systems are safe. It's a bit like being a digital detective, piecing together clues from all sorts of places to figure out what's really going on.

Job ID: JD-TECH-SEAN-002
Department: Technical Roles
NOS Level: Level 5-6 (equivalent to a Foundation Degree or HND)
OFQUAL Level: Level 5-6
Experience: Mid-Level (2-5 years)

Role Purpose & Context

Role Summary

The SOC Analyst is responsible for independently investigating security alerts and handling common incident types from start to finish. You'll be the first line of defence, really, diving deep into the noise to find the actual threats. This role sits right at the core of our security operations, making sure we react quickly and effectively when something goes wrong. You'll work closely with the wider IT and infrastructure teams, translating technical findings into clear actions they can take. When you do this well, we catch attacks early, minimise damage, and keep our customers' data safe. If things go sideways, well, that can mean significant disruption, data loss, or even regulatory fines – so the stakes are pretty high. The challenge here is cutting through the sheer volume of alerts and false positives to find the real threats, all while staying calm and methodical. The reward? Honestly, it's knowing you've protected the company, learned something new about how attackers operate, and kept us all a bit safer.

Reporting Structure

Key Stakeholders

Internal:

External:

Organisational Impact

Scope: This role directly impacts our ability to detect, respond to, and recover from cyber security incidents. A sharp SOC Analyst prevents minor issues from becoming major breaches, protecting our reputation, financial stability, and customer trust. You're essentially the eyes and ears of our digital perimeter, and your quick actions can save us millions.

Performance Metrics

Quantitative Metrics

  1. Metric: Mean Time to Acknowledge (MTTA)
     Desc: How quickly you pick up and start working on a critical alert after it's generated.
     Target: < 15 minutes for critical alerts; < 30 minutes for high severity
     Freq: Daily/Weekly
     Example: If a P1 alert drops at 10:00, you should be 'eyes on glass' and acknowledging it in the SIEM by 10:14 at the latest. We track this automatically, so no fudging the numbers!
  2. Metric: Alert Fidelity & Accuracy
     Desc: The percentage of alerts you close as 'true false positives' that are actually benign, versus those that should have been escalated or investigated further.
     Target: >98% accuracy rate on closing true false positives
     Freq: Monthly
     Example: Out of 100 alerts you closed as false positives last month, only 2 were later found to have been actual, albeit minor, security events. That's a 98% accuracy rate, which is what we're after.
  3. Metric: Tickets Closed per Shift
     Desc: The number of security incidents or alerts you investigate and resolve within a typical shift, compared to the team average.
     Target: Consistently meet or exceed team average (e.g., 15-20 alerts/shift)
     Freq: Weekly
     Example: If the team average for a shift is 18 alerts, you're expected to close around that many. We know some incidents take longer, but for routine stuff, we need you to keep the queue moving.
  4. Metric: Mean Time to Contain (MTTC) for Common Incidents
     Desc: How quickly you can contain a common threat (like a detected malware infection or a phishing attempt) once identified.
     Target: < 2 hours for known malware; < 1 hour for phishing emails
     Freq: Per incident / Monthly average
     Example: You identify a host infected with a known piece of malware. From that moment, you're expected to have the host isolated or the threat neutralised within two hours. This is crucial for stopping spread.

Qualitative Metrics

  1. Metric: Incident Investigation Quality
     Desc: The thoroughness and accuracy of your incident reports and investigation notes. Do they tell a clear story? Are all relevant details captured?
     Evidence: Your incident reports are clear, concise, and include all necessary details (IOCs, timestamps, actions taken, affected systems). Senior analysts rarely need to ask for more information. You've followed the IR playbook, no steps skipped. Your notes are so good, someone else could pick up the investigation and know exactly where you left off.
  2. Metric: Collaboration & Communication
     Desc: How effectively you work with other teams (IT, Network, Dev) during an incident, and how clearly you communicate technical details to non-technical folks.
     Evidence: IT Ops praises your clear instructions during host isolation. You're able to explain a complex attack chain to a manager without using jargon. You proactively share relevant findings with the team during shift handovers. You're not just 'throwing it over the wall' to another team; you're working with them to get it sorted.
  3. Metric: Proactive Identification & Tuning Input
     Desc: Your ability to spot patterns in alerts, suggest improvements to detection rules, or identify potential false positives that need tuning.
     Evidence: You flag a recurring benign alert pattern, suggesting a specific filter to reduce noise. You notice a new type of attack activity that isn't currently detected and raise it with the Senior Analyst. You're not just closing tickets; you're thinking about how to prevent them in the first place.
  4. Metric: Documentation & Knowledge Sharing
     Desc: How well you contribute to and maintain our internal knowledge base and playbooks.
     Evidence: You update a playbook after a tricky incident with new steps or lessons learned. You create a clear 'how-to' guide for a common investigation task. Other analysts refer to your documentation. Honestly, the easier you make it for the next person, the better.

Primary Traits

Supporting Traits

Primary Motivators

  1. Motivator: Problem Solving & Investigation
     Daily: You love the challenge of a good puzzle. Every alert is a mystery waiting to be solved, and you get a real kick out of piecing together the clues to understand an attack.
  2. Motivator: Learning & Skill Development
     Daily: The cyber security landscape changes constantly, and you're excited by that. You're always keen to learn about new threats, tools, and techniques, and you see every incident as a learning opportunity.
  3. Motivator: Making a Real Impact
     Daily: You want to feel like your work genuinely matters and that you're protecting something important. You understand the direct link between your actions and the company's security posture.

Potential Demotivators

Honestly, this job isn't for everyone, and we want to be upfront about the downsides. If you're someone who needs everything to be perfectly organised, or you get easily frustrated by repetition and bureaucracy, you might struggle here.

Common Frustrations

  1. The 'Alert Tsunami': You'll often feel like you're drowning in a sea of low-fidelity alerts from poorly configured tools. It's a nightmare trying to spot the one that actually matters amongst thousands of false positives.
  2. Tool Sprawl & 'Swivel-Chair' Analysis: You'll frequently find yourself manually copying and pasting an IP address or a hash between seven different browser tabs – your SIEM, EDR, TIP, VirusTotal, and so on – just to investigate one alert. Nothing's perfectly integrated, and it can be a real pain.
  3. The Politics of Escalation: There's a dread that comes with having to wake up a Director at 3 AM for a potential incident, especially knowing you'll face their wrath if it turns out to be a false alarm. It's a delicate balance.
  4. The Out-of-Date CMDB: You'll get a critical alert on 'PROD-SVR-012' and have zero context on what the server does, who owns it, or if the observed activity is business-as-usual. It makes investigations so much harder.
  5. Shift Work Burnout: The relentless cycle of day, swing, and night shifts can really wreak havoc on your health, social life, and ability to ever feel truly rested. It's a tough part of the job for many.
  6. 'We Told You So': It's immensely frustrating to watch the company get breached via a vulnerability your team flagged in a report six months ago, only for it to have been marked as 'Risk Accepted' by a business unit that didn't understand the real risk.

What the Role Doesn't Offer

  1. A predictable 9-to-5 schedule every day (incidents don't care about your plans).
  2. An environment where every single alert is a genuine, high-priority threat (most are noise).
  3. The ability to completely ignore documentation or process (it's essential, even if tedious).
  4. A role where you only ever work on cutting-edge, novel attacks (you'll deal with a lot of mundane stuff too).

ADHD Positives

  1. The fast-paced, constantly changing nature of incident response can be highly engaging, offering novelty and high-stakes problem-solving that can suit an ADHD brain.
  2. Hyperfocus can be a superpower during a critical incident, allowing deep dives into complex data sets to quickly uncover crucial details.

ADHD Challenges and Accommodations

  1. Maintaining focus during routine alert triage or extensive documentation can be challenging. We can offer tools for structured note-taking and break up monotonous tasks.
  2. Managing multiple, simultaneous investigations requires strong organisational skills. We use clear ticketing systems and offer visual task management tools.
  3. Shift work can disrupt routines, which can be difficult. We aim for consistent shift patterns where possible and support flexible scheduling where team coverage allows.

Dyslexia Positives

  1. Strong visual-spatial reasoning, often associated with dyslexia, can be excellent for spotting patterns in logs or network traffic that others might miss.
  2. Thinking 'outside the box' to connect disparate pieces of information during an investigation can be a significant advantage.

Dyslexia Challenges and Accommodations

  1. Reading dense logs or writing detailed incident reports can be time-consuming. We encourage the use of screen readers, dictation software, and structured templates.
  2. Ensuring accuracy in written communication is key. We promote peer review for critical reports and offer grammar/spell-checking tools.
  3. Our SIEM and other tools are highly visual, which can be helpful. We also use colour-coding and clear formatting in our documentation.

Autism Positives

  1. A strong preference for logical, systematic work fits perfectly with methodical incident response playbooks and forensic analysis.
  2. Exceptional attention to detail can be invaluable for spotting subtle anomalies in data that indicate malicious activity.
  3. The ability to maintain calm and focus during high-stress situations, like a major incident, can be a huge asset.

Autism Challenges and Accommodations

  1. Unpredictable social interactions during incidents or cross-team collaboration can be a challenge. We encourage clear, direct communication and offer options for text-based communication (e.g., Slack, Teams) over calls.
  2. Sensory overload from a busy SOC environment (multiple screens, chatter) can be an issue. We can provide noise-cancelling headphones and offer quieter workspaces for focused tasks.
  3. Changes in routine or unexpected tasks can be difficult. We strive for clear communication about changes and provide as much notice as possible.

Sensory Considerations

Our SOC is typically a moderately busy environment, with multiple screens, some team chatter, and occasional phone calls during incidents. We do offer noise-cancelling headphones and have quieter focus zones for when you need deep concentration. The lighting is usually ambient, with adjustable desk lamps available.

Flexibility Notes

We believe in creating an inclusive environment. If you have specific needs or require adjustments, please talk to us. We're open to discussing flexible working arrangements or specific tools that can help you thrive.

Key Responsibilities

Experience Levels Responsibilities

  1. Level: SOC Analyst (Mid-Level)
  2. Responsibilities: Independently investigate and resolve Tier 2 security alerts, taking ownership from initial detection right through to closure. This means you'll be the one digging into the details, not just passing it on.
  3. Perform initial containment actions for identified threats, like isolating compromised hosts or blocking malicious IPs at the firewall. Getting this right, and quickly, is absolutely critical.
  4. Conduct basic threat hunting exercises using established methodologies. Don't just wait for alerts; go looking for the bad stuff based on threat intelligence or a hunch.
  5. Enrich alerts and incidents with relevant context from various sources – think threat intelligence platforms, asset management systems, and user directories. The more context, the better the decision.
  6. Document all investigation steps, findings, and actions taken in our incident management system. Yes, it's tedious sometimes, but future-you (and the auditors) will be grateful.
  7. Contribute to the continuous improvement of our detection rules and playbooks. If you spot a way to make things better or reduce false positives, speak up and help us refine it.
  8. Provide informal guidance and support to junior SOC Analysts, helping them get unstuck on trickier alerts or understand a new investigation technique. You'll be a sounding board for them.
  9. Supervision: You'll have weekly check-ins with your Senior or Lead SOC Analyst to discuss ongoing investigations, tricky cases, and development goals. For routine tasks, you're expected to work independently, but for anything novel or high-impact, you should definitely be escalating or consulting.
  10. Decision: You have the authority to make routine decisions within established guidelines and playbooks. For example, you can decide to isolate a host if it meets specific criteria in the playbook. Any decisions outside of these guidelines, or those with significant business impact (e.g., shutting down a critical application), must be escalated to a Senior Analyst or Manager for approval. You'll consult with your Lead on complex investigation paths or when you're unsure of the best next step.
  11. Success: You're successful when you consistently resolve common incidents efficiently and accurately, contribute to reducing false positives, and your investigation notes are clear and complete. If you're seen as a reliable pair of hands who can be trusted to get to the bottom of things, you're doing well.

Decision-Making Authority

Save 10-15 hours weekly: Supercharge your SOC investigations with AI

Let's be honest, a big chunk of a SOC Analyst's day is spent on repetitive tasks or sifting through mountains of data that often turn out to be noise. But what if you could offload a good portion of that to AI? Imagine focusing on the really interesting, complex threats, not the mundane stuff.

Tool: Alert Triage Autopilot

Benefit: This AI automatically investigates and closes up to 80% of those low-confidence, high-volume alerts – things like benign scanner activity or expected maintenance. For the alerts that actually matter, it enriches them with threat intelligence, asset context, and user behaviour data, so you start your investigation with the full picture, not just a raw log line. It's like having a pre-investigation done for you.

Tool: Anomaly Detection Co-Pilot

Benefit: Our AI learns the unique 'normal' baseline for every user, every server, and every application in our environment. It then flags subtle deviations – for example, an accountant's laptop suddenly running PowerShell at 3 AM, or a server accessing an unusual external IP. These aren't always known malicious signatures, but they're highly anomalous, giving you a head start on spotting novel threats that traditional rules might miss.

Tool: Instant Threat Briefing

Benefit: Got a new 50-page threat intelligence report? Just feed it into our AI model. It'll instantly provide a one-page summary of the key takeaways, extract all the technical Indicators of Compromise (IOCs) into a machine-readable list, and even draft a new detection rule for your SIEM based on the adversary Tactics, Techniques, and Procedures (TTPs) described. No more slogging through dense PDFs.

Tool: Incident Report Drafter

Benefit: After an incident, you'll have a pile of raw investigation notes, timestamps, and technical findings. Give these to the AI, and it will automatically structure this data into a formal incident report for your technical peers and a separate, non-technical executive summary for leadership. It ensures consistency, saves you a ton of time on formatting, and gets the information out faster.

Weekly time savings potential: roughly 10-15 hours per week on repetitive tasks
Typical tool investment: integrated with your existing SIEM, EDR, and TIP

Competency Requirements

Foundation Skills (Transferable)

These are the core human skills that underpin everything you do. Without these, even the best technical knowledge won't get you far in a SOC. We're looking for clear thinkers and good communicators, especially when things get hairy.

Functional Skills (Role-Specific Technical)

These are the specific technical skills and knowledge you'll need day-to-day. We're talking about understanding how attackers operate, how to use our tools, and how to make sense of all the data thrown at you.

Technical Competencies

Digital Tools

Industry Knowledge

Regulatory Compliance Regulations

Essential Prerequisites

Career Pathway Context

Think of these as the foundational building blocks. If you've been working in a junior SOC role, or perhaps in IT support with a strong security focus, you should have picked up most of these. We're looking for someone who can hit the ground running on common incident types, not someone who needs to be taught the basics from scratch.

Qualifications & Credentials

Emerging Foundation Skills

Advancing Technical Skills

Future Skills Closing Note

These aren't just 'nice-to-haves'; they're becoming essential for anyone wanting to build a long, impactful career in security operations. We'll support you with training and resources, but the drive to learn has to come from you. It's an exciting time to be in this field, and we want you to grow with it.

Education Requirements

Experience Requirements

You'll need at least 2-5 years of hands-on experience in a Security Operations Centre (SOC) or a similar incident response role. This isn't an entry-level position; we need someone who's already comfortable with the basics and can hit the ground running on common incident types. We're looking for practical experience in alert triage, incident investigation, and initial containment actions.

Preferred Certifications

Recommended Activities

Career Progression Pathways

Entry Paths to This Role

Career Progression From This Role

Long Term Vision Potential Roles

Sector Mobility

The skills you gain as a SOC Analyst are highly transferable across almost any industry. Every company needs to defend itself, so you'll find opportunities in finance, healthcare, government, tech, and more. This role is a fantastic launchpad for a diverse career in cyber security.

How Zavmo Delivers This Role's Development

DISCOVER Phase: Skills Gap Analysis

Zavmo maps your current competencies against all requirements in this job description through conversational assessment. We evaluate your foundation skills (communication, strategic thinking), functional skills (CRM expertise, negotiation), and readiness for career progression.

Output: Personalised skills gap heat map showing strengths and priorities, estimated time to competency, neurodiversity accommodations.

DISCUSS Phase: Personalised Learning Pathway

Based on your DISCOVER results, Zavmo creates a personalised learning plan prioritised by impact: foundation skills first, then functional skills. We adapt to your learning style, pace, and neurodiversity needs (ADHD, dyslexia, autism).

Output: Week-by-week schedule, each module linked to specific job responsibilities, checkpoints and milestones.

DELIVER Phase: Conversational Learning

Learn through conversation, not boring modules. Zavmo uses 10 conversation types (Socratic dialogue, role-play, coaching, case studies) to build competence. Practice difficult QBR presentations, negotiate tough renewals, and handle churn conversations in a safe AI environment before facing real clients.

Example: "For 'Stakeholder Mapping', Zavmo will guide you through analysing a complex enterprise account, identifying key decision-makers, and building an engagement strategy."

DEMONSTRATE Phase: Competency Assessment

Zavmo automatically builds your evidence portfolio as you learn. Every conversation, practice scenario, and application example is captured and mapped to NOS performance criteria. When ready, your portfolio supports OFQUAL qualification claims and demonstrates competence to employers.

Output: Competency matrix, evidence portfolio (downloadable), qualification readiness, career progression score.
