Many cybersecurity professionals kick off their careers at Security Operations Centers (SOC) – the command hubs keeping organizations safe against cyber threats.
And for good reason! SOCs are a fantastic entry point into the field due to the "boots on the ground" nature of the work. As a SOC analyst, you'll learn the essential tools of the trade and get first-hand experience monitoring for and responding to threats.
But what are these roles like in real life? To get the inside scoop on life as a SOC analyst, we spoke with:
💼 What SOC analysts do day-to-day
😊 How happy are SOC analysts with the job?
💃 What type of people thrive?
👍 Pros
👎 Cons
🌍 Impact
⚖️ Work-life balance
🤸♂️ Flexibility
🤝 The people
⬆️ Your managers
🧭 Values alignment
👫🏽 Diversity
⚓ Job stability
🌱 Learning & development
🌟 Job outlook
💵 Pay
📈 Career progression
4. Where can I find internships?
Most SOC analysts spend the majority of their day watching screens, much like how a security guard sits in front of screens to look out for suspicious activity. Because of the number of applications you need to use, you'll typically have 2-3 screens to watch.
On the screen, alerts will pop up every second that say things like "John in HR logged in to work" or "Sally in Finance went to a bad site and got a virus." You'll need to determine if there are any alerts you might need to look into further, since they may be a sign of a potential breach.
80% of my time is looking at screens to monitor the network and determine if an alert is a real alert.
10% is meetings.
10% is projects. For example, at an MSSP I worked for, one of our clients was rolling out Multi-Factor Authentication, so I helped out with that. I also helped a client construct the workflow for their ticketing process (basically the process that a SOC analyst would follow when you have an alert and need to open a ticket about it) so that the customers we monitored for could pass audits. Not all organizations have a workflow.
– SOC analyst in government and MSSPs
If you work for a SOC at a smaller organization, you might have a wider range of work.
- 30% of my day was looking at screens.
- 30% was spent examining potential phishing emails. Phishing emails are sneaky messages designed to trick you into giving away personal information or unknowingly downloading harmful software. For instance, you could get an email pretending to be from Netflix, luring you with a free gift card if you click on a link and give your account details. Anyways, we had a tool where users at the company could report phishing emails and we'd look into them.
- 40% was emails, meetings, project work, and documentation. There's a healthy amount of project work in cybersecurity. A common project would be reviewing our "block lists" (lists of IP addresses that we block) to make sure they're up-to-date. Documentation involves documenting incidents, findings, and actions taken.
As a Tier 1 analyst, that last 40% involves learning new things and digging deep into investigations.
As a Tier 2 analyst, there was more "figuring out why something isn't working." For example, if someone at the company says their endpoint security tool (think: antivirus) is using 90% of their CPU and they can't get any work done, I go and troubleshoot the problem.
– Former SOC analyst in defense and fintech
Security operations are a grind. It's like a security helpdesk or like a call center. It's very front-line and in the trenches, responding to alerts so that they don't turn into bigger issues.
– Former SOC analyst in defense and fintech
It's not for everybody. A lot of people get burned out. And a lot of people see SOCs as a springboard to other areas of cybersecurity. But personally, I love it! I love that it's fast-paced and I'm never bored. I like the threat-hunting and the documentation. And you learn so much about threat actors and their motives.
The only thing I didn't enjoy was when I worked at a SOC for a government body. You can't use your phone at work. You need to leave it in the car. But that has more to do with working for the government than working in a SOC.
– SOC analyst in government and MSSPs
I think it's great for younger people since you have lots of energy and you're hungry to learn. But I definitely grew out of that phase!
– Former SOC analyst in defense and fintech
Anybody who has attention to detail and has the drive. It doesn't matter what age you are. I've worked with people who have been way older than me and people way younger than me.
– SOC analyst in government and MSSPs
I think there are people who enjoy SOC work. These would be people who enjoy the "no two days are the same" life.
– Former SOC analyst in defense and fintech
One of my favorite experiences so far was a time when an organization I worked for got compromised. It was very chaotic but we got the systems back up and running in an hour. Normally it takes much longer than that, but we worked together to pull it off. I think people who find it exciting to put out fires would like the job a lot. Also, when I work under pressure, I just get a sense of accomplishment which I can't explain!
– SOC analyst in government and MSSPs
Working at a SOC is an amazing learning experience in that you get exposed to all things security. You're going to be able to view so much security data. You'll also get to investigate and learn operating systems and processes at a deep level. Things will click and will start making sense. You'll have epiphanies.
SOCs are like your General Education courses in college. You'll be exposed to all things security, and you'll be able to discover what you're interested in in terms of your career. For instance, do you like network security? SIEM? Incident response?
So I'd never dissuade anyone from working in a SOC!
– Former SOC analyst in defense and fintech
It's an exciting job. You get to learn how to think like a criminal, like all the different ways they can manipulate a server. Stuff like this really keeps you sharp.
– SOC analyst in government and MSSPs
Looking into alerts feels like a puzzle. Just as it's satisfying to complete a puzzle, it feels great to get to the bottom of an alert. If I'm reaching the end of a shift but I'm in the middle of an investigation, I actually want to keep going!
– SOC analyst in government and MSSPs
It's very rewarding knowing that you help protect an organization.
No organization is 100% safe, as there's always going to be some vulnerabilities and we can't stop people from trying to break in. But what we can do is stop threat actors from getting access to the organization's assets (whatever data they're trying to protect).
Whenever we're able to keep our assets secure during an incident, that means the safeguards we put in place worked. It feels great, because that means we're doing a good job.
– SOC analyst in government and MSSPs
I was lucky to work for a 9-to-5 SOC job at a small company, but a lot of SOC work is shift work. A lot of the jobs are contract positions or contract-to-hire positions.
– Former SOC analyst in defense and fintech
If you're not full-time and you work a contract position, that could be daunting. They may only have a night shift available, for instance.
– SOC analyst in government and MSSPs
The gravity of the work makes it inherently stressful. On top of that, there's also stress from the metrics (being measured on the quantity of your work).
In security, we have KPIs (metrics) that get reported to executives. So if you're an analyst and you're not closing as many tickets as your colleagues, it can be stressful. The job can really take a mental toll.
Depending on the SOC you work at, you may be tracked on how many alerts you close, how long you take to close them, and even how long it takes you to see an alert and click into it! There are some crazy metrics. It can be micromanaged. So your job satisfaction will really depend on where you work.
– Former SOC analyst in defense and fintech
Alert fatigue is a big thing. You can get burned out by all the alerts coming through, so you need to know how to filter those so you're not overwhelmed by a bunch of unimportant alerts hitting your screen.
– SOC analyst in government and MSSPs
I definitely felt like I was making an impact.
I worked at a SOC for a defense contractor making armored vehicles for militaries all over the world. You realize you're protecting the data of the vehicles that are keeping soldiers across the world safe from harm.
So I felt I was making a difference at the SOC largely because of the company, but there's a sense of accomplishment no matter where you work. Whenever you find a clue (maybe there's a potential infection) and you dig into it and eradicate it, you make a tangible impact. You feel like you did a job well done.
– Former SOC analyst in defense and fintech
I feel like I make a great deal of impact at SOCs. We're first responders. We're like EMTs who arrive at the scene of an accident. That's the kind of work we do.
– SOC analyst in government and MSSPs
My work-life balance was good as a SOC analyst. There will be some times where you'll be brought into an investigation late at night but overall it was good.
This is in contrast to my work-life balance in incident response - one of the higher-level SOC roles, which as the title implies, involves responding to security incidents like breaches. This means lots of late nights, early mornings, and even all-nighters.
– Former SOC analyst in defense and fintech
I work four days on, three days off. When I'm off, I'm off. I don't check emails. I spend time with family and spend time on personal life, so I feel like I have a very good work-life balance.
– SOC analyst in government and MSSPs
Most organizations I've worked for didn't care as long as I got the work done.
For instance, I've never worked somewhere where I had to take my doctor's appointments using PTO or vacation. When I was an analyst, I'd always give two weeks' notice for an appointment so it's in my boss' calendar.
During COVID, we got to work remotely but there's been a push to return to the office. Employers are forcing SOC analysts to work from the office three times a week. The full remote positions are going to be more rare and competitive.
– Former SOC analyst in defense and fintech
This is different for every organization but I'm able to take vacations when I need it.
Also, all of my SOC positions have allowed me to work from home. Only the government one required me to be on-site.
– SOC analyst in government and MSSPs
Most of your day is collaborating with your teammates, bouncing ideas off other analysts. Even as a Tier 2 analyst, I'd ask Tier 1 for a second opinion. There's a lot of back-and-forth and looking over each other's shoulders.
If you have a project, you'd interface with other people. For instance, I'd have to interface with the server administrators or the network engineers on projects, which would be coordinated by the project management office.
– Former SOC analyst in defense and fintech
We're all a team. Everybody has their days, but at the end of the day, if there's a situation, we all have each other's back.
During your interviews, you'll get to talk to multiple staff members. This is when you can scope out whether this is a team you want to join. Just look at their chemistry and how they interact with each other. Ask people, "How do you like working here?"
– SOC analyst in government and MSSPs
At a SOC, all the analysts (regardless of what tier you are) report to a SOC manager.
My SOC managers have been largely good. Sometimes, you get a micromanager but usually they were hands-off as long as you show up, do your job, and try to be better in everything you do.
– Former SOC analyst in defense and fintech
Sometimes you have managers that aren't as easy to work with. You just have to make sure you know why you're there and what boundaries you don't want crossed. But this applies to any job.
For the most part, I've had good relationships with my managers. As long as you know you have a job to do, and you do it, you should be fine.
– SOC analyst in government and MSSPs
I do feel that my work aligns with my values. The reason is because I would want whoever I’m entrusting my data with to treat it as their own.
I feel great that I can give due care to all my company's customers' and employees' data and protect it as my own, which is what I would expect of a custodian of my data.
– Former SOC analyst in defense and fintech
My values in life include honesty and integrity. So I definitely think my SOC work aligns with my values.
You have to have integrity in cybersecurity. You have to be honest. If you make a mistake, you own up to it. If there's something you don't know, you need to know to ask for help. The quicker you own up to these things, the quicker another person can help you and you can learn.
– SOC analyst in government and MSSPs
Generally, diversity has been good, considering women in STEM make up such a small percentage of the workforce.
Overall, cybersecurity is a heavily older male-dominated industry. Starting out in the 2010s, it wasn't so good, but it's getting better. There's more awareness and more effort especially with DEI initiatives.
– Former SOC analyst in defense and fintech
The diversity has gotten better. When I first started, there weren't a lot of women, but it's more diverse now. My manager's manager is female, for instance. Within my team, there are 6 females and 2 males. Six years ago when I started, there would've been a lot more males than females.
– SOC analyst in government and MSSPs
A lot of SOC positions are contract. If a company falls on hard times (or they don't like you), they can easily make you go away. On the other hand, if you are a full-time hire of a company, the stability is good.
– Former SOC analyst in defense and fintech
If you work a contract position, you're not employed long-term with the company. At the end of the year, the company will decide whether to extend the contract or not. If you're really good, they might try to fit you into the budget and extend the contract, but that doesn't always happen.
– SOC analyst in government and MSSPs
Regulated industries include banking, government contracting and healthcare. Companies in these industries need to have a cybersecurity program in place, so you won't need to worry about getting laid off.
– Former SOC analyst in defense and fintech
SOCs are very expensive to set up and run, so many companies these days are outsourcing their security operations overseas.
The one time I was worried about losing my job was when a public company I worked for got bought out by a private equity company. They wanted to cut costs and one of their ideas was to offshore the whole cybersecurity team to Kosovo. I switched to a different company as soon as I could after hearing about this.
– Former SOC analyst in defense and fintech
SOCs are an amazing learning experience. The most valuable thing I gained was in-depth understanding of how computers work. Working at a SOC, you'll see all sorts of data come in, which will help you gain a full picture of a cybersecurity program. This will enable you to know how the different disciplines in cybersecurity work together when something goes wrong and is key to being a conscientious and prudent cybersecurity professional.
It's not a given but a lot of companies will pay for you to get certifications. If you have two job offers, definitely take the one which pays for the certifications, as they can be pretty expensive.
That said, there's a limit to what you can learn at a SOC. You're only going to do so much at a SOC. If you're fluent with all the tools your team has access to and there aren't any other tools to learn, then there isn't much more to learn. There's a "career limit" too in terms of your title and financial goals.
– Former SOC analyst in defense and fintech
Continuing education is a required part of working in this field because:
- What you learned five years ago is different from today, so you have to stay in the know.
- You need to keep learning to keep your certifications. I go to a lot of virtual townhall meetings on different topics, like AI or advanced SOC skills. These events count towards the hours you need to put in to renew your certification. Otherwise they expire!
Companies know that these trainings are part of the job, so they're generally understanding if you need to attend a training during the work day. (That said, you don't want to totally check out for like four days even if you're at a conference. You still want to log in when you can to see how things are going with your team!)
– SOC analyst in government and MSSPs
The Bureau of Labor Statistics predicts that cybersecurity analyst jobs will grow 32% (much faster than average).
That said, there's a bit of a mismatch in the job market since employers generally want experienced cybersecurity professionals (it's hard to entrust your security to someone without experience) and most students don't have experience. Check out our best tips on breaking into cybersecurity[LINK].
SOC pay depends on a lot of factors, including your region, the state of the economy, and the amount of competition for entry-level roles. When the economy is bad and there's a lot of people competing for jobs, the pay tends to be lower.
Here's what our SOC analysts have observed. Some discrepancies may also be due to regional diff
From what I've seen and heard, starting salary these days at SOCs is $65k-85k. You can expect the standard book of benefits: health/vision/dental insurance, retirement plan matching, etc.
A lot of publicly traded companies will give bonuses, which could be anywhere from $4,000 to $12,000, depending on whether you hit your goals and whether the company met its goals.
Some start-ups do spot bonuses as well, like "Thanks for doing well in that project, here's a $1,000 spot bonus."
You'll also get a yearly percentage salary increase of 3-7%.
– Former SOC analyst in defense and fintech
The money is really good! Let's just say the first year, you could be making 6 figures ($85-100k). When you work a contract, you won't get a bonus, but if you're an employee, you'll get an annual bonus, which is usually 4% of your salary.
– Former SOC analyst in defense and fintech
At a SOC, you generally start as a Tier 1 analyst, then move up to a Tier 2 and Tier 3 roles with experience. From there, you can move into a SOC management position or specialize.
But the levels will also depend on the size of your organization.
I worked at a small SOC where there were just two full-time staff and an intern. Tier 2 was the highest level we had. But at larger organizations, it usually goes up to Tier 3 and there may even be very strict experience requirements for each tier.
– Former SOC analyst in defense and fintech
As a Tier 1 SOC analyst, you're the organization's first line of defense. You're responsible for the initial triage - this involves sorting through an ocean of security alerts generated by systems to separate false from real alerts.
As a Tier 2 SOC analyst, you sit above the Tier 1 analysts, who come to you when there's something they need to escalate.
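The triage loop described above (sorting the feed of "John in HR logged in" alerts into noise, things worth a look, and true positives to escalate to Tier 2) can be sketched in code. This is an added example, not code from the original article or from any of the analysts quoted: a toy Python rule set run over a handful of constructed alerts. The alert fields, the rule thresholds, the block list and corporate ranges, and the sample alerts are all assumptions made for the illustration.

```python
"""Toy Tier 1 alert triage: turn a noisy alert feed into a prioritised queue.

Added example, not from the original article. Alert format, thresholds,
network ranges and the sample alerts are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed block list (the article's "lists of IP addresses that we block").
BLOCK_LIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]
# Constructed corporate range; daytime logins from here are expected noise.
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Alert:
    ts: str        # "HH:MM", kept short for the example
    kind: str      # "login", "login_failed", "web_block", "malware"
    user: str
    src_ip: str
    detail: str = ""


def _in(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def score(alert: Alert, failed_logins: Counter) -> int:
    """Return 0 to suppress the alert, otherwise a priority (higher = sooner)."""
    hour = int(alert.ts.split(":")[0])
    if alert.kind == "malware":
        return 90   # true positive candidate: escalate to Tier 2 immediately
    if _in(alert.src_ip, BLOCK_LIST):
        return 80   # a blocked address should never show up; check the control itself
    if alert.kind == "login_failed" and failed_logins[alert.user] >= 5:
        return 60   # burst of failures for one account: possible brute force
    if alert.kind == "login" and _in(alert.src_ip, CORP_NETS) and 8 <= hour < 18:
        return 0    # "John in HR logged in" from the office during the day: noise
    if alert.kind == "login":
        return 30   # off-hours or off-network login: worth a look, not an emergency
    if alert.kind == "web_block":
        return 20   # the proxy already blocked it; low priority unless it repeats
    return 10


def triage(alerts: list[Alert]) -> list[tuple[int, Alert]]:
    """Collapse repeats, drop noise, and sort what is left by priority."""
    failed = Counter(a.user for a in alerts if a.kind == "login_failed")
    seen: set[tuple[str, str, str]] = set()
    queue: list[tuple[int, Alert]] = []
    for a in alerts:
        key = (a.kind, a.user, a.src_ip)
        if key in seen:
            continue            # same signal again: one queue entry is enough
        seen.add(key)
        s = score(a, failed)
        if s > 0:
            queue.append((s, a))
    queue.sort(key=lambda item: -item[0])   # stable sort keeps feed order on ties
    return queue


def escalate(queue: list[tuple[int, Alert]]) -> list[Alert]:
    """Anything at or above 60 goes to the Tier 2 analyst rather than being closed at Tier 1."""
    return [a for s, a in queue if s >= 60]


# Constructed sample feed: two duplicate office logins, a phishing click followed
# by an AV detection, a burst of failed logins from a blocked range, and one
# off-hours login from outside the corporate network.
SAMPLE_ALERTS = [
    Alert("09:02", "login", "john.hr", "10.1.4.22"),
    Alert("09:03", "login", "john.hr", "10.1.4.22"),
    Alert("09:15", "web_block", "sally.fin", "10.2.7.9", "gift-card lure domain"),
    Alert("09:16", "malware", "sally.fin", "10.2.7.9", "AV quarantined a dropper"),
] + [Alert(f"11:{m:02d}", "login_failed", "svc-backup", "198.51.100.23") for m in range(6)] + [
    Alert("02:40", "login", "dave.eng", "203.0.113.50"),
]

if __name__ == "__main__":
    for s, a in triage(SAMPLE_ALERTS):
        print(f"{s:3d}  {a.ts}  {a.kind:13s} {a.user:12s} {a.src_ip}  {a.detail}")
    print("escalate to Tier 2:", [a.user for a in escalate(triage(SAMPLE_ALERTS))])
```

Run as a script it prints the four surviving queue entries in priority order, with the malware hit and the block-list hit flagged for escalation and both office logins gone. The point is the shape of the work, not the rules: real SOCs push this logic into the SIEM and the ticketing workflow, and the hard part of the job (and the source of the alert fatigue the analysts describe) is tuning the suppression so that the noise disappears without hiding the one alert that matters.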
At Tier 2, I became more of a point of escalation. This meant that:
- If a junior analyst was investigating an alert and couldn't figure something out, they would come to me.
- If they found something that was a true positive (e.g. active malware infection), they would immediately escalate that to me. We would then take action (e.g. cut network access, wipe the machine).
Tier 2 also involves mentoring and hiring interns and junior analysts but not in a managerial kind of way.
At Tier 2, I also became the owner of the tools we used. This includes SIEM tools (which is where all your security data gets sent to) and endpoint security tools (think: McAfee antivirus but at a much more enterprise-level). As the owner of the tools:
- You're the one people turn to when they have a problem with the tool.
- You're the one attending meetings with the vendor. This includes biweekly or monthly meetings where they'll check in with you to see if you have any issues. It also includes support calls where you're experiencing an error with the tool and you need the vendor to help you troubleshoot through it.
– Former SOC analyst in defense and fintech
If you reach the level of a Tier 3 analyst, your role includes actively searching for online threats. This uppermost tier also requires you to play a part in policy development. Your tasks would consist of spotting security gaps, reinforcing cybersecurity defenses, and making necessary changes in cybersecurity policies.
At this point, you can take either the managerial route or the individual contributor route. It also depends on your company.
- The managerial route would involve becoming a shift supervisor or SOC manager, where you'd actually manage people.
- Individual contributor route: A lot of time, people in SOC will move towards incident response or endpoint security or networking.
In my case, I decided to specialize in incident response, which is like the highest level of SOC analyst and the most stressful job I've ever had.
You need to be skilled in investigating, multitasking, and time management. Imagine a Russian IP address trying to break in and actually compromising a computer. The timer's running. You need to stop the bleeding and bandage it up before we make headlines in the news for a customer data breach or ransomware.
The incident response plan is activated. You're doing your best to clean up the incident and people from all directions are barking at you for updates every five minutes. It's a very neurotic experience.
– Former SOC analyst in defense and fintech
You can find plenty of internships on Prosple. We have a vast selection of internships curated for students like you. Just filter 'til you find the right fit!