SOC (Security Operations Center)
An organizational unit that monitors IT security 24/7, detects incidents, and responds to them. The SOC is the team; the SIEM is its technical detection platform, and SOAR is the automation layer for response. For detailed information on setting up a SOC, see the Security Operations Center article in the Wiki.
A Security Operations Center (SOC) is the operational heart of a company’s cybersecurity. “We have a SIEM” does not equal a SOC—a SIEM without analysts is like an alarm system without a security guard: it beeps, but no one responds. A true SOC combines people, processes, and technology to continuously detect and respond to security incidents.
Core SOC Functions
- Monitoring and Triage: Continuous monitoring of all security-relevant systems; separating alerts from false positives and prioritizing them by severity
- Incident Response: For confirmed incidents: containment, eradication, and recovery; communication with management and authorities
- Threat Intelligence: Integrate IOCs into monitoring; proactively address emerging threats
- Vulnerability Management: Coordinate vulnerability scanning; prioritize patches based on threat intelligence
- Detection Engineering: Develop new detection rules; fine-tune existing rules to reduce false positives; threat hunting
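As an added example (not part of this page and not any vendor's product code), the following Python sketch shows two of the functions listed above working together: IOC matching against a threat-intelligence feed, and a stateful detection rule for SSH brute forcing whose false positives are reduced with a rule-scoped allowlist. The log lines, hostnames, IOC address and scanner address are all constructed for the example; the threshold and time window are assumed tuning values, not recommendations from the page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# --- Constructed inputs (not real data) ----------------------------------------
# Threat-intel feed: one IOC, a source IP reported as hostile.
IOC_FEED = {"198.51.100.23"}
# Tuning: sources whose failed logins are expected. Scoped to the brute-force
# rule only; an IOC hit is never suppressed by this list.
ALLOWLIST = {"192.0.2.10": "internal vulnerability scanner, nightly credential audit"}
FAIL_THRESHOLD = 5             # assumed tuning values, not from the page
WINDOW = timedelta(minutes=2)

# Constructed sshd log lines in OpenSSH syslog style, already in time order.
SAMPLE_LOGS = [
    # 02:00 - the scanner: looks exactly like a brute force, but is known and allowlisted
    "2024-05-01T02:00:00Z bastion sshd[4401]: Failed password for root from 192.0.2.10 port 60001 ssh2",
    "2024-05-01T02:00:02Z bastion sshd[4402]: Failed password for root from 192.0.2.10 port 60002 ssh2",
    "2024-05-01T02:00:04Z bastion sshd[4403]: Failed password for invalid user admin from 192.0.2.10 port 60003 ssh2",
    "2024-05-01T02:00:06Z bastion sshd[4404]: Failed password for invalid user test from 192.0.2.10 port 60004 ssh2",
    "2024-05-01T02:00:08Z bastion sshd[4405]: Failed password for root from 192.0.2.10 port 60005 ssh2",
    "2024-05-01T02:00:10Z bastion sshd[4406]: Failed password for root from 192.0.2.10 port 60006 ssh2",
    # 08:00 - a real brute force from an unknown address, ending in a successful login
    "2024-05-01T08:00:01Z bastion sshd[4101]: Failed password for root from 203.0.113.7 port 50001 ssh2",
    "2024-05-01T08:00:03Z bastion sshd[4102]: Failed password for root from 203.0.113.7 port 50002 ssh2",
    "2024-05-01T08:00:05Z bastion sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 50003 ssh2",
    "2024-05-01T08:00:07Z bastion sshd[4104]: Failed password for ops from 203.0.113.7 port 50004 ssh2",
    "2024-05-01T08:00:09Z bastion sshd[4105]: Failed password for ops from 203.0.113.7 port 50005 ssh2",
    "2024-05-01T08:00:12Z bastion sshd[4106]: Accepted password for ops from 203.0.113.7 port 50006 ssh2",
    # 08:10 - a user mistyping a password once: below threshold, no alert
    "2024-05-01T08:10:00Z bastion sshd[4201]: Failed password for alice from 10.0.0.5 port 40001 ssh2",
    "2024-05-01T08:10:04Z bastion sshd[4202]: Accepted password for alice from 10.0.0.5 port 40002 ssh2",
    # 09:00 - a clean key-based login, but from an address on the IOC feed
    "2024-05-01T09:00:00Z bastion sshd[4301]: Accepted publickey for deploy from 198.51.100.23 port 33001 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line):
    """Turn one sshd line into an event dict, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def run_detection(lines, iocs=IOC_FEED, allowlist=ALLOWLIST):
    """Run the IOC rule and the brute-force rule over log lines.

    Returns (alerts, suppressed): the alerts raised, and how many brute-force
    detections the allowlist swallowed. Suppressions are counted rather than
    dropped silently so the tuning itself stays reviewable.
    """
    alerts, suppressed = [], 0
    failures = defaultdict(deque)   # src -> timestamps of failures inside WINDOW
    brute_alerts = {}               # src -> alert dict already raised (dedupe + escalation)
    handled = set()                 # srcs whose burst was already alerted or suppressed
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        # Rule 1: threat-intel IOC match. Any activity from a known-bad source is an alert,
        # successful or not, and the allowlist does not apply here.
        if src in iocs:
            alerts.append({"rule": "ioc_match", "severity": "high", "src": src,
                           "user": ev["user"], "ts": ts,
                           "reason": f"{ev['outcome']} {ev['method']} login from IOC {src}"})
        # Rule 2: >= FAIL_THRESHOLD failures from one source inside a sliding WINDOW.
        if ev["outcome"] == "Failed":
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > WINDOW:
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and src not in handled:
                handled.add(src)
                if src in allowlist:
                    suppressed += 1           # known noise source: tuned out, but counted
                else:
                    alert = {"rule": "ssh_bruteforce", "severity": "medium", "src": src,
                             "user": ev["user"], "ts": ts,
                             "reason": f"{len(q)} failed logins within {WINDOW}"}
                    alerts.append(alert)
                    brute_alerts[src] = alert
        elif src in brute_alerts:
            # The burst ended in a successful login: escalate the existing alert
            # instead of raising a second one for the same source.
            alert = brute_alerts[src]
            alert.update(rule="ssh_bruteforce_success", severity="high", user=ev["user"],
                         reason=f"Accepted login for {ev['user']} after a failure burst")
    return alerts, suppressed


if __name__ == "__main__":
    found, dropped = run_detection(SAMPLE_LOGS)
    for a in found:
        print(f"[{a['severity']:6}] {a['rule']:24} {a['src']:15} {a['reason']}")
    print(f"suppressed by allowlist: {dropped}")
```

The allowlist is deliberately keyed by rule, not global: a scanner's failed logins are expected, but the same address showing up on a threat-intelligence feed must still fire. Counting suppressions is the cheap way to notice when an allowlist entry has outlived its reason.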
SOC Tier Model
Tier 1 - Alert Analyst (L1)
Review incoming alerts, perform triage (true positive or false positive?), execute standard playbooks, and escalate confirmed incidents. High alert volume, shift work.
Tier 2 - Incident Responder (L2)
In-depth analysis of escalated incidents; digital forensics (memory dumps, log analysis); coordinate containment and eradication; write IR reports. Requires malware analysis and EDR expertise.
Tier 3 - Threat Hunter and Detection Engineer (L3)
Proactive threat hunting without alert triggers; develop and validate detection rules; translate red team findings into detection rules; produce threat intelligence. Ratio: approx. 1 L3 per 4–6 L1/L2 analysts.
SOC Models
In-house SOC: In-house staff, maximum control, high costs (minimum investment: ~€500,000/year for a 24/7 SOC with 5 analysts)
Managed SOC / MSSP: Outsourcing to a Managed Security Service Provider. More cost-effective for SMEs, but requires clear SLAs for Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).
Hybrid: Combination of internal resources (Tier 2/3 and escalation) and external MSSP (24/7 monitoring, Tier 1)
SOC Maturity Levels
| Level | Characteristics |
|---|---|
| Level 1 | Reactive only, manual processes, no standardization |
| Level 2 | SIEM implemented, initial playbooks, partial automation |
| Level 3 | Threat hunting, SOAR, defined KPIs |
| Level 4 | Proactive, fully automated responses, integrated threat intelligence |
KPIs for SOC Effectiveness
- MTTD (Mean Time to Detect): Time between the start of an attack and detection - Goal: Minutes/hours instead of weeks
- MTTR (Mean Time to Respond): Time between detection and containment. The acronym is also used for Mean Time to Resolve or Recover, so an SLA must state which endpoint (containment, eradication, or full recovery) is measured
- False Positive Rate: Percentage of false alarms – too high leads to alert fatigue
- Alert Fatigue: Critical – more than 100 alerts/day for an L1 analyst is a quality issue
Detailed Guide: Building a SOC – Strategy, Tools, and Operations