SOC Hierarchy & Roles

First responder. Watches the queue. Performs initial triage on every alert.

Owns the runbook: validates the alert, gathers context, decides escalate vs close.

Average time per alert: 5–15 minutes. Burns out fastest if alert quality is poor.

Career path: → T2 within 12-18 months.

Takes escalations from T1. Performs deep correlation across multiple data sources.

Owns the incident end-to-end: investigation, containment, communications.

Pivots through Splunk, EDR, email gateway, identity logs, threat intel.

Proactive — hunts for adversaries that no rule has caught yet.

Builds new correlation searches, tunes false positives, runs adversary emulation.

Owns the detection backlog and the engineering side of the SOC.

Incident Responder — leads major incidents, runs IR playbooks, coordinates legal/comms.

Threat Intelligence Analyst — produces intel, tracks actors, drives priority intel requirements.

Detection Engineer — codifies hunts into reliable rules; owns CI/CD for detections.

SOAR / Automation Engineer — builds playbooks that automate enrichment and response.

SOC Manager — owns SLAs, capacity, training, vendor management, reporting.

1) Log generated → 2) Forwarded → 3) Indexed in Splunk → 4) Correlation search fires → 5) Notable Event in Incident Review → 6) T1 triage → 7) Escalate or close → 8) T2 investigates → 9) Containment / Eradication → 10) Lessons learned & detection improvement.

Every shift handover passes: open tickets, active incidents, watchlist IOCs, pending approvals.

Quality handovers prevent dropped balls during the most dangerous hours (after-hours / weekends).