The Shape of the Day
Most SOCs run 24×7 in three shifts. A typical 9-hour shift looks roughly like this:
- Handover (15 min). Review what the previous shift left open — active investigations, escalations, watch items.
- Queue triage (2–3 hrs). Work the alert queue. Most alerts are noise. The job is to separate the signal fast.
- Deep dives (2–4 hrs). The handful of alerts that aren't noise become investigations — pivot through logs, query EDR, check identity events, build a timeline.
- Reporting & tickets (1–2 hrs). Document findings, hand off to other teams, update detection rules to suppress recurring noise.
- Spikes. Real incidents take over the day. Everything else stops.
The Tooling You Live In
The exact stack varies, but most SOC analysts spend the day across roughly the same categories:
- SIEM (Splunk, Sentinel, Elastic, Chronicle) — alert source and search workbench.
- EDR/XDR (CrowdStrike, SentinelOne, Defender) — endpoint visibility and isolation.
- Identity provider (Okta, Entra ID) — sign-in logs, OAuth grants, conditional access.
- Cloud audit logs (CloudTrail, Activity Log, Audit Logs).
- Ticketing (Jira, ServiceNow) — case management.
- SOAR — automation for the repetitive playbook steps.
The Skill That Actually Matters
"The best SOC analysts aren't the ones who know the most tools. They're the ones who can build a coherent story from fragments."
Modern attacks rarely show up as "one alert says malware." They show up as: a slightly unusual login geo, an OAuth grant to an unfamiliar app, a script that ran at 2am, an outbound DNS query to a young domain. None of those alone are a finding. Stitched together, they're the breach.
The skill — call it investigative judgment — is built by reps. Watching how senior analysts pivot. Reading public IR write-ups. Doing CTFs. There's no shortcut.