Cybersecurity & IT

Skill areas

Cybersecurity & IT

SOC Analyst

A Security Operations Centre (SOC) Analyst is responsible for the continuous monitoring, detection, and response to cybersecurity threats across an organisation's infrastructure. Working within a SOC — which may operate 24/7 — analysts triage security alerts, investigate incidents, contain threats, and document findings. They work with SIEM platforms, endpoint detection tools, network monitoring systems, and threat intelligence feeds to identify and respond to attacks in real time. SOC Analysts are typically tiered (L1, L2, L3) by experience and responsibility. L1 analysts handle initial alert triage; L2 analysts conduct deeper investigation and correlation; L3 analysts lead complex incident response and may contribute to threat hunting. The role demands strong technical knowledge of networks, operating systems, and attacker techniques, as well as the ability to work calmly under pressure during active incidents.

Career information

Everything you need to know about this role

Salary, eligibility, background, qualifications, and where people typically work.

Expected salary range

£25,000–£40,000 (L1/L2, UK). L3 and senior SOC roles £40,000–£65,000+. MSSP roles often include shift allowances.

Eligibility limits

Right to work in the UK required. Many SOC roles — particularly in government, defence, and critical infrastructure — require Security Clearance (SC) or Developed Vetting (DV). SC eligibility typically requires 5 years UK residency; DV requires 10 years. DBS checks are standard. Shift work (including nights and weekends) is common in 24/7 SOC environments. No formal licence required for commercial roles.

Understand eligibility rules →

History and context

Security Operations Centres became standard practice in large enterprises and government agencies through the 2000s, modelled on military command-and-control structures. The surge in organised cybercrime, ransomware-as-a-service, and nation-state attacks through the 2010s and 2020s made the SOC model essential for any organisation with significant digital assets. The role of SOC Analyst formalised alongside the growth of SIEM technology — platforms like Splunk, IBM QRadar, and Microsoft Sentinel created a new category of security professional trained in log analysis and alert management. In the UK, the National Cyber Security Centre (NCSC) has driven adoption of SOC capabilities across government and critical national infrastructure. Commercial SOC services (MSSPs) have also created significant demand for analysts who can work across multiple client environments. Automation and AI are changing the SOC landscape — reducing low-level alert fatigue and shifting analyst focus toward higher-complexity investigation.

Typical qualifications

Common paths: cyber or IT degree, industry certs (e.g. CompTIA Security+, CySA+, vendor SIEM training), and hands-on labs or internships. Employers value log literacy, calm communication, and strict chain-of-custody habits.

View qualification guide →

Career path3 sample paths

Where this role can take you

Realistic progression routes, linked roles, and typical UK timelines for your next move.

Overview

SOC analysts monitor, detect, and respond to security events—often on rotating shifts in MSSPs, banks, or critical infrastructure. Progression leads to senior SOC, threat hunting, detection engineering, or security management. In financial services, lateral moves into fraud or risk are realistic when you understand transaction abuse and control frameworks. Security analyst roles are projected to grow roughly 29% through 2034 in the US alone — nearly three times the average for all occupations.

Progression opportunities

Tier-1 SOC work emphasises alert triage and playbooks; tier-2 and senior roles add investigation depth, threat intelligence, and tuning. Many leave shift work for detection engineering, DFIR consultancies, or cyber risk in second line. Fraud analyst roles value SOC experience with account takeover and mule patterns; risk analyst roles value incident metrics and control failings. Burnout is a real factor—plan rotations, upskilling, or internal moves every 2–3 years if nights are affecting health.

Typical timelines

Allow 18–24 months per SOC tier in the UK; senior SOC or team lead often sits at 4–6 years from junior cyber entry. GIAC GCIA/GCIH or equivalent vendor training helps; managers look for incident write-ups and mean-time-to-triage improvements. Certifications alone rarely skip tiers—demonstrate one complex incident you led across IT, HR, and legal before applying up.

Interview prep10 questions

Practise the questions you'll actually get asked

Study the most common interview questions for this role, with structured guidance and strong sample answers.

Common interview questions

Answer guidance, sample responses, and tips for each question.

Ranked by how often this question appears across real interviews.

Question 1 · #1
OpeningEasy
Tell me about yourself.
openingsocintroduction
Why they ask
SOC teams hire for shift reliability and communication; this opener shows your path into security operations.
What they want
Relevant background, labs, certifications, and why SOC fits your skills and interests.
How to structure your answer
1. Current learning and experience
2. SOC-relevant skills (logs, networking, discipline)
3. Why this SOC role
4. Brief and structured
Sample answer
I am an IT support graduate who has spent the last year preparing for security operations through Security+ study, TryHackMe SOC learning paths, and a home lab where I ingest sample logs into a free SIEM trial. I worked on a university helpdesk logging malware and phishing tickets and escalating to IT security. I am disciplined, calm under pressure, and comfortable with shift patterns. I enjoy investigating alerts and documenting findings clearly. I am applying to your SOC because I want to grow from alert triage into skilled incident response while protecting your customers and infrastructure twenty-four seven.
Common mistakes
- Offensive-only hacking persona with no monitoring interest
- No mention of documentation or shifts
- Overclaiming senior IR experience
Bonus tips
- Mention comfort with repetitive high-stakes work
- Reference a specific log source you have practised with
- Show teamwork mindset for handovers
Question 2 · #2
MotivationEasy
Why do you want to work in a SOC?
motivationsocdefensive-security
Why they ask
SOC work is demanding; they need genuine interest in monitoring, investigation, and continuous learning.
What they want
Motivation for defensive operations, teamwork on shifts, and realistic view of alert queues.
How to structure your answer
1. What excites you about SOC work
2. Skills you bring
3. How you handle pressure and learning
4. Career growth interest
Sample answer
I want to work in a SOC because it is the front line of defence where analysis directly reduces harm. I like combining pattern recognition, structured procedures, and collaboration under time pressure. SOC work suits my detail-oriented nature and my willingness to document cases thoroughly for handover. I understand junior roles involve high alert volumes and false positives, and I see that as training to become a sharper analyst. Long term I aim to specialise in detection engineering or incident response, and this SOC offers the scale and mentorship to grow responsibly.
Common mistakes
- Expecting only exciting APT hunts daily
- Dismissing shift work or ticketing
- No defensive security framing
Bonus tips
- Ask about tier structure and mentoring
- Mention interest in purple teaming if genuine
- Show respect for process and playbooks
Question 3 · #3
TechnicalEasy
What is a SIEM tool?
siemloggingsoc-tools
Why they ask
SIEM is central to SOC workflows; you must explain its purpose even if you have limited hands-on time.
What they want
Definition, log aggregation, correlation, alerting, and analyst investigation role.
How to structure your answer
1. Define SIEM in plain language
2. What data it collects
3. How alerts are created
4. Analyst workflow on alerts
Sample answer
A SIEM—Security Information and Event Management tool—collects and normalises logs from sources such as firewalls, endpoints, cloud services, and identity systems into one searchable platform. It correlates events to detect suspicious patterns, for example many failed logins followed by a successful one from a new country. It generates alerts for analysts to triage, investigate, and escalate. Examples include Splunk, Microsoft Sentinel, and Elastic SIEM. As a SOC analyst I would use the SIEM to query timelines, tune false positives with senior staff, and document cases while following playbooks.
Common mistakes
- Naming SIEM as only antivirus
- No mention of logs or investigation
- Claiming SIEM replaces human analysts entirely
Bonus tips
- Mention a lab or trial where you ran a simple search
- Note compliance and retention if relevant
- Differentiate SIEM from SOAR briefly if you know it
Question 4 · #4
SituationalMedium
How would you investigate a phishing alert?
phishingtriageinvestigation
Why they ask
Phishing alerts are daily SOC bread and butter; they test structured triage and evidence gathering.
What they want
Validate alert, examine email headers and URLs safely, check user actions, contain, and document.
How to structure your answer
1. Confirm alert details and affected user
2. Analyse email indicators in sandboxed tools
3. Check clicks, credentials, or mailbox rules
4. Containment and user communication
5. Close with lessons and blocks
Sample answer
I would open the ticket and confirm the alert source—email gateway, user report, or SIEM rule. I would review headers, sender, URLs, and attachments using approved sandbox or OSINT tools without clicking live links on my own machine. I would check whether the user clicked, submitted credentials, or had mailbox rules added. If malicious I would follow playbook: isolate endpoint if needed, force password reset and MFA review, quarantine messages organisation-wide, and block indicators on proxy or email filters. I would notify the user with guidance, document IOCs and timeline, and escalate if widespread or BEC suspected.
Common mistakes
- Clicking links on production analyst workstation carelessly
- Closing ticket without user impact check
- Skipping organisation-wide search for same campaign
Bonus tips
- Mention BEC and executive targeting awareness
- Reference headers like SPF/DKIM at high level if asked
- Show chain-of-custody mindset for evidence
Question 5 · #5
TechnicalEasy
Difference between a false positive and true positive?
detectionalertssoc-fundamentals
Why they ask
Alert tuning and analyst judgement depend on understanding detection accuracy terminology.
What they want
Clear definitions, examples, and how false positives affect SOC workload and tuning.
How to structure your answer
1. Define true positive with example
2. Define false positive with example
3. Mention false negative briefly
4. How SOC manages trade-offs
Sample answer
A true positive is when an alert correctly identifies malicious or policy-violating activity—such as malware beaconing that we confirm and contain. A false positive is when the alert fires but investigation shows benign behaviour—like a vulnerability scanner triggering an exploit signature. False positives consume analyst time and can cause alert fatigue, so teams tune rules, enrich context, and prioritise high-fidelity detections. False negatives—real attacks missed—are more dangerous, so balance matters. I would document false positives with evidence to help detection engineers improve rules without silencing real threats.
Common mistakes
- Confusing false positive with false negative
- Saying all alerts should be ignored
- No link to tuning or documentation
Bonus tips
- Mention precision and recall conceptually if comfortable
- Give an example from a lab SIEM rule
- Show patience with tuning as a team sport
Question 6 · #6
SituationalMedium
What steps would you take during incident triage?
triageincident-responsesoc
Why they ask
Triage speed and quality determine whether incidents escalate correctly before damage spreads.
What they want
Prioritise, validate, gather context, contain if needed, escalate, document—following playbooks.
How to structure your answer
1. Assess severity and scope
2. Validate maliciousness
3. Gather key artefacts and timeline
4. Contain or escalate per playbook
5. Communicate and document
Sample answer
During triage I would classify severity using our matrix—considering asset criticality, data sensitivity, and active exploitation. I would validate whether the alert is a true positive using SIEM queries, endpoint data, and identity logs. I would build a short timeline: first seen, affected hosts and accounts, related IOCs. If active threat I would initiate containment steps I am authorised for—disable account, isolate host—while notifying the incident lead. I would preserve evidence, avoid destructive actions beyond playbook, and hand off a clear ticket summary. Throughout I would communicate status to the shift lead and update runbooks if gaps appear.
Common mistakes
- Deep-diving for hours without escalation on critical incidents
- Deleting logs during triage
- Working outside authorised actions
Bonus tips
- Mention MITRE tactics for structuring questions
- Practice writing executive one-liners for escalations
- Ask about severity matrix in the interview
Question 7 · #7
TechnicalMedium
Explain the difference between IDS and IPS.
idsipsnetwork-security
Why they ask
Network security basics help analysts understand alerts from perimeter tools and their limitations.
What they want
IDS detects and alerts; IPS can block inline; trade-offs with false positives and latency.
How to structure your answer
1. Define IDS and mode (passive monitoring)
2. Define IPS and inline blocking
3. Compare benefits and risks
4. SOC relevance for alerts
Sample answer
An Intrusion Detection System monitors network traffic or hosts and alerts on suspicious patterns but does not block traffic by default—it is typically out-of-band or passive. An Intrusion Prevention System sits inline and can automatically block or reset connections when rules match, which speeds response but risks disrupting business if rules are wrong. Both use signatures or behavioural analytics. SOC analysts may see IPS blocks as tickets requiring validation. Understanding the difference helps me interpret whether an event was merely observed or already prevented, and whether tuning is needed.
Common mistakes
- Saying IDS and IPS are identical
- Ignoring false positive impact on IPS
- Confusing with firewall only
Bonus tips
- Mention host-based IDS (HIDS) vs network (NIDS) if asked
- Relate to a lab packet capture exercise
- Note defence in depth—IPS is one layer
Question 8 · #8
SituationalHard
What would you do if you saw unusual outbound traffic?
networkexfiltrationinvestigation
Why they ask
Outbound anomalies may indicate C2 or data exfiltration; this tests prioritisation and investigation depth.
What they want
Validate baseline, identify host and process, contain if malicious, escalate, preserve evidence.
How to structure your answer
1. Confirm anomaly against baseline
2. Identify source host, user, and destination
3. Check threat intelligence and reputation
4. Contain and escalate per severity
5. Document IOCs and scope
Sample answer
I would verify the alert against normal baselines—backups, updates, or SaaS APIs can look unusual but be benign. I would identify the source IP, hostname, user, process if EDR available, destination IP or domain, volume, and timing. I would check threat intelligence and whether other hosts communicate similarly. If indicators suggest command-and-control or exfiltration I would escalate immediately and follow containment playbook such as isolating the host and blocking domains at the firewall pending senior approval. I would preserve logs, avoid rebooting prematurely, and scope lateral movement. I would document findings for handover and longer-term detection improvements.
Common mistakes
- Blocking without validation or approval
- Ignoring legitimate cloud service traffic
- Failing to scope other affected systems
Bonus tips
- Mention DNS and HTTPS beaconing awareness
- Ask what EDR and NetFlow tools the SOC uses
- Practice articulating urgency without panic
Question 9 · #9
BehaviouralMedium
What security labs or home projects have you completed?
labsprojectshands-on
Why they ask
Practical projects demonstrate initiative beyond certifications for entry-level SOC candidates.
What they want
Specific labs, what you learned, and how they map to SOC tasks—not vague interest.
How to structure your answer
1. Name platform or lab setup
2. What you built or practised
3. Skills gained relevant to SOC
4. What you plan next
Sample answer
I built a home lab with VirtualBox hosting a Windows client, Linux syslog server, and a Splunk free instance ingesting authentication and firewall sample logs. I practised writing searches for failed logins and created a simple detection that emails when thresholds exceed normal. On TryHackMe I completed the SOC Level 1 path covering phishing analysis, log investigation, and basic malware triage in isolated environments. I also documented each exercise in a personal wiki to reinforce learning. Next I plan to practise Sigma rules and connect a trial Sentinel workspace. These projects taught me patient log analysis and clear case notes.
Common mistakes
- Illegal activities presented as projects
- Vague I play with computers answer
- No link to monitoring or investigation skills
Bonus tips
- Offer to screen-share a sanitized notebook
- Quantify hours or modules completed
- Mention collaboration in CTF teams if applicable
Question 10 · #10
ClosingEasy
How do you stay updated on cybersecurity threats?
threat-intellearningclosing
Why they ask
SOC analysts must evolve with threat actors; continuous learning is non-negotiable on shifts.
What they want
Credible sources, routine, and application to detections or awareness—not passive scrolling.
How to structure your answer
1. Trusted intelligence sources
2. Regular learning habit
3. Sharing with team appropriately
4. Ongoing certifications or community
Sample answer
I maintain a weekly routine reading NCSC, CISA advisories, and vendor bulletins for technologies in my lab. I follow ATT&CK techniques to understand how detections map to behaviours. When a major CVE breaks, I read mitigation guidance and test understanding in my home lab if safe. I take notes on campaigns relevant to common sectors such as finance or SaaS. I plan to contribute concise threat summaries during shift handover when appropriate. I am studying Security+ and intend to pursue SOC-specific training as my role develops. Staying current helps me triage faster and ask better questions during incidents.
Common mistakes
- Only social media memes
- No operational link to work
- Claiming expertise after one article
Bonus tips
- Mention threat intel platforms the employer uses if known
- Show discipline to verify rumours
- Close with enthusiasm for the SOC mission

Back to Cybersecurity & IT or all industries.

History and context

Question 8 · #8

SituationalHard

What would you do if you saw unusual outbound traffic?

networkexfiltrationinvestigation

Why they ask

Outbound anomalies may indicate C2 or data exfiltration; this tests prioritisation and investigation depth.

What they want

Validate baseline, identify host and process, contain if malicious, escalate, preserve evidence.

How to structure your answer

Confirm anomaly against baseline
Identify source host, user, and destination
Check threat intelligence and reputation
Contain and escalate per severity
Document IOCs and scope

Sample answer

I would verify the alert against normal baselines—backups, updates, or SaaS APIs can look unusual but be benign. I would identify the source IP, hostname, user, process if EDR available, destination IP or domain, volume, and timing. I would check threat intelligence and whether other hosts communicate similarly. If indicators suggest command-and-control or exfiltration I would escalate immediately and follow containment playbook such as isolating the host and blocking domains at the firewall pending senior approval. I would preserve logs, avoid rebooting prematurely, and scope lateral movement. I would document findings for handover and longer-term detection improvements.

Common mistakes

Blocking without validation or approval
Ignoring legitimate cloud service traffic
Failing to scope other affected systems

Bonus tips

Mention DNS and HTTPS beaconing awareness
Ask what EDR and NetFlow tools the SOC uses
Practice articulating urgency without panic

Expected salary range

Eligibility limits

History and context

Typical qualifications

Overview

Progression opportunities

Typical timelines

Tell me about yourself.

Why do you want to work in a SOC?

What is a SIEM tool?

How would you investigate a phishing alert?

Difference between a false positive and true positive?

What steps would you take during incident triage?

Explain the difference between IDS and IPS.

What would you do if you saw unusual outbound traffic?

What security labs or home projects have you completed?

How do you stay updated on cybersecurity threats?

Expected salary range

Eligibility limits

History and context

Typical qualifications

Overview

Progression opportunities

Typical timelines

Tell me about yourself.

Why do you want to work in a SOC?

What is a SIEM tool?

How would you investigate a phishing alert?

Difference between a false positive and true positive?

What steps would you take during incident triage?

Explain the difference between IDS and IPS.

What would you do if you saw unusual outbound traffic?

What security labs or home projects have you completed?

How do you stay updated on cybersecurity threats?

Major employers

Why this path matters now

Sample career paths

Classic SOC track

Financial services fraud pivot

Cyber risk and governance

Related roles in this library

Career tips