Career roadmap

SOC Analyst

How to become a SOC Analyst (Security Operations Centre) in the UK — from £28k Tier 1 in an MSSP to £75k Detection Engineer in scale-up tech.

Year-by-year milestones

  1. Year 0 (entry)Tier 1 SOC Analyst£26k–£34k

    Monitor SIEM, triage low-severity alerts against playbooks, escalate to Tier 2.

  2. Year 1–2Tier 2 SOC Analyst£35k–£50k

    Investigate complex incidents, write detection rules (KQL, Sigma, Splunk SPL), own threat hunts.

  3. Year 2–4Tier 3 / Detection Engineer£55k–£80k

    Build detection content, tune SIEM, run purple-team exercises, mentor Tier 1/2.

  4. Year 4+SOC Lead / Incident Response Manager£80k–£110k

    Own the SOC operating model, vendor relationships, SOC shift rotation, IR runbooks.

SOC Analysts triage security alerts, hunt threats, and respond to incidents. The role is the most common entry point into hands-on cyber and the foundation for detection engineering, incident response, and threat intelligence specialisations. ## Career milestones ### Year 0 (entry) — Tier 1 SOC Analyst _Salary: £26k–£34k_ Monitor SIEM, triage low-severity alerts against playbooks, escalate to Tier 2. ### Year 1–2 — Tier 2 SOC Analyst _Salary: £35k–£50k_ Investigate complex incidents, write detection rules (KQL, Sigma, Splunk SPL), own threat hunts. ### Year 2–4 — Tier 3 / Detection Engineer _Salary: £55k–£80k_ Build detection content, tune SIEM, run purple-team exercises, mentor Tier 1/2. ### Year 4+ — SOC Lead / Incident Response Manager _Salary: £80k–£110k_ Own the SOC operating model, vendor relationships, SOC shift rotation, IR runbooks. ## Core skills - SIEM (Splunk, Sentinel, Elastic, QRadar) - EDR (CrowdStrike, Defender XDR, SentinelOne) - KQL / Splunk SPL / Sigma rule authoring - MITRE ATT&CK fluency - Windows + Linux event log analysis - Network forensics (Wireshark, Zeek) - Python or PowerShell scripting - Incident response lifecycle (NIST 800-61r2) ## Recommended certifications - `security-plus` - `azure-security` - `aws-security` ## First 90 days in the role Master your SIEM and EDR consoles. Read every closed incident from the last 6 months — that is your fastest path to recognising what 'normal' looks like. Build a personal 'detection ideas' notebook from the day you start. ## Common pitfalls Staying stuck in Tier 1 for >18 months. The escape velocity is detection authoring — pick a MITRE technique per week, build a Sigma rule, and propose it to your SOC lead. By month 6 you should have 10 rules in production with your name on them.

Frequently asked questions

Do I need a degree to be a SOC analyst?

No. UK MSSPs (NTT, BT, Orange, Quorum Cyber) hire on Security+, home lab, and a coherent CV story. Apprenticeship routes also strong.

How do I get my first SOC job with no experience?

Build a home SIEM (free Sentinel tenant + Atomic Red Team), publish 3–5 detection write-ups on Medium/GitHub, and apply to MSSP graduate schemes. Conversion rate from MSSP > in-house is high.

Is SOC work shift-based?

Most 24/7 SOCs (MSSP, banks) yes — typical 4-on-4-off rotations. Smaller in-house SOCs often run 9-6 with on-call.

What is the SOC analyst to detection engineer jump?

Roughly 18–30 months of consistent detection authoring. Most detection engineers came from Tier 2/3 SOC.

Map your own roadmap

Get a personal gap report, AI Career Twin and practice keyed to your target band.

Start free
// related