An Actionable Incident Response Plan Template

A quickstart guide to creating a robust incident response plan – designed specifically for companies with cloud-based deployments.

The SOC Team Roster: Roles & responsibilities

A security operations center (SOC) team is a group of highly skilled professionals responsible for scanning IT environments and identifying and remediating cybersecurity threats and incidents

Wiz Experts Team
7 minutes read

What is a SOC team? 

A security operations center (SOC) team is a group of highly skilled professionals responsible for scanning IT environments and identifying and remediating cybersecurity threats and incidents. An essential cog in an enterprise’s IT ecosystem, SOC teams proactively strengthen a company’s overall security posture, mitigate potent cyber threats, and respond to security incidents. 

According to IBM, enterprises with high-level skills shortages suffered data breach costs of $5.74 million in 2024, 7.1% higher than in 2023. On the other hand, companies with low-level skill shortages faced less expensive data breaches, with an average cost of $3.98 million. This highlights that without a strong SOC team in place, small security threats can become large-scale disasters, with companies potentially suffering millions of dollars in damages.

With a robust SOC team, enterprises can fortify their IT ecosystems from cyberattacks like malware, ransomware, DDoS, and phishing, and continuously address vulnerabilities and misconfigurations that may result in devastating security incidents.

What are the critical functions of a SOC team?

A SOC team handles several key responsibilities within an organization:

  • 24/7 monitoring: SOC teams surveil IT ecosystems, including networks, data, endpoints, identities, and applications, around the clock to identify suspicious activities, indicators of compromise (IoCs), and security threats. 

  • Threat hunting: Using various threat detection technologies and tools, SOC teams proactively hunt for potential risks and address them before they mature into security disasters.

Figure 1: Cloud event monitoring, an effective threat hunting activity
  • Incident triage: By cross-analyzing numerous business-specific contexts, SOC teams triage security incidents and employ a priority-based approach to address them.

  • Incident response: When security incidents occur, SOC teams implement comprehensive incident response plans to contain the incident, limit the blast radius, and fix compromised systems. 

SOC teams need to conduct root cause analysis as a critical part of their investigation to help determine the underlying reasons for a security incident, rather than just addressing the immediate symptoms.
  • Remediation: If security threats mature into cyber incidents, SOC teams act swiftly to restore normalcy to IT ecosystems by, e.g., patching vulnerabilities and misconfigurations, right-sizing overprivileged accounts, securing exposed data, and altering suboptimal security policies. 

  • Proactive optimization: Using insights gathered via cyber forensic processes, SOC teams constantly improve an enterprise’s security posture so similar incidents don’t happen in the future.

Blast radius analysis is a critical component of incident response within a SOC team. This analysis focuses on determining the extent and impact of a security incident across the organization's network and systems.

Who are the core members of a SOC team?

There are numerous roles responsible for realizing the above tasks.

Tier 1 SOC Analyst

Tier 1 analysts are the first line of defense, responsible for initial alert triage and reporting. They monitor security alerts and potential threats, categorizing and escalating issues as needed.

Responsibilities:

  • Collecting and reviewing raw data, alarms, and alerts

  • Determining alert criticality and enriching them with relevant data

  • Identifying false positives and high-risk events

  • Prioritizing alerts according to their criticality

  • Escalating problems to tier 2 analysts when necessary

  • Managing and configuring monitoring tools

Skills:

  • Basic understanding of security concepts and technologies

  • Familiarity with SIEM systems and threat intelligence feeds

  • Strong analytical and problem-solving abilities

  • Excellent communication skills

Potential Certifications:

  • CompTIA Security+

  • GIAC Security Essentials (GSEC)


Tier 2 SOC Analyst (Incident Responder)

Tier 2 analysts handle more complex security incidents and perform in-depth assessments. They review higher-priority incidents escalated by tier 1 analysts and develop strategies for containment and recovery.

Responsibilities:

  • Reviewing and responding to escalated security incidents

  • Conducting in-depth assessments using threat intelligence

  • Understanding attack scope and affected systems

  • Designing and implementing incident containment strategies

  • Transforming raw attack data into actionable threat intelligence

  • Escalating major issues to tier 3 analysts when needed

Skills:

  • Advanced knowledge of security technologies and incident response procedures

  • Strong analytical and problem-solving abilities

  • Proficiency in using various security tools and platforms

  • Excellent communication and teamwork skills

Potential Certifications:

  • Certified Information Systems Security Professional (CISSP)

  • GIAC Certified Incident Handler (GCIH)


Tier 3 SOC Analyst (Threat Hunter)

Tier 3 analysts are the most experienced members of the SOC team, handling major incidents and proactively identifying potential threats. They focus on advanced threat detection and mitigation strategies.

Responsibilities:

  • Handling major incidents escalated from tier 2

  • Performing or supervising vulnerability assessments and penetration tests

  • Proactively identifying potential threats, security gaps, and vulnerabilities

  • Recommending optimizations for security monitoring tools

  • Reviewing critical security alerts and threat intelligence from lower tiers

Skills:

  • Expert-level knowledge of cybersecurity concepts and technologies

  • Advanced threat hunting and forensic analysis capabilities

  • Strong leadership and mentoring abilities

  • Excellent problem-solving and critical thinking skills

Potential Certifications:

  • Certified Information Systems Auditor (CISA)

  • GIAC Security Expert (GSE)


SOC Manager

The SOC Manager oversees the entire SOC team and ensures effective incident management. They are responsible for the overall strategy, performance, and operations of the SOC.

Responsibilities:

  • Managing the SOC team, including hiring, training, and evaluating members

  • Developing and implementing security policies and procedures

  • Coordinating incident response efforts

  • Ensuring compliance with regulatory requirements

  • Reporting on SOC activities and performance to senior management

Skills:

  • Strong leadership and management abilities

  • In-depth knowledge of cybersecurity best practices and technologies

  • Excellent communication and interpersonal skills

  • Strategic thinking and decision-making capabilities

Potential Certifications:

  • Certified Information Security Manager (CISM)

  • GIAC Security Leadership (GSLC)


Security Engineer

Security Engineers maintain and optimize the SOC's security tools and infrastructure. They play a crucial role in implementing and managing the technical aspects of the organization's security posture.

Responsibilities:

  • Maintaining and optimizing security tools and infrastructure

  • Implementing security controls and technologies

  • Conducting security assessments and vulnerability scans

  • Developing and maintaining security documentation

  • Collaborating with other IT teams to ensure security best practices

Skills:

  • Strong technical knowledge of security systems and network infrastructure

  • Proficiency in scripting and automation

  • Familiarity with cloud security and DevSecOps practices

  • Excellent problem-solving and analytical skills

Potential Certifications:

  • Certified Information Systems Security Professional (CISSP)

  • Certified Ethical Hacker (CEH)

What are the benefits of having a SOC team?

The upsides of having a SOC team go beyond their basic functions. From ensuring adherence to regulatory standards to making sure your company is prepared for emerging threats, SOC teams offer numerous high-level benefits. Let's take a look at a few of them.

Robust incident response 

With a strong SOC team, businesses can respond to cyber incidents with confidence. According to The Independent, there were more than 290 million data leaks due to threat actors in 2023, highlighting the immediate need for robust SOC teams and incident response capabilities.

Fewer false positives

While aggressive threat detection and response is an important aspect of cybersecurity, too many false positives can waste precious time and resources. SOC teams cut the rate of false positives so that you can turn your attention to remediating priority risks.

Real-time visibility

Modern IT environments, often comprising diverse cloud services, evolve at unprecedented speeds, making visibility a major challenge. SOC teams, equipped with cutting-edge technologies, can enable 24/7 visibility into complex and ever-changing cloud ecosystems. This helps red-flag security threats at the earliest possible juncture and avoid the fallout of a full-fledged incident. 

Stronger regulatory adherence

Businesses from every sector are under mounting pressure from various supervisory bodies. As compliance becomes more complex than ever, businesses need unparalleled security capabilities. By securing IT environments and mitigating threats, SOC teams can ensure adherence to any compliance framework. 

Enriched security ecosystem

The impacts of an effective SOC team can be widespread. It can nurture a healthy security culture, democratize security practices, improve productivity, boost morale, and help make cybersecurity feel like a shared responsibility rather than a chore. 

Future-proof security

Threat actors are evolving like never before, and you can’t afford to have a stagnant security ecosystem. SOC teams will constantly and proactively improve security tools, practices, and personnel, ensuring that businesses are always one step ahead of adversaries. 

What are the different types of SOC teams? 

Companies can choose between a few different kinds of SOC teams, depending on resources, limitations, and objectives. Sometimes, region- and sector-specific factors may come into consideration. 

Dedicated SOC teams: Consisting exclusively of in-house IT and cybersecurity personnel, this can be an immensely effective option. Unfortunately, many businesses simply can’t afford comprehensive in-house SOC teams. 

Managed SOC teams: These teams comprise personnel from third-party managed security service providers (MSSPs). SOC as a service (SOCaaS), a market expected to be worth $11.4 billion by 2028, is a popular and more affordable option for companies with limited in-house expertise.

Co-managed SOC teams: A blend of the first two models, co-managed SOC teams combine both in-house tools and security teams with external third-party capabilities. By choosing this hybrid model, companies can reap multiple benefits without bleeding resources. 

Global SOC teams: Global SOC teams are made up of numerous dedicated SOC teams that collaborate to tackle large-scale security threats. This orchestration of multiple SOC teams is one of the most comprehensive ways to approach cybersecurity. However, it can be immensely complex and reserved for only multinational enterprises with deep pockets.

A brief look at SOC tools, technologies, and metrics

For SOC teams to function optimally, they require robust tools and technologies. They also need to have pre-established key performance indicators (KPIs) to evaluate performance and efficacy. 

Some important capabilities that can augment SOC teams include:

  • Security information and event management (SIEM)

  • Endpoint detection and response (EDR)

  • Cloud detection and response (CDR) 

Key tools and technologies within these fields include security graphs, runtime sensors, vulnerability scanners, governance platforms, and firewalls. 

Figure 2: Priority-based vulnerability management, a critical responsibility for SOC teams

To evaluate the performance of SOC teams, enterprises must have proper KPIs and metrics in place including:

  • Mean time to detect (MTTD)

  • Mean time to respond (MTTR)

  • False positive rates

  • Alert volumes

  • Remediation speeds 

Businesses may establish other domain-specific KPIs if necessary. 

A few simple best practices to build a winning SOC team

To form the most effective SOC teams, businesses should follow the following recommendations. 

Best Practice Description
Choose the right SOC team modelCompanies must assess their existing security resources, capabilities, and deficiencies to decide between dedicated, managed, co-managed, and global SOC models. Choosing the right SOC team model can provide numerous security advantages both today and into the future.
Prioritize long-term strategies and goalsWhen building a SOC team, businesses must bring their long-term plans to the forefront. Otherwise, they risk investing precious cybersecurity resources to tackle security threats that may not be relevant. By following a long-term security strategy, enterprises can future-proof their SOC teams.
Automate wherever possibleWhile it may seem counterintuitive to discuss automation when building a team of human cybersecurity experts, automation capabilities are a blessing for SOC personnel. Automation and AI tools can sift through vast volumes of data, providing SOC teams with more accurate threat data and freeing them up for more human-centric security activities.
Regularly upskillAn enterprise’s job isn’t over after setting up its SOC team. They must focus on continuously upskilling SOC team members to be one step ahead of evolving threat actors. Simple ways to do this include funding and implementing training programs and participating in threat intelligence ecosystems.
Provide SOC teams with a powerful security platformEnterprises can only unlock the full potential of their SOC teams with a powerful security solution. For companies with cloud-based infrastructure, a unified CNAPP solution with CSPM and CIEM capabilities is a must.

How Wiz can help your SOC team

Wiz empowers SOC teams by providing them with the tools and insights they need to protect their organization's cloud environment from threats. By automating routine tasks and providing clear visibility into potential risks, Wiz helps SOC teams work more efficiently and effectively.

Cloud Visibility and Risk Detection

Wiz offers comprehensive visibility into an organization's entire cloud footprint, helping SOC teams:

  • Identify and map all cloud resources, including VMs, databases, and other assets.

  • Detect misconfigurations, vulnerabilities, and sensitive data exposures across cloud environments.

  • Uncover toxic risk combinations that create open attack paths to critical infrastructure or sensitive data.

This holistic view allows SOC analysts to quickly understand the cloud security landscape and prioritize risks.

Threat Detection and Response

Wiz enhances SOC teams' ability to detect and respond to threats by:

  • Correlating runtime events, cloud audit logs, and Kubernetes events for comprehensive threat detection.

  • Providing real-time detection of anomalous behavior through cloud logs and the Wiz Sensor.

  • Combining multiple risks into single "Wiz Issues" that highlight critical security concerns requiring immediate attention.

Integrations with SIEM and SecOps Tools

Wiz integrates with Security Information and Event Management (SIEM) and Security Operations tools to streamline SOC workflows:

  • Sends Wiz Issues to platforms like Google Security Operations, allowing SOC analysts to view cloud security alerts alongside other security telemetry.

  • Enables correlation of cloud security signals with other IT security signals for a complete security picture.

  • Provides clear context and prioritization for cloud security issues, helping SOC teams understand and remediate problems quickly.

Automated Workflows and Remediation

To improve SOC efficiency, Wiz supports:

  • Automated responses to security issues, including creating tickets and notifying relevant teams.

  • Integration with tools like Jira, Slack, and ServiceNow for streamlined incident management.

  • Automated remediation flows triggered by detected misconfigurations.

Get a demo now to see how Wiz can boost your SOC team today.

Cloud-Native Incident Response

Learn why security operations team rely on Wiz to help them proactively detect and respond to unfolding cloud threats.

Get a demo 

Continue reading

What Is Shadow IT? Causes, Risks, and Examples

Wiz Experts Team

Shadow IT is an employee’s unauthorized use of IT services, applications, and resources that aren’t controlled by—or visible to—an organization’s IT department.

What is API Security?

API security encompasses the strategies, procedures, and solutions employed to defend APIs against threats, vulnerabilities, and unauthorized intrusion.

What is Data Classification?

Wiz Experts Team

In this post, we’ll explore some of the challenges that can complicate cloud data classification, along with the benefits that come with this crucial step—and how a DSPM tool can help make the entire process much simpler.