Who this page is for
This page is for security leaders, IT leadership, SOC newcomers and decision makers weighing in-house operation against a managed service.
What a SOC does
A SOC collects security-relevant data from endpoints, network, cloud and applications, correlates it and assesses anomalies. Confirmed incidents are contained, handed to incident response and reviewed afterwards.
Good SOC operations are not just alert handling. They include detection engineering, threat hunting, tuning and close collaboration with IT and business.
Operating models: in-house, hybrid, managed/MDR
In-house SOC: full control, deep context, but expensive in 24/7 operation.
Hybrid: detection and tooling partly internal, operational triage external. Often a good compromise.
Managed SOC or MDR: detection and first response as a service. Faster start, defined response times. Clear interfaces and sufficient context on the provider side are key.
Roles
Typical roles:
- Tier 1 analyst: triage, initial assessment
- Tier 2 analyst: deeper analysis, escalation
- Tier 3 / threat hunter: proactive hunting, complex incidents
- Detection engineer: develops and maintains use cases
- Incident responder: handles confirmed incidents
- SOC lead: steering, maturity, interfaces
Tooling: SIEM, EDR, SOAR, threat intelligence
SIEM aggregates and correlates logs.
EDR delivers endpoint telemetry and response actions.
SOAR automates recurring steps and playbooks.
Threat intelligence provides context on actors, indicators and behaviours.
All tools are only as good as the data, use cases and people behind them.
Good alert triage
Good triage separates noise from signal:
- Clear categorisation and thresholds
- Context from identity, asset and behaviour
- Linkage with threat intelligence
- Clean escalation under uncertainty
- Documentation for tuning and learning
Common challenges
- Alert fatigue from too many low-value alerts
- False positives and weak data quality
- Incomplete logs and unclear ownership of log sources
- Missing business context, leading to mis-prioritisation
- Scarcity of experienced analysts
Maturity and measurement
Useful KPIs include mean time to detect and respond, false positive rate, coverage against frameworks such as MITRE ATT&CK and the share of automated responses.
Avoid metrics that only measure activity rather than impact.
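The KPIs named above, computed from a small constructed export of closed alerts, as an added Python example (not code from the original page or from any SOC tool). The record layout, the sample timestamps, the use-case-to-technique mapping and the in-scope technique list are assumptions; the ATT&CK technique IDs are real identifiers, but which of them a given SOC has in scope is a decision the example only illustrates. Detection and response times are averaged over true positives only, because speed on noise says nothing about impact, and every function returns None rather than a misleading zero when there is no confirmed incident to measure.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class AlertRecord:
    """One closed alert as it would be exported from a SOC ticketing system (assumed layout)."""
    alert_id: str
    occurred: datetime                     # timestamp of the activity in the source log
    detected: datetime                     # when SIEM/EDR raised the alert
    closed: datetime                       # when the analyst closed the ticket
    verdict: str                           # "true_positive" or "false_positive"
    contained: Optional[datetime] = None   # containment completed (true positives only)
    auto_response: bool = False            # containment carried out by a SOAR playbook


T0 = datetime(2024, 5, 6, 8, 0)   # constructed reference time
M = timedelta(minutes=1)

# Constructed sample export: five closed alerts from one shift (not real data).
SAMPLE_RECORDS: List[AlertRecord] = [
    AlertRecord("A1", T0, T0 + 5 * M, T0 + 120 * M, "true_positive",
                contained=T0 + 50 * M, auto_response=True),
    AlertRecord("A2", T0 + 60 * M, T0 + 75 * M, T0 + 180 * M, "false_positive"),
    AlertRecord("A3", T0 + 120 * M, T0 + 155 * M, T0 + 360 * M, "true_positive",
                contained=T0 + 245 * M),
    AlertRecord("A4", T0 + 180 * M, T0 + 182 * M, T0 + 210 * M, "false_positive"),
    AlertRecord("A5", T0 + 300 * M, T0 + 320 * M, T0 + 400 * M, "true_positive",
                contained=T0 + 335 * M, auto_response=True),
]

# Constructed use-case inventory. Technique IDs are real ATT&CK IDs; the mapping
# and the in-scope list are assumptions for this example.
USE_CASES: Dict[str, Set[str]] = {
    "UC-01 suspicious OAuth consent": {"T1528"},   # Steal Application Access Token
    "UC-02 password spray": {"T1110"},             # Brute Force
    "UC-03 phishing link click": {"T1566"},        # Phishing
}
IN_SCOPE_TECHNIQUES: Set[str] = {"T1528", "T1110", "T1566", "T1078", "T1059"}


def _minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60


def true_positives(records: List[AlertRecord]) -> List[AlertRecord]:
    return [r for r in records if r.verdict == "true_positive"]


def mean_time_to_detect(records: List[AlertRecord]) -> Optional[float]:
    """Minutes from activity to alert, averaged over confirmed incidents only."""
    tps = true_positives(records)
    if not tps:
        return None
    return sum(_minutes(r.occurred, r.detected) for r in tps) / len(tps)


def mean_time_to_respond(records: List[AlertRecord]) -> Optional[float]:
    """Minutes from alert to completed containment, over incidents that were contained."""
    tps = [r for r in true_positives(records) if r.contained is not None]
    if not tps:
        return None
    return sum(_minutes(r.detected, r.contained) for r in tps) / len(tps)


def false_positive_rate(records: List[AlertRecord]) -> Optional[float]:
    """Share of closed alerts that turned out to be noise; the main input for tuning."""
    if not records:
        return None
    return sum(1 for r in records if r.verdict == "false_positive") / len(records)


def automated_response_share(records: List[AlertRecord]) -> Optional[float]:
    """Share of confirmed incidents where a SOAR playbook carried out containment."""
    tps = true_positives(records)
    if not tps:
        return None
    return sum(1 for r in tps if r.auto_response) / len(tps)


def attack_coverage(use_cases: Dict[str, Set[str]], in_scope: Set[str]) -> float:
    """Share of in-scope ATT&CK techniques with at least one detection use case."""
    if not in_scope:
        return 0.0
    covered = set().union(*use_cases.values()) & in_scope
    return len(covered) / len(in_scope)


def kpi_summary(records: List[AlertRecord], use_cases: Dict[str, Set[str]],
                in_scope: Set[str]) -> Dict[str, Optional[float]]:
    """Impact-oriented KPIs. Note what is absent: 'alerts closed per analyst' is the
    activity metric the page warns against, so it is deliberately not reported here."""
    return {
        "mttd_minutes": mean_time_to_detect(records),
        "mttr_minutes": mean_time_to_respond(records),
        "false_positive_rate": false_positive_rate(records),
        "automated_response_share": automated_response_share(records),
        "attack_coverage": attack_coverage(use_cases, in_scope),
    }


if __name__ == "__main__":
    for name, value in kpi_summary(SAMPLE_RECORDS, USE_CASES, IN_SCOPE_TECHNIQUES).items():
        print(f"{name}: {value}")
```

On the sample data this reports a mean time to detect of 20 minutes, a mean time to respond of 50 minutes, a false positive rate of 40 %, automated containment in two of three incidents and coverage of three of the five in-scope techniques. The uncovered techniques (here T1078 and T1059) are the list a detection engineer would work from next.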
Practical scenario
A SOC detects a suspicious OAuth consent in Microsoft 365. A SOAR playbook collects context, Tier 2 confirms it is malicious, incident response disables the account, revokes tokens and informs the affected department. Lessons learned lead to an additional detection use case.
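The triage rules listed under "Good alert triage" and the consent scenario above, combined in one added Python example (not code from the original page and not any vendor's playbook). It models the enrichment step of the SOAR playbook: an OAuth consent alert already joined with identity context, app reputation and a threat-intelligence list is scored against explicit rules, and the result carries the reasons that fed the score so tuning and lessons learned have something to work from. The scope names are real Microsoft Graph permission names, but the weights, thresholds, the placeholder threat-intel entry and the three sample alerts are assumptions; the playbook only prioritises, and the Tier 2 confirmation and the response actions from the scenario remain human decisions outside this code.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Delegated Graph permissions that grant broad access to mail, files or the directory.
# The names are real permission names; the weights are an assumption for this example
# and would be tuned against the tenant's own consent history.
SCOPE_WEIGHTS: Dict[str, int] = {
    "Mail.ReadWrite": 3,
    "Mail.Send": 3,
    "Files.ReadWrite.All": 3,
    "Directory.ReadWrite.All": 4,
    "offline_access": 1,   # refresh token: access survives a password reset
}

SIGNIN_RISK_WEIGHTS: Dict[str, int] = {"none": 0, "low": 1, "medium": 3, "high": 5}

# Constructed threat-intelligence list of application IDs; the entry is a placeholder.
KNOWN_BAD_APP_IDS = {"PLACEHOLDER-APP-ID-FROM-TI-FEED"}


@dataclass
class ConsentAlert:
    """A 'consent to application' alert after enrichment from identity, app and TI sources."""
    alert_id: str
    user: str
    department: str
    user_privileged: bool          # identity context: user holds an admin role
    app_name: str
    app_id: str
    publisher_verified: bool
    tenant_first_seen_days: int    # days since this app was first consented in the tenant (0 = today)
    scopes: List[str]
    consent_type: str              # "user" or "admin"
    signin_risk: Optional[str]     # identity-protection risk level; None if enrichment failed


@dataclass
class TriageResult:
    alert_id: str
    score: int
    escalate: bool
    priority: str                  # "low" | "medium" | "high"
    reasons: List[str] = field(default_factory=list)   # documented for tuning and learning


def triage_consent(alert: ConsentAlert) -> TriageResult:
    score = 0
    reasons: List[str] = []

    # Linkage with threat intelligence
    if alert.app_id in KNOWN_BAD_APP_IDS:
        score += 10
        reasons.append("application ID on threat-intelligence list")

    # Behavioural context: novelty in the tenant and publisher trust
    if alert.tenant_first_seen_days == 0:
        score += 3
        reasons.append("first consent to this application in the tenant")
    if not alert.publisher_verified:
        score += 2
        reasons.append("publisher not verified")

    # Requested permissions
    for scope in alert.scopes:
        weight = SCOPE_WEIGHTS.get(scope, 0)
        if weight:
            score += weight
            reasons.append(f"high-impact scope {scope}")

    # Identity context
    if alert.user_privileged:
        score += 3
        reasons.append("consenting user holds a privileged role")
    if alert.consent_type == "admin":
        score += 2
        reasons.append("admin consent applies tenant-wide")

    # Clean escalation under uncertainty: missing context is never treated as safe.
    uncertain = alert.signin_risk is None
    if uncertain:
        reasons.append("incomplete context: sign-in risk unavailable")
    else:
        risk = SIGNIN_RISK_WEIGHTS.get(alert.signin_risk, 0)
        if risk:
            score += risk
            reasons.append(f"user sign-in risk {alert.signin_risk}")

    # Thresholds are an assumption; they are the knobs adjusted in regular tuning.
    if score >= 10:
        return TriageResult(alert.alert_id, score, True, "high", reasons)
    if score >= 4 or uncertain:
        return TriageResult(alert.alert_id, score, True, "medium", reasons)
    reasons.append("below threshold: closed with rationale recorded")
    return TriageResult(alert.alert_id, score, False, "low", reasons)


def triage_queue(alerts: List[ConsentAlert]) -> Dict[str, int]:
    """Count of alerts per priority, the view a Tier 1 analyst works from."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for alert in alerts:
        counts[triage_consent(alert).priority] += 1
    return counts


# Constructed sample alerts (not real tenant data).
SCENARIO = ConsentAlert("C-1001", "j.doe", "Finance", False, "Mail Sync Helper", "constructed-app-id-1",
                        False, 0, ["Mail.ReadWrite", "Mail.Send", "offline_access"], "user", "medium")
BENIGN = ConsentAlert("C-1002", "a.smith", "Sales", False, "Expense Tracker", "constructed-app-id-2",
                      True, 400, ["User.Read"], "user", "none")
UNCERTAIN = ConsentAlert("C-1003", "m.lee", "HR", False, "Survey Tool", "constructed-app-id-3",
                         True, 30, ["User.Read"], "user", None)

if __name__ == "__main__":
    for sample in (SCENARIO, BENIGN, UNCERTAIN):
        result = triage_consent(sample)
        print(result.alert_id, result.priority, result.score, "; ".join(result.reasons))
```

The scenario alert scores 15 (new unverified app, mail read/write and send, persistent refresh token, user already at medium sign-in risk) and lands in the high queue for Tier 2; the long-established verified app with a read-only scope closes automatically with its rationale recorded; the alert whose identity enrichment failed is escalated at medium priority even though nothing scored, which is the point of the "clean escalation under uncertainty" rule.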
Checklist
- Clear target picture and maturity assessment
- Defined use cases with business context
- Important log sources fully onboarded
- Documented playbooks for top risks
- Detection engineering as a dedicated role
- Regular tuning against false positives
- Interfaces to IT, legal and communications defined
- Meaningful KPIs rather than pure activity metrics
Frequently asked questions
In-house or managed?
Managed lowers entry barriers and delivers value faster. In-house keeps more context. Hybrid models combine both.
How is SOC quality measured?
Detection rate, mean time to detect and respond, false positive rate and coverage against frameworks such as MITRE ATT&CK.
Do we need 24/7?
For critical functions, yes. A managed 24/7 service is often more efficient than full in-house cover.