SIEM, EDR, and threat-hunting specialists for 24x7 SOCs across regulated industries and managed detection providers.
A Security Operations Center (SOC) Analyst is the human in the loop on the security alerting pipeline. Modern SOCs ingest hundreds of millions of events per day from endpoints, networks, identity systems, and cloud workloads; the SIEM and SOAR layer correlates and prioritises that volume into a smaller flow of alerts, but the analyst is still the role that determines what is real, what is noise, what is benign, and what is an incident. The work is split across three commonly recognised tiers, each with its own skill profile.
The tooling landscape has consolidated meaningfully since 2022. Most SOCs run one primary SIEM and one primary EDR, with peripheral tooling for cloud workload protection, network detection, and SOAR orchestration. Our bench tracks the dominant platforms.
| Capability | Primary use | Dominant platforms | Bench depth |
|---|---|---|---|
| SIEM | Event collection + correlation | Splunk ES, Sentinel, Chronicle, Elastic | Largest specialism |
| EDR / XDR | Endpoint detection + response | CrowdStrike, SentinelOne, Defender, Cortex XDR | Mid-sized |
| SOAR | Playbook automation | Splunk SOAR, XSOAR, Tines, Sentinel Logic Apps | Specialist |
| NDR | Network detection | Darktrace, ExtraHop, Vectra | Smaller |
We staff SOC analysts across contract, direct hire, and managed-SOC-augmentation models. The dominant engagement shape is contract for 24x7 coverage rotations — typically six to twelve months with extension options. Direct hire is more common for Tier 3 threat hunters and SOC managers where the client wants permanent leadership headcount.
For organisations building or expanding an in-house SOC, we often staff a mixed-tier team: one Tier 3 lead, two Tier 2 investigators, and four to six Tier 1 triage analysts to cover 24x7 rotation. The blend matches the alert volume and shift-pattern requirements specific to the client's environment.
Our IAM Engineer and IAM Architect placement pages cover the role-shape and seniority blend that pair with SOC engagements when identity events are a primary alert source.
The technical tooling for SOC work has commoditised faster than the human investigation reasoning. SIEM queries are searchable, detection content is downloadable, and most playbooks are publicly documented. The differentiator between an effective analyst and a mediocre one is the reasoning chain that turns an alert into a triage decision: which signals to weight, what context to gather, which escalation criteria apply, when to declare an incident. This reasoning is built through repetition under varied real-world conditions, and our screening explicitly tests it through investigation walkthroughs rather than tool-syntax exams.
Detection engineering — the discipline of writing, tuning, and managing the corpus of SIEM detection content — has emerged as a distinct specialism within senior SOC work since 2022. The discipline differs meaningfully from analyst work: detection engineers spend most of their time writing and tuning detection logic, building enrichment pipelines, validating detections through purple-team testing, and managing the false-positive-to-true-positive ratio across hundreds of active detections. The skill set overlaps with Tier 3 analyst skills but emphasises engineering rigour over investigation reasoning.
We staff detection engineers as a separate sub-track within our SOC bench, typically for engagements where the client wants to materially improve their detection coverage rather than simply expand analyst headcount. Detection engineering engagements typically run twelve to eighteen months and benefit from explicit success metrics: coverage of MITRE ATT&CK techniques, mean time to detection, and false-positive rate trends.
Most enterprise SOC programmes pass through recognisable maturity stages. Early-stage SOCs run primarily on Tier 1 triage with manual investigation, limited detection content beyond vendor-shipped defaults, and ad-hoc threat hunting. Mid-stage SOCs add detection engineering capability, structured threat intelligence consumption, and formalised incident response handoff procedures. Mature SOCs run continuous detection improvement, integrated threat hunting, and SOAR-driven investigation automation. The investment to move between stages is significant, typically twelve to eighteen months of focused programme work, but the operational difference between mid-stage and mature SOCs shows up in measurable detection coverage and response speed.