The realistic SOC analyst path

Most guides describe the job a SOC analyst wishes they had. Here's the one they actually do.

Published 24 May 2026 · 10 min read · By the POST editor, 20 yrs, helpdesk to security architect
Verdict

The job described in most SOC analyst guides isn't the job most SOC analysts do. Real entry-level SOC work is shift-based, repetitive, heavy on triage and light on the threat-hunting that influencers post about. Most of the people who quit within eighteen months quit because the reality didn't match the marketing. Go in with the real picture and it's a decent first security job. Go in without it and it isn't.

Who this is for

  • People in helpdesk or junior IT seriously considering SOC as the next move, who want to know what the day-to-day actually looks like before committing.
  • Career changers about to spend three to six months on Security+ and a home SIEM lab, wanting to make sure they're aiming at the right target.
  • Students finishing a cyber degree, wondering why "junior threat hunter" jobs don't really exist in any quantity, and what does.

Who it isn't for

  • People already in a SOC. You don't need me explaining the SOC to you. Some of this will read as obvious. The rest will be wrong for your specific employer.
  • Anyone targeting offensive security. The SOC path is the wrong shape for what you want. The Security+ piece has the redirect for that.

The real tradeoff

SOC analyst is the most accessible specialist security role in the UK and most of Europe. That accessibility is exactly the tradeoff. The role is approachable because the work is structured and repeatable, which is what makes it possible to train someone into it in months rather than years. The flip side is that the work is structured and repeatable. For a meaningful chunk of people that's a fine first security job. For others it's a slow grind toward burnout, especially on rotating shifts.

The realistic salary is also lower than the marketing implies. UK L1 SOC ranges are roughly £28k to £38k for the first eighteen months at most MSSPs. In-house enterprise SOCs pay a bit better, £35k to £45k, but compete much harder for candidates and rarely hire pure juniors. The "£60k entry-level cybersecurity" claim is not a SOC claim, and chasing it through the SOC route ends in disappointment.

What the job actually looks like

Most L1 days are 80 percent alert triage and 20 percent everything else. Triage means working through a queue of alerts the SIEM has scored above a threshold, deciding whether each one is a false positive, a benign-but-noisy detection, or a thing worth escalating to L2. The good shifts have a few interesting incidents. The bad shifts have a thousand near-identical phishing reports and a single flaky detection rule firing every four minutes.

The 20 percent that isn't triage is some mix of writing case notes, attending stand-ups, getting trained on a new playbook, tuning a detection that's annoying everyone, and occasionally helping with a real incident. Threat hunting, as a discrete activity, almost never appears on an L1 rota. It exists, it's interesting, and it's roughly a Year Two or Year Three move depending on the team.

Shifts matter a lot more than people expect. A 24/7 SOC means rotas with nights or weekends, or both. Some employers run follow-the-sun models that protect your sleep. Most don't. If you have caring responsibilities, a partner with a fixed schedule, or a body that does badly on shift work, the wrong SOC will quietly cost you a lot. Ask in interviews. Don't take vague answers.

What people get wrong

By miles the biggest mistake: assuming "SOC analyst" means the same thing everywhere. It doesn't. An MSSP L1 role and an in-house enterprise L2 role share a job title and almost nothing else. The MSSP is ticket-volume work across many clients. The in-house role is deep-context work on one estate. Both are valid. They're different careers with the same name. Apply accordingly.

Next: confusing "SOC career" with "any security career." Stay in SOC for ten years and you become a senior SOC engineer or SOC manager. You don't, by default, drift into incident response, forensics, threat intel or detection engineering. Those are separate teams at most employers and you move sideways into them. Plan the sideways move from Year Two, not Year Six.

And the quieter one: thinking the certs you collected before the job carry weight inside it. They don't, much. Once you're in, what counts is whether you can write a clean case note, tune a noisy rule without breaking it, and stay coherent during an actual incident at three in the morning. None of those are on the Security+ syllabus.

The realistic twelve months in

Month one to three is mostly ramp. Learn the SIEM, learn the playbooks, shadow more senior analysts. Imposter syndrome is loud in this period and that's normal.

Month four to nine is the real test. The work is repetitive enough that the people who quit usually quit in this window. The thing to do is start picking up one specific area. A particular detection type, a tool nobody else on the team enjoys touching, an improvement project the L2s keep meaning to do. Quietly become the person who handles it.

Month ten to twelve is when the sideways move starts to look real. Either you've earned the credibility to move toward L2, or you've built enough niche expertise to apply for adjacent roles (detection engineering, IR, threat intel) at other employers. People who haven't done either by month eighteen tend to stall.

The honest alternative

  • GRC analyst. Less shift work, more meetings, similar entry salary, opens different doors. If you preferred the policy parts of Security+ to the technical parts, this is probably the better fit.
  • Sysadmin or cloud support at a security-conscious employer. Less glamorous-sounding, often better-paid, and the lateral move into a security engineering role two years in is genuinely easier than the move out of a junior SOC.
  • MSSP detection engineering apprenticeship or junior role, where they exist. Rarer than they should be, but a much faster on-ramp to the work most SOC analysts actually want to do.

When to walk away from the plan

If shift work is a hard no, walk away. Don't try to negotiate it out. The operating model of a 24/7 SOC won't bend for an individual L1. If the bit of security you actually like is the offensive or the engineering side rather than the operational side, walk away. The SOC is not the back door into those careers, regardless of what LinkedIn says. And if the salary ceiling matters more than the title, GRC and cloud security engineering both pay more for the equivalent years of experience in most UK markets.

Where this connects on POST

The pathways page has the helpdesk-into-SOC lane with the realistic project list. The Security+ page has the structured breakdown alongside the practitioner take. And the Security+ perspective covers why most people misuse the cert as the entire plan.

Authored by

The POST editor. Twenty years in the work. Helpdesk, sysadmin, network, cloud, security engineering, security architecture. POST exists because the advice given to people entering this industry is, on average, dishonest.

Last reviewed 24 May 2026. Career advice without a date is worth what you paid for it.