
Security Operations Analyst

Triage in Sentinel, run playbooks, investigate XDR incidents. Tier-2 SOC for Microsoft estates.

The verdict

The natural mid-tier seat between SOC analyst and detection engineer. Take it if you've earned it, don't take it as a sideways move from helpdesk.

Pick this if
  • You've done at least eighteen months of solid SOC work
  • You enjoy investigations more than triage
  • You can write a detection rule that survives a tuning cycle
  • You're comfortable being a senior voice on the floor
Skip this if
  • You're moving sideways from a tier-1 SOC just to get off shifts
  • You don't enjoy mentoring junior analysts
  • You want to stop responding to alerts entirely; the seat still has some of that
What "doing well" looks like in the seat
  • Your investigations close cleanly with clear handoffs
  • Your tuning suggestions stick after detection review
  • You're trusted to brief leadership on incidents
  • You're the analyst other analysts ask before raising tickets
The bit you're probably underestimating

The role only earns its keep at orgs with a real detection engineering function above it. Without one, you'll be a glorified senior SOC analyst with extra meetings and no career runway. Diligence the team structure before you accept: is there detection engineering, threat hunting and IR as separate functions, or is this title the entire ladder above tier 1? If it's the latter, you've hit the ceiling on day one.

Senior SecOps / Defender Engineer; ceiling tracks your detection-engineering depth.

Who actually gets in
  • SOC analyst
  • Azure admin
  • Junior SOC
Common misconceptions
  • That SecOps in Microsoft shops is purely tooling; content quality still decides outcomes.

  • Defender Engineer
  • Detection Engineer
  • Incident Responder

Listed because the graph connects them to this role, not because you need all of them. Most practitioners pick one or two.

  • Microsoft Sentinel

The serious next step

You've read about the role. The harder question is whether it's the right one for you.

A Career Verdict is the written, practitioner-authored call on your specific route into and out of this role. Six primitives, same format every time.

Built on POST's practitioner-authored assessment framework, calibrated by James from twenty years across helpdesk, infrastructure and security. Framework is human-authored; the verdict applies it to your inputs.