SOC Analyst
Often searched as cyber security analyst.
Triaging alerts on rotation, writing tickets, chasing false positives.
In UK job ads, "cyber security analyst" usually maps to SOC analyst, junior security analyst, or a monitoring/detection seat. POST keeps SOC Analyst as the canonical role because it describes the actual work (shift-based alert triage on a SIEM) more precisely than the generic title recruiters reach for.
The easiest seat to land in cyber, and the hardest one to stay sane in past year two. Worth it if you'll move on deliberately.
A good fit if
- You want into security and have nothing better than a Security+ on your CV
- Shift work doesn't break you (and you've actually checked, not just assumed)
- You're aiming at detection engineering, IR or threat hunting within two years
- You can write a clear ticket under time pressure; that's half the job
A poor fit if
- You picture yourself doing offensive work and see SOC as just a stepping stone; the gap is wider than you think
- You need a 9-to-5; most SOCs run 24/7 rotations and you'll feel it
- You're allergic to repetitive triage; the first eighteen months are mostly that
Signs you're outgrowing it
- You spot the false positives that everyone else tickets and closes blindly
- You start writing detections, not just consuming them
- Your tickets read like an analyst wrote them, not a script
- You volunteer for purple-team exercises and IR shadowing when they come up
Two things wear people down here, and the bootcamps don't tell you about either. First, the queue is endless. Closing a hundred tickets a week feels productive for a month, then it feels like running on a treadmill. Second, the night shifts compound. By month eighteen your sleep is wrecked, you've stopped studying outside work, and the move to detection engineering you planned has quietly evaporated. Plan the exit before you sign the contract.
Tradeoffs at a glance
Ratings are directional, not absolute.
Promotion ceiling
Moderate at T1; clear ladder via detection engineering or IR.
Common routes in
- +IT support
- +Network admin
- +Self-taught + Security+
Common misconception
- −That it's a glamorous 'hacker' job; most days are queue work.
Where this leads
- Detection Engineer
- Incident Responder
- Threat Hunter
Certifications people pair with this
- Security+
- CySA+
- Splunk Core Certified User
- GIAC GSEC
- CompTIA PenTest+
- CEH
- Microsoft SC-200
- Blue Team Level 1
Listed because the graph connects them to this role, not because you need all of them. Most practitioners pick one or two.
Pathways that pass through here
- Defensive / SOC → Detection Engineer
The realistic on-ramp into security. Defensive, structured, hireable. Biased toward SOC-stack certs. NOT CISSP.
- IT Support → Sysadmin (the honest on-ramp)
The realistic first paid technology job. No shortcuts, but the cleanest gateway into every other world.
- DFIR & Threat Intelligence
When the alert is real. Forensics, IR, malware analysis, threat intel. SANS/GIAC biased.
Where this fits
Roles connect to pathways, certs and other roles. Use one to test the next.
- Enterprise IT. Windows / AD / M365
The Microsoft-shop spine. A durable, hireable lane and a direct on-ramp to security, cloud and IAM.
- The realistic SOC analyst path
Most guides describe the job a SOC analyst wishes they had. Here's the one they actually do.
- Why most people fail trying to leave helpdesk
It's almost never a skills problem. It's a positioning problem, a portfolio problem, and a willingness-to-be-uncomfortable problem, in that order.
- Why Security+ is simultaneously overrated and useful
It will not get you a security job. It will get you past an HR filter. Those are different problems.
The serious next step
You've read about the role. The harder question is whether it's the right one for you.
A Career Verdict is the written, practitioner-authored call on your specific route into and out of this role. Six primitives, same format every time.
Built on POST's practitioner-authored assessment framework, calibrated by James from twenty years across helpdesk, infrastructure and security. The framework is human-authored; the verdict applies it to your inputs.