This chapter covers the three tiers of SOC analyst roles as defined in CompTIA CySA+ CS0-003 objective 1.2. Understanding these roles is critical because the exam tests your knowledge of how a SOC operates, how incidents are escalated, and what responsibilities fall to each tier. Approximately 10-15% of exam questions touch on SOC structure, analyst responsibilities, and escalation procedures. You will be asked to identify which tier performs specific tasks, such as triage, deep analysis, or threat hunting.
A SOC is like a hospital emergency department (ED) with three tiers of staff. Tier 1 analysts are triage nurses: they receive all incoming patients (alerts), ask basic questions (initial triage), and decide whether to treat a minor issue (close a low-severity alert) or escalate to a doctor. Tier 2 analysts are emergency physicians: they handle complex cases, order tests (deep investigation), and determine the root cause. They can prescribe treatment (containment actions) but may need a specialist for rare diseases. Tier 3 analysts are specialists like neurosurgeons or infectious disease experts: they reverse-engineer new pathogens (advanced malware analysis), design new treatment protocols (create detection rules), and advise on hospital-wide policies (security architecture). Just as a patient never skips triage to see a specialist directly, alerts are always first processed by Tier 1. If Tier 1 mis-triages a heart attack as indigestion, the patient dies — similarly, if Tier 1 misses a critical alert, the breach goes undetected. Each tier has clear escalation criteria, just as EDs have protocols for when to call a specialist. Without these tiers, chaos ensues: specialists waste time on papercuts, and heart attacks wait in the lobby.
What Are SOC Tiers and Why Do They Exist?
A Security Operations Center (SOC) is a centralized unit responsible for monitoring, detecting, analyzing, and responding to cybersecurity incidents. To manage the workload efficiently and ensure that expertise is applied where needed, SOCs organize analysts into three tiers. This tiered model allows for specialization, clear career progression, and efficient use of resources. Tier 1 handles the bulk of alerts (often 80% or more), Tier 2 handles complex investigations, and Tier 3 provides advanced expertise. The model is formalized in NIST SP 800-61 Rev. 2 and is widely adopted in industry.
Tier 1 – Triage and Initial Response
Tier 1 analysts are the first line of defense. Their primary responsibility is to monitor security alerts and events from tools like SIEM, IDS/IPS, and endpoint detection and response (EDR) systems. They perform initial triage to determine whether an alert is a true positive, false positive, or benign. Key tasks include:
Monitoring dashboards and alert queues.
Acknowledging and categorizing alerts (e.g., phishing, malware, unauthorized access).
Performing basic investigation using pre-defined playbooks.
Escalating confirmed incidents to Tier 2.
Documenting findings and updating tickets.
Tier 1 analysts typically work in shifts to provide 24/7 coverage. They are expected to have foundational knowledge of networking, operating systems, and common attack vectors. In many SOCs, Tier 1 analysts follow runbooks that specify exactly what to check for each alert type. For example, a phishing alert runbook might instruct the analyst to verify the sender, check for malicious links, and check if other users received the same email.
Tier 2 – In-Depth Investigation and Incident Response
Tier 2 analysts receive escalated incidents from Tier 1. They have deeper technical skills and are responsible for conducting thorough investigations to understand the scope and impact of an incident. Key tasks include:
Analyzing malware samples in sandbox environments.
Performing network forensics (e.g., packet capture analysis).
Correlating events across multiple sources.
Containing threats (e.g., isolating hosts, blocking IPs).
Developing remediation plans.
Writing detailed incident reports.
Tier 2 analysts often use advanced tools like Wireshark, Volatility, and YARA. They may also perform threat intelligence enrichment to identify indicators of compromise (IOCs). The exam expects you to know that Tier 2 handles containment and eradication, but not necessarily full recovery. Tier 2 analysts are also responsible for tuning detection rules to reduce false positives.
Tier 3 – Advanced Analysis and Proactive Hunting
Tier 3 analysts are the most experienced and skilled. They handle the most complex incidents that require reverse engineering, custom exploit analysis, or advanced forensics. Key tasks include:
Reverse engineering malware to understand its capabilities.
Developing custom detection signatures (e.g., Snort rules, YARA rules).
Conducting proactive threat hunting using hypothesis-driven techniques.
Performing root cause analysis for major incidents.
Advising on security architecture and improvements.
Tier 3 analysts also mentor junior staff and may lead post-incident reviews. They often have specialized certifications like GREM or OSCP. The exam emphasizes that Tier 3 is responsible for threat hunting and advanced malware analysis, not initial triage.
Escalation Process
The escalation process is critical. When Tier 1 identifies a potential incident, they follow a playbook to determine if escalation is needed. Typical escalation criteria include:
Confirmed malware infection.
Unauthorized access to sensitive data.
Multiple hosts affected.
Indicators of advanced persistent threat (APT).
Escalation is usually done via a ticketing system (e.g., ServiceNow, Jira). The ticket is reassigned to Tier 2 with all relevant evidence. Tier 2 may further escalate to Tier 3 if they encounter unknown malware or a widespread attack.
Communication and Handoff
Clear communication between tiers is essential. Each tier documents their findings in a standardized format. For example, Tier 1 might note the alert ID, timestamp, and initial actions taken. Tier 2 adds detailed analysis, IOCs, and containment steps. Tier 3 provides final root cause and recommendations. Shift handoffs also require a briefing to ensure continuity.
Metrics and Performance
SOCs measure performance using metrics like:
Mean time to detect (MTTD)
Mean time to respond (MTTR)
Number of alerts handled per shift
Escalation rate from Tier 1 to Tier 2
False positive rate
These metrics help identify bottlenecks and training needs. For example, a high escalation rate may indicate Tier 1 needs better training.
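The metrics above are easy to name but only useful once they are computed consistently from ticket data. The following Python is an added example (not part of the original chapter or any SOC product) that derives MTTD, MTTR, escalation rate, false-positive rate and per-tier volume from a constructed set of closed tickets, then applies the bottleneck reasoning the paragraph describes; the ticket fields, the 30% targets and the sample values are all this example's own assumptions.

```python
from datetime import datetime

# Constructed sample of closed tickets from one shift (not real SOC data).
# occurred = when the activity began, detected = when the alert fired,
# resolved = when the response was complete, max_tier = highest tier that
# worked the ticket, verdict = the analysts' final call.
TICKETS = [
    {"id": "T-1", "occurred": "2024-05-01T08:00:00", "detected": "2024-05-01T08:05:00",
     "resolved": "2024-05-01T08:20:00", "max_tier": 1, "verdict": "false_positive"},
    {"id": "T-2", "occurred": "2024-05-01T08:10:00", "detected": "2024-05-01T08:12:00",
     "resolved": "2024-05-01T08:22:00", "max_tier": 1, "verdict": "benign"},
    {"id": "T-3", "occurred": "2024-05-01T07:30:00", "detected": "2024-05-01T08:30:00",
     "resolved": "2024-05-01T10:30:00", "max_tier": 2, "verdict": "true_positive"},
    {"id": "T-4", "occurred": "2024-05-01T09:00:00", "detected": "2024-05-01T09:03:00",
     "resolved": "2024-05-01T09:13:00", "max_tier": 1, "verdict": "false_positive"},
    {"id": "T-5", "occurred": "2024-05-01T06:00:00", "detected": "2024-05-01T10:00:00",
     "resolved": "2024-05-01T14:00:00", "max_tier": 3, "verdict": "true_positive"},
    {"id": "T-6", "occurred": "2024-05-01T10:00:00", "detected": "2024-05-01T10:04:00",
     "resolved": "2024-05-01T10:19:00", "max_tier": 1, "verdict": "false_positive"},
    {"id": "T-7", "occurred": "2024-05-01T10:30:00", "detected": "2024-05-01T10:36:00",
     "resolved": "2024-05-01T11:36:00", "max_tier": 2, "verdict": "true_positive"},
    {"id": "T-8", "occurred": "2024-05-01T11:00:00", "detected": "2024-05-01T11:05:00",
     "resolved": "2024-05-01T11:15:00", "max_tier": 1, "verdict": "benign"},
]


def _minutes(start, end):
    """Elapsed minutes between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def mttd(tickets):
    """Mean time to detect: start of activity until the alert fired."""
    return sum(_minutes(t["occurred"], t["detected"]) for t in tickets) / len(tickets)


def mttr(tickets):
    """Mean time to respond: alert fired until the response was complete."""
    return sum(_minutes(t["detected"], t["resolved"]) for t in tickets) / len(tickets)


def escalation_rate(tickets):
    """Share of tickets that left the Tier 1 queue for Tier 2 or higher."""
    return sum(1 for t in tickets if t["max_tier"] >= 2) / len(tickets)


def false_positive_rate(tickets):
    """Share of tickets closed as false positives."""
    return sum(1 for t in tickets if t["verdict"] == "false_positive") / len(tickets)


def alerts_per_tier(tickets):
    """How many tickets each tier ended up owning."""
    counts = {1: 0, 2: 0, 3: 0}
    for t in tickets:
        counts[t["max_tier"]] += 1
    return counts


def flag_bottlenecks(tickets, max_escalation=0.30, max_false_positive=0.30):
    """Turn the metrics into the training/tuning findings the text describes.
    The 30% targets are assumed for the example; real SOCs set their own."""
    findings = []
    if escalation_rate(tickets) > max_escalation:
        findings.append("escalation rate above target: review Tier 1 runbooks and training")
    if false_positive_rate(tickets) > max_false_positive:
        findings.append("false-positive rate above target: Tier 2 should tune detection rules")
    return findings


if __name__ == "__main__":
    print(f"MTTD {mttd(TICKETS):.1f} min, MTTR {mttr(TICKETS):.1f} min")
    print(f"escalation {escalation_rate(TICKETS):.0%}, false positives {false_positive_rate(TICKETS):.0%}")
    print(alerts_per_tier(TICKETS))
    for finding in flag_bottlenecks(TICKETS):
        print("-", finding)
```

Note that MTTD is dominated by the one ticket (T-5) that went undetected for four hours: a single slow detection moves the mean far more than a dozen fast ones, which is why many SOCs report the median alongside the mean.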
Automation and Orchestration
Modern SOCs use SOAR (Security Orchestration, Automation, and Response) platforms to automate repetitive tasks. For instance, Tier 1 might use SOAR to automatically block a known malicious IP or quarantine a file. Automation reduces workload and speeds up response. However, the exam notes that automation should not replace human judgment for complex decisions.
Relationship to Other SOC Roles
While the three-tier model is standard, some SOCs also have specialized roles like:
SOC Manager: Oversees operations, handles staffing, and reports to the CISO.
Threat Intelligence Analyst: Feeds intelligence to all tiers.
Forensic Analyst: Often a Tier 2/3 skill.
The exam focuses on the core analyst tiers. Remember that Tier 1 does NOT perform advanced analysis or threat hunting. Tier 2 does NOT typically develop new detection rules (that's Tier 3).
Exam-Specific Details
For CS0-003, you need to know:
Tier 1: Monitor, triage, escalate. Uses runbooks.
Tier 2: Investigate, contain, remediate. Uses advanced tools.
Tier 3: Hunt, reverse engineer, develop signatures.
Escalation is from Tier 1 to Tier 2 to Tier 3.
Tier 3 may also work on improving SOC processes.
Common exam scenarios: You are given an alert and asked which tier responds. Or you are asked to identify the correct escalation path. Watch for distractors like "Tier 1 performs malware analysis" (false) or "Tier 3 performs initial triage" (false).
Tools by Tier
Tier 1: SIEM dashboards, basic EDR, ticketing system.
Tier 2: Wireshark, Volatility, sandbox, threat intel platforms.
Tier 3: IDA Pro, Ghidra, custom scripts, threat hunting frameworks.
The exam may ask which tool is appropriate for a given task. For example, reverse engineering malware requires a disassembler (IDA Pro) — a Tier 3 tool.
Career Progression
Analysts typically progress from Tier 1 to Tier 2 to Tier 3 as they gain experience and certifications. The CySA+ certification is often considered a Tier 2-level certification. The exam tests your understanding of this progression and the skills required at each level.
Alert Generation and Queue
A security tool (e.g., SIEM, EDR) generates an alert based on a rule or anomaly. The alert is placed in the SOC's ticketing queue. Tier 1 analysts monitor this queue continuously. The alert includes metadata such as timestamp, source IP, destination IP, severity, and a brief description. The analyst must acknowledge the alert within a defined SLA, often 5-15 minutes for high-severity alerts.
Tier 1 Triage
The Tier 1 analyst reviews the alert and performs initial triage. They check the alert against known false positive patterns, verify the reputation of involved IPs, and look at the context (e.g., user activity, time of day). If the alert is a known false positive, they close it with a note. If it appears malicious, they follow a runbook to gather additional evidence, such as checking for similar alerts on other hosts. They then decide whether to escalate.
Escalation to Tier 2
If the alert is confirmed as a true positive or requires deeper investigation, the Tier 1 analyst escalates to Tier 2. They update the ticket with all gathered evidence, including screenshots, log excerpts, and initial actions taken. The escalation triggers a notification to Tier 2 analysts. The ticket priority may be increased. Tier 1 may also initiate immediate containment actions if authorized (e.g., disabling a user account).
Tier 2 Investigation
The Tier 2 analyst takes ownership of the ticket. They conduct a thorough investigation: analyzing network traffic, examining endpoint artifacts, correlating with threat intelligence, and possibly running malware in a sandbox. They aim to determine the root cause, scope, and impact. They may contain the threat by isolating affected systems or blocking IOCs at the firewall. They document all findings and update the ticket.
Escalation to Tier 3 (if needed)
If the incident is beyond Tier 2's capability (e.g., unknown malware, evidence of APT, need for reverse engineering), they escalate to Tier 3. Tier 3 analysts perform advanced analysis, such as reverse engineering the malware, creating custom YARA rules, or conducting memory forensics. They also develop new detection signatures and provide recommendations for long-term remediation.
Closure and Lessons Learned
After the incident is resolved, the ticket is closed. A post-incident review is conducted, often led by Tier 3 or the SOC manager. Lessons learned are documented, and improvements are made to processes, detection rules, or training. Metrics are updated. The entire process is auditable for compliance purposes.
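The alert lifecycle just described, together with the escalation and handoff rules in the Escalation Process and Communication and Handoff sections, can be modelled as a small ticket workflow. The Python below is an added example (not code from the chapter or from any ticketing product such as ServiceNow or Jira) that enforces three things: an alert is acknowledged against a severity-based SLA, a ticket can only move one tier at a time (Tier 1 to 2 to 3, never skipping), and a tier cannot hand off until it has attached the documentation the handoff section lists for it. The field names, SLA minutes and the sample alert are this example's own assumptions.

```python
from datetime import datetime, timedelta

# Documentation each tier must attach before handing off, following the
# handoff conventions in the text; the field names are this example's choice.
REQUIRED_FIELDS = {
    1: ("alert_id", "timestamp", "initial_actions"),
    2: ("analysis", "iocs", "containment"),
    3: ("root_cause", "recommendations"),
}

# Acknowledgement SLA by severity, in minutes (assumed values for the example).
ACK_SLA_MINUTES = {"high": 5, "medium": 15, "low": 60}


class WorkflowError(Exception):
    """Raised when a handoff violates the tiered process."""


class Ticket:
    def __init__(self, alert_id, severity, created):
        self.alert_id = alert_id
        self.severity = severity
        self.created = created
        self.tier = 1             # every alert starts in the Tier 1 queue
        self.status = "open"
        self.verdict = None
        self.notes = {}           # tier -> fields that tier documented
        self.history = []         # audit trail, kept for the post-incident review

    def acknowledge(self, when):
        """Record the Tier 1 acknowledgement and report whether it met the SLA."""
        limit = timedelta(minutes=ACK_SLA_MINUTES[self.severity])
        within_sla = (when - self.created) <= limit
        self.history.append(("ack", 1, within_sla))
        return within_sla

    def document(self, tier, **fields):
        """Only the tier that currently owns the ticket may write its notes."""
        if tier != self.tier:
            raise WorkflowError(f"Tier {tier} cannot document a ticket owned by Tier {self.tier}")
        self.notes.setdefault(tier, {}).update(fields)

    def _require_documented(self, tier):
        missing = [f for f in REQUIRED_FIELDS[tier] if f not in self.notes.get(tier, {})]
        if missing:
            raise WorkflowError(f"Tier {tier} handoff is missing: {', '.join(missing)}")

    def escalate(self, to_tier):
        """Move the ticket up exactly one tier, with the current tier's notes complete."""
        if self.status != "open":
            raise WorkflowError("cannot escalate a closed ticket")
        if to_tier > 3 or to_tier != self.tier + 1:
            raise WorkflowError(f"Tier {self.tier} may only escalate to Tier {self.tier + 1}, not {to_tier}")
        self._require_documented(self.tier)
        self.history.append(("escalate", self.tier, to_tier))
        self.tier = to_tier

    def close(self, verdict):
        """Closure also requires the owning tier's documentation to be complete."""
        self._require_documented(self.tier)
        self.status, self.verdict = "closed", verdict
        self.history.append(("close", self.tier, verdict))


def run_example():
    """Walk one constructed high-severity alert through all three tiers."""
    t0 = datetime(2024, 5, 1, 8, 0)
    t = Ticket("SIEM-10421", "high", created=t0)
    t.acknowledge(t0 + timedelta(minutes=3))          # inside the 5-minute SLA
    t.document(1, alert_id="SIEM-10421", timestamp=t0.isoformat(),
               initial_actions="verified sender; same mail seen on 3 hosts")
    t.escalate(2)
    t.document(2, analysis="attachment drops loader contacting an unknown domain",
               iocs=["loader.c2-example.test"], containment="isolated 3 hosts, blocked domain at proxy")
    t.escalate(3)
    t.document(3, root_cause="macro-enabled attachment", recommendations="block internet macros")
    t.close("true_positive")
    return t


def skipping_tier_is_rejected():
    """Tier 1 trying to go straight to Tier 3 must fail."""
    t = Ticket("SIEM-10422", "medium", datetime(2024, 5, 1, 9, 0))
    t.document(1, alert_id="SIEM-10422", timestamp="2024-05-01T09:00:00", initial_actions="triaged")
    try:
        t.escalate(3)
    except WorkflowError:
        return True
    return False


def undocumented_handoff_is_rejected():
    """An escalation without Tier 1's evidence attached must fail."""
    t = Ticket("SIEM-10423", "low", datetime(2024, 5, 1, 10, 0))
    try:
        t.escalate(2)
    except WorkflowError:
        return True
    return False


if __name__ == "__main__":
    for event in run_example().history:
        print(event)
```

The `history` list is what a post-incident review would read: every acknowledgement, handoff and closure with the tier that performed it, which also makes the process auditable as the closure step requires.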
In a large enterprise with a 24/7 SOC, Tier 1 analysts handle around 500-1000 alerts per day. For example, a financial institution uses a SIEM like Splunk to collect logs from thousands of endpoints. Tier 1 analysts work in rotating shifts to ensure coverage. They use a runbook that tells them to check if a 'failed login' alert exceeds a threshold of 10 attempts in 5 minutes. If so, they escalate to Tier 2. A common misconfiguration is setting the threshold too low, causing alert fatigue. In production, tuning thresholds is an ongoing process.
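The failed-login runbook in this scenario is a sliding-window count, and the "threshold too low" problem is easiest to see by running the same logic at several thresholds over the same log. The Python below is an added example (not the chapter's or any SIEM vendor's rule) that parses a constructed authentication log, fires one alert per source each time the threshold is reached inside a 5-minute window, and then reports how many alerts a shift would have seen at thresholds of 3, 5 and 10. The log format and the IP addresses are invented for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for the example: "<iso timestamp> auth: FAILED|OK user=<u> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) auth: (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")


def _make_sample_log():
    """Build a constructed log (not real data) covering four patterns."""
    base = datetime(2024, 5, 1, 8, 0, 0)

    def line(offset_s, result, user, src):
        return f"{(base + timedelta(seconds=offset_s)).isoformat()} auth: {result} user={user} src={src}"

    lines = [line(20 * i, "FAILED", "admin", "10.0.0.5") for i in range(12)]       # 12 failures in 4 minutes
    lines += [line(600 + 45 * i, "FAILED", "bob", "10.0.0.7") for i in range(4)]   # mistyped password, 4 tries
    lines += [line(780, "OK", "bob", "10.0.0.7")]                                  # then bob gets in
    lines += [line(1200, "FAILED", "carol", "10.0.0.9"), line(1260, "FAILED", "carol", "10.0.0.9")]
    lines += [line(1800 + 360 * i, "FAILED", "dave", "10.0.0.11") for i in range(4)]  # 4 failures spread over 18 min
    return lines


SAMPLE_LOG = _make_sample_log()


def detect_brute_force(lines, threshold=10, window_minutes=5):
    """Return one alert per source each time `threshold` failures land inside the window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    alerts = []
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m or m["result"] != "FAILED":
            continue              # ignore successes and lines that do not parse
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["src"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"src": m["src"], "user": m["user"], "first": q[0].isoformat(),
                           "last": ts.isoformat(), "count": len(q)})
            q.clear()             # fire once per burst instead of once per extra failure
    return alerts


def alert_volume(lines, thresholds=(3, 5, 10), window_minutes=5):
    """The tuning check: how many alerts each candidate threshold would generate."""
    return {t: len(detect_brute_force(lines, t, window_minutes)) for t in thresholds}


if __name__ == "__main__":
    for a in detect_brute_force(SAMPLE_LOG):
        print(f"escalate to Tier 2: {a['count']} failures from {a['src']} for {a['user']} "
              f"between {a['first']} and {a['last']}")
    print("alerts per threshold:", alert_volume(SAMPLE_LOG))
```

At the runbook's threshold of 10 only the 12-failure burst from 10.0.0.5 alerts; at a threshold of 3 the same log produces five alerts, four of them duplicates of the one real burst and one for a user who mistyped a password four times. Spread over a day of real traffic, that difference is the alert fatigue the scenario warns about.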
A mid-sized company might outsource Tier 1 to an MSSP, while keeping Tier 2 and Tier 3 in-house. For instance, a healthcare provider uses an MSSP for initial triage but has internal analysts for incidents involving patient data. The MSSP follows strict SLAs: acknowledge within 15 minutes, escalate within 30 minutes for critical alerts. The internal Tier 2 analysts use tools like CrowdStrike Falcon and VirusTotal for investigation.
A tech startup with a small SOC might collapse Tier 1 and Tier 2 into a single role, but this is not recommended from a security standpoint. When the SOC is misconfigured, Tier 1 analysts may miss critical alerts because they are overwhelmed with false positives. For example, a poorly tuned IDS might generate thousands of alerts per day, causing analysts to ignore them. This leads to breaches that could have been prevented. Another common issue is a lack of clear escalation criteria, causing delays. For instance, if Tier 1 is unsure whether to escalate, they may hold the alert too long, exceeding the SLA.
In a government SOC, Tier 3 analysts often perform threat hunting using frameworks like MITRE ATT&CK. They proactively search for indicators of compromise that automated tools might miss. For example, they might look for unusual DNS queries or anomalous process behavior. This proactive approach is a key differentiator of mature SOCs.
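A hypothesis-driven hunt differs from an alert in that the analyst starts from a stated assumption and tests it against data that raised no alert. The Python below is an added example (not the chapter's or any hunting framework's code) for the "unusual DNS queries" hunt mentioned above: the hypothesis is that a host tunnelling data over DNS will issue many long, high-entropy subdomains under one parent domain. It scores each query name by Shannon entropy, then flags a host only when enough such queries go to the same domain, so that one odd-looking CDN name is not enough. The query log is constructed, the thresholds are this example's own choices, and the parent-domain split is a naive last-two-labels rule rather than a public-suffix lookup. The ATT&CK reference used for the finding is technique T1071.004 (Application Layer Protocol: DNS).

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log: (source host, queried name). Not real traffic.
SAMPLE_DNS = [
    ("ws-17", "q7w2e9r4t1y6u3i8o5p0alskdjfhgzxc.c2-example.test"),
    ("ws-22", "www.example.test"),
    ("ws-17", "m3n8b1v5c0x9z2lkjhgfdsapoiuytrewq.c2-example.test"),
    ("ws-22", "mail.example.test"),
    ("ws-17", "zx9cv4bn2ma1sd7fg0hj5kl8qw3er6ty.c2-example.test"),
    ("ws-31", "www.example.test"),
    ("ws-17", "pl0ok9ij8uh7yg6tf5rd4es3wa2qz1xc.c2-example.test"),
    ("ws-22", "d41d8cd98f00b204e9800998ecf8427e.cdn-example.test"),  # one hashed CDN name, benign
    ("ws-17", "a1s2d3f4g5h6j7k8l9q0wertyuiopzxc.c2-example.test"),
    ("ws-31", "updates.vendor-example.test"),
    ("ws-17", "t5r4e3w2q1y6u7i8o9p0asdfghjklzxc.c2-example.test"),
    ("ws-22", "login.example.test"),
]


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(s)
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def is_suspicious_label(label, min_len=20, min_entropy=3.0):
    """Long and high-entropy: the shape of an encoded payload, not a hostname."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parent_domain(qname):
    """Naive split on the last two labels (assumption; real tooling uses the public suffix list)."""
    return ".".join(qname.split(".")[-2:])


def high_entropy_counts(records):
    """Per host, how many queries had a suspicious leftmost label."""
    counts = defaultdict(int)
    for host, qname in records:
        if is_suspicious_label(qname.split(".")[0]):
            counts[host] += 1
    return dict(counts)


def hunt_dns_tunneling(records, min_queries=5):
    """Flag (host, parent domain) pairs with at least `min_queries` suspicious queries."""
    per_pair = defaultdict(int)
    for host, qname in records:
        if is_suspicious_label(qname.split(".")[0]):
            per_pair[(host, parent_domain(qname))] += 1
    return [
        {"host": host, "domain": domain, "queries": n, "technique": "T1071.004"}
        for (host, domain), n in sorted(per_pair.items())
        if n >= min_queries
    ]


if __name__ == "__main__":
    for f in hunt_dns_tunneling(SAMPLE_DNS):
        print(f"hunt hit: {f['host']} sent {f['queries']} encoded-looking queries to {f['domain']} ({f['technique']})")
```

If the hunt confirms the hypothesis, the next Tier 3 step is turning it into a durable detection (a rule on label length, entropy and per-domain volume), which is exactly the "develop new detection signatures" responsibility the chapter assigns to that tier.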
The CS0-003 exam tests your understanding of SOC tiers under Objective 1.2: 'Given a scenario, analyze the output from security tools and determine the appropriate response.' You must know which tier performs each task. The most common wrong answers are:
Thinking Tier 1 performs malware analysis. Many candidates confuse triage with analysis. Tier 1 only does basic checks; malware analysis is Tier 3.
Believing Tier 2 does threat hunting. Threat hunting is proactive and requires advanced skills; it is a Tier 3 function.
Assuming Tier 3 handles initial triage. Tier 3 is for escalation only; they do not monitor alerts.
Exam questions often present a scenario like: 'An analyst receives an alert for a potential data exfiltration. After initial investigation, they find a suspicious process and want to reverse engineer it. Which tier should handle this?' The correct answer is Tier 3.
Specific values: The exam does not test exact SLA times, but you should know that Tier 1 is responsible for initial response within minutes. Remember that Tier 2 performs containment (e.g., isolating a host) but not necessarily recovery. Recovery may involve system administrators.
Edge cases: If a SOC is small, roles may overlap. However, the exam tests the ideal model. Also, know that Tier 3 may create custom detection rules, but tuning existing rules is often done by Tier 2.
To eliminate wrong answers, focus on the action: 'monitor' and 'triage' map to Tier 1; 'investigate' and 'contain' map to Tier 2; 'hunt', 'reverse engineer', and 'develop signatures' map to Tier 3.
Tier 1: Monitor, triage, escalate. Uses runbooks. Does NOT perform deep analysis.
Tier 2: Investigate, contain, remediate. Uses advanced forensic tools.
Tier 3: Hunt, reverse engineer, develop signatures. Proactive and complex analysis.
Escalation flows from Tier 1 to Tier 2 to Tier 3. Never skip tiers.
Tier 1 handles 80-90% of alerts; Tier 3 handles <5%.
Threat hunting is a Tier 3 responsibility, not Tier 2.
Containment actions (e.g., isolating a host) are typically performed by Tier 2.
The CySA+ certification aligns with Tier 2 analyst skills.
These come up on the exam all the time. Here's how to tell them apart.
Tier 1 Analyst
Monitors alerts and performs initial triage
Follows runbooks and predefined procedures
Escalates confirmed incidents to Tier 2
Typically has 0-2 years of experience
Uses basic SIEM dashboards and ticketing systems
Tier 2 Analyst
Conducts in-depth investigation of escalated incidents
Performs malware analysis and network forensics
Contains threats and develops remediation plans
Typically has 2-5 years of experience
Uses advanced tools like Wireshark, Volatility, and sandboxes
Tier 2 Analyst
Reactive incident response
Handles known attack patterns
May tune existing detection rules
Works with IOCs and threat intelligence
Focuses on containment and eradication
Tier 3 Analyst
Proactive threat hunting
Handles novel and complex attacks
Develops new detection signatures and rules
Performs reverse engineering and exploit analysis
Focuses on root cause analysis and process improvement
Mistake: Tier 1 analysts perform deep packet analysis.
Correct: Deep packet analysis is a Tier 2 task. Tier 1 only reviews basic alert details and uses runbooks.
Mistake: Tier 2 analysts are responsible for threat hunting.
Correct: Threat hunting is a proactive activity typically performed by Tier 3 analysts. Tier 2 reacts to incidents.
Mistake: All SOCs use exactly three tiers.
Correct: Some SOCs have only two tiers or combine roles, especially in smaller organizations. The three-tier model is a standard but not universal.
Mistake: Tier 3 analysts handle the majority of alerts.
Correct: Tier 1 handles the vast majority (80-90%). Tier 3 only handles the most complex incidents.
Mistake: Tier 1 analysts can make decisions on containment without escalation.
Correct: Tier 1 may perform basic containment (e.g., disabling a user) only if authorized by a playbook. Complex containment requires Tier 2.
Tier 1 analysts are responsible for monitoring security alerts, performing initial triage, and escalating confirmed incidents to Tier 2. They follow runbooks to determine if an alert is a false positive or requires further investigation. They do not perform deep analysis or threat hunting.
Yes, if a playbook authorizes it. For example, a runbook might instruct Tier 1 to disable a compromised user account or block a known malicious IP. However, complex containment actions (e.g., isolating a server) require Tier 2 involvement.
Tier 2 analysts investigate and contain incidents using advanced tools. Tier 3 analysts perform proactive threat hunting, reverse engineering, and develop custom detection rules. Tier 3 handles the most complex and novel attacks.
Tuning SIEM rules to reduce false positives is typically done by Tier 2 analysts. Tier 3 may create entirely new rules for emerging threats. Tier 1 may suggest tuning based on observed false positives.
No, smaller SOCs may have only two tiers or combine roles. However, the three-tier model is the standard for large enterprises and is what the CS0-003 exam tests.
Tier 2 analysts typically have 2-5 years of experience, certifications like CySA+ or Security+, and proficiency in tools like Wireshark, Volatility, and EDR platforms. They should understand network protocols, operating systems, and common attack vectors.
Escalation is done via a ticketing system. Tier 1 documents findings and reassigns the ticket to Tier 2. Tier 2 may further escalate to Tier 3 if needed. Clear criteria, such as confirmed malware or data exfiltration, trigger escalation.