Cybersecurity Analyst
Detect, investigate, and respond to security threats across enterprise environments
Job titles
Security Analyst, SOC Analyst
UK salary range
£40,000–£70,000
US salary range
$65,000–$110,000
Time to first role
6–12 months from scratch
About this role
Cybersecurity analysts monitor security events, investigate incidents, and operate SOC tooling. The role sits at the intersection of threat intelligence, log analysis, and incident response. Entry requires understanding networking fundamentals, security tooling (SIEM, EDR), and threat frameworks like MITRE ATT&CK.
Key skills employers look for
Certification roadmap
Foundation
Networking + security fundamentals — both are required before the analyst certs
N10-009: CompTIA Network+
Security analysts must read pcap files, understand TCP/IP flows, and diagnose network-based attacks. Network+ ensures you have this foundation before tackling Security+.
SY0-701: CompTIA Security+
The most widely held entry-level security cert. DoD 8570 IAT Level II baseline. Covers cryptography, threat actors, vulnerability management, identity, and incident response. The expected baseline for almost every SOC analyst role.
ISC2 CC: ISC2 Certified in Cybersecurity
Free entry-level cert from ISC2. Good alternative to Security+ if you want an ISC2 credential early or can't yet afford the Security+ exam fee.
Analyst Specialisation
The cert that makes you hirable as an analyst — not just security-literate
CS0-003: CompTIA CySA+
The most relevant intermediate security cert for analyst roles. Covers threat intelligence, behavioural analytics, log analysis, SIEM, vulnerability management, and incident response in operational depth that Security+ doesn't reach.
SIEM & Tooling
Tool-specific certs that are increasingly listed as requirements
Splunk Core User: Splunk Core Certified User
Splunk is the most common SIEM platform in enterprise SOCs. This cert demonstrates you can write SPL queries, build dashboards, and investigate log data — practical skills that analysts use on day one.
Senior / Expert
For senior analyst and security architect roles — 3–5 years experience
CISSP: ISC2 CISSP
The gold standard for senior security professionals. Requires 5 years of paid security experience. Shifts focus from operational analysis to governance, risk, and security architecture.
Frequently asked questions
Do I need Network+ before Security+?
Not officially, but practically yes. Security+ exam questions assume you understand TCP/IP, subnetting, and common protocols like DNS, HTTP, and SMTP. Without Network+, you'll spend double the time on Security+ because every question requiring network context will slow you down.
Is Security+ enough to get a SOC analyst job?
It's the minimum. Pair it with: hands-on experience in a home lab (TryHackMe, HackTheBox), knowledge of Splunk or Microsoft Sentinel basics, and CySA+ if the target role asks for it. Entry-level SOC roles are highly competitive — cert + demonstrated lab skills beats cert alone.
Key terms for this career path
These concepts underpin the certifications in this roadmap and appear regularly in exam questions.
Dynamic route
A route that is automatically learned and updated by a router using a routing protocol, rather than being manually configured.
Security pillar
The Security pillar is a set of best practices for designing and operating cloud systems that protect data, systems, and assets through confidentiality, integrity, and availability controls.
File Transfer Protocol
File Transfer Protocol (FTP) is a standard network protocol used to transfer files between a client and a server over a TCP/IP network.
Public IP address
A globally unique IP address assigned to a device that allows it to communicate directly over the internet.
Persistent Disk
Persistent Disk is a durable, high-performance block storage service for Google Cloud virtual machines that retains data even after the VM is shut down or deleted.
Extensible Authentication Protocol
Extensible Authentication Protocol (EAP) is a flexible authentication framework used in network access control, particularly in wireless and point-to-point connections, that supports multiple authentication methods without requiring changes to the underlying protocol.