What is a SOC?
A security operations center (SOC) is a centralized function that combines people, processes, and technology to continuously monitor an organization's IT environment for security threats. This means the SOC serves as the nerve center for detecting attacks, investigating suspicious activity, and coordinating response before attackers can cause damage.
Many SOCs operate around the clock (24/7/365), while others use business-hours coverage with on-call or managed detection and response (MDR) support for nights and weekends. The coverage model depends on organizational risk tolerance, budget, and threat landscape. Attackers do not follow business hours, which means organizations need continuous coverage to catch threats whenever they occur. The goal is not simply to detect alerts but to prevent breaches by acting on threats quickly enough to stop attackers in their tracks.
Detect active cloud threats
Learn how Wiz Defend detects active threats using runtime signals and cloud context—so you can respond faster and with precision.
SOC Benefits: Why organizations need a SOC
Attackers can move quickly. Some modern intrusions progress from initial access to impact in hours or days, while organizations without strong detection capabilities may not discover breaches for weeks or months. This timing gap gives attackers opportunity to steal data, establish persistence, or cause widespread damage, with breaches costing organizations an average of $4.4M globally.
Cloud adoption has dramatically expanded the attack surface beyond traditional network perimeters. Organizations now run workloads across multiple cloud providers, deploy containers and serverless functions, and rely on dozens of SaaS applications. Each of these creates new entry points and new types of activity that need monitoring. A firewall at the network edge cannot see an attacker abusing cloud IAM permissions or moving laterally between containers.
Attack sophistication has also increased, and ransomware continues to be a major driver of breaches (Verizon DBIR). Rather than relying on simple malware that signature-based tools can catch, attackers chain together multiple techniques. They steal credentials, move laterally across systems, escalate privileges, and access sensitive data, often without ever deploying traditional malware. Detecting these attacks requires understanding behavior patterns, not just matching known signatures.
Regulatory and compliance requirements add another dimension. Frameworks like PCI DSS, HIPAA, and SOC 2 mandate continuous monitoring and incident response capabilities. Organizations that handle sensitive data must demonstrate they can detect and respond to security incidents. Without a functioning SOC, meeting these requirements becomes extremely difficult.
Manual, reactive security approaches simply cannot keep pace with modern threats. Dedicated SOC operations provide the continuous visibility and rapid response that organizations need to protect their environments. The business impact of failing to do so is severe: breaches result in financial losses, reputational damage, and regulatory penalties that can threaten an organization's viability.
What does a SOC do? Core functions and workflows
SOC work centers on three core operational phases: monitoring and detection, investigation and analysis, and response and remediation. These phases form a continuous cycle where lessons from response inform better detection, and detection findings drive investigation.
SOCs do not simply react to alerts as they arrive. They proactively hunt for threats that may have evaded existing detection rules. They continuously refine their detection capabilities based on what they learn from incidents. This ongoing improvement cycle is what separates mature SOC operations from basic alert monitoring.
Continuous monitoring and threat detection
SOCs collect and analyze data from across the environment to identify potential threats. This includes logs from servers, network traffic flows, cloud control plane events, identity provider activity, and endpoint telemetry. The goal is comprehensive visibility into everything happening across the organization's infrastructure.
Detection approaches have shifted significantly over the past decade. Traditional signature-based detection matches activity against known malware patterns and attack indicators. While still valuable, this approach misses novel attacks and sophisticated adversaries. Modern SOCs increasingly rely on behavior-based detection that identifies anomalous activity, such as a user suddenly accessing systems they have never touched before or a service account making unusual API calls.
Cloud environments add new monitoring requirements that did not exist in traditional data center architectures. SOC teams must track control plane API calls that create or modify cloud resources. Key cloud telemetry sources include:
Cloud audit logs: AWS CloudTrail, Azure Activity Log, GCP Cloud Audit Logs for API-level visibility
Identity provider logs: Okta, Azure AD, Google Workspace for authentication and access events
Kubernetes audit logs: API server events for container orchestration activity
DNS and egress logs: VPC Flow Logs, DNS query logs for network behavior
SaaS admin activity: Microsoft 365, Salesforce, GitHub audit logs for application-layer events
Each source provides different investigation value. Cloud audit logs reveal resource changes, identity logs show authentication patterns, and Kubernetes logs expose container-level activity that traditional tools miss.
Incident investigation and analysis
When a detection fires, analysts must determine whether it represents a real threat or a false positive. This triage process is where SOC work becomes genuinely difficult. Analysts assess severity, gather additional context from other data sources, and decide whether the alert warrants escalation or can be closed as benign.
Understanding an attack often requires connecting data from multiple sources. A suspicious login might look harmless in isolation but become clearly malicious when correlated with subsequent privilege escalation attempts, unusual data access patterns, and network connections to known bad infrastructure. This correlation work is time-consuming and requires both technical skill and investigative intuition.
Investigation speed directly impacts outcomes. The faster analysts understand the scope and blast radius of an incident, the faster they can contain it. When analysts must switch between multiple consoles and manually query different data sources, investigation time increases dramatically. Every hour spent correlating logs is an hour the attacker has to move deeper into the environment.
Understanding what could happen next is as important as understanding what already happened. If an attacker compromised a service account, what systems can that account access? What sensitive data could they reach? What lateral movement paths are available? This forward-looking analysis helps analysts prioritize containment actions and understand the true severity of an incident.
Response and remediation
Incident response involves taking action to contain and neutralize threats. This might mean isolating compromised systems from the network, revoking credentials that attackers have stolen, or blocking malicious network traffic. The immediate goal is stopping the attack from progressing further.
Containment is only the first step. Effective response also includes preserving evidence for forensic analysis and identifying the root cause of the incident. If analysts simply stop the immediate attack without understanding how it happened, the organization remains vulnerable to the same techniques.
Fixing underlying issues is critical for long-term security improvement. If an attacker exploited a misconfiguration or vulnerability, that weakness needs to be remediated to prevent recurrence. This often requires coordination between SOC teams, IT operations, and development teams who own the affected systems.
Post-incident reviews and lessons learned feed back into improved detection and prevention. Every incident teaches the organization something about its blind spots, its response processes, or its security posture. Mature SOCs capture these lessons systematically and use them to strengthen defenses over time.
Key roles in a SOC team
SOC organizations typically use a tiered structure where analysts at different levels handle different types of work. This specialization matters because it allows organizations to handle high alert volumes efficiently while ensuring complex threats receive appropriate attention from experienced practitioners.
Team size varies widely based on organization size, risk tolerance, and whether the SOC is in-house or outsourced. A small company might have a handful of analysts, while large enterprises may employ dozens.
SOC analysts (Tier 1, 2, 3)
Tier 1 analysts: Handle initial alert triage, filter out false positives, and escalate potential incidents. They process high volumes of alerts and serve as the first line of defense. This role requires solid foundational security knowledge and the ability to work efficiently under pressure.
Tier 2 analysts: Conduct deeper investigation of escalated incidents, perform correlation across data sources, and determine incident scope. They have more experience and technical depth than Tier 1 analysts and can handle investigations that require connecting multiple pieces of evidence.
Tier 3 analysts: Handle the most complex incidents, perform proactive threat hunting, develop new detection rules, and conduct forensic analysis. They are senior practitioners with specialized expertise who tackle problems that junior analysts cannot solve.
This tiered model allows organizations to handle alert volume efficiently while ensuring complex threats receive appropriate attention. Career progression typically moves from Tier 1 through Tier 3 as analysts gain experience and develop specialized skills.
SOC manager and leadership
SOC managers oversee day-to-day operations, staffing, and shift coverage. They ensure the team has adequate resources and that workload is distributed appropriately across analysts. Managing a 24/7 operation requires careful attention to scheduling and coverage gaps.
Leadership is responsible for defining and tracking metrics that measure SOC effectiveness. Common metrics include mean time to detect (MTTD) and mean time to respond (MTTR), along with false positive rates. These numbers help identify areas for improvement and demonstrate value to executive stakeholders.
SOC leadership also handles stakeholder communication, reporting on security posture and incidents to executive leadership and other business units. This communication role is critical for maintaining organizational support and ensuring security concerns are understood at the highest levels.
Specialized roles
Threat hunters: Proactively search for threats that have evaded existing detection, using hypotheses about attacker behavior to identify hidden compromises. They do not wait for alerts but actively look for signs of malicious activity.
Detection engineers: Build and tune detection rules, reduce false positives, and ensure detection coverage maps to known attack techniques. They translate knowledge about threats into automated detection capabilities.
Forensic analysts: Conduct deep-dive investigations of compromised systems, recover evidence, and support legal and compliance requirements. Their work is essential when incidents may have legal implications.
Threat intelligence analysts: Monitor the external threat landscape, track attacker groups and techniques, and provide context that improves detection and response. They help the SOC understand what threats are most relevant to the organization.
Not all SOCs have all specialized roles. Smaller teams may combine responsibilities, with analysts handling both detection engineering and threat hunting alongside their investigation work.
Guided Tour
See Wiz Defend in Action
SOC tools and technologies
SOC effectiveness depends on shared context across tools. Detections should arrive pre-enriched with identity, exposure, and asset criticality rather than showing up as isolated alerts that analysts have to manually piece together.
SIEM and log management: Security Information and Event Management (SIEM) platforms aggregate logs from across the environment, correlate events, and generate alerts. They act as the central repository for security-relevant data and the foundation for detection and investigation.
SOAR and automation: Security Orchestration, Automation, and Response (SOAR) platforms automate repetitive tasks, orchestrate workflows across tools, and run playbook-driven response. When an alert fires, SOAR can automatically gather context, enrich the alert with additional data, and execute initial response actions. Tasks that take an analyst minutes to perform manually happen in seconds.
Endpoint detection and response (EDR): EDR agents run on workstations and servers to capture detailed telemetry about processes, file activity, and network connections. Analysts can see process trees, spot suspicious behaviors, and take response actions like isolating a compromised machine from the network.
Cloud detection and response (CDR): Cloud environments generate attack patterns that traditional tools were never built to see. Control plane API calls, ephemeral workloads, cross-account lateral movement, and cloud-specific privilege escalation all create blind spots for SIEM and EDR. CDR monitors cloud provider audit logs, detects cloud-specific attack techniques, and correlates signals across compute, identity, data, and network layers. The best CDR tools go beyond telling you what happened. They show what could happen next by connecting detections to attack paths and blast radius, so analysts can prioritize response based on actual risk.
Threat intelligence platforms (TIPs): Threat intelligence platforms aggregate and operationalize threat data from commercial feeds, open-source intelligence, industry sharing groups, and internal findings. They feed indicators of compromise and attacker context into SIEMs, EDR, and firewalls so detections reflect current threats rather than stale signature lists. The real value of a TIP is not raw indicator volume. It is turning external threat data into detection rules and hunting hypotheses that match your specific environment and threat profile.
Vulnerability management and attack surface monitoring: Vulnerability scanners and attack surface management tools identify weaknesses before attackers exploit them. They catalog exposed assets, flag unpatched software, and highlight misconfigurations across cloud and on-premises infrastructure.
Case management and ticketing: SOC teams need a system to track investigations from initial alert through resolution. Tools like Jira, ServiceNow, or dedicated platforms like TheHive give analysts a structured way to document findings, hand off between shifts, and maintain chain of custody for evidence.
Tools alone do not make a SOC effective. They need proper configuration, tight integration, and skilled analysts running them. The most expensive security platform adds little value if it generates alerts nobody reviews or if the team does not know how to use it.
Types of SOC models
Organizations have multiple options for structuring their SOC based on size, budget, risk tolerance, and internal expertise. There is no single right model. The best choice depends on organizational context and security requirements.
In-house SOC
Pros: Full control over operations, deep institutional knowledge of the environment, direct alignment with business priorities
Cons: High cost (staffing, tooling, facilities), difficulty recruiting and retaining skilled analysts, challenge of maintaining 24/7 coverage
In-house SOCs work best for organizations with significant security budgets and complex environments that require specialized knowledge. When analysts understand the business context deeply, they can make better decisions about what matters and what does not.
Building an effective in-house SOC takes time. It requires not just hiring people but also developing processes, building institutional knowledge, and creating a culture of continuous improvement. Organizations should expect a multi-year journey to reach maturity.
Managed SOC and SOC-as-a-Service
Pros: 24/7 coverage without staffing burden, access to specialized expertise, faster time to value, predictable costs
Cons: Less organizational context, potential handoff delays during incidents, dependency on third-party provider
Managed SOC services, including managed security service providers (MSSPs) and managed detection and response (MDR), can be effective for organizations that lack resources for in-house operations. These services provide immediate capability without the overhead of building a team from scratch.
Quality varies significantly across providers. Organizations should evaluate detection capabilities, response times, and integration with existing tools. The best managed services function as an extension of the internal team rather than a black box.
Hybrid SOC
Hybrid models make sense when organizations want the benefits of both approaches. An internal team might handle critical response and high-context decisions while an external provider handles monitoring volume and off-hours coverage. This division allows internal staff to focus on the work that most benefits from organizational knowledge.
Clear handoff procedures and communication channels between internal and external teams are essential. Without well-defined processes, incidents can fall through the cracks during transitions between teams. Hybrid models can provide the best of both worlds but require careful coordination to avoid gaps.
SOC Best Practices
Modern SOC maturity is defined by investigation speed and risk clarity, not alert volume. The strongest teams build operations around context, automation, and measurable improvement.
1. Align detection with business risk
A SOC does not protect everything equally. It protects what matters most.
Start by identifying:
Critical production systems
Sensitive data stores
Privileged identity systems
Revenue-impacting services
Detection rules and escalation policies should elevate activity involving these assets automatically. Severity without business context creates noise.
2. Unify people, process, and tooling
Tools alone do not create security outcomes. Clear workflows, escalation paths, and ownership boundaries matter just as much as telemetry.
Define:
Who owns initial triage
When incidents escalate
How handoffs occur
What containment authority exists
Without defined process, even good tooling produces inconsistent response.
3. Prioritize context-rich detections
Alerts should arrive pre-enriched with:
Asset criticality
Network exposure
Identity privilege level
Data sensitivity
Known vulnerabilities in path
Analysts should not have to pivot across five consoles to determine impact. Correlation should happen before the alert reaches a human.
4. Use risk-based prioritization
Not every high-severity finding is high risk.
Prioritization should consider:
Exploitability
Exposure
Privilege
Lateral movement potential
Blast radius
Mapping detections to frameworks such as MITRE ATT&CK helps identify blind spots and validate coverage across relevant attack techniques.
5. Automate enrichment before response
Automation should first eliminate repetitive investigative tasks:
Log correlation
Privilege mapping
Asset tagging
Exposure validation
Only after context is reliable should containment automation be introduced. Automation without clarity increases operational risk.
6. Formalize and test incident response playbooks
Every common scenario should have a documented and practiced response plan:
Credential compromise
Privilege escalation
Cloud control plane manipulation
Ransomware activity
Data exfiltration
Tabletop exercises and simulations reduce confusion during real incidents and improve containment time.
7. Invest in proactive threat hunting
Detection rules cannot catch everything. Mature SOCs dedicate time to hypothesis-driven hunts based on emerging attacker techniques.
Threat hunting closes coverage gaps and improves future detection logic.
8. Measure operational friction
Beyond MTTD and MTTR, track:
Investigation touch-time
Alert-to-incident conversion rate
False positive rate
Analyst context switching
These metrics expose tooling inefficiencies that inflate response times.
9. Create a feedback loop between incidents and prevention
Every incident should drive improvements in:
Detection rules
Identity permissions
Configuration hygiene
Exposure reduction
A SOC is not just a reactive function. It is a continuous improvement engine.
Wiz for SOC Teams
Modern SOC teams are expected to investigate cloud incidents without unified cloud context. Signals are scattered across control plane logs, identity systems, runtime telemetry, and posture findings. Analysts spend critical time stitching together evidence instead of assessing impact.
Wiz brings this context together through the Wiz Security Graph, the foundation of the Wiz AI Application Protection Platform (AI-APP). The Security Graph correlates control plane activity, identity risk, posture exposures, data sensitivity, and runtime signals into a single model.
Wiz Defend correlates control plane activity, identity risk, posture exposures, data sensitivity, and runtime signals into a single investigation view. Three AI Agents extend this capability across the SOC workflow:
The Blue Agent handles automated threat investigation, analyzing every new detection with the full context of the Wiz Security Graph and producing transparent verdicts analysts can validate immediately.
The Green Agent drives remediation by tracing issues to root causes, identifying the most efficient fix, and routing actionable guidance to the right developer or owner.
Agentic Workflows let SOC teams encode their operational processes, connecting agent verdicts to containment actions, Slack notifications, Jira tickets, and human approval gates. The result: analysts see the full attack path, receive AI-generated investigation context, and can move from detection to containment in minutes rather than hours.
Get a demo of Wiz Defend to see cloud detection and response with investigation-ready context.
Detect active cloud threats
Learn how Wiz Defend detects active threats using runtime signals and cloud context—so you can respond faster and with precision.