Here’s a simple breakdown of SOC Analyst roles (L1, L2, L3):

L1 (Level 1) Analysts:

Role: Entry-level, such as the “eyes” of the SOC. They watch security tools (e.g., Splunk or QRadar) for alerts, such as a suspicious login attempt, and resolve minor incidents (e.g., resetting a hacked password).

Example: If a SIEM alerts on multiple failed logins, L1 verifies whether it is a user mistake or a brute-force attack and escalates if necessary.
Skills: Minor networking, SIEM tools, log understanding. Ideal for first-timers!
Tools: Splunk, Wireshark, minor firewalls.

L2 (Level 2) Analysts:

Role: Intermediate, such as the “detectives” of the SOC. They dig into escalated alerts from L1, conduct more in-depth analysis, and react to sophisticated threats (e.g., malware or data breaches).
Example: If L1 identifies a questionable file, L2 examines it in a sandbox to verify that it’s malware and contains the threat.
Skills: Malware analysis, incident response, scripting (e.g., Python). Needs 1-3 years of experience.
Tools: IDS/IPS (Snort), EDR (CrowdStrike), threat intelligence platforms.

L3 (Level 3) Analysts:

Role: Senior-level, such as the “architects” of the SOC. They architect security systems, manage sophisticated threats (e.g., APTs or zero-day attacks), and lead L1/L2 teams.
Example: When a new ransomware attack emerges, L3 creates a defense plan and modifies firewall rules.
Skills: Sophisticated threat hunting, system architecture, leadership. Requires 5+ years of experience.
Tools: Sophisticated SIEM, threat hunting platforms (e.g., Elastic), custom scripts.