Rock the SOC
In a perfectly choreographed security career, you land your first job in the SOC, ace it, and climb up the ladder to success, eventually becoming a SOC director or even a CISO. But wait. How do you make that happen? Career journeys of any role are rarely so linear. And how do you avoid burning out before you’ve reached your goals? This guide is here to help. Compiled from the collective wisdom of both Devo executives and infosec community members, this guide will help you land your first role as a SOC analyst, and understand the different career tracks available to you. There are also plenty of tips on how to uplevel your skill set in order to stand out among your peers. We also leave you with some valuable frameworks to use throughout your career. That’s just the beginning though—there are all sorts of good nuggets of information throughout the guide. Wanna build a home lab but don’t know where to start? We have an entire section that explains how. Or are you just trying to pick a focus or make a hard decision related to your job? Check out Chapter 9! But this guide isn’t just for those starting out in their career. We provide answers, insights, and advice that will take your career to the next level.
A Career Guide for Your First Analyst Role and Beyond
Are you ready to rock the SOC?
Chapter 1
So You Want to Be a SOC Analyst...
By John Hammond
Read Now
Chapter 2
The Hard and Soft Skills Needed to Crush a SOC Role
By Josh Copeland
Chapter 3
Advancing Cybersecurity and Career-Readiness in Academic Institutions
By Bill Britton
Chapter 4
Break into Cybersecurity by Leveraging LinkedIn
By David Meece
Chapter 5
Navigating Your Cybersecurity Career as a SOC Analyst
By Deidre Diamond
Chapter 6
Becoming a Security Researcher: 5 Questions Answered
By Chaz Lever
Chapter 7
Positioning Yourself for a SOC Leadership Role
By Kayla Williams
Chapter 8
Balancing Your Career and Wellness: A Hopeful Message for the SOC Community
By Peter Coroneos
Chapter 9
Change, Challenges, and Priorities
By Marc van Zadelhoff
Table of Contents
Meet Our Authors
Hover over an author to learn more about them.
John Hammond Principal Security Researcher at Huntress, educator, and content creator
Josh Copeland Director of Enterprise Security and content creator
Bill Britton Vice President of Information Technology and Chief Information Officer at Cal Poly
John Hammond: Threat operations at Huntress and cybersecurity researcher, educator, and content creator. As part of the Threat Operations team at Huntress, John spends his days analyzing malware and making hackers earn their access. Previously, as a Department of Defense Cyber Training Academy instructor, he taught the Cyber Threat Emulation course, educating both civilian and military members on offensive Python, PowerShell, other scripting languages, and the adversarial mindset. He is an online YouTube personality showcasing programming tutorials, CTF video walkthroughs, and other cybersecurity content.
David Meece SOC analyst, cyber mentor, and educator
Deidre Diamond Founder and CEO, CyberSN
Chaz Lever Security Researcher
Kayla Williams CISO, Devo
Peter Coroneos Founder of Cybermindz, author, and activist
Marc van Zadelhoff Cybersecurity CEO
Are you ready
Chapters
01
So You Want to Be a SOC analyst...
02
03
04
05
06
07
08
09
to rock the SOC?
Let's Go
Josh is a cybersecurity leader and engineer with 25 years of experience, with a focus on holistic cloud and on-prem security approaches and specific expertise in building and operating security stacks, SOC operations, and cybersecurity governance, risk, and compliance processes.
Bill Britton is the Vice President of Information Technology and Chief Information Officer at Cal Poly. Contributors to the chapter include: Henry Danielson, Technical Advisor, California Cybersecurity Institute, and Doug Lomsdalen, Information Security Officer, Cal Poly Information Technology Services.
David Meece is SOC analyst, passionate cyber mentor, and educator in the industry. He holds a Master of Science degree in Information Systems and has a wide array of skills ranging from teaching to virus removal. He is passionate about cybersecurity and enjoys using his platform to teach people how to protect themselves and stay safe online.
Deidre Diamond, founder and CEO of CyberSN, transformed the cybersecurity job search and hiring process by launching a deepjobs matching platform and standardizing all cybersecurity job functions into a common taxonomy of 45 roles. Deidre also founded SecureDiversity.org and the Day of Shecurity conference to help promote diversity in cybersecurity. Deidre has more than 29 years of experience in technology and staffing, leading teams at Rapid7 and Motion Recruitment. She received the Top 25 Women in Cybersecurity award by Cyber Defense Magazine and is a sought-after speaker who inspires individuals to join the cybersecurity industry while driving change in the industry.
Chaz Lever is a security researcher with over a decade of experience. He received his B.S. in computer science from Duke University, M.S. in computer science from Wake Forest University, and PhD in computer science from the Georgia Institute of Technology. Dr. Lever's research has focused on large scale measurements and data analysis with a focus on network security applications, and his work has appeared at numerous top academic and industry security conferences. Beyond his academic work, Dr. Lever also has industry experience developing scalable, data-centric applications in the business intelligence, financial services, and government spaces.
Kayla is the CISO at Devo. She is an analytical and results-driven professional with experience in management of cybersecurity incidents, compliance management, corporate risks, information security, project and program management, and organizational controls surrounding many different aspects of business. Kayla was previously the director of GRC at LogMeIn, a $1b global SaaS company, and the senior risk manager for Computershare, US, a global financial services company, where she was responsible for supporting the development, implementation, and monitoring of operational, financial, compliance, and IT risk.
Peter Coroneos is an internationally recognized authority on cyber policy, an internet industry leader, author, activist and policy innovator. As part of the mission to build a faster, fairer, safer and more trusted internet for all Australians, Peter led the development of icode, an industry-wide botnet mitigation program developed while he was head of Australia’s iconic Internet Industry Association (1997-2011). Peter founded Cybermindz.org, a not-for-profit dedicated to bringing scalable, evidence based mental health support to embattled cyber teams. It is the world’s first application of the US military-backed iRest protocol into cybersecurity to build and powerfully restore emotional and cognitive resilience and prevent burnout.
Marc van Zadelhoff has more than 20 years of experience in strategy, venture capital, business development and marketing in the cybersecurity space. A transformative technology leader, Marc thrives on building effective, high-performing cultures and driving continuous improvement in client service excellence. He’s helped oversee record growth, significant fundraising, and several acquisitions. Previously, Marc was COO of LogMeIn, Inc., driving all go-to-market activities leading up to its $4.3B ‘take private’ sale. Before that, he was the co-founder and CEO/GM of IBM Security, a unit he helped to found and grow to more than $2.5B in software and services revenues.
Let's go
Back to Home
So You Want to
The thing about being a SOC analyst
You know the daily grind: signing on to your rapid communication platform, checking the dashboard for any new alerts or signals to triage, and cruising through investigations or writing reports. You’re also keeping up with the news and the latest security events. This is the typical “day in the life” of a SOC analyst. Don’t get me wrong, that work is incredible. It’s super fulfilling to respond to incidents, hunt for threats, and make a difference in protecting your organization—or many others. Every day is different, too, whether you’re uncovering new malware, finding fresh threat actor activity, or improving security on the frontlines. But, sometimes, it’s not all it’s cracked up to be. From the outside looking in, it may look like a flashy and cool career, but it’s not always sunshine and rainbows. There are many long days. For example, maybe you’re on shift and your team member is getting online late, and they need to rely on you to finish up some more investigations. You’ve already been working eight hours, you’re tired, and you want to do just about anything other than continue staring at the screen.
The thing about being a SOC analyst is that it isn’t always about being a SOC analyst.
This book highlights the best parts of being a SOC analyst for a career, but don’t forget that life comes first, and sometimes, life gets in the way.
When you’re in the trenches and it’s starting to bog you down, don’t forget about the progress you’re making. That’s just part of the journey. There are so many great things that outweigh the bad: the sense of achievement and accomplishment, your own growth and development, the camaraderie with your team, and the feeling you get when doing something you love.
All those long nights, challenging work, and hardships
are a sacrifice you make on the journey to success.
Imagine there's an ice cube
To be honest, there’s no secret here—sometimes, you never find a good balance, and there’s no skeleton key that will open every door of opportunity for you. But what can you do to become the best SOC analyst you can be?
Now, stop and ask yourself: Is it a job or a career? Is it your passion or your vocation? Or is it both? These are the questions you should ask at the beginning of your career and throughout it to take stock of your own feelings and goals as they evolve over time. For example, maybe you start your first role and discover that you want to use it as a stepping stone or springboard to even more incredible things in your life and work within cybersecurity that you find more compelling. There’s nothing wrong with that! In any case, this should be some food for thought. Even as a SOC analyst, what’s next for you? Do you want to specialize in malware analysis or reverse engineering? Do you want to focus on vulnerability research or unravel the latest zero-day exploits? What if you were the lead incident response manager, digging deeper into digital forensics and the artifacts and indicators of compromise? You could even be a dedicated detection engineer and write rules or logic to help flag new threats. Don’t be afraid to think about the bigger picture, too, even if it seems far off. For example, do you want to be a CISO one day?
Often, the best thing you can do is center yourself on doing what you love. No matter where you are in your career, whether you’re still hunting for that SOC analyst role or you’re thinking about what’s next after your time in the SOC, get into the growth mindset. Learn to love the journey, not just the destination, but make sure you always have some goals on the horizon to work toward, too. While there are lots of cutesy, trite, and cliche analogies to help keep you chugging along with your work, there is one that’s always stuck with me, and I’d love to share it with you:
It’s your goal to make this ice cube melt. You can increase the temperature to heat up the ice cube, but here’s the kicker: you can only change the temperature by a tenth of a degree at a time—maybe one unit of change every day.
Now, think about what task this ice cube represents in your own life, whether it’s chipping away at a growing mountain of alerts or studying to ace that test or grab that next certification.
While you whittle away at this task, you might have people around you or certain elements bogging you down. “Why are you wasting your time? You won’t be able to get this done—there’s already too much going on. It’s not going to make a difference anyway, so don’t bother trying.”
No one sees change until it happens. Despite raising the temperature one tenth of a degree consistently, the ice cube still looks solid and frozen every day. To others, it may look like there is no difference being made.
But you keep putting the pressure on and heating things up one degree at a time, slowly making a difference and knocking out what you know you need to do. No matter how long it takes, you still put in the effort to accomplish that goal. Whether it’s getting that SOC Analyst job, earning that promotion, or pursuing a whole new role, you keep chipping away at it.
Eventually, you will see the difference. That ice cube will start to melt, and one day, it’ll be nothing more than a puddle.
That’s the destination, but you’ve got to love the journey, even when it’s slow and it seems like you’re not making progress. Just remember: everything you did to make that change is the real value.
And who knows, maybe the proverbial ice cube never melts—but the fun is keeping the heat on.
Having a mindset of growth in your SOC analyst career
means finding your passion, following it wherever it
goes, and loving the hard work along the way.
All those long nights, challenging work, and hardships are a sacrifice you make on the journey to success.
What’s the secret to being an incredible SOC analyst? What does it mean to be an incredible security professional and a contributing member of the community who goes on to do even more incredible things beyond their SOC analyst role?
Be a SOC Analyst
Other times, you might be struggling to figure out what a threat actor did or how to unravel a malware attack, or maybe you’re just exhausted and overwhelmed by all the alerts. Alert fatigue is real—our work is plagued by digital alarm bells and figurative sirens going off. You get to hear about all the success stories, the wins, and the accomplishments, but people don’t always talk about the low points. No one thinks about when you make a mistake while working a case and things go wrong. No one talks about burnout, imposter syndrome, and the long hours, from sleepless nights to working weekends, holidays, and even during vacation time. That stuff isn’t flashy and doesn’t make for an inspiring LinkedIn post.
The Good Outweights the Bad
Sometimes, things get tough, but ultimately, none of these things overpower how awesome being a SOC analyst can be. After all, no job is immune to hardship.
Here’s something to consider that might be unorthodox for this book:
Maybe you don’t want to be a SOC analyst forever. This is a “SOC Analyst Career Guide,” but let’s say you’ve done it: you got the gig and you’re working what may be your dream job.
Maybe being on the “blue team” was cool for a bit, but you might find the ethical hacking world with penetration testing and “red teaming” just as compelling. If so, you could blend the two and embrace “purple teaming,” where the defensive and offensive security specialists work together. Whatever your job hopes and dreams are, you should take the time to think about and decide on your career. Obviously, you don’t need to have all the answers right away—there’s no way to know what the future holds—but be open to exploring your passions and figuring out what you really love to do. That’s the best recipe to stave away those mental hardships when the going gets tough.
It should be fun to practice your craft and learn more, because that’s what the industry is all about: continuous learning and putting the effort in every day. This can be difficult, but it’s what I call “the dark bargain,” the hard deal you make to become the best practitioner you can be while still finding the balance for everything else in your life.
Don’t forget about the whole other side of the playing field, either.
Embracing a Growth Mindset
🔥
About the author
John Hammond
Next Chapter
[ The Good Outweighs the Bad ] [ Embracing a Growth Mindset ]
01 / 07
02 / 07
03 / 07
04 / 07
05 / 07
06 / 07
07 / 07
Click arrows to read more
Youtube
Twitter
LinkedIn
So You Want to Be a SOC Analyst
Additional social links
The thing about being an SOC analyst is that it isn’t always about being a SOC analyst.
Having a mindset of growth in your SOC analyst career means finding your passion, following it wherever it goes, and loving the hard work along the way.
The Hard and Soft
Josh Copeland
Previous Chapter
So you want to be a SOC star?
Learning hard technical skills can be a challenge. Traditional education paths like getting a degree or doing boot camps often don’t provide enough current hands-on training that truly hones your cyber chops. Fear not, young SOC star, there is a path for you to really gain these skills with a mix of self-education and guided learning.
Where do certifications fit into all of this? It is honestly a great question. SOC stars are always looking for a great way to not only gain skills, but highlight those skills in the all-important job search. First, what is the purpose of a certification? Ultimately, the intent is to be a validation of a specific set of knowledge or skills. If a person holds a specific certification, there is an expectation the individual has a minimum baseline of knowledge in the areas identified by that credential's learning objectives. Now what? There are hundreds of certifications out there! Vendor-neutral, vendor-specific, entry-level, mid-level, expert-level. What is right for YOU? What is a suitable investment in both time and money that will get the best return?
[ Learning New Tools and Skills ]
There are hundreds of ways to become one, and no specific way is inherently better than another, but all of them involve a mix of both technical hard skills and non-technical soft skills. The nature of SOC work consists of dealing with complex cybersecurity incidents and managing the security of an organization's systems and data. It also involves understanding how and why systems do what they do, and the business context that drives them. The specific skills and emphasis may vary depending on the organization, the level of the SOC role, and the focus of the security operations. Continuous development of technical and soft skills will help you excel in the dynamic cybersecurity field and become a SOC star! But how do you develop these skills? Let’s dive in!
🌟
Learning New Tools and Skills
— and Keeping Them Sharp
The Home Lab
The home lab is, bar none, one of the easiest and most effective tools to sharpen your technical skills. Home labs allow you to create purpose-built training environments that scale with your skill and interest. The real bonus is that not only is a home lab an ideal place to learn and explore safely, but it is also highly affordable! There is a plethora of free, open-source tools available, and most will run on that decade-old computer that you have sitting in your closet, on inexpensive hardware like Raspberry Pi, or even on used end-of-life server hardware. The same holds true for getting used routing and switching hardware.
Free Open-Source Tools
Malware Analysis Tools: • Cuckoo Sandbox: An open-source automated malware analysis system for examining suspicious files and URLs. • REMnux: A Linux distribution designed for analyzing malware and conducting reverse engineering tasks. Vulnerability Scanning and Penetration Testing Tools: • OpenVAS or Nessus: These tools can perform vulnerability scans on networks and systems, identifying potential weaknesses, and misconfigurations. • Metasploit Framework: A widely used penetration testing tool that helps discover and exploit vulnerabilities. Security Information and Event Management (SIEM): • SecurityOnion: A free and open Linux distribution for threat hunting, enterprise security monitoring, and log management.
Threat Intelligence Tools: • MISP (Malware Information Sharing Platform): A threat intelligence platform for collecting, sharing, and analyzing indicators of compromise (IOCs). • VirusTotal: An online service aggregating various antivirus scanners and other tools to analyze suspicious files and URLs. • Talos: An online service provided by Cisco for IP and domain reputation. Web Application Security Tools: • OWASP ZAP: An open-source web application security scanner for finding vulnerabilities in web applications. • Nikto: A web server scanner that checks for common security misconfigurations and vulnerabilities. Password-Cracking Tools: • Hashcat: A popular password-cracking tool capable of attacking password hashes obtained from various sources. Security-focused Linux system: • Kali Linux, SamuraiWTF and Parrot OS: These OS distributions are purpose-built Linux systems that include many of the tools discussed above as part of a single package. 03 / 03
Firewall: • pfSense: A free network firewall distribution, based on the FreeBSD operating system. • IPFire: A hardened open-source firewall that’s based on Linux. Virtualization Software: • VMware Workstation or Oracle VirtualBox: These tools allow you to create virtual machines (VMs) to emulate different operating systems and network environments. Network Security Tools: • Wireshark: A powerful network protocol analyzer for capturing and analyzing network traffic. • Nmap: A network scanning tool used for port scanning, service enumeration, and vulnerability detection. • Burp Suite: A web application security testing tool for identifying and exploiting vulnerabilities in web applications.
Training Platforms
Is the thought of building a home lab a bit too daunting out of the gate? Want something that’s more guided before diving in and building your own lab? There are a host of solutions for that as well! They also have a wide range of costs and models. These platforms have the massive advantage of having professional engineers building virtual environments that ensure you are able to see the same content the same way in a repeatable manner. Many of these platforms specifically map training paths back to recognized standards like MITRE ATT&CK™, D3FEND™, and NIST NICE Frameworks.
Some of my favorite platforms are:
TryHackMe
LetsDefend
Hack the Box
Rangeforce
Security Blue Team
Each of these platforms is primarily agnostic in the toolset, using either open-source tools or the most widely used toolset for the training task. TryHackMe and Hack The Box, as the names suggest, focus on more of the pentest skill sets but have expanded to “blue team” skills. The other side of the coin has LetsDefend, RangeForce, and Security Blue Team, which primarily focus on defender skill sets. Another excellent training platform capability is the security tools vendors themselves. Many have tool-specific training programs on leveraging the tools to their full capabilities, or even general and advanced cybersecurity training.
What About Certifications?
Research!
Look at what the demand is for the jobs you want to do. Look at what certifications they are asking for and at what levels. The critical component here is that certifications should be a capstone event for your learning. You shouldn’t take a crash course boot camp that crams all the knowledge in one week with the exam at the end. That does no one any good because while you might get the certification paper, you don’t have the knowledge to back it up and become a paper tiger.
Are Boot Camps Bad?
Inherently no, if they are correctly used to refine and polish the edge of your sword. Mr. Paul Jerimy has an impressive certification roadmap available that highlights many of the most common certifications that are loosely categorized by area of expertise and level with links to information about the exams.
You can view his roadmap here
Certification vs. Certificate vs. Certificate of Completion
Something else to consider is the difference between a certification, certificate, and certificate of completion. They all sound similar but are very different. A certification is a professional credential typically achieved through the completion of an exam. Certifications often have continuing education requirements associated with them to maintain currency. Certificates generally are programs offered through institutions of higher learning after completing a prescribed set of coursework. These certificates can be stand-alone programs or programs that are part of a more extensive degree-granting program. Certificates rarely have continuing education requirements. A certificate of completion is precisely what it sounds like. It just documents that you attended a specific course and often has no validation of learning outside of basic attendance.
Ultimately, certifications should be done with a deliberate and measured methodology that aligns your skills with that of the requirements employers are requesting and provides a good return on your long-term investment.
For example, you might get a certificate of completion after finishing a CompTIA Security+ boot camp. That does not mean you have Security+, just that you have completed the course material offered by the educator for that exam. What about “stacking” certifications and certificates? These are becoming more and more common across a multitude of certification bodies and higher education organizations. The premise behind these types of achievements is that there can be several independent lines of training and validation that, if looked at together, demonstrate a broader, more robust body of knowledge and skill or develop a specialization within a larger field.
How Do You Keep Up?
One of the hardest things to do within the cybersecurity and IT fields is keeping up to date with all of the changes occurring on an almost minute-by-minute basis. Here are some ways to stay on top of the ever-evolving landscape.
Consider joining groups like InfraGard and your industry-specific ISAC groups. They specialize in sharing threat intelligence and trends. Additionally, subscribing to threat intelligence platforms that aggregate and analyze security-related information can provide even deeper datasets. While many of these platforms that offer insights into emerging threats, indicators of compromise, vulnerability disclosures, and attack trends are paid services, tons offer free content!
04 Blogs and Newsletters
Following blogs and newsletters of cybersecurity solution providers and vendors can provide deep insight into niche areas. They often share insights on the latest threats, best practices, threat intelligence and industry developments. Major cybersecurity companies like Cisco, Symantec, Unit 42, and Fortinet have informative blogs, webinars, and sponsor events covering a wide range of topics related to cybersecurity.
03 Industry Conferences
Industry conferences (international or regional), seminars, webinars, and workshops focused on cybersecurity can be a great way to get the newest technology. These events often feature presentations by subject matter experts, demonstrations of new technologies and discussions on the latest trends. Many conferences offer virtual attendance options, allowing you to participate remotely. Well-known cybersecurity conferences include Black Hat, RSA Conference, DEF CON, Innovate, and vendor-specific conferences.
02 Online Platforms
Online platforms like Reddit, LinkedIn, Mastodon, and Twitter have active cybersecurity communities that can provide real-time updates and discussions on emerging threats and trends. They often have insight into podcasts and local events to follow. Engaging in these communities can also help you network with experts in the field.
01 News Outlets
Identify reputable cybersecurity news outlets, blogs and websites that provide reliable and up-to-date information. Some great sources include Government Computer News, SecurityWeek, Dark Reading, KrebsOnSecurity, and The Hacker News.
The Value of Building a Mentor Support Network
All the tools, training, and certifications don’t matter if you don’t have a support network. Mentorship matters! Mentors come from all aspects of the sphere. Bosses, leaders, peers, and friends can all be mentors. The value of mentorship can not be understated:
Knowledge and Experience Sharing Mentors provide valuable insights and knowledge based on their own personal and professional experiences. They have already trekked down the road, and their guidance can help you navigate challenges, make informed decisions, and avoid common pitfalls. Sharing practical advice and lessons learned can save you time and effort in the process.
Networking Opportunities Mentors often have extensive networks and can introduce you to influential individuals in your field. These connections can open doors to new opportunities, such as internships, jobs, or collaborations. Through mentorship, you can tap into a broader professional network and expand your own circle of contacts.
Skill Development Mentors can help identify your strengths and areas for improvement. They can provide feedback, suggest resources, recommend training programs or even offer hands-on training opportunities. Having a mentor can accelerate your learning process and help you acquire the specific skills needed to succeed in your chosen field.
Expanded Perspectives Mentors often bring diverse perspectives and insights that can broaden your horizons. This highlights why having multiple mentors in different areas and different backgrounds is critical. Good mentors challenge your assumptions, introduce alternative ways of thinking, and expose you to different approaches or cultures. This exposure to new ideas can foster creativity, innovation and critical-thinking skills.
Career Guidance Mentors can offer guidance and advice on career planning and development. They can help you define your professional goals, explore various career paths, and strategize for long-term success. Mentors who are familiar with the industry can provide valuable insights into current trends, job market dynamics, and the skills in demand.
Emotional Support Mentors not only provide professional guidance but can also offer emotional support. They understand the challenges and frustrations that arise along the way and can provide a listening ear, empathy, and encouragement. Having someone who understands your journey, has “been there, done that,” and is there to provide guidance and support can make a significant difference.
Overall, 360-degree mentorship is crucial to the long-term success of any person in the field! Having mentors up and down the chain provides that context and feedback loop that make professionals grow and provide direction we wouldn’t see on our own.
Maintaining an Analyst Mindset at Every Level
Being a SOC star is unlike many other facets of IT or cybersecurity. IT is the science part of the field. There can be multiple ways to do the same thing, but it is all the bits and bytes.
Many other areas within cybersecurity are much the same way. Compliance is very binary; you either comply or you don’t. SOC is the art and magic of the field. Analysts are the ones who are the detective, the person looking for the anomaly in the matrix. They have to be inquisitive, collaborative, and most of all, they have to be able to think differently.
Tier 1: Entry Level
Cybersecurity and SOC, in particular, are not for the weak of heart or mind! It is a demanding role that requires the individual to be curious, driven, and laser-focused. This is not a 9-5 job in any respect. SOCs often run 24/7/365, and threats are constantly evolving, with new vulnerabilities and threat actors coming out daily. SOC analysts need to have a passion for security and be committed to nonstop learning, not just on the job, but committed to continuous lifelong learning. One of the biggest hurdles new analysts have to overcome is a fear of the volume of alerts, events, and logs. It can feel like a firehose! Time management is going to be your best friend. Most SOCs have multiple tiers, time limits before escalation, and playbooks for investigations. These are there to help and guide you. We all know how easy it is to go down the rabbit hole of an extra juicy investigation. The key is to be detailed, document everything with artifacts, and escalate appropriately.
Tier 2: Mid Level
Tier 2 analysts start diving deeper into those alerts that might “be something.” At this point, you really need to be honing your skills. You should be leveraging things like the MITRE ATT&CK and D3FEND frameworks and the Lockheed Martin Cyber Kill Chain to not only see the event that generated the alert but link back activities for lateral movement and exploitation as well as possible exfiltration. Your time management skills are going to be put to the test because you aren't just dealing with alerts; you are doing investigations, you are mentoring Tier 1s, and you are communicating escalations up to Tier 3–all while still focused on continuous learning to boot!
Tier 3 + Managers: Senior Level
You are THE expert! This is no time to rest on your laurels! You are now interacting with people external to the SOC, building soft skills. You are creating documentation and playbooks. You are writing reports that need to be understandable to both technical and non-technical stakeholders. Mentoring the team is one of your critical tasks. Identifying and cultivating talent, doing proactive threat hunting, and tuning your alerts; your job is to make your SOC better, faster, and more robust. You must build these management and leadership skills while still maintaining technical proficiency. Just as you mentor your team, make sure you have a mentor helping you!
An Eye on AI-powered Automation
AI-powered automation will revolutionize various industries, and the SOC will be no exception. It offers significant benefits in terms of improving efficiency, enhancing threat detection and response capabilities, and reducing the workload on security analysts. It won’t replace human analysts, but it will make their work look different and ultimately give them different, more exciting tasks with which to deal. Threat detection and response will be massively affected by the introduction of AI. AI will be able to process larger volumes of data faster, and bring the SOC even closer to near real-time monitoring. It will take the flood of false positives that Tier 1 analysts often have to sift through and do that first line of evaluation. This means that Tier 1s are going to get more time to do investigations on things that might actually be malicious and react far faster than the current breach detection and containment times. AI and automation will be the background noise filtering mechanism. AI is going to be able to leverage large data sets and look for anomalies in the behavior of users and devices that just wouldn’t be seen by a human because the volume of logs is just too large. AI will make establishing baselines and flagging deviations orders of magnitude more manageable and more accurate. The ability for AI to learn and then automate playbooks and even Security Orchestration, Automation, and Response (SOAR) will allow analysts at all levels to focus on the threats over building documentation.
These playbooks and automation will always need human eyes and minds to validate that it is accurate and necessary. The real value of AI and automation is that it makes your human capital more valuable since it does mundane low-value tasks, allows your personnel to focus on what is truly important, and allows for more strategic evolutions of service.
Adding Value to the Business
One of the most significant missed opportunities that cybersecurity professionals and SOCs, in particular, miss is demonstrating how they add value to the larger business. IT and cybersecurity are often seen as a cost center, just something you have to spend money on as part of doing business, and doesn’t really provide any return on the investment. Great professionals can take the “bits and bytes” and translate them into “dollars and cents.”
Compliance and regulatory requirements: It is rare that a business doesn’t have some type of regulatory or compliance requirement. GDPR, HIPAA, PCI-DSS, Insurance, SOC2, FedRAMP, or industry-specific standards. Compliance with these requirements enhances trust among customers, partners, and regulatory bodies. SOCs are critical to these evaluations as part of the more extensive cybersecurity program. The business value of these is often overlooked. Having specific compliances opens up the aperture of who your client base is and could even reduce your cybersecurity insurance premium. These are revenue-GENERATING activities!
Business impact: Business continuity planning is an area SOCs actively contribute to by identifying critical systems, assets, and processes. They assess vulnerabilities, implement security controls, and develop incident response playbooks tailored to the organization's specific needs. These measures help ensure that, in the event of a security incident, the organization can continue operating and minimize disruption to its core functions.
Using data for optimization: Another area where SOCs can excel is by using data to identify optimization points. Seeing where the network traffic goes, how it flows, and what legacy systems are there can drive continuous improvement. Conducting post-incident reviews, analyzing root causes, and implementing preventive measures are all value-added tasks. SOCs identify weaknesses, update security controls, and enhance incident response capabilities. This iterative approach helps the organization strengthen its defenses and minimize the potential for future disruptions and reputation damage.
Ultimately, when cyber professionals and SOCs show business value and align with the business goals, a fantastic winning scenario can be achieved where security is a business function, not just something that is also done.
Skills Needed to
Crush a SOC Role
What does that really mean? Let's talk about real examples:
[ How Do You Keep Up? ]
[ Maintaining an Analyst Mindset at Every Level ]
[ Adding Value to the Business ]
01 / 04
02 / 04
03 / 04
04 / 04
Home Lab
01 / 06
02 / 06
03 / 06
04 / 06
05 / 06
06 / 06
Tier 1: Entry Level Cybersecurity and SOC, in particular, are not for the weak of heart or mind! It is a demanding role that requires the individual to be curious, driven, and laser-focused. This is not a 9-5 job in any respect. SOCs often run 24/7/365, and threats are constantly evolving, with new vulnerabilities and threat actors coming out daily. SOC analysts need to have a passion for security and be committed to nonstop learning, not just on the job, but committed to continuous lifelong learning. One of the biggest hurdles new analysts have to overcome is a fear of the volume of alerts, events, and logs. It can feel like a firehose! Time management is going to be your best friend. Most SOCs have multiple tiers, time limits before escalation, and playbooks for investigations. These are there to help and guide you. We all know how easy it is to go down the rabbit hole of an extra juicy investigation. The key is to be detailed, document everything with artifacts, and escalate appropriately.
01 / 03
Tier 2: Mid Level Tier 2 analysts start diving deeper into those alerts that might “be something.” At this point, you really need to be honing your skills. You should be leveraging things like the MITRE ATT&CK and D3FEND frameworks and the Lockheed Martin Cyber Kill Chain to not only see the event that generated the alert but link back activities for lateral movement and exploitation as well as possible exfiltration. Your time management skills are going to be put to the test because you aren't just dealing with alerts; you are doing investigations, you are mentoring Tier 1s, and you are communicating escalations up to Tier 3–all while still focused on continuous learning to boot!
02 / 03
Tier 3+ Managers: Senior Level You are THE expert! This is no time to rest on your laurels! You are now interacting with people external to the SOC, building soft skills. You are creating documentation and playbooks. You are writing reports that need to be understandable to both technical and non-technical stakeholders. Mentoring the team is one of your critical tasks. Identifying and cultivating talent, doing proactive threat hunting, and tuning your alerts; your job is to make your SOC better, faster, and more robust. You must build these management and leadership skills while still maintaining technical proficiency. Just as you mentor your team, make sure you have a mentor helping you!
03 / 03
Advancing
Each student is personally mentored and contributes via an individualized professional development plan (e.g., data analysis, programming, statistical modeling). A team of five to eight students works on real-world campus security problems through a robust summer internship program. The focus is to improve campus security and daily operations, both academic and administrative.
Overarching daily Learning SOC analyst responsibilities include:
Many Learning SOC student staff first grew their skills at Cal Poly's California Cybersecurity Institute (CCI). At CCI, students focus on developing their cyber understanding and application management skills while working on educational programs, such as the game-based Space Grand Challenge cyber training platform. CCI helps address the serious workforce development problem and California's growing cybersecurity defense challenges. Students then take the knowledge gained from their hands-on experience at CCI and apply it to the demanding environment of the Learning SOC. The onslaught of security alerts is a huge part of the job. Flagging alerts include tricky false positives and anomalies that require human review and interaction.
Cal Poly’s Learning SOC is tasked with providing around-the-clock protection from cyberthreats, which is made possible by an analyst team of two to four students each quarter. “It’s the students who provide the first, tier-one incident response,” said Doug Lomsdalen, Chief Information Security Officer for Cal Poly.
Learn by Doing
A Day in the Life of a Learning SOC
Bill Britton
Website
[ Learn by Doing ]
[ A Day in the Life of a Learning SOC ]
[ Ready for Day One of Employment ]
Cybersecurity is a daily battle and one that is ever-changing. With large user populations and expansive attack opportunities, universities are prime targets for cybercriminals and malicious cyberactivity. There are tons of new academic programs emerging for cybersecurity every year, but the California Polytechnic State University (Cal Poly) in San Luis Obispo was designed to give students real hands-on experience with an on-campus Learning Security Operations Center (Learning SOC). The Cal Poly Information Security Office established the Learning SOC with a two-fold mission: protect the campus from cyberthreats and train the future cybersecurity workforce. Like most universities, Cal Poly’s cybersecurity landscape is truly complex, and the university’s cybersecurity posture is critical to all operations. The Learning SOC leads real-time incident response and drives ongoing security improvements to protect the university from cyberthreats. The Learning SOC provides real-world cybersecurity protection methodologies.
Student professional development is recognized via a structured Learning SOC analyst badging program achieved by meeting four defined core competencies: security incident and event management; process and procedures; monitoring and alerting; and collaborate, communicate, and critical thinking.
Monitoring and analyzing the network traffic of Cal Poly community members for malicious activity.
Responding to emails and phone calls from Cal Poly community members regarding MS-ISAC/EI-ISAC notifications and any cyber incidents they may be experiencing.
Adding, removing, or updating IP addresses and domains provided by members interested in passive monitoring services.
Collaborating with the Intelligence team and the Computer Emergency Response team to ensure awareness of any cyber trends that could impact Cal Poly community members.
Monitoring open-source resources for nefarious postings that include any data from Cal Poly community members.
Cal Poly thwarts more than 1 million threats each day and takes less than five minutes to respond to incidents thanks to programmatic alerts that provide 24/7 visibility. Security monitoring and data-driven decisions are paramount and drive how the Learning SOC operates.
Ready for Day One of Employment
The Learning SOC prepares students to be ready on day one for employment in a rapidly changing cybersecurity industry. The skills required to work as an analyst in a SOC are demanding, and attention to detail is significant. SOC teams detect and respond to cybersecurity threats and vulnerabilities, and many concepts are needed to be an effective SOC analyst: host-based analysis, security policies and procedures, security monitoring, and information security research.
The Cal Poly Learning SOC works with state-of-the-art security tools. Students receive formal SIEM training, and then develop Cal Poly-specific modules to help secure the Cal Poly ecosystem. Other tools used in academia may include industry partnerships, academic research, collaborations with professional associations, industry certifications, and the campus cybersecurity curriculum.
With unparalleled training resources and tools, universities are uniquely positioned to stay ahead of the evolving cyberthreat landscape. Along with preparing students for a career in cybersecurity, a Learning SOC model fosters cyber resilience in academic institutions and enables continuous service to campus, despite cyberattacks.
Cybersecurity and
Career-Readiness in
Academic Institutions
Break into
The cybersecurity industry is a mile wide and there are many different sectors to choose from. It can get especially overwhelming if you are just starting out. Deciding what career path to take can often be half the battle.
David Meece
[ Step 1 ] [ Step 2 ] [ Step 3 ] [ Step 4 ]
By Dave Meece
Whether you are just starting out in your career or making the shift to cybersecurity, it can be intimidating to know how to start and where to direct your energy. Professional social networks such as LinkedIn provide a global career platform at your fingertips and endless resources to help. They can be such great resources for helping you with your career path. But how can you maximize your effort and ultimately land your first SOC job? This chapter provides actionable tips for aspiring analysts on how to leverage platforms like LinkedIn to start or progress their careers. I also include some tips on interviewing and a fun challenge to join to help you grow your network.
Step 1
Choose a Focus
How should you think about choosing your path? I typically advise recent graduates to find a focus and really dig in and learn as much as possible about one area of cybersecurity. For example, you could decide on jobs that fall under defensive (blue team), offensive (red team), or GRC (governance risk and compliance). Blue team roles are the defensive teams within an organization. These include roles that require incident response and monitoring. Red team roles simulate adversaries and work on ways to exploit an organization's weaknesses so that it can guide higher-level security measures and strategies. Both red and blue teams typically work in a SOC or similarly named team that focuses on security operations. GRC roles usually sit on a different team besides the SOC and focus on things like vendor assessment and larger corporate security strategies.
Step 2
Identify Companies You Want to Work For
Once you have a general area of focus, pick three to five companies you would want to work at. Search the company on LinkedIn and then find people who work at those companies or who have your dream position.
From there, reach out to folks and simply ask for a 15-minute virtual coffee chat to learn about their position. By doing this, you can pick their brains about day-to-day tasks that their positions entail. This allows you to get a bird’s-eye view of what a SOC analyst at a given company does each day. Depending on your resources, paying for LinkedIn Premium will help you message more people. There is often a free trial available so you can see if this feature makes sense for you to keep long-term. You should come away from these conversations with a better understanding of the types of tools and soft skills needed to succeed in this type of position. Also, be sure to find out what they like and dislike about the job. This will help make an informed decision on which type of career you want to pursue. Personally, I have had great success by reaching out and asking for 15-minute virtual coffee chats. The questions I mentioned are very open-ended and typically get interesting responses or provide new ways of thinking about roles and development.
Step 3
Reach Out Directly to Hiring Managers and Recruiters
While you are reaching out to people with jobs that you want someday and building your network, you will also likely be applying to jobs as well. Another great way to leverage LinkedIn during an active job search is to reach out directly to hiring managers and recruiters to gain more information and details about the position. If you have any mutual connections, even better, as you can ask for an intro. Try to keep perspective on the reality of applying to jobs and don’t let a lack of responses discourage you. Oftentimes, job titles aren’t accurate, or they were not written in the best possible way to attract the right candidates. By reaching straight out to folks, you can make sure of the exact job requirements. This will help you prepare for the interview and give you an advantage over other candidates.
Step 4
Post Regularly
Think of LinkedIn as more than just a place to look for jobs and more of a forum to share advice or learnings that could help the larger community. Aim to post a few times a week about any learnings you have made or advice you can give based on interviewing experiences. You can also share interesting articles and provide your point of view. Ask a question in your post that will drive engagement and reach. Consistent posting shows hiring managers you are dedicated to self-learning, and posting each day gives you more visibility on LinkedIn for hiring managers and recruiters to find you. And don’t forget to respond and engage with other people's posts as well. This will help your profile get more exposure.
Rule #1 Write a post on your LinkedIn page every day for 100 days. For instance, this could be a new threat intelligence tool you learned about or something from an article or book you read.
Bonus: Join the 100-Day Cybersecurity Challenge
If you are interested in becoming a SOC analyst, pentester, cybersecurity analyst, or simply would like to advance your career, please check out my 100-day cybersecurity challenge: #cybertechdave100daysofcyberchallenge
I mostly designed this challenge for folks who are looking for their first position to break into the industry. However, it’s great for all levels of professionals to brush up on their skills. It doesn’t matter if you have zero years of experience or 20 years in the field, ALL levels are welcome to participate. The challenge helps folks get out of their comfort zone and get more exposure to recruiters and hiring managers.
There are only three simple rules for the challenge:
Rule #2 Be sure to include my hashtag #cybertechdave100daysofcyberchallenge inside each post you make on LinkedIn.
Rule #3 Tell a friend in your network about the 100-day challenge and see if they would like to join the challenge with you.
If you have any questions, do not hesitate to inbox me on LinkedIn. I’m a teacher at heart and want to see you succeed! I’m always open to new connections. Thanks!
– David (@CyberTechDave)
Cybersecurity by
Leveraging LinkedIn
Identify the Companies You Want to Work For
Reach Out Directly to Hiring Managers
Navigating
Deidre Diamond
Deidre Diamond, founder and CEO of CyberSN, transformed the cybersecurity job search and hiring process by launching a deepjobs matching platform and standardizing all cybersecurity job functions into a common taxonomy of 45 roles. Deidre also founded SecureDiversity.org and the Day of Shecurity conference to help promote diversity in cybersecuriDeidre has more than 29 years of experience in technology and staffing, leading teams at Rapid7 and Motion Recruitment. She received the Top 25 Women in Cybersecurity award by Cyber Defense Magazine and is a sought-after speaker who inspires individuals to join the cybersecurity industry while driving change in the industry.
SecureDiversity.org
Breaking into Cybersecurity by Leveraging LinkedIn
In the rapidly evolving landscape of cybersecurity, the role of a SOC analyst serves as the foundation for many security professionals. SOC analysts play a crucial role in identifying and mitigating cyberthreats as well as ensuring the safety of organizational systems and data. In the past year alone, an average of 63,000 SOC analyst roles were posted on CyberSN in the United States, highlighting the high demand for professionals in this field. After all, analysts are the lifeline of our cybersecurity talent ecosystem. They’re relied on to find anomalies and follow suspicious trails of activity. These professionals, like all cybersecurity professionals, need to be treated like emergency healthcare professionals and be given ample time to rest between shifts. The more we know about what these professionals do, the more we can help them. Whether you’re a current or prospective SOC analyst, here are the ins and outs of navigating your career in cybersecurity.
Unveiling Salary, Responsibilities, and Essential Tools
The average salary for SOC analysts with two or more years of experience is $124,150 and ranges from $110,000 to $138,300 per year.
A SOC analyst is responsible for enhancing their organization's cybersecurity posture by monitoring and responding to threats and implementing or enhancing security solutions, such as firewalls, endpoint security tools, and security event monitoring. To effectively handle high volumes of events and ensure thorough examination of potential incidents, SOC analysts often operate at different levels based on their experience. For example, a SOC I analyst may focus on monitoring an endpoint detection and response (EDR) solution for malicious activity and subsequently escalate potential incidents to a SOC II analyst for further investigation, response, or remediation. SOC analysts have expertise in cyberattack methods, cloud or network-based services, operating systems, malware, and incident response. The tools of a SOC analyst can vary but typically include anti-virus software, EDR solutions, threat intel platforms, firewalls, security information and event management (SIEM) solutions, and scripting languages.
Your Cybersecurity
Career as a SOC Analyst
A SOC analyst position offers excellent opportunities for career growth within the cybersecurity field. It serves as a valuable stepping stone toward various cybersecurity roles or can be a fulfilling career path on its own. To excel in this role, it’s crucial to possess a solid understanding of malware (how it works and how to identify it), networking, attack techniques, and normal operating system behavior. Being proficient in at least one programming/scripting language is ideal. Other skills that will help you in this role are reverse engineering, digital forensics, and penetration testing. The SOC analyst role encompasses a wide range of cybersecurity disciplines, making it an ideal starting point for individuals who are uncertain about their desired career path within the field. It provides an opportunity to gain exposure to different areas before specializing in a particular domain. SOC analysts often transition into other areas, such as incident response, digital forensics, threat hunting, risk/compliance, engineering, and many more, as they progress in their cybersecurity career.
Career Path Options and Growth Opportunities
[ Unveiling Salary, Responsibilities, and Essential Tools ] [ Career Path Options and Growth Opportunities ] [ Finding the Right Role ]
• Cloud Security Analyst • Cyberdefense Analyst • Cyberfusion Analyst • Cybernetwork Defense Analyst • Cyber Risk Defense Analyst • Cybersecurity Analyst • Cybersecurity Operations Analyst • Cyberthreat Detection Analyst • Endpoint Analyst • Information Assurance Analyst • Information Security Analyst • Network Security Analyst • Purple Team Analyst • Security Analyst • Security Operations Monitoring Analyst • SIEM Analyst • Systems Security Analyst
SOC analysts may also be referred to as:
Career Path Options, SOC Analyst
To advance your career as a SOC analyst, it’s essential to actively explore the various career path options available and gain an understanding of the responsibilities associated with each path. By doing so, you can make informed decisions about your professional development and choose the most suitable paths to pursue within the dynamic field of cybersecurity.
SOC Analyst
Cyber security Specialist
Cloud Security Engineer
Cyber Insider Threat Analyst
Cyber security Lead
Security Engineer
Privacy Analyst
Cybersecurity Forensic Engineer
Threat Hunter
Red Teamer
Cyber Risk Analyst
Governance & Compliance Analyst
Vulnerability/ Threat Management Analyst
Identity and Access Management (IAM) Engineer
Cyber security Administrator
Incident Responder
Reverse Engineer/ Malware Analyst
Hover over the circles to learn more about each role
governance & compliance analyst Governance and compliance analysts ensure that an organization’s operations and procedures meet government and industry compliance standards. They research regulations and policies on behalf of the organization, communicate the necessary requirements, apply for certifications, and serve as a subject matter expert on all compliance-related matters.
Current Role
Feeder Role
Next Role
privacy analyst A privacy analyst manages the legal and operational risks around sensitive and critical information assets by assessing business operations on a continual basis, developing the right policies, procedures, and training programs, and overseeing all data agreements. Privacy analysts can focus on the general operations of a business or on privacy as it relates to specific projects.
vulnerability/threat management analyst Vulnerability/threat management analysts are responsible for maintaining all vulnerability or threat management solutions, ensuring all assets and systems are scanned for vulnerabilities regularly. They then need to bring any findings to the attention of the business while working within the cybersecurity department to prioritize and remediate threats.
cyber insider threat analyst Cyber insider threat analysts are responsible for collecting and assessing potential threats from within an organization, whether they’re from employees, business partners, or third-party vendors. They analyze these threats, identify trends and patterns in threat data, and search for policy violations before disseminating and presenting their findings to key stakeholders.
reverse engineer/malware analyst Reverse Engineers, also known as malware analysts, use decompiling, disassembling, and deobfuscating to gain a deeper understanding of how and what a malicious software operates. They identify, examine, and work to understand various forms of malicious software, such as adware, bots, rootkits, spyware, ransomware, Trojan horses, viruses, worms, and much more.
cyber risk analyst The cyber risk analyst supports the analysis, classification, and response to cybersecurity risks within an organization. They address cybersecurity risk and analyze the potential business and customer risk, aligning processes and controls to relevant frameworks and internal systems. The cyber risk analyst also works to identify areas of concern for their specific organization, supporting resolution and mitigation by providing advice and recommendations.
threat hunter A cybersecurity threat hunter is responsible for detecting and identifying highly advanced cyberthreats that cannot be detected by automatic or programmatic solutions. They search for and track hidden threats before they attack rather than addressing incidents that have already happened, like the incident response team. These threats can be posed by insiders, such as employees, or outsiders, like organized crime groups.
incident responder Incident responders protect and improve an organization’s security by addressing and managing the activities to recover from a cybersecurity event. The incident responder makes an assessment on threat severity, conducts investigations, and works to contain, eradicate, and recover from threats.
red teamer A red team assessment is far more targeted than penetration testing. Red team assessments are employed to rigorously test an organization’s detection and response capabilities. A red teamer's responsibility is not to find as many vulnerabilities as possible but to access sensitive information that achieves their unique goal. They do this by acting as swiftly and quietly as possible, emulating a malicious actor.
identity and access management (iam) engineer Access management services encompass all the tools that a user has access to within a company’s IT infrastructure. IAM Engineers implement and continuously optimize identity and access management services in line with evolving technologies and security regulations. They are responsible for designing, implementing, and maintaining IAM technologies to ensure audit and privacy compliance, driving automation wherever possible. IAM Engineers also assist with resolving any security issues related to IAM operations.
security engineer Security Engineers develop and maintain the systems that keep sensitive data safe from breaches and leaks. These professionals play a pivotal role in protecting an organization’s data, reputation, and finances by working with penetration testers, security analysts, and technology managers to secure data as well as installing firewalls and other breach detection systems.
cybersecurity forensic engineer A cybersecurity forensic engineer is part of the cybersecurity and investigation teams, responsible for acquiring and analyzing information and applying advanced analysis skills to support or contest cyberevent timelines. They often work to recover hidden, encrypted, or deleted information to safeguard the integrity of data.
cloud security engineer Cloud security engineers are responsible for the secure operations of cloud infrastructure, platforms, and software, including the installation, maintenance, and improvement of cloud computing environments. They also help develop new designs and security strategies across cloud-based applications, including the infrastructure, platform, and software supporting them.
cybersecurity lead The cybersecurity lead heads up the cybersecurity team or a specific department within the cybersecurity team. They are responsible for ensuring that teams are working toward the right goals efficiently. Cybersecurity leads oversee the delivery of services, manage relationships, and take control of any issues in their department or specialism.
Finding the Right Role
To facilitate your own career journey, we invite you to join our cybersecurity talent network on CyberSN.com. By creating an anonymous profile and matching you to roles based on your experience and skill set rather than your job title, you can gain access to a wide range of opportunities that align with your aspirations.
You Are Here
Take the next step toward your professional growth and unlock exciting opportunities in the cybersecurity field.
cybersecurity specialist Cybersecurity specialists are often an entry-level job that will vary depending on company size. Generally, cybersecurity specialists are responsible for helping protect the organization's network and data.
cybersecurity administrator Cybersecurity administrators typically work as part of a team to cover all the digital security needs of an organization. The role varies with the size and nature of the organization, but in general, security administrators ensure the safety of the organization's data.
• Information Assurance Analyst • Information Security Analyst • Network Security Analyst • Purple Team Analyst • Security Analyst • Security Operations Monitoring Analyst • SIEM Analyst • Systems Security Analyst
• Cloud Security Analyst • Cyberdefense Analyst • Cyberfusion Analyst • Cybernetwork Defense Analyst • Cyber Risk Defense Analyst • Cybersecurity Analyst • Cybersecurity Operations Analyst • Cyberthreat Detection Analyst • Endpoint Analyst
SecurityDiversity.org
Becoming a
Chaz Lever
Chaz Lever is a security researcher with over a decade of experience. He is currently the Senior Director of Security Research at Devo. He received his B.S. in computer science from Duke University, M.S. in computer science from Wake Forest University, and PhD in computer science from the Georgia Institute of Technology. Dr. Lever's research has focused on large scale measurements and data analysis with a focus on network security applications, and his work has appeared at numerous top academic and industry security conferences. Beyond his academic work, Dr. Lever also has industry experience developing scalable, data-centric applications in the business intelligence, financial services, and government spaces. At Devo, his team is focused on building out modern, next generation security solutions leveraging big data and data science.
[ What Exactly Is a Security Researcher? ] [ Do You Need an Engineering or Advanced Degree to Become a Security Researcher? ]
The role of a security researcher is ever-evolving, requiring individuals to stay up-to-date with the latest threats and technologies. Researchers often need to think outside the box to develop new solutions for cyber defense. Whether you are coming from an academic or non-academic background, this chapter will break down the experience, background, and skills you will need to launch a security research career.
Question 1
What Exactly Is a Security Researcher?
A security researcher is someone who loves diving deep into the world of cybersecurity. They have a curious and analytical mind–and are always on the lookout for vulnerabilities and potential risks in various systems and technologies. These researchers possess a wide range of technical skills and knowledge, from understanding networks and operating systems to programming and cryptography.
Security researchers spend their time investigating, experimenting, and analyzing to uncover security flaws and develop ways to mitigate them. Whether working independently or as part of a team, security researchers stay up-to-date with the latest trends and emerging threats to keep their knowledge sharp and their defenses strong. Ultimately, their goal is to help make the digital world a safer place by contributing to the development of secure systems and protecting against potential security breaches.
The best way to break into any industry is to put yourself out there and try to connect with community members and groups. Start by subscribing to newsletters, reading blogs, industry reports, and papers. Taking advantage of conferences is another great way to network and forge community relationships.
Security Researcher:
5 Questions Answered
How Can I Get Started in Security Research?
What Traits Make for a Strong Security Researcher?
These types of people love diving into systems, networks, and technologies, uncovering vulnerabilities, and discovering new attack methods. Problem solving is their superpower—they excel at identifying security issues, analyzing complex problems, and coming up with innovative solutions to protect against risks. With a solid technical background in networking, operating systems, programming languages, and security tools, they're always on top of the latest technologies and emerging threats. Persistence is their middle name—they never give up when faced with challenging security puzzles and are willing to dedicate long hours to find the answers. They also believe in lifelong learning, stay up-to-date with industry trends, often read research papers, and attend security conferences to continuously enhance their knowledge and skills.
[ How Can I Get Started in Security Research? ] [ What Traits Make for a Strong Security Researcher? ]
[ What Types of Work Do Research Teams Do? ]
The short answer is no. Security roles vary, and while many researchers have obtained advanced degrees, this is not a prerequisite. How much engineering you will need to know will vary depending on the role as research is a mixture of both practice and theory. An advanced degree in security and research is almost like an apprenticeship instead of a traditional educational academia environment. With that said, obtaining an advanced degree often comes with resources that allow you to carry out experiments and studies that you might not be able to do on your own or in another environment. Whether or not you are taking a formal education route or not, there is space and opportunity for those interested in research roles.
Every path to research will look a little different. I personally came to research from the academic route.
I was working on a Ph.D. in an applied degree. Once I completed the Ph.D. I started working as a director position within the university. After a few years, I stepped into more industry roles where today I now lead Devo’s SciSec team – the research arm of the product organization.
But there are certainly many non-academic routes to research as well. Application developers or security engineers are more than qualified to step into the same types of roles as they develop similar skills in a corporate environment.
Do You Need an Engineering or Advanced Degree to Become a Security Researcher?
You can also learn about emerging topics on social media—whether it’s through forums or Twitter. This is also going to be a useful strategy for you once you are in a research role when trying to address problems: survey what the security community is doing and then come up with ways to tackle them at your company. The more practical solutions you can come up with, the better. Then get to work doing things to gain real world experience! Create a lab environment where you can experiment with various security tools and techniques. Set up virtual machines or a dedicated test network to practice different security scenarios without impacting live systems. Gain more practical experience by participating in Capture the Flag (CTF) competitions and online hacking challenges. These platforms provide real-world scenarios and puzzles for you to solve, honing your skills in vulnerability analysis and exploitation. Remember security is a practitioner’s domain and there’s no substitute for experience!
As a security researcher, you are breaking things and figuring out how to defend against vulnerabilities. A genuine curiosity in how things work and trying them out is going to be your greatest asset.
Other key traits of a good security researcher include:
Curiosity
Problem-solving skills
Technical aptitude
Persistence
Analytical thinking
Continuous learning
What Types of Work Do Research Teams Do?
Research teams are often working on some of the most fun (perhaps I’m biased) and noteworthy projects within an organization.
Hover over each card to learn more about each work area.
Incident response and threat intelligence
Analyzing security incidents, tracking threat actors, and developing techniques to detect, respond to, and mitigate threats. Work involves creating threat intelligence feeds, analyzing malware campaigns, and understanding adversary techniques.
User entity and behavior analytics (UEBA)
Behavior analytics interprets user behavior patterns to detect anomalies that may indicate security threats, such as insider threats or unauthorized access. Entity analytics examines the behavior and relationships of entities within a system or network, helping researchers identify abnormal or malicious activities. Both techniques use data analysis, machine learning, and statistical methods to enhance threat detection capabilities and strengthen overall security defenses.
Vulnerability research
Identify and analyze vulnerabilities in software, operating systems, networks, and applications. The goal is to discover previously unknown vulnerabilities and responsibly disclose them to vendors for patching.
Malware analysis
Analyze and dissect malicious software (malware) to understand its behavior, functionality, and propagation techniques. This includes reverse engineering, sandbox analysis, and identifying indicators of compromise (IOCs).
Cryptography and cryptanalysis
Study cryptographic algorithms, protocols, and systems to identify weaknesses and develop more secure solutions. Analyze encryption algorithms, cryptographic protocols, and cryptographic implementations for vulnerabilities.
Network security
Research network protocols, network devices, and their vulnerabilities. Focus on analyzing network infrastructure, firewalls, routers, and switches to discover weaknesses that could be exploited by attackers.
Social engineering and human factors
Study the human element in security, including social engineering techniques, phishing attacks, and user awareness and behavior. Analyze the psychology behind security breaches and develop strategies to mitigate human-related security risks.
The type of work could include:
As you embark on a potential security research career, leverage your community as much as possible and don’t feel like there is a only one “best” route to becoming a researcher. Drive and persistence pay dividends with any role!
Question 2
Question 3
Question 4
Question 5
Positioning
Kayla Williams
[ How to Start Distinguishing Yourself Early On ] [ The Skills and Abilities You Will Need to Grow ] [ What Does a SOC Director Do? ] [ What Does a CISO Do? ]
While working in a SOC can be a highly rewarding career, you may already be thinking about how it can set you up for a leadership role at some point. This chapter will focus on the portion of readers who are interested in the leadership tracks of the SOC–whether that means a SOC director or even a CISO. Before diving into the tips, I’d like to step back and talk about the importance of the SOC to other teams and companies as a whole. As you start to work in a leadership role, you will find yourself working with new teams and needing to connect the importance of the SOC to the larger organization priorities:
How to Start Distinguishing Yourself Early On
When you are early in your career, there will likely be lots of resources and learning opportunities available to you. Take every chance you can to learn more.
Demonstrate your desire to learn by taking training on other areas of the business that are offered by your organization. Retain evidence of this in either the LMS, in an email folder, or on your personal drive. This may mean completing courses on your own time, but it gives you insight into business goals, objectives, and the jargon used in other functional departments so you can learn to speak in terms they will understand and care about. Ask your leadership about company objectives when given the chance. Attend all-hands meetings and your own team’s all staff/all hands meetings to learn about what the executive team is focusing on and not focusing on, and the path the company is on (this can change often).
01 Regularly meeting with internal and external clients to ensure oversight of progress, quality, and overall client satisfaction.
If you would like to be a SOC director one day, it’s a good idea to understand what the job entails. While every company operates its SOC a bit differently, SOC directors are responsible for ensuring that company assets, technologies, and client data are protected. SOC directors strategize prevention, detection, and remediation responses to which the SOC analysts carry out.
Some of the mission-critical collaboration points for SOC directors include:
03 Maintain communication with peers throughout the organization to ensure security awareness.
Yourself for a SOC
Leadership Role
Brand and reputation protection: You may not think that the security and marketing organizations would be intertwined but the risk of a breach or any sort of security incident will reflect poorly on the brand and make marketing that much harder.
Research: Innovation at any company often comes from a research and development team but these teams can only work if they have a secure infrastructure.
Threat intelligence: The SOC helps keep critical assets secure and informs spending across multiple organizations.
Find free/low-cost training (there are a lot of options out there!) and add the course certificates/emails confirming completion to your personal drive. Then use them as evidence during your next performance review. Check out Josh Copeland’s chapter on how to be a SOC star for a long list of free training platforms!
As you start to take on more responsibility in your role, you will be evaluated on your ability to learn on the job and also manage people at the same time. Managing people doesn’t just happen with direct reports–your own manager and stakeholders all require a certain management style as well. The sooner you learn how to best communicate and work with all these groups, the sooner you can start to distinguish yourself as a future leader. Take leadership training courses that your company offers or find free courses and maintain evidence. Provide an email summary/synopsis to your team on what you’ve learned, how it applies to their roles, and links to the course(s). You can also ask your leadership if human resources has established a path to promotion for the different levels in the organization. Ensure you are on track to complete the must-have items.
The Skills and Abilities You Will Need to Grow
If you are a reader, read leadership books, magazines, and articles. Provide an email summary/synopsis to your team on what you’ve learned, how it's relevant, and links to articles or books. Communicating and sharing knowledge not only demonstrates your acumen but can also inspire others, which is a key trait of a leader.
As you gain more experience, you may start to look for or be promoted into a SOC manager role. This is a transition role that will set you up for future leadership roles (SOC director or CISO). SOC managers usually manage a team of analysts for a particular shift or specialty team, but are often expected to monitor threats themselves.
02 Collaborating with stakeholders in IT, engineering, cloud operations, project management, and finance to align on security operations standards.
What Does a SOC Director Do?
There is more responsibility on a SOC director to lead a team of security, threat, and vulnerability analysts, as well as threat hunters. While operations will make up the majority of the role, SOC directors are also expected to establish ongoing education and training programs for SOC team members. Defining and helping your team track personal and team KPIs are also large parts of the role as well. One of the challenges of a SOC director is balancing these operational and interpersonal priorities to ensure a happy and effective SOC team. As with anything, experience helps, but keeping perspective and an eye on the wellness of your team will help set you up for success.
What Does a CISO Do?
The biggest difference between a SOC director and a CISO is that the SOC director is an operational role, while a CISO is a strategic executive role.
If you want to be a CISO one day, it’s important to start learning and understanding all aspects of the business as soon as possible. Many other functional leaders do not understand all the technical terminology used with IT and security, so you will also have to think about how you communicate the objectives and priorities around security with people who don’t live and breathe it every day. This is something that will take time and experience no matter what, so give yourself time to practice this with colleagues you have relationships with. One of the most critical skills of a CISO is risk management and decision-making. Understanding what risk is, how to rate it according to your company’s situation, how to follow up on it, and how to report it to executive leadership is critical to success as a CISO. (See Chapter 9 for even more in-depth commentary on risk and decision-making.) Certificates at the CISO level don’t really matter, but getting some along the way is important to progress to the next step. You do not have to shell out $10k+ for an expensive onsite class. You can take the free and lower-cost self-study programs. By all means, if your company will reimburse or cover the costs of onsite training, go for it. The experience and networking is invaluable, but it is not the only way to get qualifications.
Working as a SOC analyst is a great launch pad for pursuing a leadership role in security as either a SOC director or CISO. If you have the motivation and desire, the cybersecurity world can be your oyster. SOC analysts live in the trenches and see the emerging threats as they happen. What better way to learn how to someday lead an organization's security strategy?
Balancing Your
Peter Coroneos
Cybermindz.org
[ The Cybermindz Mission ] [ Leveraging the iRest Protocol ] [ The Results ]
In the high-stakes world of SOC analytics, the pressure can often seem insurmountable. It is against this backdrop that Cybermindz.org, a dedicated nonprofit mental health initiative, brings a hopeful message that career choice and mental wellness need not be mutually exclusive. Since our inception in 2022, Cybermindz.org has set out to transform the narrative around mental health in the cyber field from one of despair to a tale of hope and resilience. Through our targeted mental health programs, we aim to turn the tide and bring relief to those on the front lines of cyber defense.
The Cybermindz Mission
Commitment to a mental health program can often have an immediate morale boost. The very anticipation of help inspires hope and reassures participants that their struggles are seen and understood. We often hear from leaders embarking on the program that their team is very excited to be starting the journey. Cyber teams grapple daily with an unending barrage of threats. With increasing scrutiny from regulatory bodies and an amplified media focus, the consequences of a significant breach have grown more daunting. This has only heightened the pressure on cyber defenders, leading to increased fears, unmanaged stress, and potential burnout.
We've received overwhelmingly positive feedback on our program's effectiveness, particularly for managing stress, improving cognitive recovery and aiding in burnout recovery. One New South Wales SOC team leader noted, "The program has had a great effect in my burnout recovery, I highly recommend it as a very good addition to the cyber defenders toolkit." We are grateful for the support from organizations like Devo, which has been instrumental in raising awareness that help is within reach, and mental health need not be compromised based on career choice. Through this partnership, we remind our community that help is at hand. As we continue our mission, our message remains clear and hopeful: to equip SOC analysts and other cyber professionals with the neural tools and training necessary to navigate their high-stress environment with resilience and clarity. At Cybermindz.org, we believe career choice and mental wellness can harmoniously coexist. We are committed to shielding our protectors, helping to build both psychological resilience and improve overall cyber resilience within organizations and society as a whole.
Career and Wellness:
A Hopeful Message
Recent studies have highlighted a troubling trend of burnout and increased resignation intent. As cyberthreats intensify, we risk losing critical professionals in a field already facing a skills shortage.
Leveraging the iRest Protocol
To counter this, Cybermindz.org launched a groundbreaking program, leveraging the Integrative Restoration or iRest protocol. iRest, while not specifically developed for the military, saw early implementation there and is now in use in over 70 Veteran Affairs facilities throughout the United States. Beyond the military, it has helped millions worldwide recover from and prevent anxiety, trauma, depression, insomnia, and manage stress.
This protocol guides participants into a state of calm, facilitating the release of stress and the emergence of a positive, mission-focused mindset. Over an eight-week period, we address industry-specific stressors—from detaching from work, managing overwhelming issues, and dealing with control loss, to tackling fear of failure and performance anxiety. The final step is integrating these tools and practices into daily routines, promoting sustained resilience. Our peer-informed programs foster trust and engagement, which are essential for acceptance within the cyber community. This industry-focused approach has helped create a sense of camaraderie and support, promoting the normalization of discussing mental health.
The Results
for the SOC Community
Our mission is born from the stories of hundreds of SOC analysts and cyber professionals. We've seen firsthand the emotional toll of an ever-evolving threat landscape. The most poignant cry we've heard is a plea for balance—a call for a world where maintaining mental health doesn't have to be the price paid for a career in cyber defense.
Cyber professionals are reaching their breaking point as attacks increase and new risks emerge, with many considering leaving their roles due to stress and burnout.
We invite you to join us in our mission or learn more about our work at Cybermindz.org
Let us bring back hope, balance, and resilience to the heart of cybersecurity.
Change, Challenges,
and Priorities
[ Dealing with Change and Challenges ] [ The Incongruence of Your Responsibility vs Ability ] [ Calculating Risk and Prioritizing ]
Pursuing a career in cybersecurity can be difficult and feel uncertain for many—an endless cycle of alerts, countless industry certifications to sift through, staffing shortages, and a lack of career development opportunities. As Chief Executive Officer at Devo, and a cybersecurity professional for 20+ years, I wanted to share the frameworks I’ve found most helpful throughout my career journey. None I’ve invented, but each sticks in my brain and altered for my usage in life. These frameworks can be helpful regardless of what industry you’re in or role you’re pursuing. I believe it’s a good way to level set and think about your career at a higher level.
Dealing with Change and Challenges
When it comes to cybersecurity, change is constant. You will face no shortage of new and ever-evolving cyberthreats, team and role changes, and organizational shifts. Learning how to adapt and respond is where you can set yourself apart and grow. Early in my career, I came across this diagram charting ‘The Emotional Cycle of Change’ created by psychologists Don Kelley and Daryl Connor. I made a few changes to it, but the model has proven quite useful.
This framework is great for when you start a new project or job. You will see a pattern and once you notice it you can ride it versus it riding you.
Optimistic
Pessimistic
Uninformed
Informed
Valley of Death
Emotional Cycle of Change
A My new boss/job is great!
Optimistic, Uninformed
We learn about a change—whether it’s an upcoming promotion, changing jobs, or tackling a new responsibility—and at first, we feel optimistic and excited about what’s to come. It’s energizing to think of how you can learn and grow. The trouble is that we are fundamentally uninformed about it. We don’t really know what our new realities will look like or what is required of us.
Stage 1
Change is uncomfortable and can be downright terrifying at times. It’s easy to forget that in order to grow as a professional, you have to endure discomfort and uncertainty. As you navigate big changes, especially early in your career, the best piece of advice I can leave you with is that things won’t be tough forever. And, over the course of your career the goal is to both flatten and compress this curve: can you reduce the highs and lows? Can you get through the change cycle faster?
The Incongruence of Your Responsibility vs Ability
By nature, your responsibility (as best represented by your job title) will not always match your skill level. Promotions can take months—or even years—to be awarded, leaving you frustrated and stagnant. Conversely, you might start a job you don’t feel qualified for, leaving you overwhelmed and plagued with impostor syndrome. I call this conundrum Career Skills vs. Level. Again, I’m sure I read about it years ago and it stuck in my head.
Here’s another diagram to help visualize the concept:
Scenarios
2: Help! I have imposter syndrome!
Likelihood
Impact
Impact x Likelihood =
Risk
Marc van Zadelhoff
Marc van Zadelhoff joined Devo as CEO in 2020. He has more than 20 years of experience in strategy, venture capital, business development and marketing in the cybersecurity space. A transformative technology leader, Marc thrives on building effective, high-performing cultures and driving continuous improvement in client service excellence. He’s helped oversee record growth, significant fundraising, and several acquisitions to help boost Devo’s market position. Previously, Marc was COO of LogMeIn, Inc., driving all go-to-market activities leading up to its $4.3B ‘take private’ sale. Before that, he was the co-founder and CEO/GM of IBM Security, a unit he helped to found and grow to more than $2.5B in software and services revenues.
Hover over each phase to learn more
Stage 2
Less Optimistic, More informed
As we settle into our new realities, we may start to realize that expectations are high and the job is more difficult than expected. We’re at the start of the learning curve, slowly grasping the challenges that lay ahead, and feeling uncertain if we can rise to the occasion. Maybe this is when you wonder, “What have I gotten myself into?”
Stage 3
Pessimistic, Informed
I call this stage The Valley of Death. The changes are happening in full force, and we haven’t yet developed the skills or knowledge to handle them confidently. You might be drowning in work, doubting your abilities, or regretting your decision to tackle new responsibilities. It feels like things will never get better.
Stage 4
Less Pessimistic, Informed
Things have gotten easier now. You’re still not great at your new tasks, but you’re learning. You’re creating new processes, talking to new people, and starting to adapt to your new reality. Maybe this is when you start to say, “I think I can handle this.”
Stage 5
Optimistic, Informed
You did it! You navigated the change. It might have been a tough few weeks or months, but now you have a new skill and perspective.
1: I'm bored! I'm ready!
3: I feel 100% fulfilled with my role.
There are three main dynamics that usually come into play:
"I'm ready! I'm Bored!"
In this scenario, you’ve been in the same role for a while. You feel competent in the job and are itching for a new challenge or promotion. This is a precarious place to be for both you and your organization. You might be frustrated with your organization’s recognition (or lack thereof) of your contributions and ability, leading you to seek a role elsewhere.
“Help! I have impostor syndrome!”
Whether you got a new job or received a promotion, there are times when you might not feel ready for the responsibilities of your job title. If this lasts forever among one of your team members, then they may have hit the Peter Principle (they were promoted one level above their competence).
“I feel 100% fulfilled with my role."
This is a great place to be as you are striking a great balance between confidence, competence, and satisfaction. Although it is a great feeling to be satisfied with your role, the more comfortable you get, the more likely you are to repeat the cycle and start to feel bored again.
Calculating Risk and Prioritizing
Cyberthreats are relentless, and it can be difficult to prioritize tasks when risk is coming from every direction. That’s why risk assessment and management are critical elements of working in cybersecurity.
To help focus on what matters most, I use the following equation:
Using this model, you can organize your risks into four main categories:
A) High Likelihood, High Impact: These are the most important risks to mitigate. If something is probably going to happen, and the consequences will be severe, it should be your first priority.
B) Low Likelihood, High Impact: These types of risks should be planned for, but if they’re extremely unlikely, they may not be the best place to focus your energy.
C) High Likelihood, Low Impact: If something is probably going to happen, but the fallout will be minimal, you should put preventative measures in place.
D) Low Likelihood, Low Impact: These are the risks that you can add to the end of your to-do list. As far as risk goes, they’re the lowest priority.
This framework was first developed by the United States Department of Defense, but I altered it slightly:
I find I even talk to my kids about this framework when they have worries. I ask them: what’s the chance it happens, really? What’s the real impact? Often it’s a 4! And then we discuss the third dimension not shown: can you even control it? If you cannot control it at all, even if it’s a 1, it may not be something you should be worrying about.
My middle daughter had a field trip to DC and was stressing she may get a terrible roommate in the hotel. We discussed:
A) It’s unlikely, she submitted two choice girlfriends B) If it’s not a “great” person, will that really ruin much? C) You have no more control over this now, stop worrying!
I hope these three frameworks are a helpful way to think about your career in cybersecurity—whether you are just starting out, working toward a promotion, or just looking for general career advice.
Despite the perks of this job, historically, our industry hasn’t done enough to adequately prepare people for satisfying, long-term careers in cybersecurity. That’s why I’m so thrilled this book came to fruition. Thank you to all of our contributors for conveying your passion for cybersecurity, and your eagerness to help aspiring SOC professionals find their footing. I sincerely hope that you find nuggets of wisdom from these pages and take it with you along your career journey.
B First meeting was tough. This will be hard
C Too hard. I can't do this.
D Ok, first I'll find my way.
E I think I've got this.
01 / 05
02 / 05
03 / 05
04 / 05
05 / 05
As many of our SOC Career Guide contributors have attested, cybersecurity is not always sunshine and rainbows. The job is hard. It can be incredibly challenging and stressful, and at times, feel like the weight of the world is on your shoulders. Though, after two decades in this industry, I can confidently tell you this: It’s worth it. In my experience, the best cybersecurity professionals recognize and love what makes this industry unique. In typical roles, you have two stakeholders in mind: your internal team and your customers. Cybersecurity introduces a third, equally important stakeholder: bad actors.
By design, everything you do revolves around outsmarting adversaries in order to keep your organization safe.
In simpler terms, your North Star is getting the bad guys. And how cool is that? The reward of successfully fending off bad actors makes everything long night, stressful alert, and threat hunting mission worth it.
A: My new boss/job is great! B: First meeting was tough. This will be hard.
C: Too hard. I can't do this. D: Ok, first I'll find my way.
E: I think I've got this.
