
SOC Analyst Job Description Template 2026


Last updated: May 9, 2026

SOC analysts in 2026 monitor IT environments for threats, investigate alerts, and contain incidents across a three-tier structure — with U.S. base pay from $58K (Tier 1) to $145K (Tier 3).

Below is a ready-to-adapt SOC analyst job description template, calibrated to the actual 2026 hiring market and the JD mistakes that quietly extend most cybersecurity searches by months.

Tom Kenaley here. KORE1 places cybersecurity analysts through our cybersecurity staffing practice, and the SOC analyst posting is one of the most consistently miscalibrated job descriptions in security hiring right now. Hiring managers understand the role. That part is usually fine. The failure happens earlier, in the translation from what they know to what ends up in the posting. A Tier 1 job with Tier 3 cert requirements. A 24/7 operation that doesn’t mention shift rotation until round two. A credential stack that would require 15 years to accumulate and costs the company the six candidates who actually had the skills to do the work. The template below is built around what actually closes.

KORE1 earns a fee when a search runs through our team. The template and framework below work whether you engage us or not.


What Is a SOC Analyst?

A SOC analyst monitors an organization’s network, endpoints, and cloud environment for security threats, investigates and validates alerts, and executes containment steps or escalates confirmed incidents according to established response playbooks. The three-tier structure of most security operations centers reflects increasing autonomy and compensation: Tier 1 handles initial alert triage, Tier 2 conducts deeper investigation and containment, and Tier 3 leads advanced threat hunting and incident response.

The role is not glamorous, particularly at Tier 1. It’s high-volume, repetitive work. Most alerts are false positives. The candidates who develop into strong Tier 2 and Tier 3 analysts are the ones who treat every alert as a real incident until the evidence says otherwise, not the ones who pattern-match to known benign events after the first month and start clicking through the queue on autopilot. That disposition doesn’t show up on a cert list. You find it in the behavioral interview.

The Bureau of Labor Statistics projects 32% employment growth for information security analysts through 2032, adding more than 56,000 annual job openings in the U.S., a growth rate nearly four times the average across all occupations during that period. The candidate supply has not kept pace. ISC2’s 2024 Cybersecurity Workforce Study put the global workforce gap at 4.8 million unfilled roles. The demand is real. The pool is tight. Which means your job description is doing active gatekeeping work before a single person applies. Good gatekeeping or bad, depending on how it’s written.

SOC Analyst Tiers: What Each Level Does

Tier confusion is the most common JD failure mode in security hiring, and the consequences run in both directions at once. When a Tier 1 posting reads like a Tier 2 role, you get two outcomes: qualified Tier 1 candidates self-screen out assuming the role is above them, and overqualified candidates apply, realize the mismatch quickly, and leave in eight months or negotiate to a comp band you didn’t budget for. The tiers are real. Write to the one you’re filling.

| Tier | Primary Work | Experience | 2026 Salary Range |
|---|---|---|---|
| Tier 1 (L1) | Alert triage, monitoring dashboards, documenting and escalating confirmed incidents | 0–2 years | $58,000–$75,000 |
| Tier 2 (L2) | Incident investigation, log correlation, malware triage, containment execution | 2–5 years | $80,000–$110,000 |
| Tier 3 (L3) | Threat hunting, advanced incident response, detection engineering, playbook development | 5+ years | $110,000–$145,000 |

Salary ranges compiled from Glassdoor, Built In, ZipRecruiter, and Salary.com across U.S. markets in 2025–2026. High-cost-of-living markets like San Francisco, Seattle, New York, and Washington D.C. typically run 20–35% above these figures. Cleared positions (DoD Secret or Top Secret) add $15,000 to $30,000 above the tier equivalent in most markets regardless of geography.

Before You Write the Posting: Three Decisions That Matter

Skip these and you’ll write a technically accurate posting that does not attract the right candidates.

Which tier are you actually filling? Not the aspirational tier. The real one. If the role reports to a senior analyst who handles complex investigations, you’re hiring Tier 1. If the person is expected to independently investigate confirmed incidents and write post-incident documentation, that’s Tier 2 work at minimum. Strong candidates know the difference, and the experienced ones who’ve been through a bait-and-switch before will back-channel to find out what the role actually is before committing time to an interview process. The posting is where that reputation starts.

The tooling question shapes the candidate pool more than most hiring managers expect. A Splunk-trained analyst doesn’t automatically transfer to Microsoft Sentinel on day one: same conceptual framework, but a different query language (SPL vs. KQL), a different detection rule structure, and a different alert tuning workflow, which adds up to a real productivity gap during the ramp that matters significantly if the team is already operating lean. If your SOC runs on CrowdStrike Falcon, QRadar, Palo Alto Cortex XSIAM, or Google Chronicle, name the platform in the posting. It helps candidates self-select honestly, and it’s a searchable term that surfaces your posting to people actively looking for that environment.

What is the shift structure? This is the question that kills the most SOC analyst offers. A candidate accepts the role expecting standard business hours. Week one, they learn about the rotating overnight and weekend schedule. We’ve seen this more than once. It’s rarely malicious. The hiring manager usually assumed it was obvious. But the damage to retention is immediate. If the role involves shift rotation, overnight coverage, or on-call obligations, put that in the job description. Candidates who can’t do nights will self-select out before you’ve spent a recruiter hour on them.

SOC Analyst Job Description Template

Written for a Tier 2 analyst at a corporate or MSSP SOC. For Tier 1, remove the independent investigation requirements and lower the experience floor. For Tier 3, add threat hunting and detection engineering responsibilities and drop the escalation language. The lines marked “Note:” are for your intake process, not part of the public posting.

Job Title: SOC Analyst – Tier 2 (Security Operations Center Analyst II)

Location: [City, State / Hybrid / Remote]
Employment Type: [Full-time / Contract / Contract-to-Hire]
Department: Information Security / Cybersecurity Operations
Reports To: SOC Manager / Director of Security Operations
Note: If this is an MSSP environment, clarify client portfolio scope and SLA expectations here.

About the Role

We’re looking for a SOC Analyst to own Tier 2 incident investigation within our security operations center. You’ll receive escalated alerts from Tier 1, conduct log analysis and malware triage, execute containment per established playbooks, and produce written post-incident documentation. This role works in [Splunk Enterprise Security / Microsoft Sentinel / CrowdStrike Falcon / IBM QRadar; use your actual platform name here]. If your tooling experience matters to you, it matters to us too.

Note: Name your actual SIEM and EDR. Generic “leading SIEM platform” language is a yellow flag to experienced candidates. It signals the JD was templated, not written by someone who knows the environment.

What You’ll Do

  • Investigate and validate escalated alerts using log correlation, endpoint telemetry, and packet analysis; determine scope and severity independently
  • Execute containment and eradication steps per documented incident response playbooks; escalate to Tier 3 when scope or authorization requires it
  • Conduct malware triage using sandbox analysis and behavioral indicators; document indicators of compromise for threat intelligence tracking
  • Write post-incident reports with timeline, root cause, affected systems, and remediation actions; adapt format for both technical and executive audiences where applicable
  • Tune detection rules and alert thresholds to reduce false positive volume; propose new detection logic based on observed threat patterns
  • Participate in tabletop exercises, red team debriefs, and process improvement efforts across the SOC team

What We’re Looking For

  • 2 or more years of hands-on SOC experience with demonstrated Tier 2 or equivalent investigation work, not just Tier 1 monitoring volume
  • Working proficiency in at least one enterprise SIEM in a production environment: Splunk, Microsoft Sentinel, IBM QRadar, CrowdStrike Falcon, or equivalent
  • Solid understanding of network protocols, log formats, and threat behavior across Windows, Linux, and AWS or Azure environments
  • Applied familiarity with the MITRE ATT&CK framework used in actual detection and triage, not only as a reference document
  • Experience triaging malware at the behavioral level: C2 communication patterns, persistence mechanisms, lateral movement artifacts

Preferred

  • CompTIA CySA+ or Security+, GIAC GCIA, GCIH, or equivalent applied certification demonstrating hands-on incident analysis skills
  • Scripting in Python or PowerShell for alert enrichment, log parsing, or triage automation
  • Prior MSSP experience managing alerts across multiple client environments simultaneously
  • Active DoD Secret or TS clearance where applicable to environment

Note: Do not require CISSP at Tier 2. It requires five years in two cybersecurity domains before you can sit the exam. Adding it to a Tier 2 posting screens out your best mid-level candidates and doesn’t make the role look more senior. It makes the JD look unresearched.

Schedule

[24/7 SOC: this role participates in rotating shifts including evenings, weekends, and holidays / Standard business hours with defined on-call rotation / Remote monitoring with documented response SLAs]

Note: This section is not optional. Specify the actual schedule. Post-offer surprises about shift obligations are the single largest source of first-year departures in SOC hiring.

Compensation

Base salary: $[low]–$[high]. We don’t negotiate off-cycle.

Note: California, Colorado, New York, Washington, and several other states now legally require salary range disclosure for most job postings. Post the range regardless. Candidates who don’t see a number assume the floor is what you’ll offer. The ones with market-rate options move on.


SOC Analyst Salary in 2026: Four Sources

Four aggregators, slightly different samples. That’s why the ranges don’t perfectly align. The variance is information worth keeping, not a discrepancy to average away. If you’re setting a comp band for this role, use the KORE1 salary benchmark assistant and filter by metro, clearance level, and tier before locking in the number.

| Source | Tier 1 (L1) | Tier 2 (L2) | Tier 3 (L3) |
|---|---|---|---|
| Glassdoor (2025) | $60K–$76K | $82K–$108K | $112K–$142K |
| Built In (2025) | $62K–$78K | $80K–$112K | $110K–$148K |
| ZipRecruiter (2025) | $58K–$74K | $78K–$105K | $108K–$138K |
| Salary.com (2025) | $61K–$78K | $83K–$110K | $113K–$145K |

A few notes worth keeping. Night-shift differentials vary widely across SOC environments. Some operations pay nothing extra for off-hours coverage while others add $5,000 to $8,000 annually, and the difference is often a negotiating point candidates raise directly when the base sits at the low end of the band. MSSP roles often run $5,000 to $10,000 lower than equivalent corporate SOC positions for the same tier, offset by the cross-environment exposure candidates gain. The Northern Virginia and D.C. corridor, Huntsville, and Colorado Springs see premiums driven by cleared-position demand that doesn’t apply in most commercial markets.

SOC Analyst JD Mistakes That Cost Searches

These are the patterns we see when a cybersecurity search goes sideways and the client can’t figure out why strong candidates aren’t applying.

Requiring CISSP at Tier 2. CISSP requires five years of paid work in two or more cybersecurity domains before you can even sit the exam. Adding it to a Tier 2 posting doesn’t make the role look senior. It makes the hiring manager look like they pulled the cert from a template without reading what it requires. Strong Tier 2 candidates who see it assume the role is actually Tier 3 with Tier 2 compensation. They move on.

The cert stack problem has a second version that’s almost as common: postings that list eight or ten certifications simultaneously (Security+, CySA+, CEH, OSCP, GCIA, GCIH, CISSP, and a few cloud certs for good measure). No candidate has all of these. The cert exists to signal demonstrated skill when work history alone can’t establish it. It’s a proxy credential, not a checklist, and listing 12 of them simultaneously signals that whoever wrote the JD was trying to sound comprehensive rather than actually defining what the role requires. Pick one or two that actually reflect what your environment does and make the rest genuinely preferred. We worked a search where the cert list had 14 items. The hiring manager thought it was thorough. Three of the four qualified candidates who applied said the list made them think the expectations were incoherent.

Vague tooling requirements compound both of the above. “Experience with industry-leading SIEM technology” is not useful to a candidate with three years on Splunk SPL who wants to know if their skills transfer before they spend an hour writing a cover letter for a role that might put them on a six-month ramp to basic productivity. Name the stack. CrowdStrike. Sentinel. QRadar. Cortex. Splunk ES. Named tooling also functions as a search term: candidates searching “Splunk SOC analyst” find your posting. Candidates searching “SIEM experience required” don’t.


What Good SOC Analyst Candidates Are Actually Evaluating

The strongest analysts in this market are not passively waiting, and they’re not applying to everything that looks remotely related to their experience. They’re selecting the three or four postings that look like they were written by someone who actually understands what the role involves. The 4.8 million global role gap means they have options. They evaluate postings the same way you evaluate candidates, and they’re faster about it. Most decisions about whether to apply happen in under 90 seconds.

Tooling is the first screen. A Tier 2 analyst with three years on Splunk wants to know if they’re walking into a Microsoft Sentinel environment with a four-month ramp or building on what they already know. That’s not laziness. That’s reasonable calibration of how long it takes to be productive and how long before boredom sets in. Tell them what they’re working with.

Career path is the second one. Good candidates at Tier 2 are thinking about what Tier 2 leads to. Is there a Tier 3 track? A threat hunting function? A path toward incident response leadership, red team involvement, or detection engineering? If your SOC has a structured development track, say so in the posting, because the analyst who is good enough to be competitive in this market is evaluating whether your organization will help them get better or just need them to stay where they are. The analyst who wants a Tier 3 path in 18 months and your SOC doesn’t have one will leave in 18 months. Better to know that during screening than after a year of training.

Shift disclosure matters here too. $95,000 for a 9-to-5 Tier 2 role is a different job than $95,000 for a rotating overnight position. Candidates who have done night-shift SOC work have a considered opinion about it. Tell them the real schedule, and the candidates who accept have made an informed decision to be there, which is the version of the hire who shows up for the overnight shift in month three without resentment building underneath it.

Questions That Come Up in Every SOC Analyst Search

Do SOC Analyst Roles Require a College Degree?

Not in most cases, and requiring one shrinks your pool significantly in a market where the supply-demand gap is already severe. Many of the strongest Tier 1 and Tier 2 analysts our cybersecurity practice has placed came up through military service, community college programs, or self-directed study with certifications as the credentialing mechanism. Write requirements around what the job actually needs (hands-on triage experience, SIEM proficiency, log analysis fluency) and the degree question resolves itself in the screening process, usually in favor of the candidate who doesn’t have a diploma but has three years of real alert investigation behind them.

Realistically, How Fast Can a SOC Analyst Search Close?

Tier 1 searches typically close in 3 to 4 weeks when the compensation is market-rate and the posting is honest about shift requirements. Tier 2 takes 4 to 6 weeks in most U.S. markets. Tier 3 is a different problem entirely. The pool of analysts with 5-plus years of hands-on investigation experience who are actively looking is thin in every geography. Searches for cleared positions add 2 to 3 weeks minimum regardless of tier due to the verification steps involved.

Should Shift Rotation Appear in the Posting Even if Days Are the Most Common Shift?

Always disclose the full schedule exposure, even when rotation is infrequent. The analyst who reads the posting, understands that occasional overnight rotation is part of the role, and accepts the offer with full information is the one who shows up for the 2 a.m. alert without resentment building underneath it because they made an eyes-open choice. The analyst who accepts without knowing and discovers overnight obligations later is the one who starts quietly interviewing within six months. Transparency in the posting costs nothing.

C2H for SOC Analysts: Does It Actually Work?

It works well, particularly for Tier 1 and early Tier 2. Contract-to-hire works in SOC hiring because the role has a skills-demonstration component that’s difficult to evaluate fully in an interview. You really want to see how someone handles actual alert volume before making a permanent commitment. A 90-day contract-to-hire period gives both sides a real evaluation window where the analyst is handling live alerts under actual volume conditions rather than performing for a panel interview, which is a fundamentally different signal about whether the fit is real. The conversion rate from C2H in our cybersecurity practice is around 78%. More on the mechanics at KORE1 contract staffing.

What’s Realistic for a Cleared SOC Analyst Search Timeline?

Count on 6 to 10 weeks for Secret-cleared candidates who are actively searching. TS/SCI-cleared SOC analysts represent a smaller active pool. Don’t plan on under 8 weeks for Top Secret regardless of market conditions. Clearance holders weigh mission, location, and compensation differently from the commercial market. Northern Virginia, the D.C. corridor, Huntsville, and Colorado Springs see faster cleared fills than most other geographies. Cleared remote roles tend to take longer because the competition for those candidates is genuinely national.

Do We Need to Post a Salary Range?

California, Colorado, New York, Washington, and a growing list of states now require salary range disclosure by law for most job postings, so if your company operates in those markets, you’re posting a range whether you want to or not. Practically, you should post it everywhere regardless of legal requirement. Candidates who don’t see a range assume the floor is the number you’ll offer, and the ones with competitive options skip the process. Post the range. Attract candidates who fit it. Filter the others before you’ve spent recruiting hours on them.

If your SOC analyst search is more complicated than this template covers (cleared positions, MSSP environments, Tier 3 threat hunting roles, or multi-geography deployments), reach out to our cybersecurity recruiting team. KORE1 has placed SOC analysts across Tier 1 through Tier 3 in corporate security teams, MSSPs, and cleared environments across 30-plus U.S. metros. We can typically tell you within 24 hours whether a search is feasible at your target comp band and timeline. For IT staffing needs beyond cybersecurity, our broader IT staffing services cover the full technology practice.
