1.2 Analyst Tiers and Role Definitions

8-10 hours · Module 1 · Free

Introduction

The tiered analyst model assigns responsibilities based on experience, skill level, and decision authority. It is not a rigid hierarchy — it is a framework that ensures the right work goes to the right person. T1 analysts handle the highest-volume work (alert triage). T2 analysts handle the highest-complexity work (investigation and containment). T3 analysts handle the highest-impact work (threat hunting, detection engineering, and incident leadership).

Every playbook in Module S7 references analyst tiers in its response actions: “T1 analyst, within 15 minutes” and “T2 analyst, within 1 hour.” These references only work if the tiers are defined and the analysts know which tier they operate in.


Tier 1: Alert Triage and Initial Response

Primary responsibility: Monitor the alert queue, perform initial triage on every alert, classify and close false positives, and escalate potential true positives to T2.

Core skills:

  • Navigate the Sentinel incident queue and Defender XDR portal
  • Read alert details and extract key entities (user, IP, device, timestamp)
  • Run pre-written KQL queries (from playbook triage phases) and interpret results
  • Classify alerts using the categories from Module S2 (true positive, false positive, benign positive)
  • Follow playbook triage steps without deviation
  • Communicate clearly when escalating — what the alert shows, what was checked, what was found

Decision authority:

  • Close alerts classified as false positive or benign positive (with documented reasoning)
  • Execute low-blast-radius containment actions pre-authorized by the playbook (token revocation in some organizations)
  • Escalate to T2 when triage indicates a potential true positive or when the playbook directs escalation

What T1 does NOT do:

  • Modify detection rules or analytics rules
  • Execute high-blast-radius containment (account disablement, device isolation) without T2/manager approval
  • Make regulatory notification decisions
  • Communicate externally about incidents

Typical experience: 0–2 years in security operations. May come from IT helpdesk, network operations, or recent cybersecurity education. Becomes effective within 2–4 weeks with playbook training and shadowing.


Tier 2: Investigation and Containment

Primary responsibility: Investigate escalated alerts to determine scope and impact. Execute containment actions. Lead the technical response for most incidents. Produce the investigation log and technical timeline.

Core skills:

  • Write and adapt KQL queries for novel investigation scenarios (not just pre-written queries)
  • Trace attack chains across multiple log sources (SigninLogs + OfficeActivity + AuditLogs + EmailEvents)
  • Make containment decisions: select proportional actions based on the containment framework (Module S7, subsection 7.3)
  • Identify persistence mechanisms and verify complete removal
  • Document investigations in real time using the investigation log format (Module S8, subsection 8.1)
  • Brief T1 analysts on new threat patterns and investigation techniques

Decision authority:

  • Execute containment actions within the approval matrix (token revocation, password reset, inbox rule removal, application consent revocation)
  • Classify incident severity (escalate or de-escalate from the initial triage severity)
  • Request T3 / SOC manager involvement for complex or multi-user incidents
  • Recommend (but not decide) regulatory notification

Typical experience: 2–5 years in security operations. Has investigated multiple real incidents. Can work independently through a complete playbook without guidance.


Tier 3: Threat Hunting, Detection Engineering, and Incident Leadership

Primary responsibility: Proactive threat hunting, detection rule development and maintenance, incident leadership for complex or critical incidents, and SOC capability improvement.

Core skills:

  • All T2 skills plus: write production detection rules from hypothesis through deployment (the full lifecycle from Module S2)
  • Lead cross-team investigations involving multiple compromised accounts, lateral movement, or organizational-impact events
  • Conduct threat hunting: develop hypotheses, write hunting queries, interpret results, convert findings to detection rules
  • Perform root cause analysis at technical, process, and organizational levels (Module S8, subsection 8.7)
  • Mentor T1 and T2 analysts
  • Evaluate and recommend security tool investments

Decision authority:

  • All T2 authority plus: deploy and modify detection rules
  • Lead PIR sessions and assign improvement actions
  • Recommend SOC process and tool changes
  • Approve containment actions that T2 requests (in some organizations, this authority sits with the SOC manager)

Typical experience: 5+ years in security operations with demonstrated investigation and detection engineering capability. Holds or is working toward relevant certifications (SC-200, GCIH, GCFA, or equivalent demonstrated experience).


The SOC Manager role

The SOC manager is not a tier — it is a management role that sits across all tiers. The SOC manager’s responsibilities include:

  • Approving high-blast-radius containment actions (account disablement, device isolation, KRBTGT reset)
  • Communicating with the CISO and executive stakeholders during active incidents
  • Managing the analyst roster (scheduling, training, career development)
  • Owning the SOC charter and operational metrics
  • Making the final call on regulatory notification recommendations
  • Allocating capacity between reactive work (alert triage) and proactive work (detection engineering, improvement)

In small teams (2–3 people), the SOC manager role often falls to the senior analyst who also performs T2/T3 work. This dual role is common but creates a capacity conflict — the manager’s operational duties compete with their management responsibilities. Acknowledge this conflict explicitly and protect time for both functions.

Tiers are roles, not people

A person can operate at different tiers depending on the situation. A T2 analyst who is the most experienced person on shift may operate as the incident leader (T3 role) for a complex incident. A T3 analyst who is catching up on the overnight queue may perform T1 triage. The tiers define the work, not the person. What matters is that each tier's responsibilities and authorities are clear so that anyone operating in that role knows their scope.


Matching tiers to playbook phases

The playbooks from Module S7 are designed around the tier model:

Playbook phase | Primary tier | Why
Triage (first 5 minutes) | T1 | Structured checks with binary outcomes — designed for analysts with less experience to execute consistently
Investigation | T2 | Requires query writing, attack chain analysis, and judgment about scope and severity
Containment | T2 (low blast radius) / SOC Manager (high blast radius) | Proportionality decisions require experience and authority
Communication | SOC Manager / T3 | External and executive communication requires organizational context and authority
Post-incident review | T3 / SOC Manager | Root cause analysis and improvement actions require broad perspective

This mapping ensures that each phase is handled by someone with the appropriate skill level and decision authority. T1 analysts are not asked to make containment decisions they are not equipped for, and T3 analysts do not spend their time on routine triage.

Try it yourself

Map your current team against the tier model:

  1. How many people on your team operate at each tier?
  2. Are there gaps? (No T3 capability = no detection engineering = no custom detection rules)
  3. Are there conflicts? (One person trying to fill all three tiers = capacity bottleneck)
  4. Based on the tier definitions, what is the single highest-value skill development investment for your team?

Check your understanding

1. A T1 analyst triages an alert and determines it is a true positive — an adversary has created inbox forwarding rules on a finance director's account. The analyst wants to remove the rules immediately to stop exfiltration. The playbook says "T2 analyst or SOC manager" approval is required for containment. No T2 is available — they are on lunch. What should the T1 do?

Contact the SOC manager (the approval matrix says "T2 analyst OR SOC manager"). If the SOC manager is also unavailable, the organization's escalation procedure should define an alternative authority for urgent containment during coverage gaps. If no alternative exists, this is an escalation framework gap that the PIR should address. In the immediate situation: removing inbox forwarding rules is a low-blast-radius action (it only affects the forwarding, not the user's access). Many organizations pre-authorize T1 analysts to remove inbox rules during confirmed compromises specifically because the blast radius is low and the exfiltration cost of delay is high. Check your organization's pre-authorization list.
Wait for the T2 to return from lunch — the approval requirement is clear
Remove the rules immediately — active exfiltration justifies the override

2. Your SOC has 3 analysts. One has 5 years of experience and handles T2/T3 work plus SOC management. The other two are junior (under 1 year). What is the single biggest operational risk in this team structure?

Single point of failure. If the senior analyst is unavailable (illness, leave, resignation), the SOC has no T2/T3 capability and no management authority. The two junior analysts can triage but cannot investigate complex incidents, make containment decisions, develop detection rules, or communicate with executives. Mitigation: (1) cross-train one junior analyst to operate at T2 level for defined scenarios (the most common incident types), (2) document the senior analyst's institutional knowledge in playbooks and detection rule specifications (this course's content), (3) establish a relationship with an external IR provider for surge support during the senior analyst's absence.
The junior analysts will burn out from high alert volume
The team is too small to operate a SOC effectively

You're reading the free modules of SOC Operations
