
SOC 101 — What is a Security Operations Center?

This document explains what a SOC is, why organizations need one, and what it takes to build one from scratch. No prior cybersecurity knowledge required.

1. What is a SOC?

```mermaid
graph LR
    Threats[🌐 Cyber Threats] --> SOC[🛡️ SOC]
    SOC --> Detect[Detect]
    SOC --> Respond[Respond]
    SOC --> Recover[Recover]
    Detect --> Safe[✅ Organization Protected]
    Respond --> Safe
    Recover --> Safe
```

A Security Operations Center (SOC) is a team of cybersecurity professionals who monitor, detect, and respond to security threats targeting an organization — 24 hours a day, 7 days a week.

Think of it as:

  • 🏥 Hospital Emergency Room — but for cyber incidents instead of medical emergencies
  • 🚒 Fire Station — always ready, watching for fires (attacks), and responding immediately
  • 🗼 Air Traffic Control Tower — monitoring everything, coordinating responses, preventing disasters

What Does a SOC Protect?

  • Data: Customer records, financial data, intellectual property
  • Systems: Servers, networks, cloud infrastructure, endpoints (laptops/desktops)
  • People: Employees from phishing, social engineering, and fraud
  • Business: Revenue, reputation, regulatory compliance

2. Why Does Your Organization Need a SOC?

The Reality of Cyber Threats

  • Average time to detect a breach: 194 days (without a SOC) — IBM, 2024
  • Average cost of a data breach: $4.88 million USD — IBM Cost of a Data Breach Report, 2024
  • Ransomware attacks: Every 11 seconds, a business is hit — Cybersecurity Ventures
  • Regulatory requirements: PDPA (Thailand), GDPR (EU), PCI-DSS require security monitoring

What Happens WITHOUT a SOC?

| Scenario | Without SOC | With SOC |
|---|---|---|
| Phishing email received | Nobody notices → Data stolen | Detected in minutes → Blocked |
| Ransomware deployed | Discovered days later → Systems encrypted | Detected immediately → Contained |
| Unauthorized access | Found during audit months later | Real-time alert → Account locked |
| Data exfiltration | Unknown until public disclosure | Detected by monitoring → Stopped |

3. Core Components of a SOC

```mermaid
graph TD
    SOC[SOC] --> People[👥 People]
    SOC --> Process[📋 Process]
    SOC --> Tech[🖥️ Technology]

    People --> T1[Tier 1: Alert Analysts]
    People --> T2[Tier 2: Incident Responders]
    People --> T3[Tier 3: Threat Hunters]
    People --> Mgr[SOC Manager]

    Process --> PB[Playbooks]
    Process --> IR[Incident Response]
    Process --> SH[Shift Handoff]

    Tech --> SIEM[SIEM]
    Tech --> EDR[EDR]
    Tech --> SOAR[SOAR]
    Tech --> TI[Threat Intel]
```

3.1 People — Who Works in a SOC?

| Role | What They Do | Analogy |
|---|---|---|
| Tier 1 Analyst | Watch screens, triage alerts, escalate real threats | Security guard watching CCTV |
| Tier 2 Responder | Deep-dive investigations, contain active attacks | Detective solving a case |
| Tier 3 Hunter | Proactively search for hidden threats | Undercover agent tracking criminals |
| Detection Engineer | Build and tune alert rules | Alarm system technician |
| SOC Manager | Lead the team, report to executives | Police chief |

📖 Deep Dive: See SOC Team Structure for full role definitions, skills required, career path, and staffing models.

3.2 Process — How Does a SOC Operate?

| Process | Purpose | Document |
|---|---|---|
| Incident Response | Step-by-step guide to handle attacks | IR Framework |
| Playbooks | Specific procedures for each attack type | 50 Playbooks |
| Shift Handoff | Ensure continuity between shifts (24/7) | Shift Handoff |
| Detection Engineering | Create rules that detect bad behavior | Detection Lifecycle |
| Reporting | Show leadership what the SOC is doing | Monthly Report |

3.3 Technology — What Tools Does a SOC Use?

| Tool | What It Does | Open Source Option | Commercial Option |
|---|---|---|---|
| SIEM | Collects all logs, finds patterns, creates alerts | Wazuh, Elastic SIEM | Splunk, Microsoft Sentinel, QRadar |
| EDR | Monitors endpoints (laptops/servers) for malware | Wazuh, Velociraptor | CrowdStrike, SentinelOne, Defender |
| SOAR | Automates repetitive SOC tasks | TheHive + Cortex, Shuffle | Splunk SOAR, Palo Alto XSOAR |
| Threat Intel Platform | Tracks known bad IPs, domains, file hashes | MISP, OpenCTI | Recorded Future, Mandiant |
| Ticketing | Tracks incidents from start to finish | TheHive, RTIR | ServiceNow, Jira |
| Network Monitoring | Watches network traffic for anomalies | Zeek, Suricata | Darktrace, ExtraHop |

4. How to Build a SOC — The 5-Step Path

```mermaid
graph LR
    P1[Phase 1: Foundation] --> P2[Phase 2: Detection]
    P2 --> P3[Phase 3: Response]
    P3 --> P4[Phase 4: Hunting]
    P4 --> P5[Phase 5: Optimization]

    style P1 fill:#e74c3c,color:#fff
    style P2 fill:#e67e22,color:#fff
    style P3 fill:#f1c40f,color:#000
    style P4 fill:#2ecc71,color:#fff
    style P5 fill:#3498db,color:#fff
```

Phase 1: Foundation (Month 1-3) — "Crawl"

Goal: Get visibility into what's happening in your environment.

  • Choose and deploy a SIEM (start with Wazuh if budget is limited)
  • Identify your top 10 critical assets (servers, databases, cloud accounts)
  • Onboard log sources: Firewall, Active Directory, Email, VPN
  • Hire 2-3 Tier 1 Analysts + 1 SOC Manager
  • Set up a ticketing system (TheHive or Jira)
  • Define basic escalation procedures

📖 Read: SOC Infrastructure Setup

Phase 2: Detection (Month 3-6) — "Walk"

Goal: Create meaningful alerts that detect real attacks.

  • Implement top 10 detection rules (start with our Sigma rules)
  • Create your first 5 Playbooks (Phishing, Malware, Brute Force, Account Compromise, Ransomware)
  • Enable a detection rule for each MITRE ATT&CK tactic
  • Tune rules to bring the false-positive rate below 30%
  • Establish shift schedule (start with 8x5, expand to 24x7 later)

📖 Read: Detection Engineering Lifecycle
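To make the Phase 2 bullets concrete, here is an added example (not code from this repository) of the matching logic behind one of the first rules most SOCs write, the Brute Force playbook's trigger: a threshold of failed logons from one source inside a time window, followed by the tuning step that removes expected noise. Everything in it is constructed: the IP addresses, user names and timestamps are invented, the record fields (`ts`, `event_id`, `src_ip`, `user`) stand in for whatever your SIEM normalises from Windows Event ID 4625, and the allowlist of authorised scanners is an assumed tuning decision.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Sources the SOC has authorised to generate failed logons (e.g. a credentialed
# vulnerability scanner). Constructed placeholder address, not a real host.
KNOWN_SCANNERS = frozenset({"10.0.0.9"})


def _failures(src_ip, user, start, count, step_seconds):
    """Build `count` failed-logon records from one source, `step_seconds` apart.
    Field names mirror what a SIEM normalises from Windows Event ID 4625."""
    base = datetime.fromisoformat(start)
    return [
        {"ts": (base + timedelta(seconds=k * step_seconds)).isoformat(),
         "event_id": 4625, "src_ip": src_ip, "user": user}
        for k in range(count)
    ]


# Constructed sample events (not real logs).
SAMPLE_EVENTS = (
    _failures("10.0.0.7", "jdoe", "2024-05-01T08:00:00", 6, 20)        # 6 failures in 100 s: real brute force
    + _failures("10.0.0.9", "svc-scan", "2024-05-01T08:00:00", 8, 10)  # authorised scanner: noisy but expected
    + _failures("10.0.0.5", "asmith", "2024-05-01T08:10:00", 2, 30)    # a user mistyping a password
    + _failures("10.0.0.5", "asmith", "2024-05-01T09:30:00", 4, 30)    # same user, 80 minutes later
    + [{"ts": "2024-05-01T08:02:00", "event_id": 4624, "src_ip": "10.0.0.7", "user": "jdoe"}]  # a success; ignored
)


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5), allowlist=frozenset()):
    """Raise one alert per source IP that produces at least `threshold` failed
    logons inside any window of length `window`. Sources in `allowlist` are
    skipped: that is the tuning step that keeps expected noise out of the queue."""
    failures = defaultdict(list)
    for ev in events:
        if ev["event_id"] != 4625 or ev["src_ip"] in allowlist:
            continue
        failures[ev["src_ip"]].append(datetime.fromisoformat(ev["ts"]))

    alerts = []
    for src_ip, times in failures.items():
        times.sort()
        for i in range(len(times)):
            # Extend the window from times[i] as far as it reaches.
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                alerts.append({"src_ip": src_ip, "count": j - i,
                               "first": times[i].isoformat(), "last": times[j - 1].isoformat()})
                break  # one alert per source is enough for triage
    return alerts


def tuning_report(events):
    """Compare the alert volume before and after applying the scanner allowlist."""
    untuned = detect_brute_force(events)
    tuned = detect_brute_force(events, allowlist=KNOWN_SCANNERS)
    return {"untuned_alerts": len(untuned), "tuned_alerts": len(tuned),
            "suppressed": len(untuned) - len(tuned)}


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_EVENTS, allowlist=KNOWN_SCANNERS):
        print(alert)
    print(tuning_report(SAMPLE_EVENTS))
```

Run as-is, the untuned rule fires on both the attacker and the scanner; with the allowlist only the attacker remains, and the user who mistyped a password twice and then failed four more times 80 minutes later never crosses the threshold because the window is evaluated per source and per time span, not as a lifetime count. Lowering alert volume this way, by excluding sources the SOC has already vetted rather than by raising the threshold, is the usual first move toward the 30% false-positive target.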

Phase 3: Response (Month 6-12) — "Run"

Goal: Respond to real incidents effectively.

  • Implement all 50 Playbooks from this repository
  • Hire Tier 2 Incident Responders
  • Set up EDR on all endpoints
  • Conduct first Purple Team exercise (Simulation Guide)
  • Implement SOC KPIs: MTTD, MTTR, False Positive Rate
  • Begin monthly executive reporting

📖 Read: SOC Metrics & KPIs
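The three KPIs named in Phase 3 are only useful if everyone computes them the same way from the ticketing data, so here is an added example (not the repository's own code) that derives them from a handful of constructed incident records. The definitions it assumes are the common ones: MTTD is the mean gap from the attacker's first action (`occurred`, as established by the investigation) to the ticket being raised (`detected`), over confirmed true positives; MTTR is the mean gap from `detected` to `resolved`, counting only true positives that have actually been closed; and the false-positive rate is the share of dispositioned alerts that were judged false. The record shape and the `INC-` identifiers are invented.

```python
from datetime import datetime

# Constructed incident records (not real data), shaped like a ticketing export:
# `occurred` is the attacker's first action as established by the investigation,
# `detected` is when the SOC raised the ticket, `resolved` is when it was closed
# (None while still open) and `disposition` is the analyst's final verdict.
SAMPLE_INCIDENTS = [
    {"id": "INC-001", "occurred": "2024-05-01T02:00:00", "detected": "2024-05-01T02:30:00",
     "resolved": "2024-05-01T06:30:00", "disposition": "true_positive"},
    {"id": "INC-002", "occurred": "2024-05-02T10:00:00", "detected": "2024-05-02T11:00:00",
     "resolved": "2024-05-02T13:00:00", "disposition": "true_positive"},
    {"id": "INC-003", "occurred": "2024-05-03T09:00:00", "detected": "2024-05-03T09:10:00",
     "resolved": "2024-05-03T09:20:00", "disposition": "false_positive"},
    {"id": "INC-004", "occurred": "2024-05-04T00:00:00", "detected": "2024-05-04T02:30:00",
     "resolved": None, "disposition": "true_positive"},  # still open
]


def _hours_between(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def _mean(values):
    # None rather than a division error when a month has no qualifying incidents.
    return sum(values) / len(values) if values else None


def mttd_hours(incidents):
    """Mean Time To Detect: occurred -> detected, over confirmed true positives."""
    return _mean([_hours_between(i["occurred"], i["detected"])
                  for i in incidents if i["disposition"] == "true_positive"])


def mttr_hours(incidents):
    """Mean Time To Respond: detected -> resolved, over resolved true positives.
    Open incidents are excluded rather than counted as zero."""
    return _mean([_hours_between(i["detected"], i["resolved"])
                  for i in incidents if i["disposition"] == "true_positive" and i["resolved"]])


def false_positive_rate(incidents):
    """Share of all dispositioned alerts that turned out to be false positives."""
    judged = [i for i in incidents if i["disposition"] in ("true_positive", "false_positive")]
    if not judged:
        return None
    return sum(1 for i in judged if i["disposition"] == "false_positive") / len(judged)


def kpi_summary(incidents, fp_target=0.30):
    """One row for the monthly report; `fp_target` is the Phase 2 goal of a
    false-positive rate below 30%."""
    fp_rate = false_positive_rate(incidents)
    return {
        "mttd_hours": mttd_hours(incidents),
        "mttr_hours": mttr_hours(incidents),
        "false_positive_rate": fp_rate,
        "open_incidents": sum(1 for i in incidents if i["resolved"] is None),
        "meets_fp_target": fp_rate is not None and fp_rate < fp_target,
    }


if __name__ == "__main__":
    for key, value in kpi_summary(SAMPLE_INCIDENTS).items():
        print(f"{key}: {value}")
```

On the sample data MTTD works out to 4/3 hours, MTTR to 3 hours and the false-positive rate to 25%. Two choices in the code are worth carrying into your own reporting: an open incident contributes to MTTD but not to MTTR (otherwise long-running cases silently improve the number), and a month with no incidents reports `None` instead of zero, because a zero would read as a perfect month rather than an empty one.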

Phase 4: Hunting (Year 1-2) — "Sprint"

Goal: Proactively find threats that bypass detection.

  • Hire or train a Tier 3 Threat Hunter
  • Implement Threat Intelligence feeds (MISP/OpenCTI)
  • Map detection coverage to MITRE ATT&CK
  • Conduct quarterly Threat Hunting campaigns
  • Implement SOAR for automated response

📖 Read: Threat Intelligence Lifecycle

Phase 5: Optimization (Year 2+) — "Fly"

Goal: Measure, improve, and mature continuously.

  • Achieve SOC-CMM Level 3+ Maturity
  • Automate 80%+ of Tier 1 triage with SOAR
  • Implement Detection-as-Code (CI/CD for rules)
  • Conduct annual SOC Assessment (Assessment Checklist)
  • Publish Quarterly Business Reviews to leadership
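Detection-as-Code means a rule change goes through the same review and CI gate as application code. As an added example (not part of this repository), here is the kind of lint step such a pipeline runs on every Sigma rule before merge. It assumes the rules have already been loaded into Python dictionaries (a real pipeline would read the YAML files with PyYAML; that step is left out), and it checks a subset of the Sigma format that I chose for illustration: the required top-level keys, a UUID `id`, a valid `level`, a `condition` inside `detection`, well-formed `attack.*` tags for the MITRE ATT&CK mapping mentioned in Phase 4, and no duplicate ids across the rule set. The two sample rules and their ids are constructed.

```python
import re
import uuid

# Subset of the Sigma rule format that this lint enforces (chosen for illustration).
REQUIRED_KEYS = ("title", "id", "logsource", "detection", "level")
VALID_LEVELS = {"informational", "low", "medium", "high", "critical"}
# attack.t1110, attack.t1110.001 or an ATT&CK tactic name such as attack.credential_access
ATTACK_TAG = re.compile(r"^attack\.(t\d{4}(\.\d{3})?|[a-z_]+)$")

# Constructed rules standing in for files loaded from the detections/ directory.
GOOD_RULE = {
    "title": "Multiple Failed Logons from Single Source",
    "id": "6b3d1b5e-2c1a-4f0e-9a7d-1234567890ab",  # constructed UUID
    "status": "experimental",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {"selection": {"EventID": 4625}, "timeframe": "5m",
                  "condition": "selection | count() by IpAddress > 5"},
    "level": "medium",
    "tags": ["attack.credential_access", "attack.t1110"],
}
BAD_RULE = {  # missing logsource, bad id, no condition, unknown level, malformed tag
    "title": "Suspicious Thing",
    "id": "not-a-uuid",
    "detection": {"selection": {"EventID": 4625}},
    "level": "urgent",
    "tags": ["T1110"],
}


def lint_rule(rule):
    """Return a list of findings for one rule; an empty list means it is clean."""
    findings = []
    for key in REQUIRED_KEYS:
        if key not in rule:
            findings.append(f"missing required key '{key}'")
    if "level" in rule and rule["level"] not in VALID_LEVELS:
        findings.append(f"invalid level '{rule['level']}'")
    if "id" in rule:
        try:
            uuid.UUID(str(rule["id"]))
        except ValueError:
            findings.append("id is not a UUID")
    detection = rule.get("detection")
    if isinstance(detection, dict) and "condition" not in detection:
        findings.append("detection block has no 'condition'")
    for tag in rule.get("tags", []):
        if not ATTACK_TAG.match(tag):
            findings.append(f"tag '{tag}' is not a valid attack.* tag")
    return findings


def lint_ruleset(rules):
    """Lint every rule and additionally reject ids reused across rules."""
    report, seen_ids = {}, {}
    for rule in rules:
        name = rule.get("title", "<untitled>")
        findings = lint_rule(rule)
        rule_id = rule.get("id")
        if rule_id in seen_ids:
            findings.append(f"duplicate id shared with '{seen_ids[rule_id]}'")
        elif rule_id is not None:
            seen_ids[rule_id] = name
        report[name] = findings
    return report


def ci_gate(rules):
    """True only when every rule is clean: the condition the pipeline requires to merge."""
    return all(not findings for findings in lint_ruleset(rules).values())


if __name__ == "__main__":
    for title, findings in lint_ruleset([GOOD_RULE, BAD_RULE]).items():
        print(title, "->", findings or "OK")
    print("merge allowed:", ci_gate([GOOD_RULE, BAD_RULE]))
```

Wired into CI, `ci_gate` failing blocks the merge and the findings are posted on the pull request, which is what turns rule authoring from an ad-hoc SIEM console edit into a reviewable, revertible change. The same hook is a natural place to add a step that runs each rule against a saved log sample, so a syntactically valid rule that no longer matches its intended event is caught before it reaches production.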

5. Estimated Budget

| SOC Size | Staff | Tools (Annual) | Total Year 1 |
|---|---|---|---|
| Minimal (Open Source, 8x5) | 3-5 people | $0-20K | ~$150K-250K |
| Standard (Mixed, 16x5) | 6-10 people | $50K-150K | ~$500K-800K |
| Enterprise (Commercial, 24x7) | 12-20 people | $200K-500K | ~$1.5M-3M |

Tip: Start small with open-source tools. You can always upgrade as you mature.

6. How to Use This Repository

This repository contains everything you need to operate a SOC. Here's the recommended reading order:

| # | Start Here | Document |
|---|---|---|
| 1 | 📖 You are here | SOC 101 (this document) |
| 2 | 👥 Build your team | SOC Team Structure |
| 3 | 🏗️ Set up infrastructure | SOC Infrastructure Setup |
| 4 | 📋 Learn the IR process | Incident Response Framework |
| 5 | 📕 Study the Playbooks | PB-01 Phishing (start here) |
| 6 | 🔍 Deploy detection rules | Detection Rules |
| 7 | ⏰ Set up shift operations | Shift Handoff |
| 8 | 📊 Measure your KPIs | SOC Metrics |
| 9 | 🎯 Run simulations | Simulation Guide |
| 10 | 🎓 Train new analysts | Analyst Onboarding Path |
