Security Operations Center (SOC): Functions and Models

A Security Operations Center (SOC) is the organizational and technical hub through which enterprises monitor, detect, analyze, and respond to cybersecurity threats on a continuous basis. This page covers the core functions, staffing models, operational frameworks, and deployment variants that define how SOCs are structured across government, healthcare, financial services, and critical infrastructure sectors. The distinctions between insourced, outsourced, and hybrid models carry direct implications for regulatory compliance obligations under frameworks such as NIST, HIPAA, and CMMC.


Definition and scope

A SOC is a centralized function — physical, virtual, or hybrid — staffed by security analysts, engineers, and incident responders who operate around the clock to protect an organization's information assets. The scope of a SOC encompasses continuous monitoring of networks, endpoints, applications, and cloud environments, paired with structured processes for triage, escalation, and remediation.

The NIST Cybersecurity Framework (CSF), published by the National Institute of Standards and Technology, maps directly to SOC operations across its five core functions: Identify, Protect, Detect, Respond, and Recover. A mature SOC operationalizes all five, though the Detect and Respond functions represent its primary operational surface. NIST SP 800-61, Computer Security Incident Handling Guide, establishes the incident response lifecycle that most SOC procedures formalize.

Federal civilian agencies are subject to continuous monitoring requirements under the Federal Information Security Modernization Act (FISMA), administered by the Cybersecurity and Infrastructure Security Agency (CISA). Defense contractors operating under the Cybersecurity Maturity Model Certification (CMMC) framework face tiered SOC-equivalent requirements tied to the sensitivity of Controlled Unclassified Information (CUI) they handle.

The scope of a SOC is further shaped by the technology stack it monitors: a SOC serving a hospital network under HIPAA cybersecurity requirements must extend visibility to electronic protected health information (ePHI) systems and medical device endpoints, not only enterprise IT.


How it works

SOC operations are organized around a tiered analyst model and a core technology platform. The standard tier structure is:

  1. Tier 1 — Alert triage analysts: Monitor dashboards, review automated alerts from the Security Information and Event Management (SIEM) platform, and perform initial classification. Tier 1 analysts handle high alert volumes and escalate confirmed or ambiguous events.
  2. Tier 2 — Incident responders: Conduct deeper investigation of escalated alerts, correlate indicators of compromise (IOCs), and initiate containment actions. Tier 2 analysts interface with the incident response framework and document case timelines.
  3. Tier 3 — Threat hunters and senior analysts: Perform proactive threat hunting, develop detection logic, tune SIEM rules to reduce false-positive rates, and lead post-incident analysis. Threat hunters operate on hypothesis-driven methodologies rather than reactive alert queues.
  4. SOC Manager / Director: Oversees operations, manages staffing models, coordinates with executive leadership, and ensures alignment with regulatory reporting timelines.

The primary technology stack includes SIEM platforms for log aggregation and correlation, Security Orchestration, Automation, and Response (SOAR) tools for playbook execution, endpoint detection and response (EDR) agents, network traffic analysis (NTA), and threat intelligence feeds. The MITRE ATT&CK framework provides a structured taxonomy of adversary tactics, techniques, and procedures (TTPs) that SOC teams use to map detected behaviors to known threat actor patterns.

Mean time to detect (MTTD) and mean time to respond (MTTR) are the primary operational performance metrics. IBM's Cost of a Data Breach Report 2023 found that organizations with fully deployed security AI and automation had an average breach cost of $3.60 million, compared to $5.36 million for those without — a differential that reflects the operational leverage of an instrumented SOC (IBM Cost of a Data Breach Report 2023).


Common scenarios

SOC teams operate across a defined set of recurring threat scenarios. The following represent the highest-frequency operational categories:

Ransomware containment: Upon detection of lateral movement or encryption activity consistent with ransomware behavior, Tier 2 analysts isolate affected endpoints, preserve forensic images, and engage the incident response playbook. The ransomware reference taxonomy informs IOC classification. CISA's #StopRansomware advisories provide sector-specific TTPs that SOC detection rules reference.

Phishing and credential compromise: SIEM correlation rules flag anomalous authentication patterns — logins from unexpected geographies, impossible travel, or high-volume failed authentications. The SOC cross-references phishing and social engineering indicators and initiates account lockdown or multi-factor authentication (MFA) resets through identity and access management integrations.
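The two authentication patterns named above, impossible travel and high-volume failed authentication, expressed as correlation logic. This is an added example written for this page, not code from any SIEM vendor: the JSON-lines schema, coordinates, users and thresholds are constructed assumptions.

```python
"""Correlation checks over authentication events.

Added example (not from the page): two of the patterns the text names,
impossible travel and high-volume failed authentication, run over a
constructed batch of JSON-lines login events. Field names, coordinates
and thresholds are assumptions, not any vendor's schema.
"""
import json
import math
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample events (documentation IP ranges, made-up users).
SAMPLE_EVENTS = """\
{"ts": "2024-03-04T08:00:00Z", "user": "alice", "result": "success", "ip": "203.0.113.10", "geo": "NL", "lat": 52.37, "lon": 4.90}
{"ts": "2024-03-04T08:45:00Z", "user": "alice", "result": "success", "ip": "198.51.100.7", "geo": "SG", "lat": 1.35, "lon": 103.82}
{"ts": "2024-03-04T09:00:00Z", "user": "bob", "result": "success", "ip": "203.0.113.11", "geo": "NL", "lat": 52.37, "lon": 4.90}
{"ts": "2024-03-04T12:00:00Z", "user": "bob", "result": "success", "ip": "203.0.113.12", "geo": "DE", "lat": 52.52, "lon": 13.40}
{"ts": "2024-03-04T10:00:05Z", "user": "svc-backup", "result": "failure", "ip": "192.0.2.55", "geo": "US", "lat": 40.71, "lon": -74.01}
{"ts": "2024-03-04T10:00:20Z", "user": "svc-backup", "result": "failure", "ip": "192.0.2.55", "geo": "US", "lat": 40.71, "lon": -74.01}
{"ts": "2024-03-04T10:00:35Z", "user": "svc-backup", "result": "failure", "ip": "192.0.2.55", "geo": "US", "lat": 40.71, "lon": -74.01}
{"ts": "2024-03-04T10:00:50Z", "user": "svc-backup", "result": "failure", "ip": "192.0.2.55", "geo": "US", "lat": 40.71, "lon": -74.01}
{"ts": "2024-03-04T10:01:05Z", "user": "svc-backup", "result": "failure", "ip": "192.0.2.55", "geo": "US", "lat": 40.71, "lon": -74.01}
{"ts": "2024-03-04T10:01:20Z", "user": "svc-backup", "result": "failure", "ip": "192.0.2.55", "geo": "US", "lat": 40.71, "lon": -74.01}
{"ts": "2024-03-04T11:00:00Z", "user": "carol", "result": "failure", "ip": "203.0.113.20", "geo": "NL", "lat": 52.37, "lon": 4.90}
{"ts": "2024-03-04T11:00:30Z", "user": "carol", "result": "failure", "ip": "203.0.113.20", "geo": "NL", "lat": 52.37, "lon": 4.90}
{"ts": "2024-03-04T11:01:00Z", "user": "carol", "result": "success", "ip": "203.0.113.20", "geo": "NL", "lat": 52.37, "lon": 4.90}
"""

# Assumed thresholds; a SOC tunes these per tenant to control the false-positive rate.
SPEED_LIMIT_KMH = 900.0   # faster than a commercial flight: implausible travel
FAIL_THRESHOLD = 5        # failures per user ...
FAIL_WINDOW_SEC = 600     # ... inside a 10-minute sliding window


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, speed_limit_kmh=SPEED_LIMIT_KMH):
    """Flag consecutive successful logins per user whose implied speed exceeds the limit.
    ATT&CK T1078 (Valid Accounts) is the usual mapping for this signal."""
    last = {}
    findings = []
    for ev in events:
        if ev["result"] != "success":
            continue
        prev = last.get(ev["user"])
        if prev is not None:
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600.0
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            # km > 1 ignores geolocation jitter; hours <= 0 with a real distance is also impossible.
            if km > 1.0 and (hours <= 0 or km / hours > speed_limit_kmh):
                findings.append({"user": ev["user"], "from": prev["geo"], "to": ev["geo"],
                                 "km": round(km), "hours": round(hours, 2)})
        last[ev["user"]] = ev
    return findings


def failed_auth_bursts(events, threshold=FAIL_THRESHOLD, window_sec=FAIL_WINDOW_SEC):
    """Sliding window per user: flag once `threshold` failures fall inside `window_sec`.
    ATT&CK T1110 (Brute Force) is the usual mapping. Each user is reported once."""
    windows = defaultdict(deque)
    flagged = {}
    for ev in events:
        if ev["result"] != "failure":
            continue
        q = windows[ev["user"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_sec:
            q.popleft()
        if len(q) >= threshold and ev["user"] not in flagged:
            flagged[ev["user"]] = {"user": ev["user"], "failures": len(q), "ip": ev["ip"],
                                   "first": q[0].isoformat(), "last": ev["ts"].isoformat()}
    return list(flagged.values())


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for f in impossible_travel(evs) + failed_auth_bursts(evs):
        print(f)
```

Run as written, the batch produces two findings: alice's NL to SG hop 45 minutes apart, and the svc-backup account after its fifth failure. bob's NL to DE logins three hours apart and carol's two failures followed by a success stay below threshold, which is the behaviour a Tier 3 analyst tunes for when reducing false positives.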

Insider threat detection: Behavioral analytics platforms flag deviations from baseline user activity, including abnormal data exfiltration volumes or access to sensitive repositories outside normal work patterns. Insider threat programs define the policy thresholds that SOC analysts apply when escalating to HR or legal.
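The "deviation from baseline" check described above, reduced to its core: a per-user z-score on daily egress volume with an absolute floor so that a policy threshold, not statistics alone, decides what gets escalated. This is an added example, not from the page or any analytics product; the window length, thresholds and volumes are constructed assumptions.

```python
"""Baseline-deviation check for data egress volume.

Added example (not from the page): a z-score baseline of the kind the
behavioral-analytics check relies on, run over constructed per-user daily
egress volumes. Window, thresholds and data are assumptions.
"""
import math
import statistics

MiB = 1024 ** 2
BASELINE_DAYS = 14            # assumed learning window per user
Z_THRESHOLD = 3.0             # assumed: flag more than 3 standard deviations above baseline
MIN_DELTA_BYTES = 500 * MiB   # assumed policy floor: ignore small absolute increases

# Constructed: bytes sent to external destinations per user, 14 baseline days
# followed by the day under review as the last element.
SAMPLE_EGRESS = {
    "alice": [x * MiB for x in (48, 52, 50, 47, 53, 49, 51, 50, 46, 54, 50, 52, 48, 50, 2400)],
    "bob":   [x * MiB for x in (100, 300, 150, 250, 120, 280, 200, 180, 90, 310, 140, 260, 170, 230, 290)],
    "carol": [0] * 14 + [10 * MiB],    # quiet account, tiny jump: stays below the floor
    "dave":  [0] * 14 + [800 * MiB],   # quiet account, large jump: stdev is 0, must still flag
}


def score_day(history, observed, z_threshold=Z_THRESHOLD, min_delta=MIN_DELTA_BYTES):
    """Return (z, flagged) for one observation against its baseline history."""
    mean = statistics.fmean(history)
    stdev = statistics.stdev(history) if len(history) > 1 else 0.0
    delta = observed - mean
    if stdev == 0.0:
        # Flat baseline: any increase is infinitely unusual, so the floor alone decides.
        z = math.inf if delta > 0 else 0.0
    else:
        z = delta / stdev
    flagged = z > z_threshold and delta >= min_delta
    return z, flagged


def egress_anomalies(series, baseline_days=BASELINE_DAYS, **thresholds):
    """Score the day after the baseline window for every user; return the flagged ones."""
    findings = []
    for user, values in series.items():
        if len(values) <= baseline_days:
            raise ValueError(f"{user}: need {baseline_days + 1} days, got {len(values)}")
        history, observed = values[:baseline_days], values[baseline_days]
        z, flagged = score_day(history, observed, **thresholds)
        if flagged:
            findings.append({
                "user": user,
                "observed_mib": observed // MiB,
                "baseline_mib": round(statistics.fmean(history) / MiB, 1),
                "z": round(z, 1) if math.isfinite(z) else "inf",
            })
    return findings


if __name__ == "__main__":
    for f in egress_anomalies(SAMPLE_EGRESS):
        print(f)
```

Two users are flagged: alice (a 2.4 GiB day against a 50 MiB baseline) and dave (any volume at all from a previously silent account). carol's 10 MiB from the same kind of silent baseline is statistically infinite but below the 500 MiB floor, which is the role the program's policy threshold plays in keeping HR or legal escalations to cases worth the friction.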

Vulnerability exploitation: When a critical CVE is actively exploited in the wild — as catalogued in CISA's Known Exploited Vulnerabilities (KEV) catalog — SOC teams shift to active monitoring for exploitation signatures while vulnerability management teams prioritize patching.

Cloud security incidents: SOC visibility into cloud environments relies on cloud-native logging (e.g., AWS CloudTrail, Azure Monitor) ingested into the SIEM. Cloud security fundamentals define the shared responsibility boundaries that determine which log sources the SOC controls directly versus those managed by the cloud service provider.
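What "ingested into the SIEM" then looks like on the SOC side: rules run over CloudTrail records. This is an added example, not from the page or from AWS. The records are constructed to follow CloudTrail's documented field layout (eventName, userIdentity, additionalEventData, requestParameters); the account ID 111122223333 is AWS's documentation placeholder, the users and IPs are made up, and the ATT&CK technique IDs are this example's own mapping.

```python
"""Rules over CloudTrail-style records.

Added example (not from the page): three checks a SOC commonly runs on
AWS CloudTrail once it reaches the SIEM. Records are constructed in
CloudTrail's documented shape; account ID, principals and IPs are placeholders.
"""
import json

# Constructed sample in CloudTrail's delivery shape: {"Records": [...]}.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-03-04T07:58:12Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-03-04T09:12:40Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.23", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-03-04T09:14:02Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"}},
    {"eventTime": "2024-03-04T09:30:55Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "192.0.2.77"},
    {"eventTime": "2024-03-04T10:02:19Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app-reader/i-0abc"},
     "sourceIPAddress": "10.0.1.25"},
]})

# API calls that reduce or redirect CloudTrail coverage (ATT&CK T1562.008, Disable or Modify Cloud Logs).
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def load_records(text):
    """CloudTrail delivers a JSON object whose Records array holds the events."""
    return json.loads(text)["Records"]


def principal(record):
    """Human-readable actor: IAM user name when present, otherwise the ARN (root has no userName)."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


def detect(records):
    """Apply the three rules to every record; a record can trigger more than one."""
    findings = []
    for r in records:
        base = {"time": r["eventTime"], "principal": principal(r),
                "event": r["eventName"], "ip": r.get("sourceIPAddress")}
        # 1. Successful console sign-in with no MFA challenge recorded.
        if (r["eventName"] == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append({**base, "rule": "console-login-without-mfa", "attack": "T1078.004"})
        # 2. Any use of the account root principal, which should stay dormant.
        if r.get("userIdentity", {}).get("type") == "Root":
            findings.append({**base, "rule": "root-account-activity", "attack": "T1078.004"})
        # 3. Changes to the trail itself: the SOC's own visibility is being altered.
        if r["eventSource"] == "cloudtrail.amazonaws.com" and r["eventName"] in LOGGING_TAMPER_EVENTS:
            findings.append({**base, "rule": "cloudtrail-coverage-changed", "attack": "T1562.008",
                             "trail": r.get("requestParameters", {}).get("name")})
    return findings


if __name__ == "__main__":
    for f in detect(load_records(SAMPLE_CLOUDTRAIL)):
        print(f)
```

The third rule is where the shared-responsibility boundary shows up in practice: the provider records the API calls, but whether a trail exists, stays enabled and delivers to a bucket the SOC reads is the customer's side of the line, so a StopLogging or UpdateTrail event is a signal about the SOC's own coverage rather than about a workload.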


Decision boundaries

The most consequential structural decision for any organization is the SOC delivery model. Three primary models define the landscape:

In-house SOC: The organization builds, staffs, and operates its own SOC. This model provides maximum control over data residency, tooling customization, and institutional knowledge retention. It requires sustained investment — SANS Institute surveys consistently cite analyst staffing as the primary operational cost driver, with a 24/7 coverage model typically requiring 8–12 analysts minimum to avoid burnout-driven attrition.

Managed Security Service Provider (MSSP) / MDR: A third-party provider delivers SOC functions under a contracted service level agreement (SLA). Managed Detection and Response (MDR) is a more advanced variant that includes active threat hunting and response capabilities beyond alert monitoring. The trade-off is reduced visibility into analyst workflows and potential data sovereignty concerns for regulated industries.

Hybrid SOC: The organization retains a core internal team for sensitive data handling and compliance oversight while outsourcing 24/7 alert monitoring to an MSSP. This model is common in healthcare and defense contracting, where CMMC compliance and HIPAA mandates require documented internal accountability even when operational functions are partially outsourced.

A second decision boundary involves SOC maturity level. The SOC-CMM (SOC Capability Maturity Model), published by the Dutch National Cyber Security Centre (NCSC-NL), defines five maturity levels from ad hoc (Level 1) to continuous optimization (Level 5). Organizations in regulated sectors subject to NIST Cybersecurity Framework or ISO 27001 audits use maturity assessments to benchmark gap remediation roadmaps.

The distinction between a SOC and a red team/blue team structure is operational, not organizational: the SOC functions as the permanent blue team conducting continuous defense, while red team engagements are episodic adversarial simulations used to test SOC detection fidelity. Organizations with mature programs integrate both under a purple team model that closes the feedback loop between offensive findings and defensive rule tuning.

