role

How to become a SOC Analyst

Explore How to become a SOC Analyst with BLS/O*NET wage, outlook, skill, and task evidence plus source-backed certification options.

Build my personalized career plan

Researched by RoleMath Research. Every figure on this page traces to the official source shown next to it — next source review 2026-09-23.

What the numbers say about this work

Government occupation data for the role this maps to Information Security Analysts (SOC 15-1212). This is planning context for the occupation, not a salary or a job this role guarantees you.

Median pay (occupation)
$129,180 / yr · $75,090 to $199,850 (10th–90th percentile)
Projected change (2024–34)
+28.5% · ~16k openings/yr
Typical entry education
Bachelor's degree

BLS OEWS — occupation-level, national BLS Employment Projections 2024–34 This role has a high-confidence mapping to the listed O*NET-SOC/BLS occupation.

What it pays by metro

The national median hides a wide geographic spread. Below is the occupation’s median in some of the highest-paying and largest-employment metros, adjusted for local prices — regional price-level context, not take-home pay or a salary this role guarantees you.

MetroNominal medianCost-adjusted
San Jose, CA$176,120$159,496
Raleigh, NC$143,640$146,337
Seattle, WA$161,780$145,573
San Francisco, CA$162,310$140,391
Huntsville, AL$130,330$140,031
Washington, DC$148,950$136,797

See all metros and how this is calculated → Sources: BLS OEWS (May 2025), occupation-level metro median ÷ BEA Regional Price Parities (2024, US=100).

What this work involves

The tasks the U.S. Department of Labor’s O*NET lists most central to this occupation — role-fit evidence to weigh against your background, not a measure of employer demand.

  • Develop plans to safeguard computer files against accidental or unauthorized modification, destruction, or disclosure and to meet emergency data processing needs.
  • Monitor current reports of computer viruses to determine when to update virus protection systems.
  • Encrypt data transmissions and erect firewalls to conceal confidential information as it is being transmitted and to keep out tainted digital transfers.
  • Perform risk assessments and execute tests of data processing system to ensure functioning of data processing activities and security measures.
  • Modify computer security files to incorporate new software, correct errors, or change individual access status.
  • Review violations of computer security procedures and discuss procedures with violators to ensure violations are not repeated.

O*NET — occupation-level

Skills that matter

The skills O*NET rates most important for this occupation. A starting map for what to build — weigh it against the specific job you’re targeting.

  • Reading Comprehension
  • Critical Thinking
  • Active Listening
  • Speaking
  • Writing
  • Monitoring
  • Active Learning
  • Learning Strategies

O*NET — occupation-level

What employers ask for right now

The skills and certifications employers most often name in a sample of 77public job postings for this role. Treat it as a to-learn list — it’s dated hiring language, not a count of open jobs, demand, or salary.

Most-named skills

  • Cybersecurity 61
  • SIEM 53
  • Incident response 48
  • EDR 44
  • threat intelligence 42
  • threat hunting 36
  • Splunk 30
  • Python 26
  • AWS 24
  • Azure 24
  • CrowdStrike 22
  • PowerShell 21

Certifications named

  • Security+ 10
  • CySA+ 10
  • CCNA 3
  • CompTIA A+ 2
  • PMP 1

Compare what employers ask across roles → Qualitative employer-language sample only; do not use as official demand, market-size, salary, or certification ROI evidence.

Evidence stack

Source Stack Panel

Evidence chips, posture, citations, and blocked-claim boundary.

3 visible citations
Claim-source mapcitation infrastructure

Visible linkage between page claims, source rows, citation IDs, freshness, and review state.

Source posturesource governance

Whether a page has current, partial, stale, missing, or blocked source coverage.

Freshness rulesource governance

How recently the source must be checked before a claim or page can render as current.

Blocked-claim policyeditorial governance

Transparent explanation of claims RoleMath refuses to make without exact support.

What this page will never claim
  • Pass Rate
  • Placement Rate
  • Job Guarantee
  • Certification Specific Salary
  • Personal Salary Prediction
  • Roi Or Payback
View table fallback
SectionValueSource layerCaveat
Postureno_certification_source_linkssource postureDraft status; source posture must pass before public launch.
Visible citation count3claim source mapCitation count does not imply page is public-ready.

RoleMath fit signals

Role Fit Scorecard

Fit breakdown with readiness, market context, and source confidence.

Not a predictionThese scores explain current evidence, not personal outcomes.
ReadinessStrong signal
85/100

Internal scoring explanation; not an outcome guarantee.

Market contextModerate signal
67/100

Internal scoring explanation; not an outcome guarantee.

Source confidenceStrong signal
90/100

Internal scoring explanation; not an outcome guarantee.

O*NET role evidenceBLS occupation contextRoleMath scoring evidenceClaim-source map
View score table fallback
SignalValueSource layerCaveat
Readiness85/100rolemath scoring evidenceInternal scoring explanation; not an outcome guarantee.
Market context67/100rolemath scoring evidenceInternal scoring explanation; not an outcome guarantee.
Source confidence90/100rolemath scoring evidenceInternal scoring explanation; not an outcome guarantee.

Certification decision support

Certifications mapped to SOC Analyst

Certifications mapped to this role from cited OEM target-role data and the RoleMath role mapping, ordered by relationship strength and then Difficulty Score. This is planning context — not a guarantee, not an employer requirement, and not a claim that any one certification is best for everyone. Your fit depends on your background; pay/outlook context is occupation-level on the role page.

Start here signalSplunk Certified Cybersecurity Defense Analyst40/100 · Moderate

SOC foundations

2 mapped

Entry and foundation credentials before deeper SOC tooling and response work.

CredentialDifficultyCostRelationshipWhy it appears here
CompTIA Security+CompTIA · foundation
45/100Moderate$439 examstrong signalSecurity+ is a common baseline for SOC analyst preparation, but learners still need hands-on SIEM, networking, and incident triage practice.Official source
20/100Foundational$125 exampre entry foundationCCST Cybersecurity is useful for cyber fit exploration before deeper SOC preparation.Official source

Detection and monitoring

5 mapped

SIEM, monitoring, detection-engineering, and security-operations credentials.

CredentialDifficultyCostRelationshipWhy it appears here
40/100Moderate$130 examstrong signalSplunk Certified Cybersecurity Defense Analyst maps to SOC Analyst as a strong role signal based on its cited cybersecurity keyword:soc or security operations signal.Official source
40/100Moderate$999 examstrong signalGIAC Certified Detection Analyst (GCDA) maps to SOC Analyst as a strong role signal based on its cited name keyword:security:detection monitoring signal.Official source
50/100Moderate$999 examstrong signalGIAC Continuous Monitoring Certification (GMON) maps to SOC Analyst as a strong role signal based on its cited cybersecurity keyword:soc or security operations signal.Official source
60/100Hard$130 examadvanced adjacentSplunk Certified Cybersecurity Defense Engineer maps to SOC Analyst as an advanced credential for progressing toward/within this role, not an entry signal.Official source
65/100Hard$200 examadvanced adjacentFortinet NSE 5 - FortiAnalyzer 7.6 Analyst maps to SOC Analyst as an advanced credential for progressing toward/within this role, not an entry signal.Official source

Incident response and forensics

7 mapped

Forensics, incident handling, malware, and response credentials for SOC escalation paths.

CredentialDifficultyCostRelationshipWhy it appears here
50/100Moderate$999 examstrong signalGIAC Certified Forensic Analyst (GCFA) maps to SOC Analyst as a strong role signal based on its cited cybersecurity keyword:soc or security operations signal.Official source
50/100Moderate$999 examstrong signalGIAC Certified Forensic Examiner (GCFE) maps to SOC Analyst as a strong role signal based on its cited cybersecurity keyword:soc or security operations signal.Official source
50/100Moderate$999 examstrong signalGIAC Certified Incident Handler (GCIH) maps to SOC Analyst as a strong role signal based on its cited cybersecurity keyword:soc or security operations signal.Official source
GIAC Cloud Forensics Responder (GCFR)GIAC (SANS) · specialist
50/100Moderate$999 examstrong signalGIAC Cloud Forensics Responder (GCFR) maps to SOC Analyst as a strong role signal based on its cited cybersecurity keyword:soc or security operations signal.Official source
GIAC Network Forensic Analyst (GNFA)GIAC (SANS) · specialist
50/100Moderate$999 examstrong signalGIAC Network Forensic Analyst (GNFA) maps to SOC Analyst as a strong role signal based on its cited cybersecurity keyword:soc or security operations signal.Official source
50/100Moderate$999 examstrong signalGIAC Reverse Engineering Malware Certification (GREM) maps to SOC Analyst as a strong role signal based on its cited cybersecurity keyword:soc or security operations signal.Official source
55/100ModerateCost not verifiedstrong signalOffSec Defense Analyst (OSDA) maps to SOC Analyst as a strong role signal based on its cited name keyword:security:soc or security operations signal.Official source

Threat intelligence

1 mapped

Threat intelligence and adversary-analysis credentials that support SOC context and escalation.

CredentialDifficultyCostRelationshipWhy it appears here
GIAC Cyber Threat Intelligence (GCTI)GIAC (SANS) · specialist
50/100Moderate$999 examstrong signalGIAC Cyber Threat Intelligence (GCTI) maps to SOC Analyst as a strong role signal based on its cited cybersecurity keyword:soc or security operations signal.Official source

Network defense

3 mapped

Network security, traffic analysis, and defensive infrastructure credentials.

CredentialDifficultyCostRelationshipWhy it appears here
50/100Moderate$999 examstrong signalGIAC Certified Intrusion Analyst (GCIA) maps to SOC Analyst as a strong role signal based on its cited cybersecurity keyword:soc or security operations signal.Official source
Cisco CCNA CybersecurityCisco · associate
50/100Moderate$300 examstrong signal after foundationCisco CCNA Cybersecurity covers security monitoring host analysis network intrusion analysis and policies for cyber operations routes.Official source
CompTIA CySA+CompTIA · intermediate
75/100Hard$439 examstrong signal after foundationCySA+ maps more directly to analyst and monitoring work after Security+ or equivalent foundations.Official source

Vendor SOC platforms

4 mapped

Vendor-specific SOC, security operations, and analyst-platform credentials.

CredentialDifficultyCostRelationshipWhy it appears here
40/100ModerateCost not verifiedstrong signalMicrosoft Certified: Security Operations Analyst Associate maps to SOC Analyst as a strong role signal based on its cited name keyword:security:soc or security operations signal.Official source
45/100Moderate$200 examstrong signalFortinet NSE 7 - Security Operations 7.6 Architect maps to SOC Analyst as a strong role signal based on its cited name keyword:security:soc or security operations signal.Official source
Certified SOC Analyst (CSA)EC-Council · intermediate
55/100ModerateCost not verifiedstrong signalCertified SOC Analyst (CSA) maps to SOC Analyst as a strong role signal based on its cited name keyword:security:soc or security operations signal.Official source
60/100HardCost not verifiedadvanced adjacentMicrosoft Certified: Cybersecurity Architect Expert maps to SOC Analyst as an advanced credential for progressing toward/within this role, not an entry signal.Official source

Difficulty is the RoleMath Difficulty Score, not a pass rate. Certification mappings are planning context, not employer requirements, job guarantees, salary claims, or ROI claims.

BLS wage context

National salary context

BLS wage range with explicit occupation-level caveat.

Occupation-level onlyNot a certification salary, personal prediction, ROI, placement, or guarantee.
10th percentileU.S. national occupation-level wage context only.
$75,090
MedianNot a certification salary or personal prediction.
$129,180
90th percentileRequires SOC mapping caveat; use metro pages for local wages.
$199,850
BLS wage dataSOC mapping caveatSource posture
View salary table fallback
MeasureValueSource layerCaveat
10th percentile$75,090bls occupation contextU.S. national occupation-level wage context only.
Median$129,180bls occupation contextNot a certification salary or personal prediction.
90th percentile$199,850bls occupation contextRequires SOC mapping caveat; use metro pages for local wages.

Transition evidence

Career Transition Map

Node-edge transition map with relationship-confidence guardrail.

Relevance, not promiseall edges have evidence type and confidence
  1. Current pageSOC Analyst

    O*NET/BLS role context only; not a guaranteed progression.

    O*NET role evidence
  2. Related roleSOC Analyst

    Role mapping is source context, not a hiring or salary guarantee.

    O*NET role evidence
  3. Credential optionCompTIA Security+

    Credential facts come from official/vendor sources; employer use varies.

    Official certification source
  4. Relationship evidencestrong signal, priority 5/5

    Relationship confidence explains relevance only; it is not outcome proof.

    Role-cert relationship evidence
  5. Next actionCompare fit, cost, study time, and local labor context

    Personalized sequencing requires intake answers and review.

    Role-cert relationship evidence
O*NET role evidence

Tasks, skills, knowledge, work activities, job zone, and role-fit inputs.

Does not support: Salary, demand, certification requirement, individual fit guarantee.
Official certification source

Exam name, credential level, exam objectives, prerequisites, renewal, official resources.

Does not support: Salary, demand, ROI, placement, pass rate, job guarantee.
Role-cert relationship evidence

Why a certification is related to a role, skill, task, or transition stage.

Does not support: Employer requirement proof, guaranteed hiring advantage, salary increase.
Employer language sample

Title variants, wording, common tools, and resume/quiz phrasing.

Does not support: Demand, salary, probability of hire, certification requirement unless officially stated.
Not claimed here
  • Pass Rate
  • Placement Rate
  • Job Guarantee
  • Certification Specific Salary
  • Personal Salary Prediction
  • Roi Or Payback
View transition table fallback
NodeValueSource layerCaveat
Current pageSOC Analystonet role featureO*NET/BLS role context only; not a guaranteed progression.
Related roleSOC Analystonet role featureRole mapping is source context, not a hiring or salary guarantee.
Credential optionCompTIA Security+oem credential factCredential facts come from official/vendor sources; employer use varies.
Relationship evidencestrong signal, priority 5/5role cert relationshipRelationship confidence explains relevance only; it is not outcome proof.
Next actionCompare fit, cost, study time, and local labor contextrole cert relationshipPersonalized sequencing requires intake answers and review.

Work reality

SOC Analyst

Role-reality cards separating official and qualitative evidence.

Evidence boundaryOfficial role evidence is separated from employer and community wording.
Official evidenceOfficial tasks

O*NET evidence

Separate official evidence from qualitative phrasing.
Official evidenceSkills/tools

role feature evidence

Separate official evidence from qualitative phrasing.
Qualitative signalEmployer language

qualitative only

Separate official evidence from qualitative phrasing.
Qualitative signalBeginner friction

reviewed themes

Separate official evidence from qualitative phrasing.
O*NET role evidence

Tasks, skills, knowledge, work activities, job zone, and role-fit inputs.

Does not support: Salary, demand, certification requirement, individual fit guarantee.
Employer language sample

Title variants, wording, common tools, and resume/quiz phrasing.

Does not support: Demand, salary, probability of hire, certification requirement unless officially stated.
Community question signal

Common questions, anxieties, misconception themes, and content-priority signals.

Does not support: Factual authority, demand, salary, outcomes, provider ratings without rights review.
View role reality table fallback
SignalValueSource layerCaveat
Official tasksO*NET evidenceonet role featureSeparate official evidence from qualitative phrasing.
Skills/toolsrole feature evidenceonet role featureSeparate official evidence from qualitative phrasing.
Employer languagequalitative onlyonet role featureSeparate official evidence from qualitative phrasing.
Beginner frictionreviewed themesonet role featureSeparate official evidence from qualitative phrasing.
Answer blocks

Common Questions

Will AI replace cybersecurity / SOC analysts?

We won't mint a replacement number or date. AI changes tasks inside security operations (alert triage, summarization, detection tuning) — task shift, not role elimination. BLS projects strong growth for the related occupation through 2034, though BLS does not model rapid AI, so that growth is not an AI forecast either.

Tier B (factual): BLS puts Information security analysts (SOC 15-1212) at a 2024–2034 projected change of +28.5%, with ~16,000 annual openings a year — a forecast, not a guarantee. AI appears among demand drivers cited for the broader computer & mathematical group, but BLS disclaims precise long-term AI impact, so we attach no AI causation. Task exposure means the work shifts toward judgment and oversight, not that the role disappears. Tier A (research): a cited exposure index would need registered research sources we don't yet carry; we decline to forecast.

Citations: U.S. BLS — Employment Projections 2024–2034, SOC 15-1212 (src_bls_employment_projections_2024_2034, bls.gov).

Plan a security path with eyes open on how the work is changing. Build my personalized career plan.

How to become a SOC Analyst

Quick Verdict

A SOC analyst monitors security alerts, triages incidents, and escalates threats using SIEM workflows. A realistic career-changer path: build networking and security fundamentals, then a baseline credential like CompTIA Security+ (RoleMath difficulty: Moderate - a structural score, not a pass rate). BLS reports a $129,180 median wage (2025) for Information Security Analysts - occupation context, not a guarantee.

Cited Detail

SOC analyst shares its occupation with cybersecurity analyst: Information Security Analysts (SOC 15-1212). Top skills: monitoring, critical thinking, reading comprehension, clear writing. Realistic sequence (planning context, not a promise): start with CompTIA Security+ (SY0-701) as a baseline, then hands-on SIEM, networking, and incident-triage practice. CompTIA CySA+ (CS0-003) maps more directly to analyst work after foundations - RoleMath rates it Hard (structural band, not a pass rate). Cisco's CCST Cybersecurity (100-160) is a useful pre-entry fit-check; Cisco CCNA Cybersecurity (200-201) is a stronger signal once you've built foundations. Outlook: BLS projects Information Security Analysts to grow 28.5% over 2024-2034, ~16,000 openings/yr - a multi-year occupation-level projection, not live postings, not a guarantee for this title or for you.

AI & this career

What we can — and can’t — tell you about AI and this role

Cited context only: an occupation-level outlook, descriptive usage data, an employer-language sample, and attributed research — kept separate. No RoleMath AI score, no automation timeline, no job-loss prediction. How we source this →

Occupation outlook · BLS

Where the occupation is projected to go

BLS projects Information security analysts at 28.5% employment change for 2024-2034, with 16 thousand annual openings. U.S. Bureau of Labor Statistics

A forecast, not a guarantee; occupation-level, not about you - and BLS does not model rapid AI adoption, so this is never an AI prediction.

How AI shows up in the work

Descriptive usage, not demand or loss

For this shared SOC, the May 2026 usage sample reports 23.90% augmentation-labeled and 76.10% automation-labeled Claude conversations. Anthropic Anthropic Economic Index dataset, CC-BY.

Across all occupations the same dataset splits 51.4% augmentation / 48.6% automation (May 2026) — shown so a single role’s number is never read as an outlier.

Descriptive Claude usage data, not employment demand, not job loss, and not a personal forecast; CC-BY attribution required.

Employer language · sample

What a posting sample mentions

a sample of 6 postings (as of 2026-06-12) mentions these AI-related terms RoleMath public ATS employer-language pilot

Employer-language sample only; not official demand, market-size, salary, or certification ROI evidence.

Published research · attributed

What independent research says (not RoleMath’s claim)

  • Eloundou et al. estimate that about 80% of U.S. workers have at least 10% of their work tasks exposed to large language model capabilities (Science 2024). American Association for the Advancement of Science exposure = task overlap, not job loss.
  • Eloundou et al. estimate that about 19% of U.S. workers have at least 50% of their work tasks exposed to large language model capabilities (Science 2024). American Association for the Advancement of Science exposure = task overlap, not job loss.
  • Eloundou et al. explicitly disclaim any forecast of AI adoption or timing, describing their measure as capability overlap with tasks rather than a prediction of job loss (Science 2024). American Association for the Advancement of Science exposure = task overlap, not job loss.
  • OECD reports that high-skill occupations are the most exposed to AI on task-overlap measures (OECD Employment Outlook 2023). Organisation for Economic Co-operation and Development exposure = task overlap, not job loss.
  • OECD reports that, as of 2023, there is little empirical evidence of negative employment effects from AI (OECD Employment Outlook 2023). Organisation for Economic Co-operation and Development exposure = task overlap, not job loss.
  • OECD and the AIOE research find that AI exposure and automation risk often run in opposite directions, with the most-exposed high-skill occupations tending to be the least at risk of automation. Organisation for Economic Co-operation and Development exposure = task overlap, not job loss.
  • Felten, Raj and Seamans construct an occupation-level AI Occupational Exposure index by linking AI capabilities to O*NET occupational abilities (Strategic Management Journal). Strategic Management Journal (Wiley) exposure = task overlap, not job loss.
  • Stanford Digital Economy Lab researchers find a roughly 16% relative decline in employment for workers ages 22-25 in the most AI-exposed occupations, based on high-frequency ADP payroll data (Canaries in the Coal Mine, working paper). Stanford Digital Economy Lab correlational usage data, not proof.
  • The ILO notes that AI-exposure indicators measure potential task overlap and cannot by themselves establish job loss (Workers' exposure to AI). International Labour Organization exposure = task overlap, not job loss.
  • The Anthropic Economic Index reports no measured systematic rise in unemployment attributable to AI in its usage data. Anthropic correlational usage data, not proof.

Tier A research stays attributed and separate from BLS outlook and employer-language samples.

Every figure on this page, sourced

The claims above trace to these records — the source, and when it was last checked. If a figure has no row here, we did not publish it.

IDSupportsSourceChecked
CIT-01Supports occupation-level wage context for SOC Analyst.SOC Analyst BLS OEWS wage source2026-06-25T08:28:38+00:00
CIT-02Supports occupation-level outlook context for SOC Analyst.SOC Analyst BLS Employment Projections source2026-06-25T08:27:06+00:00
CIT-03Supports skills, tasks, interests, and fit context for SOC Analyst.SOC Analyst O*NET source2026-06-25T10:06:39+00:00

Ready to see how this fits your background?

Build my personalized career plan.