L1, L2, L3 Analyst Roles

Short Definition

SOC teams operate in three structured tiers. L1 analysts perform initial triage, L2 analysts conduct investigations and enrichment, and L3 analysts handle advanced threat hunting, correlation logic, malware analysis, and complex incidents.

Deep Technical Explanation

The tiered SOC model ensures an efficient flow of security alerts while matching expertise to the complexity of each incident.

L1 Analyst Role (Triage and First Response)

💾 Download the “SOC Analyst L1” JD template docx file.

L1 analysts handle the highest alert volume. Their job is to identify which alerts are real, prioritize them, and escalate appropriately.

Core responsibilities:

  • monitor dashboards and SIEM alerts
  • validate whether an alert is legitimate
  • classify severity
  • gather basic context
  • perform initial checks (logs, users, devices)
  • escalate real threats to L2

L1 is critical for reducing noise and ensuring fast reaction time.

L2 Analyst Role (Deep Investigation and Analysis)

💾 Download the “SOC Analyst L2” JD template docx file.

L2 handles validated incidents that require greater technical skill.

Responsibilities:

  • full investigation
  • cross-log correlation
  • analyzing endpoint behavior
  • reconstructing attacker activity
  • enriching events with threat intelligence
  • preparing incident reports
  • coordinating with IT during containment

L2 analysts need a strong understanding of attacker behavior and MITRE ATT&CK.

L3 Analyst Role (Advanced Threat Hunting and Engineering)

💾 Download the “SOC Analyst L3” JD template docx file.

L3 deals with the most complex security events.

Responsibilities:

  • reverse engineering malware
  • advanced threat hunting
  • building SIEM correlation rules
  • tuning EDR detections
  • analyzing cloud security posture
  • researching new TTPs
  • guiding L1 and L2 analysts
  • designing response playbooks

L3 analysts often act as security architects inside the SOC.
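The hand-offs between the three tiers described above (L1 triage, L2 investigation and enrichment, L3 building correlation logic) can be shown end to end in a small script. This is an added example, not BlueGrid.io's code or tooling: the alerts, the authentication log, the approved-scanner list and the threat-intel entry are all constructed, and the rule thresholds are hypothetical.

```python
"""Tiered SOC alert flow: L1 triage, L2 investigation, L3 detection engineering.
Every alert, log line and indicator below is constructed for this example."""
from collections import defaultdict

# --- constructed sample data (documentation-range addresses, not real indicators) ---
THREAT_INTEL = {"203.0.113.77": "credential-stuffing infrastructure (constructed)"}
APPROVED_SCANNERS = {"10.0.0.5"}  # hypothetical vulnerability scanner, expected noise
SEVERITY_BY_RULE = {"port_scan": "low", "brute_force": "high", "malware_beacon": "critical"}

# Constructed authentication log: (epoch seconds, user, source IP, outcome)
AUTH_LOG = [
    (1000, "alice", "203.0.113.77", "fail"),
    (1030, "alice", "203.0.113.77", "fail"),
    (1060, "alice", "203.0.113.77", "fail"),
    (1090, "alice", "203.0.113.77", "fail"),
    (1120, "alice", "203.0.113.77", "success"),
    (2000, "bob", "192.0.2.10", "fail"),
    (2500, "bob", "192.0.2.10", "success"),
]

# Constructed SIEM alerts as they would land in the L1 queue
RAW_ALERTS = [
    {"id": 1, "rule": "port_scan", "src_ip": "10.0.0.5", "user": None},
    {"id": 2, "rule": "port_scan", "src_ip": "198.51.100.9", "user": None},
    {"id": 3, "rule": "brute_force", "src_ip": "203.0.113.77", "user": "alice"},
]


def l1_triage(alerts):
    """L1: validate, classify severity, suppress known noise, escalate the rest.
    Returns (escalated_to_l2, closed)."""
    escalated, closed = [], []
    for a in alerts:
        a = dict(a, notes=[])
        if a["src_ip"] in APPROVED_SCANNERS:
            a["notes"].append("L1: closed, source is an approved scanner")
            closed.append(a)
            continue
        a["severity"] = SEVERITY_BY_RULE.get(a["rule"], "medium")
        if a["severity"] in ("high", "critical"):
            a["notes"].append("L1: escalated to L2")
            escalated.append(a)
        else:
            a["notes"].append("L1: closed, low severity, kept for trend review")
            closed.append(a)
    return escalated, closed


def l2_investigate(alert, auth_log=AUTH_LOG, intel=THREAT_INTEL):
    """L2: cross-log correlation plus threat-intel enrichment.
    Pulls the auth events for the alert's user/source pair, counts failures,
    and confirms the incident if a success follows the failures."""
    events = [e for e in auth_log if e[1] == alert["user"] and e[2] == alert["src_ip"]]
    fails = sum(1 for e in events if e[3] == "fail")
    success_after_fail = any(
        e[3] == "success" and any(f[0] < e[0] and f[3] == "fail" for f in events)
        for e in events
    )
    result = dict(alert, notes=list(alert["notes"]), correlated_events=len(events),
                  failed_logins=fails, intel=intel.get(alert["src_ip"]),
                  confirmed=success_after_fail)
    if success_after_fail:
        result["notes"].append("L2: confirmed, login succeeded after repeated failures; "
                               "containment requested from IT")
    return result


def l3_build_rule(threshold=3, window=300):
    """L3: build a SIEM-style correlation rule (thresholds are hypothetical).
    Returns a function that scans an auth log and emits a brute_force alert when
    at least `threshold` failures by one user from one source fall within
    `window` seconds before a successful login."""
    def rule(auth_log):
        by_key = defaultdict(list)
        for ts, user, ip, outcome in sorted(auth_log):
            by_key[(user, ip)].append((ts, outcome))
        alerts = []
        for (user, ip), events in by_key.items():
            fails = [ts for ts, o in events if o == "fail"]
            for ts, o in events:
                if o != "success":
                    continue
                recent = [f for f in fails if ts - window <= f < ts]
                if len(recent) >= threshold:
                    alerts.append({"rule": "brute_force", "src_ip": ip, "user": user})
                    break  # one alert per user/source pair is enough
        return alerts
    return rule


def run_pipeline(raw_alerts=RAW_ALERTS, auth_log=AUTH_LOG):
    """Full flow: L1 triage -> L2 investigation -> confirmed incidents."""
    escalated, closed = l1_triage(raw_alerts)
    investigated = [l2_investigate(a, auth_log) for a in escalated]
    confirmed = [a for a in investigated if a["confirmed"]]
    return {"closed": closed, "investigated": investigated, "confirmed": confirmed}


if __name__ == "__main__":
    for a in run_pipeline()["confirmed"]:
        print(a["id"], a["severity"], a["intel"], a["notes"])
    # The rule L3 built feeds new alerts back into the L1 queue
    print(l3_build_rule()(AUTH_LOG))
```

The loop is the point: L3's `l3_build_rule` produces the `brute_force` alerts that L1's `l1_triage` classifies as high and hands to `l2_investigate`, which is where the cross-log correlation and threat-intel enrichment the L2 section lists actually happen. In a real SOC the suppression list, severity map and thresholds would live in the SIEM and be owned by L3, with L1 and L2 consuming them.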

How BlueGrid.io Uses It

Our SOC operates with a tiered structure where each alert is processed efficiently. L1 provides rapid triage, L2 performs deep analysis, and L3 builds detection logic and handles complex incidents.
