SOC Tier Model (L1/L2/L3)
The SOC Tier Model organizes analysts into L1 (triage/monitoring), L2 (investigation/response), and L3 (hunting/engineering) levels to match task complexity with skill level and provide clear career progression.
Continue your mission
The SOC Tier Model organizes analysts into L1 (triage/monitoring), L2 (investigation/response), and L3 (hunting/engineering) levels to match task complexity with skill level and provide clear career progression.
# SOC Tier Model (L1/L2/L3)
The Security Operations Center tier model divides analyst roles into three functional levels, each defined by skill depth, task complexity, and decision authority. The model exists because not every security alert requires the same level of expertise, and routing every alert to senior analysts wastes scarce talent while slowing response. By matching task complexity to analyst capability, the tier model keeps high-volume, low-complexity triage work at the front line while preserving advanced analyst capacity for investigation, threat hunting, and detection engineering.
Organizations that implement the tier model correctly gain measurable improvements in mean time to detect (MTTD) and mean time to respond (MTTR), while also creating a structured career ladder that improves analyst retention in a field known for high burnout and turnover. The model is a staffing and workflow architecture, not a technology or tool. It governs how work flows through the SOC, how escalations are triggered, and how analyst development is structured over time.
The tier model is distinct from incident severity classifications (P1/P2/P3/P4), which describe the urgency and business impact of an incident rather than the analyst responsible for it. It is also distinct from the SOC maturity model, which measures how capable and process-driven a SOC is as an organization. A mature SOC may still use the tier model; a tiered SOC is not automatically a mature one.
Variants of the tier model exist in practice. Some organizations collapse L1 and L2 into a single "generalist analyst" role, particularly in smaller security teams where headcount does not support three distinct levels. Others add an L4 designation for staff who operate at a strategic level, such as threat intelligence analysts or red team members embedded in the SOC. Managed Security Service Providers (MSSPs) commonly use the three-tier model to differentiate service tiers sold to customers, with L3 services commanding premium pricing.
L1 analysts serve as the SOC's filtering mechanism, processing high-volume, low-complexity alerts through documented procedures. Their primary responsibility is determining whether an alert represents genuine malicious activity requiring investigation or a false positive that can be safely closed. This determination follows structured playbooks that minimize decision-making variance between analysts and shifts.
A typical L1 analyst handles 50 to 200 alerts per eight-hour shift, depending on environment size and detection rule tuning quality. Each alert follows a standardized workflow: validate the alert is not a known false positive, gather initial context from logs and asset records, apply severity classification based on predefined criteria, and either escalate to L2 or close with documentation.
Consider a real example: an L1 analyst receives a SIEM alert for "Suspicious Process Execution" triggered by an unsigned binary running from a temporary directory. The playbook instructs them to check the process name, parent process, digital signature status, and whether the endpoint has endpoint detection and response (EDR) coverage. The analyst finds the process is "winword.exe" spawning "powershell.exe" with encoded command line arguments, the PowerShell process has no parent-child relationship to any legitimate Office macro, and the endpoint shows recent web browsing to personal email sites. These indicators match the escalation criteria. The analyst creates an incident ticket, preserves initial evidence, and escalates to L2 within the defined SLA (typically 15-30 minutes for high-severity alerts).
L1 analysts do not perform deep investigation or containment actions beyond what their playbooks explicitly authorize. Their value is speed and consistency in separating signal from noise, allowing higher-tier analysts to focus on actual incidents rather than alert management.
L2 analysts own the complete incident lifecycle from initial escalation through containment and handoff to remediation teams. They possess intermediate skills in log correlation, endpoint forensics, network analysis, and malware analysis using commercial tools. L2 work is reactive but requires analytical thinking and technical judgment that cannot be reduced to procedural steps.
When L2 receives the PowerShell escalation from the previous example, they begin comprehensive investigation using EDR telemetry, network logs, and threat intelligence sources. They decode the PowerShell command and discover it downloads a second-stage payload from an external IP address. Cross-referencing the IP against threat intelligence feeds reveals association with a known malware distribution network. The L2 analyst pulls the full process tree from the EDR, identifies the payload as a remote access trojan (RAT), and determines it established command-and-control communication and attempted lateral movement to adjacent network shares.
With sufficient evidence to classify this as a confirmed intrusion, the L2 analyst initiates containment. They isolate the affected endpoint using EDR remote containment capabilities, preserve volatile memory for forensic analysis, coordinate credential resets with IT operations, and scan other endpoints for indicators of compromise (IOCs) derived from the investigation. They document the complete attack timeline, IOCs, containment actions, and recommended remediation steps in a formal incident report.
L2 analysts escalate to L3 when they encounter novel attack techniques they cannot fully analyze, when the scope of compromise exceeds their containment authority, or when the incident requires custom detection rule development to prevent recurrence.
L3 analysts perform the proactive and strategic functions that prevent SOC capability from stagnating over time. Their work falls into three primary categories: threat hunting, detection engineering, and advanced malware analysis. Unlike L1 and L2, whose work is driven by incoming alerts and escalations, L3 analysts operate on self-directed schedules aligned with threat intelligence priorities and detection coverage gaps.
Threat hunting involves forming hypotheses about adversary behavior that may not be generating alerts, then systematically searching available data to confirm or refute those hypotheses. For example, an L3 analyst reads a threat intelligence report describing a new ransomware group that uses legitimate remote access tools to avoid EDR detection. They develop a hunt hypothesis: "Adversaries may be using AnyDesk or TeamViewer on endpoints where these tools are not part of the standard software inventory." They build search queries across endpoint, network, and application logs looking for installation, execution, or network communication patterns associated with these tools on unauthorized systems. If the hunt identifies suspicious activity, it generates a formal incident that flows back through the standard L1/L2 process. If the hunt finds nothing, it still produces value by creating documented negative results and potentially generating new detection rules to catch similar techniques prospectively.
Detection engineering involves writing, testing, and maintaining the SIEM rules, EDR behavioral detections, and SOAR playbooks that generate the alerts L1 and L2 process. L3 analysts own detection quality and coverage. They review false positive patterns from L1 logs to identify rules that generate noise without value, tune detection thresholds based on environmental baselines, and develop new detections based on emerging threats and techniques. They also maintain the runbooks and escalation criteria that guide L1 and L2 decision-making.
Advanced malware analysis comes into play when investigations require understanding malware functionality beyond what automated sandboxes provide. L3 analysts perform static and dynamic analysis of malicious binaries, reverse-engineer custom tools and exploits, and produce technical intelligence that informs both immediate incident response and broader detection strategy.
L3 analysts also serve as technical mentors and quality assurance for L1 and L2 work. They conduct regular case reviews, provide feedback on escalation decisions, develop training scenarios based on real incidents, and ensure consistency in incident classification and response procedures across shifts and team members.
The tier model has direct, measurable impact on security effectiveness and operational efficiency. Organizations that operate without clear tier structure experience predictable failure modes that compromise both security outcomes and team sustainability.
The most common failure is senior analyst misallocation, where highly skilled staff spend the majority of their time on routine alert triage that junior analysts could handle procedurally. This wastes expensive talent and eliminates capacity for proactive work like threat hunting and detection engineering. When senior analysts are consumed by reactive tasks, detection capabilities stagnate, false positive rates increase, and the SOC becomes progressively less effective at identifying genuine threats.
The second common failure is under-escalation, where junior analysts lack clear guidance on when incidents require senior attention. This causes serious threats to stall in L1 queues past the point where rapid containment is still possible. The 2020 SolarWinds supply chain compromise provides a documented example: several affected organizations failed to escalate subtle network anomalies because the alerts were treated as routine false positives by triage staff who lacked the context or authority to investigate SUNBURST's deliberately subtle command-and-control patterns.
A well-implemented tier model prevents both failures by creating clear escalation criteria, protecting senior analyst capacity for high-value work, and ensuring that incidents reach the appropriate skill level quickly rather than slowly. Organizations frequently assume that adding escalation steps creates bureaucratic delay, but the opposite occurs in practice. Clear escalation criteria with defined service level agreements accelerate incident flow by eliminating the informal consultation and queue uncertainty that characterizes poorly structured SOCs.
The tier model also addresses SOC workforce challenges. Security analysis has high burnout rates driven by repetitive work, irregular hours, and unclear career progression. The tier model creates a structured development path from procedural L1 work through investigative L2 skills to strategic L3 capabilities. This gives analysts a roadmap for skill development and provides managers with objective criteria for promotion decisions. Organizations with well-defined tier progression retain analysts longer and build institutional knowledge more effectively than those where analyst roles are undifferentiated.
Some practitioners argue that automation makes the tier model obsolete by eliminating routine L1 tasks. This reflects a misunderstanding of both automation capabilities and human judgment requirements. Security orchestration, automation, and response (SOAR) platforms can handle repetitive data enrichment and simple disposition tasks, but they cannot replace human judgment at the boundary between procedural response and analytical investigation. The tier model adapts to include automation as a capability multiplier, not a replacement for human workflow structure.
CDA approaches the SOC Tier Model through the Planetary Defense Model (PDM) within the Threat Intelligence and Defense (TID) domain, applying the Predictive Defense Intelligence (PDI) methodology: see the threat before it sees you. This perspective fundamentally restructures how tier roles relate to threat detection and response.
Most organizations implement the tier model reactively. Alerts generate, L1 triages them, L2 investigates confirmed incidents, L3 provides escalation support for complex cases. This creates a SOC that is permanently behind the adversary decision cycle, responding to attacks after they have already achieved initial access and begun executing their mission.
CDA's approach inverts this relationship by making L3 functions primarily proactive rather than reactive. Instead of waiting for L1 escalations to drive L3 work, CDA-aligned SOCs run L3 threat hunting and detection engineering on forward intelligence cycles. L3 analysts consume finished threat intelligence about active adversary campaigns, map those campaigns to the specific organization's attack surface using PDM terrain analysis, and build detections and hunt queries before adversary techniques produce alerts.
In practical terms, this means CDA SOCs maintain continuous hunt calendars driven by threat intelligence priorities rather than incident volume. When a new adversary group targets the client's industry sector, L3 analysts immediately assess which techniques from that group's playbook are not covered by existing detection rules. They generate hunt hypotheses, conduct systematic hunts across available data sources, and either close with documented negative results or surface new malicious activity. In either case, the process generates both immediate security value and improved detection coverage.
This approach also changes how CDA structures tier staffing and development. Rather than hiring generically for analyst headcount, CDA assesses detection coverage gaps by technique category using MITRE ATT&CK mapping, identifies which gaps require L2 investigative capacity versus L3 engineering capacity, and structures hiring recommendations accordingly. This prevents the common failure where organizations over-hire L1 staff to manage alert volume while the root cause of that volume is poor detection tuning that only L3 investment can resolve.
CDA also applies PDI to tier escalation criteria by incorporating threat intelligence context into escalation decision-making. Rather than escalating based solely on technical indicators, CDA tier models include current threat intelligence priorities in escalation logic. An alert that would normally be closed as low-priority at L1 gets escalated if it matches techniques associated with groups currently targeting the organization's sector, even if the technical indicators are ambiguous.
CDA Theater missions that address topics covered in this article.
Cryptographic technique that encrypts data while preserving its original format and length, enabling protection without breaking legacy system compatibility.
Guide to HTTP/2 security covering binary framing, HPACK compression attacks, rapid reset vulnerability, stream multiplexing risks, and mitigation strategies.
Explanation of Certificate Transparency framework, covering log servers, Signed Certificate Timestamps, monitoring capabilities, and detection of fraudulent certificates.
Written by CDA Editorial
Found an issue? Help improve this article.