Surviving Your First 90 Days as a SOC Analyst
A practical roadmap for new SOC analysts covering onboarding, alert triage, tools, and habits that build credibility fast.
Starting a SOC analyst role is exciting and disorienting at the same time. You're handed access to a dozen tools, a queue of alerts, and vague expectations about how fast you should be catching real threats. The first 90 days set the trajectory for your entire career in the role, so it's worth approaching them deliberately rather than just surviving them.
Weeks 1-2: Absorb Before You Act
Resist the urge to immediately start closing tickets like a veteran. Early on, your job is to understand the environment: what does normal traffic look like, which assets are crown jewels, what's the escalation path, and who owns what. Read the runbooks even if they're outdated — outdated runbooks tell you a lot about tribal knowledge gaps you'll need to fill later.
Spend time in the SIEM just querying, not triaging. Get comfortable with the data sources feeding it: firewall logs, EDR telemetry, DNS logs, authentication logs. If you don't know where a log source lives or how it's normalized, ask now. Nobody expects fluency in week one, and questions asked early read as diligence, not incompetence.
Weeks 3-5: Shadow, Then Triage Under Supervision
This is when you start working real alerts, but paired with a senior analyst or a clear escalation buddy. Focus on building a repeatable triage habit:
- Confirm the alert fired correctly — check the raw log, not just the alert summary.
- Establish context — is this asset a workstation, a server, a service account? What's its baseline behavior?
- Scope the blast radius — did this touch other hosts, other accounts, other timeframes?
- Document as you go — your notes today are the institutional knowledge someone else relies on in six months.
A common mistake at this stage is closing alerts too quickly to look efficient. Speed matters eventually, but accuracy and reasoning matter more right now. A senior analyst can teach you shortcuts later; they can't easily un-teach bad habits.
Weeks 6-8: Build Your Own Playbook Instincts
By now you should be handling common alert types — phishing reports, brute-force attempts, suspicious PowerShell execution — with less hand-holding. Start noticing patterns the existing detection rules miss. Maybe a particular alert always fires on a benign backup job. Maybe a real technique keeps slipping through because the rule logic is too narrow. Bring these observations to your team; contributing tuning suggestions this early signals initiative. This is also the point to get comfortable with basic threat intel lookups — checking IPs, hashes, and domains against sources like VirusTotal or your organization's threat intel platform — and understanding how that context changes an alert's severity.
Weeks 9-12: Take Ownership and Ask for Feedback
In the final stretch, push for more autonomy on your shift while still confirming escalations before closing anything ambiguous. Start tracking your own metrics informally: how many alerts you handled, how many were false positives, how often you had to reopen something. This isn't about proving productivity — it's about noticing where your judgment is solid and where it still needs calibration.
Ask your lead directly: "What am I missing that a more experienced analyst would catch?" Most SOC leads respect a direct request for feedback far more than silent uncertainty. This is also a good time to identify a specialization interest — detection engineering, threat hunting, incident response, malware analysis — because SOC work opens doors in a lot of directions, and showing curiosity about a specific path helps shape how your manager assigns you stretch work.
Habits Worth Building From Day One
A few things pay off regardless of your specific SOC's tooling or maturity level:
- Write clean, timestamped notes on every investigation, even closed ones.
- Learn the network topology, not just the log fields — knowing what's supposed to talk to what makes anomalies obvious faster.
- Practice writing incident summaries that a non-technical manager could understand; this skill compounds throughout your career.
- Stay curious about false positives — tuning bad detections is often more valuable than closing tickets quickly.
The first 90 days aren't about becoming an expert. They're about building the judgment, habits, and relationships that let you become one over the next few years.
If you want to sharpen the technical foundations behind SOC work — log analysis, network fundamentals, or incident response workflows — explore the related Blue Team and Digital Forensics segments on Korra Studio.
This article was generated with AI assistance and published to the Korra Studio knowledge base.
This is one note from the Korra Studio knowledge base — the platform pairs every topic with 1-to-1 mentoring.
Get started freearrow_forward