How to Structure a SOC Team: Roles, Tiers, and Staffing Models

Bright curved horizon of a planet glowing against the dark backdrop of space.

Most security operations leaders inherit their SOC structure rather than choose it. The team grows over time, the Tier 1, Tier 2, Tier 3 model gets adopted because it's documented and recognizable, and the question of whether the structure actually fits the work tends to stop getting asked.

This guide covers what a SOC team is responsible for, the roles you will see across most SOCs, how the traditional tiered model works, the alternative structures that have emerged alongside it, and a practical view of how to actually build a team for your environment. The right structure depends on team size, environment complexity, and where you want investigation work to actually happen.

TL;DR:

A SOC team owns the operational side of security: monitoring, triage, investigation, response coordination, and detection tuning. Governance, compliance, and architecture sit in adjacent functions.
Most SOCs converge on the same baseline role set, with mature teams adding specialists. The roles matter more than the titles.
The traditional Tier 1, Tier 2, Tier 3 model is the industry default. Pod-based, follow-the-sun, managed, and co-managed structures fit different operating realities.
Building a team starts with the work. Decide what you want this team to actually own, then size, structure, and phase the team to support that.

What a SOC Team Does, and What Sits Outside Its Scope

The SOC owns security operations. That boundary matters because security teams at mid-market organizations often carry responsibilities that belong to adjacent functions, and overloading the SOC with governance or architecture work is one of the fastest ways to erode operational capacity.

Inside the SOC:

Alert monitoring, triage, and incident investigation
Incident response coordination
Detection tuning and detection engineering
Threat hunting (in mature teams)
Operational reporting, metrics, and security tool administration (SIEM, SOAR, EDR)

Outside the SOC (typically):

Compliance and GRC (SOC 2, ISO 27001, risk management frameworks)
Security architecture and product security
Vulnerability remediation (the SOC identifies; infrastructure owns patching)

In smaller organizations, the same person often wears multiple hats. That is a staffing reality and not a structural recommendation. Making the boundary explicit helps SOC managers push back when governance or architecture work starts consuming analyst time that should go to investigation.

Core SOC Roles and Responsibilities

Most SOCs converge on the same baseline role set, even when titles vary. The mature team adds specialists; the early-stage team covers the same functions with fewer people.

SOC Manager / Head of SecOps: Owns process, staffing, escalation paths, vendor relationships, and metrics. Reports to the CISO or VP of Security.
SOC Analysts: The operational core: triage, investigate, document, route. In a tiered model, these split across Tier 1 and Tier 2. In a flatter model, they own broader investigation responsibilities end to end.
Incident Responders: Lead containment, eradication, recovery, and post-incident review on confirmed threats.
Threat Hunters: Run hypothesis-based and IOC-based hunts for activity that existing detection rules miss.
Detection Engineers: Build and tune detections, maintain SIEM and EDR integrations, manage detection rule libraries.
Threat Intelligence Analysts: Feed detection engineering and hunting with adversary context and provide intelligence during active incidents.

Strong SOCs are explicit about which role owns which process, tool, or investigation. Weaker SOCs blur those lines until the same senior analyst is doing detection engineering, incident response, threat hunting, and Tier 2 investigation simultaneously. That is not versatility. That is a staffing gap wearing a job title.

How the Traditional Tiered SOC Works

The standard enterprise model has historically been Tier 1, Tier 2, Tier 3, with work flowing upward as complexity increases. That model emerged from human staffing constraints and alert-volume management rather than from investigation quality optimization. It is still the most common pattern in enterprise operating models.

Tier 1: alert monitoring and initial triage. Watch the queue, acknowledge alerts, run basic enrichment, close obvious false positives, escalate the rest.
Tier 2: deeper investigation and incident handling. Investigate across multiple tools, make containment decisions, coordinate response.
Tier 3: threat hunting, advanced analysis, detection engineering. Build detections, hunt for what existing rules miss, lead complex incidents.

The model's logic is resource efficiency through progressive filtering, minimizing the amount of investigation work performed by senior analysts. High-volume, low-complexity work stays at the lower tier, and more novel or multi-system cases move upward. It became the default because it was documented and repeatable, not because it was tested against alternatives.

Teams running this model commonly hit a few constraints as their environment scales. Tier 1 work is repetitive, and a Tines survey reported by Dark Reading found that 71% of SOC analysts experience burnout, with turnover concentrated at the entry level. Cases handed off between tiers usually transfer with a ticket and notes, so investigation context erodes at the seam, and shift transitions add additional handoffs.

SANS research found that two-thirds of SOC teams cannot keep pace with alert volume. These constraints are not unique failures, they are structural and they show up wherever the model is deployed at scale, and they motivate the alternatives that follow.

SOC Team Structures Beyond the Tiered Model

The structural alternatives below reflect real choices about where ownership sits, how coverage is delivered, and what work the team actually does. Each is described bottom line up front: what it is, who it fits, and what the tradeoff is.

Centralized In-House SOC

One team, one escalation path, one detection ruleset. All SOC functions sit under a single team with unified tooling and a shared detection library. Centralized architecture remains the most common operating model and fits organizations with the technical depth to run security operations as a core competency, or where compliance and data residency requirements rule out external providers. The risk is concentration: when the team is overstretched, there is no structural buffer.

Pod-Based SOC

Small cross-functional teams own the full detection-to-response lifecycle, eliminating handoff loss at the cost of higher analyst skill requirements. Each pod handles investigation and response for a defined scope, whether by business unit, geography, or technology stack.

Removing the escalation seam removes the most common source of context loss in tiered models. This works best where the team has enough senior analysts to carry broader ownership without concentrating all complex work on a handful of people.

Follow-the-Sun Model

Coverage distributed across time zones so no one works overnight. Each region's analysts work normal business hours, and the shift transitions rather than the people. The cost is higher total headcount and coordination overhead. The primary operational risk is context loss at handoffs, which requires explicit investment in documentation discipline and tooling that preserves investigation state across regions.

Shift-Based Model

A local team provides 24/7 coverage through rotating shifts. Headcount requirements are lower than follow-the-sun, but the model carries the burnout and handoff-quality problems the alternatives are designed to address. As alert volume grows, shift analysts absorb more repetitive work and handoff quality degrades under pressure. Teams running this model need tight detection tuning and runbook discipline to keep escalation volume manageable.

Managed SOC / MDR

An MDR provider operates SOC functions on the customer's behalf, with depth that varies significantly across vendors. At the lighter end, providers forward enriched alerts and partial investigations back to the customer team. At the deeper end, providers investigate across all systems, determine what occurred, and complete containment and remediation workflows while involving the customer.

The right evaluation question is not which integrations the provider supports, but how much work is complete before a case lands in your queue and what that case looks like when it arrives.

Co-Managed / Hybrid

The customer team retains ownership of detection engineering and IR authority while a provider handles continuous monitoring and first-line investigation. Co-managed operating models are particularly common where internal teams want to retain ownership of detections, investigations, and risk decisions but cannot sustain continuous investigation coverage alone.

What stays inside in a co-managed model is ownership of risk decisions, IR authority on critical systems, and the relationship with leadership and the board. What goes to a provider is monitoring, investigation, and first-line response within agreed scope.

Distributed / Federated SOC

Multiple semi-autonomous SOC nodes operate across geographic or organizational boundaries with a coordinating function above them. The distributed SOC is a decentralized pool of resources spread across the organization rather than centralized in a single team.

This structure fits large enterprises with distinct geographic or regulatory boundaries that require locally accountable security operations. Without explicit investment in shared tooling, escalation paths, and detection standards, federated nodes drift apart operationally and produce inconsistent coverage.

How to Actually Build a SOC Team

Most SOC structure conversations skip the practical step. Before deciding whether to run pod-based or shift-based or co-managed, decide what work this team needs to own. The team you build is downstream of that answer.

1. Where to Start

The first SOC hire after the manager is almost always a generalist analyst who can cover triage, basic investigation, and incident response with vendor support. Specialists come later. A reasonable rough sizing logic by org size:

Under 50 employees. Most organizations do not even have a full-time security person at this stage. Security responsibilities are typically handled by IT, engineering, or a security-minded generalist, with external providers used selectively for specialized expertise.
50 to 500 employees. Security teams often begin with one or more generalists responsible for a broad mix of security operations, tooling, compliance, and incident response. Continuous monitoring becomes relevant as the environment grows in complexity, though 24/7 coverage is rarely a primary requirement outside highly regulated industries.
500 to 2,000 employees. Dedicated security operations capabilities become more common. At this stage, organizations often evaluate whether to build internal investigation capacity, adopt a managed service, or combine the two to achieve broader coverage and deeper expertise.
2,000 employees and up. A full team with specialists across detection engineering, IR, threat hunting, and threat intelligence. Structure choice (pod, centralized, federated, follow-the-sun) becomes a real decision

These numbers vary with environment complexity and risk profile. A 500-person SaaS company with multi-cloud infrastructure and a sensitive customer data set needs more SOC capacity than a 1,500-person manufacturer with a flat on-premises network.

2. Choose a Structure That Fits

Match the structure to team size, environment, and where investigation work needs to happen. A centralized in-house SOC works for organizations with technical depth and a team of five or more analysts who share tooling and a single escalation path. Pod-based structures fit teams with at least six analysts where the depth supports end-to-end ownership by domain or business unit, which reduces handoff loss but raises the skill floor.

Follow-the-sun makes sense for global organizations with the headcount budget to staff multiple regions and the discipline to manage handoffs cleanly, while shift-based works for organizations that need 24/7 coverage but lack global presence and plan explicitly for the burnout and handoff-quality risks the model carries.

Managed SOC or MDR fits organizations that want investigation depth and continuous operational coverage that would be difficult to sustain internally. Co-managed sits between the two and tends to fit organizations with a strong internal team that wants to keep detection engineering and IR ownership but needs help with overnight coverage and first-line investigation.

The wrong choice in either direction is expensive. Building an in-house centralized SOC at a company that can only sustainably staff three analysts produces burnout. Outsourcing entirely at an organization with strong internal expertise produces a managed-service relationship that internal staff resent.

3. Phase Specialists In as the Team Matures

Specialists come in after the generalist core is stable. The first specialist hire after the manager and a generalist or two is usually a detection engineer. The role pays for itself in noise reduction and detection quality, and treating detection engineering as a distinct discipline rather than a part-time analyst task is what improves alert fidelity over time.

Once incident frequency justifies it, a dedicated incident responder stops the manager from being on call for every confirmed threat. A threat hunter becomes valuable when detection engineering is mature enough that hunting can build on existing context rather than start from scratch.

A threat intelligence analyst is the latest addition for most teams, valuable once the team can consume intelligence productively rather than passively.

Signals that the team needs to add a role: alert backlog growth that detection tuning cannot solve, repeated incidents in the same class without root-cause closure, escalations stalling on missing context, or weekend pages from the same analyst clusters.

4. Build, Buy, or Co-Manage

The build-vs-buy decision is not just about budget. It is about which work the organization wants to actually do internally and which work makes more sense to consume as a service.

When in-house SOC fits:

The organization has the headcount, leadership commitment, and technical depth to run security operations as a core competency
Compliance, regulatory, or data residency requirements favor internal control
The threat profile or environment complexity benefits from deep institutional knowledge that lives inside the company

When managed SOC or MDR fits:

Limited security headcount and no realistic path to hiring at scale
24/7 coverage requirement that in-house staffing cannot meet sustainably
Multi-cloud or identity-driven environments where investigation depth exceeds the team's current capacity
Repeated cases where investigations stall on missing context or off-hours gaps

When co-managed fits:

A strong internal team that wants to own detection engineering and IR coordination but needs help with overnight coverage and Tier 1 work
A specific capability gap (cloud, identity, or specialized investigation) that the internal team does not currently have

The cost comparison cuts both ways. Building an in-house SOC requires headcount, recruiting time, retention investment, and tooling, typically costing hundreds of thousands a year in fully loaded cost before the team reaches operational maturity.

Managed services distribute their cost across a customer base, but the depth of what the provider actually owns varies dramatically. The useful comparison is not the dollar figure but the work delivered: who is investigating at 2 AM, how much context they bring, and what work is already done before your team is involved.

Frequently Asked Questions About SOC Team Structure

Should a New SOC Start With the Tiered Model?

Not necessarily. Organizations building a SOC today should start from "what work needs to happen" rather than "which tier handles it." Pod-based structures, managed services, and co-managed models can all serve as viable starting points depending on team size and environment complexity.

What Is the Most Important SOC Role to Hire First After a Manager?

A generalist analyst who can cover triage, basic investigation, and incident response. The first specialist hire after that is usually a detection engineer. Treating detection engineering as a dedicated role rather than a side responsibility is what produces higher-quality alerts and a lower analyst load over time.

What Metrics Indicate a SOC Structure Is Failing?

A growing alert backlog is the most immediate signal. Beyond that, watch for declining investigation quality on escalated cases, rising false-positive rates that persist without correction, and analyst turnover concentrated in Tier 1 roles. Investigation backlog, investigation quality, escalation burden, and unresolved operational ownership gaps are stronger indicators of SOC health than raw ticket metrics.

How Often Should a SOC Reassess Its Structure?

There is no fixed cadence that works for everyone. The honest reassessment cycle should be triggered by signals (backlog growth, attrition, cost mismatches) more than by the calendar. A quarterly review is a reasonable default for most teams, with more frequent check-ins after material changes to environment, headcount, or threat profile.

How Do You Decide Between Hiring an Analyst and Engaging a Managed Service?

The decision turns on what investigation depth the organization actually needs and whether 24/7 coverage is sustainable in-house. Smaller teams (under five analysts) usually cannot sustain 24/7 coverage without burnout, which makes a managed service or co-managed model the more reliable answer. The practical MDR vs MSSP distinction matters here too: alert-forwarding and full-investigation managed services produce very different daily realities for the in-house team.