This article is a bit of a retrospective for me. I'm starting my fifth year in cybersecurity, my third as a SOC Analyst in my current company. I believe this position is still one of the best ways to launch a cybersecurity career. I'll share what the job actually looks like (the good and the bad), what makes a solid analyst, my own journey to get here, and some concrete tips to help you land that first role.
What is a SOC Analyst from my perspective?
After more than two years, I can say that almost every day looks the same: handling alerts, creating tickets, and tweaking detection rules to fight alert fatigue.
But some days are different. A basic alert can hide a real threat and lead to a crisis situation, or at least a cool investigation. Recently, I've had the chance to work on a massive mailbox compromise, on a device infection coming from a ClickFix attack, and some other interesting situations. I occasionally have the chance to hunt threats or reverse malware samples. Unfortunately, if you are just an L1 or L2 SOC Analyst, you are typically in an entry-level position in cybersecurity, so in most cases, if there is a real threat, the case will be forwarded to the Incident Response Team.
The Good Stuff
The best parts of this job really depend on what drives you. Most analysts love creating new alerts or improving existing ones (Detection Engineering), probably because the feedback loop is short: you tweak a rule, and immediately see fewer false positives or catch something new.
Personally, my favorite things are real and unprecedented incidents. There's a unique feeling when, while analyzing a suspicious file, you confirm it's malware, identify the Command and Control (C2) server, and trace its origin. Even more so if you're the first to report it.
The Reality Check
However, while some days are cool, this is rarely a dream job. The day-to-day can be boring and repetitive. If you don't have a very proactive team, or if your client doesn't let you whitelist recurrent cases, you can be overwhelmed by false positives. It can also be frustrating when you hit a wall because you lack the rights, access, or log sources needed to complete an investigation.
AI. Of course
The major difference I've seen emerging since 2025 is AI (what a surprise). In my opinion, it's a double-edged sword. On one hand, you can use LLMs to optimize your queries or better understand complex attack vectors (as long as you sanitize the data first!). Some modern tools, like Google SecOps, now integrate AI directly to speed up investigations. On the other hand, that same intelligence can hallucinate, raising completely irrelevant alerts and wasting your time on rabbit holes that lead nowhere.
Skills
As I mentioned earlier, this is an entry-level position in cybersecurity. However, unlike other positions, you need broad IT knowledge to be a good analyst: a mile wide and an inch deep as we say. Depending on your scope, you might deal with network traffic one minute, system event logs the next, analyze a snippet of malicious code, or even investigate alerts from OT devices.
Stop Collecting Certifications
You don't need 10 acronyms after your name to land a junior role, and frankly, it won't drastically impact your paycheck at the start. Forget about the OSCP, CISSP, or CEH. They don't validate the specific skills needed for a SOC. A solid, practical certification (like the CDSA or BTL1) is enough to show you're serious and have hands-on experience. What matters most is your ability to apply that knowledge. You will not pass the technical interview if you can't explain a basic TCP handshake.
Hard skills
A SOC analyst doesn't need to be a kernel developer, but you need to understand how things work to know when they break.
- Networking: You need to know TCP/IP. Understand DNS, HTTP headers, and ports. If you can't tell why SMB traffic on port 445 crossing the internet boundary is suspicious, you're going to have a hard time.
- Operating Systems: Know your Windows artifacts (Event IDs, Scheduled Tasks, Registry) and Linux basics.
- Log Logic: Know how to build a query and search in a SIEM: filter on a field, aggregate by source or host, and pivot from one log source to another.
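To make the "Operating Systems" and "Log Logic" points concrete, here is an added example written for this edit (not code from the original article): a detection rule of the kind you would express as a SIEM query, run in plain Python over constructed Windows Security Event ID 4688 (process creation) records. The field names follow the 4688 schema; the sample events, the lists of Office parents and shell children, and the command-line regex are assumptions you would tune to your own environment.

```python
# Added example, not from the original article: a SOC-style detection rule run
# over constructed Windows Security Event ID 4688 (process creation) records.
# Field names follow the 4688 schema; the events themselves are made up.
import re

SAMPLE_EVENTS = [  # constructed sample data
    {"EventID": 4688, "Computer": "WS01",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"EventID": 4688, "Computer": "WS02",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"EventID": 4688, "Computer": "WS03",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 4624, "Computer": "WS01", "LogonType": 3},  # a logon, not a process creation
]

# Assumed vocabulary for the rule; tune to your environment.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line markers commonly seen in malicious PowerShell launches.
SUSPICIOUS_ARGS = re.compile(r"(?i)(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|downloadstring)")


def basename(path: str) -> str:
    """Last path component, lower-cased, so 'WINWORD.EXE' matches 'winword.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the reasons a 4688 event matches the rule; [] means no alert."""
    if event.get("EventID") != 4688:
        return []
    parent = basename(event["ParentProcessName"])
    child = basename(event["NewProcessName"])
    reasons = []
    # Parent/child relationship: an Office document should not be launching a shell.
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        reasons.append(f"office_spawns_shell:{parent}->{child}")
    # Command-line content: hidden window, no profile, encoded command, download cradle.
    if child in SHELL_CHILDREN and SUSPICIOUS_ARGS.search(event.get("CommandLine", "")):
        reasons.append("suspicious_shell_args")
    return reasons


def run_rule(events: list[dict]) -> list[dict]:
    """Evaluate the rule over a batch of events and return the resulting alerts."""
    alerts = []
    for e in events:
        reasons = classify(e)
        if reasons:
            alerts.append({"Computer": e["Computer"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

The second event (Explorer launching a scheduled backup script) is the kind of benign hit you would whitelist; the first and third are what the rule exists for. Each alert carries its reasons so the analyst sees why it fired rather than just that it fired.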
Soft skills
- Curiosity: You have to want to know why that process spawned that child process, or why a process's command line carries a particular argument.
- Written Communication: You will spend 50% of your time writing tickets and reports. If your explanation is confusing, the remediation will be wrong. Clear writing saves time and prevents crises.
How I Got Here
I was definitely not the cliché of the kid coding in a dark room at 12 years old. I wasn't even interested in IT. I was (and still am) a huge sports fan. I've played football (soccer) since I was 8, and even reached a high competitive level when I was younger. My video game experience was basically limited to PlayStation, and on the family computer, I was just chatting on MSN and playing Habbo Hotel.
The Beginning: IT Basics (Apprenticeship)
I grew up in France. After high school, I started college with an Associate's degree in 2 years, majoring in Networking and Telecommunications. In my second year, I did what we call "alternance" (a work-study apprenticeship). It means that I spent half my time at school and the other half working in an IT role. I worked as a Helpdesk Technician. Even though it wasn't my dream job, I learned many soft skills, how a company works, and some network and systems knowledge.
Discovering Cybersecurity
After this degree, I enrolled in a Bachelor's program in cybersecurity, continuing with the work-study model. I asked my company, and they let me join the Security Team as a Junior GRC Analyst. This role focused on ISO 27001, governance, and risk management — much less technical and more process-oriented. To be honest, the transition was tough. GRC roles require deep knowledge across all IT and security fields to be credible. For example, you have to be confident enough to convince a Network Expert with 15 years of experience that they are doing the wrong thing.
Moving to the Blue Team
After graduating from my Bachelor's, I enrolled in a Master's program in Cybersecurity. I took this opportunity to leave the GRC world and pivot toward a more technical position: SOC Analyst.
I spent a year learning in a French SOC, understanding detection and response. Then I left France and secured a SOC Analyst position in North America, where I work today. In my current role, I've moved beyond basic analyst tasks. My scope has expanded to include threat hunting and malware reverse engineering, which keeps the job exciting and challenging.
Job Hunting: How to Land the Role
The market is competitive, but not impossible. Here is my pragmatic advice to break in.
Target MSSP first
Managed Security Service Providers (MSSPs) have high turnover and are always looking for fresh blood to cover shifts. Yes, it's intense, but you will learn in 6 months what others learn in 2 years. It's the best boot camp. If you spend a year in an MSSP, you'll be surprised by how much your skills have improved.
Show, Don't Just Tell
If you don't have experience, build it:
- Home Lab: Spin up an ELK stack or Splunk Free. You can find many tutorials online for setting up a home lab.
- Write-ups: Did you solve a TryHackMe room? Write about it.
- GitHub: Push your detection rules (Sigma/YARA) or small Python scripts.
A link to a blog or GitHub is worth more than a "passionate about cyber" line on a CV.
Ace the Interview
Technical interviews for juniors often focus more on logic and methodology.
Classic question: "You see traffic on port 445. What do you do?"
- Don't just say: "It's SMB."
- Say: "It's SMB. I'd check if it's internal-to-internal (normal) or internet-facing (critical). I'd check the source IP reputation, the volume of data, and if any authentication failures occurred." Show your thought process, not just your memory. Interviewers want to know how you think when you face a problem.
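To show what that answer looks like once it leaves the interview room, here is an added example (not part of the original post) that turns the port 445 checklist into triage logic: aggregate the flows per source/destination pair, decide whether SMB is crossing the internet boundary, check the addresses against a reputation list, count failed logons from the source, and flag bulk transfers. The flow records, the failed-logon counts, the reputation list and the thresholds are all constructed assumptions.

```python
# Added example, not from the original post: the port 445 interview answer as
# triage logic. Flow records, failed-logon counts and the reputation list are
# constructed sample data; thresholds are assumptions to tune per environment.
import ipaddress
from collections import defaultdict

# RFC 1918 ranges, checked explicitly rather than via ip_address().is_private,
# which also returns True for documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_FLOWS = [  # constructed firewall/NetFlow-style records
    {"src": "10.10.5.23", "dst": "10.10.1.10", "dport": 445, "bytes": 120_000},
    {"src": "10.10.5.23", "dst": "10.10.1.10", "dport": 445, "bytes": 80_000},
    {"src": "203.0.113.45", "dst": "10.10.1.10", "dport": 445, "bytes": 4_200},
    {"src": "203.0.113.45", "dst": "10.10.1.10", "dport": 445, "bytes": 3_900},
    {"src": "10.10.7.8", "dst": "198.51.100.20", "dport": 445, "bytes": 40_000},
    {"src": "10.10.5.23", "dst": "10.10.1.10", "dport": 443, "bytes": 10_000},
]
SAMPLE_FAILED_LOGONS = {"203.0.113.45": 37, "10.10.5.23": 0}  # constructed, e.g. from Event ID 4625
SAMPLE_BAD_IPS = {"203.0.113.45"}  # constructed reputation feed
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "info": 3}


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def triage_smb(flows, failed_logons, bad_ips, bulk_bytes=500_000, auth_fail_threshold=10):
    """Aggregate port 445 flows per src/dst pair and score each pair, worst first."""
    pairs = defaultdict(lambda: {"bytes": 0, "flows": 0})
    for f in flows:
        if f["dport"] != 445:
            continue
        agg = pairs[(f["src"], f["dst"])]
        agg["bytes"] += f["bytes"]
        agg["flows"] += 1

    findings = []
    for (src, dst), agg in pairs.items():
        internal = is_internal(src) and is_internal(dst)
        reasons = []
        if not internal:
            reasons.append("smb_crosses_internet_boundary")
        if src in bad_ips or dst in bad_ips:
            reasons.append("known_bad_ip")
        if failed_logons.get(src, 0) >= auth_fail_threshold:
            reasons.append("auth_failures")
        if agg["bytes"] >= bulk_bytes:
            reasons.append("bulk_transfer")
        # Internal-to-internal SMB with nothing else odd is normal; anything
        # crossing the boundary is at least high, critical if other signals stack.
        if not reasons:
            severity = "info"
        elif internal:
            severity = "medium"
        elif len(reasons) == 1:
            severity = "high"
        else:
            severity = "critical"
        findings.append({"src": src, "dst": dst, "flows": agg["flows"], "bytes": agg["bytes"],
                         "severity": severity, "reasons": reasons})
    findings.sort(key=lambda x: SEVERITY_RANK[x["severity"]])
    return findings


if __name__ == "__main__":
    for finding in triage_smb(SAMPLE_FLOWS, SAMPLE_FAILED_LOGONS, SAMPLE_BAD_IPS):
        print(finding)
```

On the sample data the internal file-server traffic scores as info, the outbound SMB from a workstation to a public address is high because it crosses the boundary, and the inbound attempts from a known-bad address with dozens of failed logons are critical. The point is the same one the interview answer makes: the port number alone tells you nothing; the context around it decides the priority.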
Finally, remember that you can't know everything. Don't be afraid to admit when you don't know an answer, but always offer how you would find it. Asking for clarification or a small hint is better than bluffing. Humility is a key quality in cybersecurity and in life.