Definition
A Security Operations Center (SOC) is the centralized team and facility responsible for continuous security monitoring, detection, investigation, and incident response. SOCs are typically structured in tiers: Tier 1 (alert triage, initial investigation), Tier 2 (deep investigation, containment), Tier 3 (threat hunting, advanced response). The SOC consumes data from SIEM, EDR, network sensors, identity events, and threat intelligence; its output is detected and contained incidents. Enterprise SOCs run 24x7 with regional handoff; smaller organizations often use a Managed Security Service Provider (MSSP) for after-hours coverage. SOC effectiveness depends more on people and process than on tools.
Related terms
- SIEM (Security Information and Event Management) - Platform that aggregates security events from across the environment for correlation, search, and alerting.
- SOAR (Security Orchestration, Automation and Response) - Platform that automates security operations workflows: playbook execution, integrations, case management.
- EDR (Endpoint Detection and Response) - Endpoint security capability focused on detecting, investigating, and responding to threats that have evaded prevention.
- MSSP (Managed Security Service Provider) - Third-party provider that runs security monitoring and operations on a customer's behalf.