soc-analyst
# SOC Analyst Role Bundle (Tier 1-3)
A structured operations guide for security operations center analysts across all tiers. This bundle replaces reactive, ad-hoc alert handling with repeatable engagement patterns that produce consistent triage decisions, accurate incident timelines, and detection improvements that feed back into the monitoring pipeline.
## When to Use
Invoke this role bundle when any of the following conditions are true:
- Alert triage required. A SIEM or detection tool has fired an alert and an analyst needs a structured workflow to determine whether it is a true positive, false positive, or requires escalation.
- Threat hunting engagement. The team wants to proactively search for adversary activity that existing detections are not catching, based on threat intelligence or hypotheses derived from the ATT&CK framework.
- Active incident investigation. A confirmed incident is in progress or recently occurred and the SOC needs to build a timeline, identify scope, contain the threat, and produce a post-incident report.
- Detection gap identified. Existing detection rules are producing too many false positives, missing known attack techniques, or a recent incident revealed a blind spot in monitoring coverage.
If the ask is a single tactical task (e.g., "write a Sigma rule for Kerberoasting"), use the individual skill directly. This bundle is for operational workflows that span multiple skills.
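As an added example (not part of the bundle's own content), the following Python check turns the "detection gap identified" condition above into a measurable report: it scores each rule's precision from analyst dispositions, flags rules that are too noisy to trust or have gone silent, and lists required ATT&CK techniques that no rule maps to. Rule names, technique mappings, dispositions and the required-technique set are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (hypothetical rule names and dispositions, not from a real SOC).
# Rule catalogue: detection rule -> ATT&CK technique it is intended to cover.
RULE_CATALOG = {
    "svc_account_kerberoast": "T1558.003",  # Kerberoasting
    "ps_encoded_cmd": "T1059.001",          # PowerShell
    "new_sched_task": "T1053.005",          # Scheduled Task
    "lsass_dump": "T1003.001",              # LSASS Memory
}

# Analyst dispositions from triage, one record per fired alert: (rule, disposition).
TRIAGED_ALERTS = [
    ("svc_account_kerberoast", "true_positive"),
    ("svc_account_kerberoast", "false_positive"),
    ("svc_account_kerberoast", "true_positive"),
    ("ps_encoded_cmd", "false_positive"),
    ("ps_encoded_cmd", "false_positive"),
    ("ps_encoded_cmd", "false_positive"),
    ("ps_encoded_cmd", "false_positive"),
    ("ps_encoded_cmd", "true_positive"),
    ("new_sched_task", "false_positive"),
    ("new_sched_task", "false_positive"),
]

# Techniques the current hunt hypothesis or threat intel says must be covered (constructed).
REQUIRED_TECHNIQUES = {"T1558.003", "T1059.001", "T1053.005", "T1003.001", "T1021.002"}


def rule_precision(alerts):
    """Map each rule that fired to (true_positives, total_alerts)."""
    counts = defaultdict(lambda: [0, 0])
    for rule, disposition in alerts:
        counts[rule][1] += 1
        if disposition == "true_positive":
            counts[rule][0] += 1
    return {rule: tuple(c) for rule, c in counts.items()}


def detection_gap_report(catalog, alerts, required, min_precision=0.5, min_alerts=3):
    """Classify gaps: noisy rules (low precision with enough volume to judge),
    silent rules (in the catalogue but never fired, so possibly broken or mistuned),
    and required techniques that no rule in the catalogue maps to at all."""
    precision = rule_precision(alerts)
    noisy = sorted(r for r, (tp, total) in precision.items()
                   if total >= min_alerts and tp / total < min_precision)
    silent = sorted(r for r in catalog if r not in precision)
    uncovered = sorted(required - set(catalog.values()))
    return {"noisy_rules": noisy, "silent_rules": silent, "uncovered_techniques": uncovered}


if __name__ == "__main__":
    for key, value in detection_gap_report(RULE_CATALOG, TRIAGED_ALERTS, REQUIRED_TECHNIQUES).items():
        print(f"{key}: {value}")
```

Each of the three lists maps to a different follow-up: noisy rules go to detection-engineering for tuning, silent rules need a log-source or rule-health check, and uncovered techniques become threat-hunting hypotheses or new siem-rules work.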
Skills: this bundle draws on the following skills, all of which are available: cve-triage, threat-modeling, secure-code-review, alert-triage, log-analysis, detection-engineering, siem-rules, ir-playbook, containment, forensics-checklist, post-incident-review.