How to Become a SOC Manager

You start the morning reviewing the overnight incident summary. Two medium-severity incidents handled cleanly by the night shift. One SLA near-miss on a high-severity alert because the Tier 1 analyst got pulled into a parallel investigation. You make a note to discuss queue management in the next team sync. You pull up the metrics dashboard: MTTD trending down over the past quarter, false positive rate on the new credential-stuffing rule still too high at 78%.

You assign tuning to your detection engineer. A critical incident from last night needs your review. You read the Tier 2 analyst's report, validate the containment decision to isolate three workstations, and draft a briefing for the CISO covering business impact and remediation timeline. Mid-morning: workforce planning meeting. One analyst is leaving for a vendor role, another wants to move to threat hunting.

You propose backfilling the open seat and creating a six-month rotation program to retain the threat hunting candidate. After lunch, you run a one-on-one with a Tier 1 analyst interested in advancing to Tier 2. You outline a development plan: specific SIEM query skills to build, GCIH certification by Q4, and three supervised escalation investigations over the next two months. A SOAR vendor demo follows.

Their integration with your SIEM looks solid, but the pricing model does not scale well for your alert volume. You document the evaluation. Late afternoon: quarterly SOC performance report. You highlight detection coverage improvements, the 22% MTTR reduction since adding the new EDR integration, and the three areas where additional staffing or tooling would close gaps.

You end the day observing the shift handoff, making sure active investigations transfer cleanly between afternoon and night teams.