Alert Triage & Escalation: SOC Analyst Core Skill

Q: What is alert triage in cybersecurity?

Alert triage is the process SOC analysts use to evaluate, classify, and prioritise security alerts. Each alert is investigated and classified as a True Positive (genuine threat), False Positive (no actual threat), or Benign True Positive (correct detection of authorised activity). The analyst then takes action — escalating confirmed threats, closing false positives with documentation, or flagging patterns for detection rule tuning.

Q: What is the difference between a true positive and a false positive?

A true positive (TP) is an alert that correctly identifies a genuine security threat — real malware, an actual intrusion, or confirmed malicious activity that requires response. A false positive (FP) is an alert that fired incorrectly — the detection rule triggered but there is no actual threat. A benign true positive (BTP) is when the detection is technically correct but the activity is authorised, such as a vulnerability scanner triggering an IDS alert during a scheduled scan.

Q: Why are there so many false positives in a SOC?

False positives result from detection rules that are deliberately sensitive — it is better to alert on something benign than to miss a real threat. The Ponemon Institute found that 70-90% of SOC alerts are false positives. Contributing factors include overly broad detection rules, legitimate tools that resemble attack tools, scheduled scans and maintenance activities, and the sheer volume of normal network activity that can match suspicious patterns.

Q: When should a Tier 1 analyst escalate an alert?

Escalate when you confirm a true positive (malware execution, successful compromise, data exfiltration), when the severity is Critical or High, or when you are uncertain after investigation. The principle is clear: a false escalation costs a senior analyst 15 minutes, while a missed true positive can cost the organisation millions. When in doubt, escalate with your findings and let the senior analyst make the final call.

Q: What should I include when I escalate an alert?

Include: the alert summary and severity, a chronological timeline of events, affected systems and user accounts, IOC lookup results from threat intelligence sources, your classification and reasoning, actions you have already taken, and the SIEM queries you used. A good escalation saves the Tier 2 analyst time. A poor escalation forces them to redo your investigation from scratch.

Q: How do I handle alert fatigue and burnout?

Alert fatigue is the exhaustion from reviewing thousands of false positives. Prevention strategies include: taking breaks away from screens, following a structured triage process rather than rushing, focusing on accuracy over speed, building skills to increase efficiency over time, communicating workload concerns to your SOC lead, and recognising that alert fatigue is an organisational problem (understaffing, poor rule tuning) not a personal failure. Most analysts advance beyond Tier 1 within 12-24 months.

Q: How can I practise alert triage without a SOC job?

LetsDefend offers a free SOC simulator with a realistic alert queue and scoring. TryHackMe SOC Level 1 provides structured triage training with real-world scenarios. Building a home lab with Splunk Free, Sysmon, and Atomic Red Team lets you generate and investigate alerts in your own environment. Document every investigation as a triage note — this builds the documentation habit and creates a portfolio for interviews.

Q: What triage questions come up in SOC analyst interviews?

Common formats include: 'Walk me through how you would triage this alert' (they want to see a structured approach), 'How do you handle uncertainty?' (the right answer is escalate), 'How do you prioritise multiple alerts?' (critical severity first, check for related alerts, communicate with the team), and 'Tell me about an investigation you did' (use home lab or TryHackMe examples and focus on your process, not just the outcome).

What Is Alert Triage and Why Does It Define the SOC Analyst Role?

Alert triage is the process of evaluating, classifying, and prioritising security alerts to determine which represent genuine threats and which are false alarms. According to the NIST SP 800-61 (Computer Security Incident Handling Guide), triage is the critical first step in the Detection and Analysis phase of incident response — the point where a human analyst decides whether an alert warrants investigation, escalation, or closure.

In practice, alert triage is what SOC analysts do for the majority of every shift. The Ponemon Institute (2023) found that SOC teams receive an average of 4,484 alerts per day, and 70-90% of those are false positives. That means the vast majority of your working hours are spent confirming that alerts are not threats. The skill is not just knowing what a real threat looks like — it is maintaining the discipline and judgement to investigate each alert thoroughly, even when you suspect it is benign, because the one real alert you catch in that sea of noise is the one that prevents a breach.

The SANS 2023 SOC Survey confirmed that alert fatigue — the exhaustion that comes from reviewing thousands of false positives — is the number one challenge facing SOC teams. Effective triage skills do not just make you a better analyst. They protect you from burnout.

Alert triage is where I think career changers have an unexpected advantage. If you have ever worked in healthcare, customer service, or emergency response, you already understand prioritisation under pressure. In aged care, I triaged situations every shift — which resident needs attention first, what can wait, what needs to be escalated to a nurse immediately. The security context is new, but the decision-making skill is the same. When I realised that, cybersecurity stopped feeling like an alien field and started feeling like a new application of something I already knew how to do.

Certification objective: CompTIA Security+ SY0-701 covers security monitoring and alert analysis (Domain 4.1, 4.4). CompTIA CySA+ CS0-003 tests alert triage, threat classification, and escalation procedures extensively across the Security Operations domain.

How Does the Triage Decision Process Work?

Every alert that appears in your SIEM queue needs to pass through the same structured decision process. Rushing through alerts or skipping steps is how real threats get missed.

Alert Triage Decision Tree

The structured workflow SOC analysts follow for every alert

Alert Received

Step 1

Read alert details

Note severity and source

Check if alert is a known pattern

Check Context

Step 2

Is this normal for this user/system?

What time did it occur?

Has this alert fired before?

Verify IOCs

Step 3

Check IPs/domains on VirusTotal

Look up file hashes

Query threat intelligence feeds

Classify

Step 4

True Positive — real threat

False Positive — no threat

Benign True Positive — authorised activity

Act

Step 5

Escalate TP to Tier 2 / IR

Close FP with documentation

Update detection rules if needed

Idle

Step-by-Step Triage Process

When an alert lands in your queue, here is the exact process experienced Tier 1 analysts follow:

Step 1 — Read the alert details. What detection rule fired? Which system is involved? What user account? What was the specific activity that triggered the alert? Do not start investigating until you understand what the alert is actually telling you.

Step 2 — Check the context. Context separates good analysts from poor ones. The same activity can be completely normal at 10 a.m. on a Tuesday and deeply suspicious at 3 a.m. on a Sunday. Ask:

Is this user expected to be active at this time?
Is this system normally accessed from this location?
Is there a scheduled maintenance window or deployment happening?
Has this exact alert fired before for this user/system, and what was the outcome?

Step 3 — Verify indicators of compromise (IOCs). Look up any IP addresses, domain names, or file hashes associated with the alert against threat intelligence sources:

VirusTotal — check files, URLs, IPs, and domains against 70+ security vendors
AbuseIPDB — community-reported malicious IP addresses
AlienVault OTX — open threat intelligence exchange
Internal threat intel — your organisation’s own IOC database

Step 4 — Classify the alert. Based on your investigation, assign one of three classifications:

Classification	Definition	Example	Action
True Positive (TP)	Alert is real — genuine security threat	Malware confirmed by hash lookup, attacker confirmed by IOC match	Escalate immediately per severity SLA
False Positive (FP)	Alert fired but no actual threat exists	Antivirus flagged a legitimate admin tool, IDS triggered on normal traffic	Close with documentation explaining why it is benign
Benign True Positive (BTP)	Detection is technically correct, but the activity is authorised	Vulnerability scanner triggered IDS during a scheduled scan	Close with documentation noting the authorised activity

Step 5 — Act and document. Every alert gets one of three outcomes: escalation, closure, or further investigation. Every outcome gets documentation. No exceptions.

What Are Severity Levels and SLA Expectations?

Not all true positives are equal. Severity determines how fast you must respond and who gets notified. Most SOCs use a four-tier severity model aligned with their incident response plan.

Severity	Definition	Response Time Target	Escalation Path	Examples
Critical (P1)	Active compromise, data exfiltration in progress, ransomware spreading	<15 minutes	Immediate escalation to Tier 2/3 and IR lead; SOC manager notified	Active ransomware, confirmed data breach, compromised admin account
High (P2)	Confirmed threat but not yet actively causing damage	<1 hour	Escalate to Tier 2 within 30 minutes; begin containment	Malware on single endpoint, successful phishing compromise, lateral movement detected
Medium (P3)	Suspicious activity that requires investigation but is not confirmed malicious	<4 hours	Investigate at Tier 1; escalate if confirmed	Unusual login patterns, policy violations, suspicious but unconfirmed IOCs
Low (P4)	Informational alerts, minor policy violations, vulnerability notifications	<24 hours	Investigate when queue allows; batch similar alerts	Failed login attempts below threshold, outdated software detected, informational threat intel

SLA expectations vary by organisation. MSSPs (Managed Security Service Providers) often have contractual SLAs with penalties for missed response times. Internal SOCs may be more flexible. Regardless, the principle is the same: critical alerts get immediate attention, and everything else is triaged in priority order.

How to Handle Multiple Alerts at Once

In a busy SOC, you will regularly have multiple alerts in your queue. Here is how to prioritise:

Critical and High severity first — always, regardless of the order they arrived
Check for related alerts — five alerts from the same source might be one incident, not five separate events
Known false positives last — if you recognise a pattern that has been classified as FP before, it can wait while you handle unknowns
Communicate — if your queue is overflowing, tell your SOC lead. Silently drowning in alerts helps nobody

What Does Good Triage Look Like Compared to Bad Triage?

The difference between a good analyst and a liability is not technical knowledge — it is approach and discipline.

Good Triage Habits vs Bad Triage Habits

Good Triage Habits

What effective Tier 1 analysts do

Investigate every alert — Even when you suspect it is a false positive — verify before closing
Document your reasoning — Explain why you classified the alert the way you did — future analysts will thank you
Check context before IOCs — Understand the user, system, and time before jumping to threat intel lookups
Correlate across sources — Check related logs — firewall, proxy, endpoint, DNS — not just the alerting source
Ask for help when uncertain — Escalating an uncertain alert is better than closing a real threat as a false positive

Bad Triage Habits

Mistakes that get analysts (and organisations) in trouble

Closing alerts without investigation — Marking alerts as FP to clear the queue — this is how breaches happen
No documentation — Closing alerts with 'FP' and nothing else — useless for audits, handoffs, and pattern recognition
Jumping to conclusions — Assuming an alert is benign because a similar one was benign yesterday — each alert is unique
Working in isolation — Investigating for hours without communicating — the team cannot help if they do not know you are stuck
Ignoring low-severity alerts — Low severity does not mean no severity — attackers chain low-severity events into high-severity compromises

Verdict: Good triage is methodical, documented, and humble. Bad triage is rushed, undocumented, and overconfident. The difference shows up in interview scenarios and on the job within the first week.

Use case

Every SOC analyst interview will include a triage scenario. Demonstrating good habits — especially documentation and knowing when to escalate — is what gets you hired.

When Should You Escalate an Alert?

Knowing when to escalate and when to handle something yourself is one of the hardest judgement calls for new analysts. Here are clear criteria.

Escalate Immediately When:

Confirmed malware execution — a process matching known malicious behaviour is running on an endpoint
Successful compromise after brute-force — multiple failed logins followed by a successful logon from a suspicious source
Data exfiltration indicators — large volumes of data leaving the network to an unknown destination
Ransomware indicators — file encryption activity, ransom notes appearing, shadow copies being deleted
Lateral movement — an internal host connecting to multiple other internal hosts in a short window using admin credentials
Compromised privileged account — any confirmed compromise of a domain admin, service account, or other high-privilege account
You are not sure — if you have investigated and cannot determine whether an alert is real or benign, escalate. A false escalation wastes 15 minutes of a senior analyst’s time. A missed true positive can cost millions.

Handle at Tier 1 When:

Clear false positive — you can explain exactly why the detection fired and why the activity is benign, with evidence
Known benign true positive — the activity matches a documented exception (e.g., scheduled vulnerability scan)
Low-severity informational alerts — below threshold events that require documentation but no immediate action
Duplicate alerts — the same event generating multiple alerts that can be consolidated

What to Include When You Escalate

A good escalation saves the Tier 2 analyst time. A bad escalation forces them to redo your work. Always include:

Field	What to Provide	Example
Alert summary	What the alert is and what triggered it	”Multiple failed RDP logons followed by successful logon for jsmith from 203.0.113.47”
Timeline	When events occurred, in chronological order	”47 failed logons between 01:45-02:16 UTC, successful logon at 02:17 UTC”
Affected systems	Hostnames, IP addresses, user accounts	”WORKSTATION-07 (10.1.2.34), user jsmith, source IP 203.0.113.47”
IOC findings	Results from threat intel lookups	”203.0.113.47 flagged on AbuseIPDB (brute-force, 89% confidence), no VirusTotal hits”
Your classification	What you believe this is and why	”Assessed as True Positive — brute-force compromise. Post-logon activity shows reconnaissance commands.”
Actions taken	What you have already done	”Queried last 24h of events for this account and IP. No containment actions taken pending Tier 2 review.”
Queries used	The SIEM queries that produced your findings	”index=main sourcetype=WinEventLog Account_Name=jsmith (EventCode=4624 OR EventCode=4625)“

How Do You Recognise Common False Positive Patterns?

Recognising false positives quickly — without skipping the verification step — is what makes you efficient. Here are the patterns you will see most often.

Top False Positive Categories

Pattern	Why It Triggers	How to Verify	Tuning Action
Vulnerability scanner activity	Scanner probes ports and services, triggering IDS/IPS alerts	Check the source IP against the list of authorised scanners and the scan schedule	Add scanner IPs to an allowlist in the detection rule
IT admin remote access	Admin using RDP, PsExec, or PowerShell remoting during business hours	Confirm the source is a known admin workstation and the user is a known admin	Create a BTP documentation template for admin activity
Antivirus flagging legitimate tools	Security tools (Nmap, Wireshark, PuTTY) flagged as “potentially unwanted”	Verify the tool version and source, confirm it is authorised for the user’s role	Add the hash to the antivirus allowlist (after approval)
Password reset attempts	Multiple failed logins when a user forgets their password	Check the source — is it the user’s known workstation? Did they call the help desk?	Set a minimum threshold before the alert fires
Cloud sync traffic	Large outbound transfers to OneDrive, SharePoint, Google Drive	Verify the destination is a sanctioned cloud service and the volume is consistent with the user’s role	Add sanctioned cloud destinations to a proxy allowlist
Monitoring tool activity	Network health checks, synthetic monitors, SIEM agents generating self-referential alerts	Verify the source is a known monitoring system	Exclude monitoring IPs from network-based detection rules
Patch deployment	Multiple systems installing new services simultaneously	Check the change management calendar for scheduled patch windows	Create time-based exceptions during maintenance windows

The Golden Rule of False Positives

Never close an alert as a false positive based solely on your assumption. Always verify with evidence. “I think this is an FP because it looks like one” is not documentation. “This is an FP because the source IP (10.1.5.22) is the Qualys vulnerability scanner, the scan was scheduled for 02:00-04:00 UTC per change ticket CHG-4521, and the detected activity matches the scan profile” is documentation.

How Do You Write Effective Triage Notes?

Your triage notes serve three audiences: the next analyst who inherits the ticket, the SOC manager who reviews your work, and the auditor who checks your classifications months later. Write for all three.

What to Include in Every Triage Note

ALERT: [Alert name and ID]
TIME: [When the alert fired]
SEVERITY: [P1/P2/P3/P4]

INVESTIGATION:
- Reviewed [specific logs/data sources]
- Checked [IOCs] against [threat intel sources] — results: [findings]
- Correlated with [related events] — findings: [details]
- Context: [user/system/time context that informed your decision]

CLASSIFICATION: [TP / FP / BTP]
RATIONALE: [Why you classified it this way — specific evidence]

ACTION TAKEN: [Escalated to Tier 2 / Closed / Containment actions]
QUERIES USED: [SIEM queries for reproducibility]

Example Triage Note — False Positive

ALERT: IDS-2847 — Port scan detected from 10.1.5.22
TIME: 2026-03-20 02:34 UTC
SEVERITY: P3 (Medium)

INVESTIGATION:
- Source IP 10.1.5.22 is the Qualys vulnerability scanner (asset inventory confirmed)
- Change ticket CHG-4521 authorises weekly scan window 02:00-04:00 UTC every Thursday
- Today is Thursday. Scan activity matches the Qualys scan profile (ports 22, 80, 443, 445, 3389)
- No anomalous traffic from this IP outside the expected scan profile

CLASSIFICATION: Benign True Positive (BTP)
RATIONALE: Detection is accurate — port scanning did occur — but the activity is authorised per CHG-4521.

ACTION TAKEN: Closed. No tuning needed — scan schedule is documented and the alert serves as an audit trail.
QUERIES USED: index=ids src_ip=10.1.5.22 | stats count by dest_port | sort -count

Example Triage Note — True Positive (Escalated)

ALERT: SIEM-9012 — Brute-force followed by successful logon for jsmith
TIME: 2026-03-20 02:17 UTC
SEVERITY: P1 (Critical) — escalated from initial P2

INVESTIGATION:
- 47 failed RDP logon attempts (Event ID 4625) from 203.0.113.47 targeting jsmith between 01:45-02:16 UTC
- Successful RDP logon (4624, type 10) at 02:17 UTC from the same IP
- Post-logon activity: cmd.exe spawning whoami, net user, net group "domain admins" (Event ID 4688) at 02:18-02:19 UTC
- New service installed (Event ID 7045) at 02:23 UTC — service path: C:\Windows\Temp\svc_update.exe
- 203.0.113.47 flagged on AbuseIPDB (89% confidence, brute-force category)
- jsmith is a standard user (not admin) — reconnaissance commands suggest attacker is assessing privileges

CLASSIFICATION: True Positive — confirmed brute-force compromise with post-exploitation activity
RATIONALE: External brute-force source, IOC-confirmed malicious IP, successful logon followed by reconnaissance and persistence installation matches MITRE ATT&CK T1110 -> T1087 -> T1543.003.

ACTION TAKEN: Escalated to Tier 2 (analyst: M.Chen, ticket INC-3847). No containment actions taken — awaiting Tier 2 direction. Recommended: isolate WORKSTATION-07, disable jsmith account, block 203.0.113.47 at perimeter.
QUERIES USED:
- index=main sourcetype=WinEventLog Account_Name=jsmith (EventCode=4624 OR EventCode=4625) earliest=-24h
- index=main sourcetype=WinEventLog host=WORKSTATION-07 EventCode=4688 earliest=-24h
- index=main sourcetype=WinEventLog host=WORKSTATION-07 EventCode=7045 earliest=-24h

How Do You Build Triage Skills Without a SOC Job?

You can develop real triage skills using free and low-cost platforms that simulate SOC alert queues.

Recommended Practice Platforms

Platform	What It Offers	Why It Helps	Cost
TryHackMe — SOC Level 1	Structured path covering alert analysis, SIEM queries, and investigation workflows	Builds the exact skills Tier 1 roles require, with guided exercises	$14/month
LetsDefend	SOC simulator with realistic alert queue, triage interface, and scoring	The closest thing to a real SOC experience outside of employment — you triage alerts and get feedback on your classifications	Free tier available
Blue Team Labs Online	Blue team investigation challenges with varying difficulty	Practise investigation and documentation skills with real-world scenarios	Free tier available
CyberDefenders	Digital forensics and incident response challenges	Deeper investigation practice — particularly useful for preparing for Tier 2 work	Free
Splunk BOTS (Boss of the SOC)	Competition dataset with realistic enterprise logs	Practise writing SIEM queries and investigating multi-stage attacks in Splunk	Free (requires Splunk Free)

Home Lab Triage Practice

Set up Splunk Free + Sysmon + Atomic Red Team in your home lab (see the Home Lab Setup page)
Run Atomic Red Team tests — each test generates specific log entries that map to MITRE ATT&CK techniques
Triage your own alerts — write up each investigation as if you were submitting a ticket in a real SOC
Mix in normal activity — generate benign traffic alongside attack simulations so you practise distinguishing real threats from noise
Document everything — build a portfolio of triage write-ups that you can show in interviews

What Interviewers Ask About Triage

Every SOC analyst interview includes at least one triage scenario. Common formats:

“Walk me through how you would triage this alert.” — They give you a scenario and want to see your structured approach: read the alert, check context, verify IOCs, classify, act, document.
“How do you handle a situation where you are not sure if an alert is real?” — The right answer is “I escalate with my findings so far.” The wrong answer is “I close it as a false positive.”
“You have 15 alerts in your queue and a critical alert just arrived. What do you do?” — Drop everything for the critical alert. Communicate to your team that lower-priority alerts need coverage.
“Tell me about a time you investigated something and found it was a false positive.” — Use a home lab or TryHackMe example. Walk through your process, not just the outcome.

The study tracker maps out triage practice alongside your SIEM learning — so you build both skills together instead of studying them in isolation.

Career Roadmap & Study TrackerAvailable Now

Step-by-step roadmap with study tracker worksheets and certification decision framework.

Get the Guide → $27

Summary and Key Takeaways

Alert triage is the defining skill of the SOC analyst role. It is what you will do for most of every shift, and it is what interviewers test for in every hiring process.

70-90% of alerts are false positives (Ponemon Institute). Your job is to find the real threats hidden in the noise — and to investigate every alert thoroughly, even the ones you suspect are benign.
Classify every alert as TP, FP, or BTP. This three-category framework is universal across SOCs and gives you a clear decision structure.
Context is everything. The same activity can be normal or malicious depending on the user, system, time, and organisational context. Check context before jumping to IOC lookups.
Severity determines speed. Critical alerts get <15 minutes. Low-severity alerts get <24 hours. Know your SLA expectations.
Escalate when uncertain. A false escalation costs a senior analyst 15 minutes. A missed true positive can cost millions. The math is clear.
Document your reasoning, not just your classification. “FP” tells the next analyst nothing. A clear rationale with evidence tells them everything.
Good triage habits separate you from the field. Investigate thoroughly, document clearly, correlate across sources, and ask for help when you need it.
You can build real triage skills for free using LetsDefend, TryHackMe SOC Level 1, and a home lab with Splunk Free and Atomic Red Team.

Individual results vary. Career timelines, salary outcomes, and job availability depend on your location, experience, market conditions, and effort. The information on this page is educational, not a guarantee of employment outcomes.

SOC Analyst Playbook for the full picture of the daily SOC analyst workflow
Log Analysis for reading the logs that underpin every triage investigation
Incident Response for what happens after an alert is escalated and confirmed as an incident
Home Lab Setup to build the practice environment for triage exercises

Frequently Asked Questions

What is alert triage in cybersecurity?

Alert triage is the process SOC analysts use to evaluate, classify, and prioritise security alerts. Each alert is investigated and classified as a True Positive (genuine threat), False Positive (no actual threat), or Benign True Positive (correct detection of authorised activity). The analyst then takes action — escalating confirmed threats, closing false positives with documentation, or flagging patterns for detection rule tuning.

What is the difference between a true positive and a false positive?

A true positive (TP) is an alert that correctly identifies a genuine security threat — real malware, an actual intrusion, or confirmed malicious activity that requires response. A false positive (FP) is an alert that fired incorrectly — the detection rule triggered but there is no actual threat. A benign true positive (BTP) is when the detection is technically correct but the activity is authorised, such as a vulnerability scanner triggering an IDS alert during a scheduled scan.

Why are there so many false positives in a SOC?

False positives result from detection rules that are deliberately sensitive — it is better to alert on something benign than to miss a real threat. The Ponemon Institute found that 70-90% of SOC alerts are false positives. Contributing factors include overly broad detection rules, legitimate tools that resemble attack tools, scheduled scans and maintenance activities, and the sheer volume of normal network activity that can match suspicious patterns.

When should a Tier 1 analyst escalate an alert?

Escalate when you confirm a true positive (malware execution, successful compromise, data exfiltration), when the severity is Critical or High, or when you are uncertain after investigation. The principle is clear: a false escalation costs a senior analyst 15 minutes, while a missed true positive can cost the organisation millions. When in doubt, escalate with your findings and let the senior analyst make the final call.

What should I include when I escalate an alert?

Include: the alert summary and severity, a chronological timeline of events, affected systems and user accounts, IOC lookup results from threat intelligence sources, your classification and reasoning, actions you have already taken, and the SIEM queries you used. A good escalation saves the Tier 2 analyst time. A poor escalation forces them to redo your investigation from scratch.

How do I handle alert fatigue and burnout?

Alert fatigue is the exhaustion from reviewing thousands of false positives. Prevention strategies include: taking breaks away from screens, following a structured triage process rather than rushing, focusing on accuracy over speed, building skills to increase efficiency over time, communicating workload concerns to your SOC lead, and recognising that alert fatigue is an organisational problem (understaffing, poor rule tuning) not a personal failure. Most analysts advance beyond Tier 1 within 12-24 months.

How can I practise alert triage without a SOC job?

LetsDefend offers a free SOC simulator with a realistic alert queue and scoring. TryHackMe SOC Level 1 provides structured triage training with real-world scenarios. Building a home lab with Splunk Free, Sysmon, and Atomic Red Team lets you generate and investigate alerts in your own environment. Document every investigation as a triage note — this builds the documentation habit and creates a portfolio for interviews.

What triage questions come up in SOC analyst interviews?

Common formats include: 'Walk me through how you would triage this alert' (they want to see a structured approach), 'How do you handle uncertainty?' (the right answer is escalate), 'How do you prioritise multiple alerts?' (critical severity first, check for related alerts, communicate with the team), and 'Tell me about an investigation you did' (use home lab or TryHackMe examples and focus on your process, not just the outcome).

More resources

NIST SP 800-61 Rev. 2 — Detection and Analysis

The authoritative NIST guide covering alert triage as part of the incident response lifecycle.

Visit SANS SOC Operations Guide

Practical guidance for SOC workflows, triage processes, and alert handling procedures.

Visit MITRE ATT&CK Framework

Maps adversary techniques to detection opportunities — essential for understanding what your alerts are detecting.

Visit LetsDefend SOC Simulator

Free SOC simulator with realistic alert triage practice — the closest experience to a real SOC outside of employment.

Visit

Sources: NIST SP 800-61, SANS Institute SOC Survey 2023, Ponemon Institute, MITRE ATT&CK, CompTIA Security+ SY0-701 objectives. Last verified: March 2026.