BLOG • 4 min read

How to Build an Incident Response Career: From First SOC Role to IR Analyst

Incident response is where the real investigation happens. While SOC Tier 1 analysts triage alerts and filter noise, IR analysts take over when something genuinely bad is confirmed: they determine the scope of a compromise, contain it, eradicate the attacker, and reconstruct exactly what happened. It is more demanding, more autonomous, and better paid.

The path from first SOC role to IR analyst is one of the most clearly defined career progressions in cyber security. Here is how it works and how to build toward it.


What Is the Difference Between a SOC Analyst and an IR Analyst?

The distinction is depth versus breadth.

SOC Tier 1 is breadth and speed - cycling through dozens of alerts per hour with a decision tree that is mostly muscle memory after the first few months. Tier 2 is depth and patience. A Tier 2 investigation might take three days. You are reading raw log data, building timelines, coordinating with system administrators who need to know whether their server was compromised, and writing incident reports that non-technical leadership can actually understand.

IR analysts operate at Tier 2 and above. They take escalated incidents and own them end to end: determining how the attacker got in, how far they moved laterally, what systems and data were affected, and what needs to happen to restore normal operations securely. While SOC analysts monitor for threats and raise alerts, incident responders take the lead when those alerts confirm a genuine attack.

The skill set is not entirely different. It is built on the same foundations - SIEM proficiency, log analysis, threat intelligence - but extends into forensics, malware triage, memory analysis, and the ability to run an investigation from initial alert to executive briefing without a playbook telling you what to do at each step.


What Does the Career Progression Actually Look Like?

| Stage | Typical timeline | What the work actually involves | US salary range | TryHackMe credential |
|---|---|---|---|---|
| SOC Tier 1 Analyst | 0 to 2 years | Alert triage, false positive filtering, initial investigation, escalation. High volume, structured playbooks. Breadth over depth. | $55,000 to $75,000 | SAL1 - live SOC simulator exam, backed by Accenture and Salesforce |
| SOC Tier 2 / Junior IR Analyst | 2 to 4 years | Deep-dive investigation on escalated incidents. Full attack chain reconstruction. Malware triage, forensic analysis, multi-source log correlation. Depth over breadth. | $75,000 to $100,000 | SAL2 - advanced investigation scenarios, endorsed by NCC Group |
| IR Analyst | 3 to 6 years | Leads incident investigations end to end. Scopes compromise, coordinates containment, produces forensic findings and executive briefings. | $84,500 to $109,500 | DFIR module + GCIH (GIAC Certified Incident Handler) |
| Senior IR / DFIR Specialist | 6+ years | Programme leadership, large-scale breach investigations, threat intelligence integration, red team collaboration, crisis management. | $122,500 to $150,000+ | Threat Hunting module + GCFA / GREM |

Salary data from ZipRecruiter and Unihackers (2026). Ranges vary by location, employer type, and specialisation.


Which Skills Bridge SOC to IR?

The skills that separate a capable Tier 1 analyst from an IR-ready practitioner are specific and learnable. These are the areas to invest in during your Tier 1 years.

Memory forensics. Volatility is the standard framework. The ability to extract running processes, network connections, injected code, and attacker artefacts from a RAM dump is a core IR capability that most Tier 1 analysts have never touched. TryHackMe's DFIR module covers memory forensics hands-on.

Disk and file system forensics. Autopsy, FTK Imager, and Eric Zimmerman's tool suite for Windows artefact analysis. Timeline reconstruction from file system metadata, registry analysis, prefetch files, and shellbags builds the investigative picture that determines how an attacker moved.

Malware triage. Being able to assess a suspicious binary without executing it - static analysis of strings, imports, and file headers - and identify its likely capabilities and persistence mechanisms. You do not need to be a malware reverse engineer at IR analyst level. You need to be able to characterise what something is doing quickly enough to inform containment decisions.

Network traffic analysis. PCAP analysis in Wireshark, Zeek log interpretation, command and control traffic identification. IR investigations almost always involve a network layer, and the ability to reconstruct attacker activity from traffic data is consistently tested at interview.
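As an added example (not from the original post), the kind of Zeek log interpretation described above: a small Python beaconing heuristic over constructed conn.log records that flags flows with near-constant check-in intervals, the signature a responder looks for when hunting for C2 traffic hidden in ordinary port 443 connections. The log excerpt, the detection thresholds and the function names are all assumptions made for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed conn.log excerpt (ts, id.orig_h, id.resp_h, id.resp_p only),
# not real traffic. Zeek writes these tab-separated; header lines start with '#'.
SAMPLE_CONN_LOG = """\
1700000000.0\t10.0.0.5\t203.0.113.9\t443
1700000060.2\t10.0.0.5\t203.0.113.9\t443
1700000120.1\t10.0.0.5\t203.0.113.9\t443
1700000179.9\t10.0.0.5\t203.0.113.9\t443
1700000240.0\t10.0.0.5\t203.0.113.9\t443
1700000012.0\t10.0.0.7\t198.51.100.4\t80
1700000300.0\t10.0.0.7\t198.51.100.4\t80
1700000305.0\t10.0.0.7\t198.51.100.4\t80
1700001900.0\t10.0.0.7\t198.51.100.4\t80
"""

def parse_conn_log(text):
    """Yield (ts, orig_h, resp_h, resp_p) tuples, skipping Zeek '#' header lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig, resp, port = line.split("\t")[:4]
        yield float(ts), orig, resp, int(port)

def find_beacons(records, min_conns=4, max_jitter=0.2):
    """Return (flow, mean_interval, jitter) for flows with regular intervals.

    jitter = stdev(gaps) / mean(gaps). Low jitter over enough connections is
    the classic beaconing heuristic; bursty human browsing fails the test.
    """
    by_flow = defaultdict(list)
    for ts, orig, resp, port in records:
        by_flow[(orig, resp, port)].append(ts)
    hits = []
    for flow, times in by_flow.items():
        times.sort()
        if len(times) < min_conns:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= max_jitter:
            hits.append((flow, round(avg, 1), round(jitter, 3)))
    return hits

if __name__ == "__main__":
    for (orig, resp, port), interval, jitter in find_beacons(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{orig} -> {resp}:{port} every ~{interval}s (jitter {jitter})")
```

In the constructed data the 10.0.0.5 flow checks in every 60 seconds and is flagged, while the 10.0.0.7 flow has the same number of connections but irregular gaps and is not.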

Documentation and reporting. This cannot be overstated. IR analysts write reports that go to executives, lawyers, and in serious cases, regulators and law enforcement. Clear, accurate, evidence-anchored documentation is what separates good IR practitioners from technically skilled analysts who cannot communicate findings.


Which Certifications Matter at Each Stage?

Entry level (Tier 1): SAL1 from TryHackMe validates practical SOC skills and is the most direct credential for this stage. Backed by Accenture and Salesforce.

Mid level (Tier 2 / junior IR): SAL2 from TryHackMe for SOC Tier 2 validation. GCIH (GIAC Certified Incident Handler) is the most widely recognised IR-specific credential and a strong signal to hiring managers that your investigation skills are independently validated.

Advanced (senior IR / DFIR): GCFE (GIAC Certified Forensic Examiner) and GCFA (GIAC Certified Forensic Analyst) for forensics depth. GREM (GIAC Reverse Engineering Malware) for specialists moving into malware analysis. These are expensive certifications - the return on investment is highest after you are in the role and your employer contributes.


What Does the 2026 Market Look Like?

Strong, particularly at Tier 2 and above. One important 2026 trend: many Tier 1 SOC tasks are being automated through AI and SOAR platforms, compressing entry-level analyst salaries slightly while increasing demand and compensation for Tier 2 to 3 specialists who can manage AI-driven detection tools. That makes upskilling from Tier 1 to Tier 2 as quickly as possible a smart career move.

IR specifically benefits from this trend. The investigations that AI-assisted triage surfaces still require human analysts to run. The complexity and sensitivity of those investigations are increasing as attackers also use AI to move faster and cover their tracks more effectively. Experienced IR practitioners are not facing automation pressure - they are facing demand pressure.


How Do You Start Building Toward IR?

Start in a SOC Tier 1 role and invest deliberately in the skills above during your first 18 months. Every investigation you conduct is an opportunity to practise the documentation habits that IR requires. Every alert you triage is a data point in building the threat landscape knowledge that makes IR investigations faster.

TryHackMe's SOC Level 1 path is the most direct structured preparation for your first role. The DFIR module builds the forensics skills that bridge Tier 1 to IR analyst work. The Threat Hunting module extends into the proactive capability that distinguishes senior IR practitioners.

The progression is clear. The demand is real. Start building.

Author: Nick O'Grady
Jun 11, 2026
