Journey to Senior
Ready to take the next step beyond Level 1? The natural progression is to the Level 2 analyst role, where juniors grow into experienced, decision-making team members. This room serves as a roadmap for getting there: the technical skills, the broader toolkit, and the new challenges and responsibilities to expect. You'll also learn how to develop a senior mindset and prepare for even more advanced roles. Let's get started!

Today, You Will Learn
- How middle-senior responsibilities differ from junior ones
- Which skills you'd need, and how to prepare for promotion
- What a typical day as a Level 2 analyst looks like
Let's get started!
Level 2 Definition
The Level 2 analyst is a natural progression from Level 1: a middle- or senior-level technical role responsible for investigating escalated alerts and responding to threats. As a Level 2, you are expected to excel at log analysis and take over basic engineering and incident response tasks. In addition, you should have strong soft skills to mentor juniors, take initiative, and communicate properly with different teams.
Typical expectations for L1 and L2 analysts from 0 to 100
New Tasks and Duties
Your schedule will typically be split between shift-based triage of escalated alerts (your core duty) and a range of supportive tasks. We'll cover L2 triage in the next room, but the supportive side of the role can be quite broad. Unless your company has a dedicated L3 position and team, you may take on lots of senior duties as an L2, for example:
- Build new detection rules and run threat hunting exercises
- Cooperate with the IT team to configure the network securely
- Respond to infections: clean malware and rotate credentials
- Participate in, or even lead, the response to a major intrusion
- And, of course, triage complex alerts escalated by Level 1
Importance of Soft Skills
The biggest difference between L1 and L2 is not in technical knowledge, but in the soft skills: responsibility, attitude, and mindset. You will need to mentor juniors and help them grow alongside you, take initiative and lead discussions, communicate effectively within the team and externally, and much more! In the next few rooms, you will learn more about the teamwork and mentorship aspects of the L2.
Should you improve tech, soft, or both skills to become L2?
Fun of Being L2
We've talked about the duties of Level 2, but what about the benefits? Beyond the higher salary, you'll have a chance to broaden your worldview and grow in different areas: mentorship and leadership, closer cooperation with management, incident handling, engineering tasks, and much more. The role should push you out of your comfort zone and stop you from becoming a narrow specialist, incapable of doing anything beyond your favorite task:
Incident Handling
You'll deal with the most interesting cases, attacks that are too complex for L1 to investigate: infostealers that bypassed prevention, supply chain attacks, insider threats, Active Directory intrusions, and so on. You'll also move beyond -only triage and start doing on-host investigations, network and malware analysis, and even some . There, you'll:
- Learn how to respond to attacks using or a regular
- See the world beyond : host, cloud, and network points of view
- Observe the same attacks you read about in threat reports and blogs

As an L2, you often handle the incident first and find it in the news only a day later.
Engineering Tasks
Only large MSSPs can afford fully analytical L2 roles. Most companies merge L2 duties with detection engineering, maintenance, and security automation. That's actually great, because the more "side" tasks you take on, the wider your worldview becomes. The broad experience you build here is vital for your growth. Some tasks you can expect:
- Simulate an attack and build a detection rule to cover it
- Dig deeper into how SIEMs and EDRs work internally
- Automate a routine task and make your team's life easier

Have you wondered how most rules work? As L2, you'll find out!
General Security Tasks
You will dig deeper into how the company operates and what parts of it are covered by . Expect more opportunities to work with IT on patching vulnerabilities, tightening policies, and securing public services. Occasionally, you will help the compliance team, analyze pentest results, or even run red teaming exercises yourself. The skills you can build here:
- Learn about corporate processes and the daily life of other departments, especially IT
- Discover enterprise software such as SAP, Salesforce, Jira, Stripe, and the M365 suite
- Explore new security domains: pentesting, compliance, , AppSec, and more

By cooperating with IT, you will better understand how companies are breached.
Does exploring new security areas help you grow? (Yea/Nay)
Sense of Responsibility
Level 2 isn't just a technical step up, it's a mindset shift. As a senior, you take responsibility for your team and for the security posture of the whole organization. You can't say "it's not my fault" after a ransomware attack, because everyone now expects ownership from you, not excuses. And the first rule of the senior mindset is simple: never ignore a security concern, whether it was raised by you or someone else.

Whenever you see a security crack, raise the alarm, even if it's not your fault
Scenario
One of the L1 analysts mentioned that we haven't seen any alerts from the servers for two weeks.
In the past, the servers regularly generated false positives due to IT team actions.
- Junior mindset: No logs means no alerts, and no alerts means less work to do.
- Senior mindset: No alerts for weeks is not OK. Something is wrong with the logging.
The senior must be 100% sure that the critical servers are well monitored. They would work with engineers to identify the root cause of the issue, run a hunt to detect log tampering attempts, and ensure the team is better prepared next time.
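The senior's "are the critical servers still being monitored?" check can itself be turned into a detection. The script below is an added example, not code from this room: it compares an inventory of critical hosts against the latest event seen per host and reports those that went silent or never reported at all. The event layout, host names and the one-day threshold are constructed assumptions.

```python
"""Added example: flag critical log sources that have gone silent.

Assumed: events are dicts with an ISO-8601 "ts" and a "host" field, as a
SIEM search might return them. All names and sample data are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample events: fs01 stops reporting on 2 May, sql01 never reports.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:00", "host": "dc01", "event_id": 4624},
    {"ts": "2024-05-14T09:30:00", "host": "dc01", "event_id": 4688},
    {"ts": "2024-05-02T10:00:00", "host": "fs01", "event_id": 4663},
    {"ts": "2024-05-13T23:59:00", "host": "web01", "event_id": 4688},
]
# Inventory of servers that must be monitored, maintained outside the SIEM.
CRITICAL_HOSTS = ["dc01", "fs01", "web01", "sql01"]


def last_seen(events):
    """Map each host to the timestamp of its most recent event."""
    seen = {}
    for event in events:
        ts = datetime.fromisoformat(event["ts"])
        if event["host"] not in seen or ts > seen[event["host"]]:
            seen[event["host"]] = ts
    return seen


def silent_sources(events, critical_hosts, now, max_silence_days=1):
    """Return {host: reason} for critical hosts with no events in the window.

    A host missing from the events entirely is a different finding from one
    that used to report and stopped: the first points at onboarding, the
    second at the log pipeline or at log clearing on the host itself.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    seen = last_seen(events)
    findings = {}
    for host in critical_hosts:
        if host not in seen:
            findings[host] = "never reported: check agent/forwarder enrolment"
            continue
        gap = now - seen[host]
        if gap > timedelta(days=max_silence_days):
            findings[host] = (f"silent for {gap.days} day(s): check the log "
                              "pipeline and hunt for log clearing on the host")
    return findings


if __name__ == "__main__":
    for host, why in silent_sources(SAMPLE_EVENTS, CRITICAL_HOSTS, "2024-05-14T12:00:00").items():
        print(f"{host}: {why}")
```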
Attacker Mindset
It is recommended that an L2 have some red teaming experience, because the more you understand how attacks occur, the easier it is to understand the adversary's behavior and predict their next steps. Combined with knowledge of and the Cyber Kill Chain, the attacker's mindset will help you read between the lines and run your investigations much more quickly and in a more organized way.

Thinking like an attacker helps you complete the attack puzzle:
What happened before the alert, and what's coming next
Scenario
An alert fires for a command spawned by the web server.
The command is a simple "whoami". No more commands are seen afterward.
- Junior mindset: The command is safe, this is likely expected web server activity.
- Senior mindset: Looks like a test of a web shell. Malicious commands will follow later.
Even if the command turns out to be safe, the senior would first assume breach and then spend time on deep log analysis, or even forensics, to prove that it was the expected activity of a web server rather than a test run before a full-scale attack.
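A detection rule for this scenario (and for the "simulate an attack and build a detection rule" engineering task above), written here as an added example rather than code from the room: it flags shells and recon commands spawned by web server processes, treats a lone whoami as a finding, and groups hits per host so a later command chain lands next to the first test. The process names, event fields and sample records are constructed assumptions.

```python
"""Added example: detect commands spawned by a web server process.

Assumed: process-creation events are dicts with "host", "parent", "image",
"cmdline" and "user" fields (Sysmon event 1 and Windows 4688 carry the
equivalents). Names, lists and sample records are constructed.
"""
import re

# Parent images that should almost never spawn an interactive shell or recon tool.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd", "apache2", "nginx", "php-fpm", "tomcat"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash"}
# Typical first commands after a web shell is planted; a single hit is still a finding.
RECON = re.compile(r"\b(whoami|hostname|systeminfo|ipconfig|ifconfig|uname|net user)\b", re.I)

SAMPLE_EVENTS = [  # constructed process-creation records
    {"host": "web01", "parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami", "user": "IIS APPPOOL\\shop"},
    {"host": "web01", "parent": "w3wp.exe", "image": "csc.exe",
     "cmdline": "csc.exe /t:library App_Web_page.cs", "user": "IIS APPPOOL\\shop"},
    {"host": "web02", "parent": "httpd", "image": "php",
     "cmdline": "php /var/www/jobs/cleanup.php", "user": "www-data"},
    {"host": "web02", "parent": "httpd", "image": "sh",
     "cmdline": "sh -c 'uname -a; cat /etc/passwd'", "user": "www-data"},
]


def classify(event):
    """Return a finding for a suspicious child of a web server, else None."""
    if event["parent"].lower() not in WEB_SERVER_PARENTS:
        return None
    image, cmdline = event["image"].lower(), event["cmdline"]
    if image in SHELLS:
        reason = f"web server spawned shell {image}"
    elif RECON.search(cmdline):
        reason = "web server ran a recon command"
    else:
        return None  # e.g. csc.exe compiling an ASP.NET page is normal IIS behaviour
    return {"host": event["host"], "user": event["user"], "cmdline": cmdline,
            "reason": reason,
            "next_step": "assume a web shell: pull web access logs, review the web "
                         "root for new files, and watch for follow-up commands"}


def detect(events):
    """Run the rule over a batch and group findings per host."""
    per_host = {}
    for event in events:
        finding = classify(event)
        if finding:
            per_host.setdefault(finding["host"], []).append(finding)
    return per_host
```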
What mindset helps you see and predict how incidents unfold?
Challenge
Open the static site by clicking the View Site button below. You will start from a interface and go through a daily routine of the L2 analyst: triage of escalated alerts, rule development and tuning, and responding to urgent threats. Follow the instructions in the app and get your flag.
Note: For best experience, open the app in full screen mode.
What flag did you get after completing the challenge?
Preparing for Promotion
In this room, you have learned the duties and opportunities of the L2 role. Next, we'd suggest:
| # | Goal | Suggestions |
|---|---|---|
| 1 | Gain technical skills | |
| 2 | Build up attacker's mindset | |
| 3 | Broaden security awareness | |
| 4 | Validate acquired skills | |
See you in the next room!