Overview
Direct Answer
A Security Operations Centre (SOC) is a centralised facility where security analysts monitor networks, systems, and security tools in real time to detect, analyse, and respond to cybersecurity incidents. It functions as the operational hub for an organisation's incident detection and response capabilities.
How It Works
SOCs aggregate security telemetry from firewalls, intrusion detection systems, endpoint protection platforms, and log management tools into a unified monitoring interface. Analysts triage alerts using playbooks and threat intelligence, escalating confirmed incidents to incident response teams who contain, investigate, and remediate threats according to established procedures.
Why It Matters
Centralised monitoring reduces mean time to detection (MTTD) and mean time to response (MTTR), minimising breach impact and financial loss. Organisations leverage SOCs to maintain continuous compliance with regulatory frameworks such as ISO 27001 and PCI-DSS whilst demonstrating effective security governance to stakeholders.
Common Applications
Financial institutions operate SOCs to monitor transaction anomalies and prevent fraud. Healthcare organisations use SOCs to protect patient data under regulatory obligations. Large enterprises maintain SOCs to detect advanced persistent threats across geographically distributed infrastructure.
Key Considerations
SOC effectiveness depends heavily on analyst expertise and alert tuning; poorly calibrated systems generate alert fatigue that degrades detection quality. Many organisations struggle with staffing costs and skill shortages, leading some to augment in-house teams with managed security service providers (MSSPs).
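As an added illustration (not part of the original entry), the Python below sketches the aggregate-correlate-escalate flow described under How It Works, the MTTD/MTTR measures from Why It Matters, and the alert-tuning point above; the telemetry records, the playbook thresholds and the containment timestamps are all constructed for the example.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample telemetry (not from any real network): normalised
# (timestamp, source tool, host, description, severity) records.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:05", "firewall", "host-12", "outbound to denied IP", 3),
    ("2024-05-01T09:00:40", "ids", "host-12", "C2 beacon signature", 7),
    ("2024-05-01T09:01:10", "edr", "host-12", "suspicious child process", 6),
    ("2024-05-01T09:30:00", "firewall", "host-44", "outbound to denied IP", 3),
    ("2024-05-01T11:00:00", "edr", "host-44", "suspicious child process", 6),
]
# Constructed containment timestamps recorded by the incident response team.
SAMPLE_CONTAINED = {"host-12": "2024-05-01T09:45:00"}


def correlate(events, window=timedelta(minutes=10), min_sources=2, min_score=10):
    """Hypothetical playbook rule: a host becomes an incident when alerts from
    at least `min_sources` distinct tools land within `window` and their
    severities sum to `min_score` or more. Isolated or widely spaced alerts
    stay as alerts; this threshold is the tuning that limits alert fatigue."""
    by_host = {}
    for ts, source, host, desc, sev in sorted(events):
        by_host.setdefault(host, []).append(
            (datetime.fromisoformat(ts), source, desc, sev))
    incidents = []
    for host, evs in by_host.items():
        for i, (t0, *_rest) in enumerate(evs):
            cluster = [e for e in evs[i:] if e[0] - t0 <= window]
            sources = {e[1] for e in cluster}
            score = sum(e[3] for e in cluster)
            if len(sources) >= min_sources and score >= min_score:
                incidents.append({"host": host, "first_seen": t0,
                                  "detected": cluster[-1][0],
                                  "sources": sorted(sources), "score": score})
                break  # one incident per host; later alerts attach to it
    return incidents


def mttd_mttr(incidents, contained):
    """Return (MTTD, MTTR) in seconds: first related alert -> rule fired,
    and rule fired -> recorded containment. None when there is no data."""
    ttd = [(i["detected"] - i["first_seen"]).total_seconds() for i in incidents]
    ttr = [(datetime.fromisoformat(contained[i["host"]]) - i["detected"]).total_seconds()
           for i in incidents if i["host"] in contained]
    return (mean(ttd) if ttd else None), (mean(ttr) if ttr else None)


if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    print([(i["host"], i["score"], i["sources"]) for i in found])
    print("MTTD %.0fs, MTTR %.0fs" % mttd_mttr(found, SAMPLE_CONTAINED))
```

With the default thresholds only host-12 is escalated; host-44's two alerts are 90 minutes apart and below the severity threshold, so they stay as alerts rather than becoming noise for the responders.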