What Is a Security Operations Center?
A Security Operations Center (SOC) is the centralised function responsible for continuously monitoring an organisation's IT environment, detecting cybersecurity threats, and coordinating incident response. It brings together security analysts, detection technologies, and defined processes to provide round-the-clock protection against cyberattacks.
For compliance-driven organisations, the SOC serves a dual purpose: protecting the business from threats and generating the continuous monitoring evidence that auditors and regulators require under ISO 27001, SOC 2, NIS2, and DORA.
SOC Operating Models
| Model | Description | Best For | Cost |
|---|---|---|---|
| In-house SOC | Fully internal team and infrastructure | Large enterprises with mature security programmes | High |
| Managed SOC / MDR | Outsourced to managed security service provider | SMEs needing 24/7 coverage without building a team | Medium |
| Hybrid SOC | Internal team augmented by external services | Mid-size organisations needing specialised skills | Medium-High |
| Virtual SOC | Distributed team without physical facility | Remote-first organisations, multi-location businesses | Medium |
| SOCaaS | Cloud-based SOC as a Service | Startups and scale-ups with limited security headcount | Low-Medium |
SOC Team Structure
| Role | Tier | Responsibilities | Key Skills |
|---|---|---|---|
| SOC Analyst | Tier 1 | Alert triage, initial investigation, routine incident handling | SIEM operation, basic forensics |
| Incident Responder | Tier 2 | Deep investigation, threat hunting, complex incident handling | Advanced forensics, malware analysis |
| Threat Hunter | Tier 3 | Proactive threat hunting, adversary emulation, tool development | Threat intelligence, scripting, reverse engineering |
| SOC Manager | Management | Operations oversight, metrics, compliance reporting, staffing | Leadership, compliance frameworks, budgeting |
| SOC Engineer | Engineering | Tool deployment, detection rule development, automation | SIEM engineering, SOAR development, scripting |
SOC Technology Stack
| Layer | Technology | Purpose |
|---|---|---|
| Log management | SIEM (Splunk, Microsoft Sentinel, Elastic) | Aggregate, correlate, and analyse security logs |
| Endpoint | EDR/XDR (CrowdStrike, SentinelOne, Microsoft Defender) | Monitor and respond to endpoint threats |
| Network | NDR (Darktrace, Vectra, Zeek) | Detect network-based threats and anomalies |
| Automation | SOAR (Palo Alto XSOAR, Splunk SOAR, Tines) | Automate playbooks and orchestrate response |
| Threat intel | TIP (MISP, Anomali, Recorded Future) | Enrich alerts with threat intelligence context |
| Vulnerability | Vulnerability scanners (Qualys, Tenable, Rapid7) | Identify and prioritise vulnerabilities |
| Ticketing | ITSM (ServiceNow, Jira, PagerDuty) | Track incidents, document response, generate evidence |
Detection and Response Process
| Phase | Activities | Output |
|---|---|---|
| Collection | Aggregate logs from endpoints, network, cloud, applications | Centralised log repository |
| Detection | Correlation rules, anomaly detection, threat intelligence matching | Security alerts |
| Triage | Validate alerts, determine severity, check for false positives | Prioritised incident queue |
| Investigation | Analyse scope, identify affected assets, determine root cause | Investigation report |
| Containment | Isolate affected systems, block indicators of compromise | Contained threat |
| Eradication | Remove malware, patch vulnerabilities, close attack vectors | Clean environment |
| Recovery | Restore systems, verify integrity, monitor for recurrence | Restored operations |
| Lessons learned | Post-incident review, detection rule improvements, process updates | Updated playbooks and rules |
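The Detection phase above turns collected logs into alerts through correlation rules. The following is an added example, not code from the original page or from any SIEM product: a small correlation rule, written in plain Python, that reads constructed SSH authentication log lines and raises an alert when one source address records five or more failed logins within ten minutes followed by a successful login. The log format, the threshold and the window are assumptions chosen for the example; a production rule would live in the SIEM's own rule language and be tuned against real baseline data.

```python
"""Added example: a minimal correlation rule for the Detection phase.

Raises an alert when a source IP accumulates `threshold` failed logins
inside `window` and then logs in successfully. The sample log lines are
constructed for this example and are not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample auth log lines (documentation-range IPs, not real hosts).
SAMPLE_LOGS = """\
2024-05-01T09:00:01Z sshd[101]: Failed password for admin from 203.0.113.7 port 5001
2024-05-01T09:00:04Z sshd[102]: Failed password for admin from 203.0.113.7 port 5002
2024-05-01T09:00:09Z sshd[103]: Failed password for root from 203.0.113.7 port 5003
2024-05-01T09:00:15Z sshd[104]: Failed password for admin from 203.0.113.7 port 5004
2024-05-01T09:00:22Z sshd[105]: Failed password for admin from 203.0.113.7 port 5005
2024-05-01T09:00:40Z sshd[106]: Accepted password for admin from 203.0.113.7 port 5006
2024-05-01T09:05:00Z sshd[107]: Failed password for alice from 198.51.100.20 port 6001
2024-05-01T09:05:30Z sshd[108]: Accepted password for alice from 198.51.100.20 port 6002
2024-05-01T10:30:00Z sshd[109]: Failed password for bob from 192.0.2.55 port 7001
2024-05-01T11:00:00Z sshd[110]: Failed password for bob from 192.0.2.55 port 7002
"""

# Assumed line format; lines that do not match are ignored rather than crashing the rule.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def parse_line(line):
    """Return a normalised event dict for a matching line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce_then_success(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return one alert dict per source IP that satisfies the rule."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # correlation assumes time order
    failures = defaultdict(list)        # src -> timestamps of recent failures
    alerts = []
    for ev in events:
        src = ev["src"]
        # Drop failures that have aged out of the sliding window.
        failures[src] = [t for t in failures[src] if ev["ts"] - t <= window]
        if ev["outcome"] == "Failed":
            failures[src].append(ev["ts"])
        elif len(failures[src]) >= threshold:
            alerts.append({
                "rule": "auth.bruteforce_then_success",
                "severity": "high",
                "src": src,
                "user": ev["user"],
                "failed_attempts": len(failures[src]),
                "first_failure": failures[src][0].isoformat(),
                "success_at": ev["ts"].isoformat(),
            })
            failures[src] = []  # reset so one burst yields one alert
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_then_success(SAMPLE_LOGS):
        print(alert)
```

Running the block on the constructed lines produces a single alert for 203.0.113.7 (five failures in 21 seconds, then an accepted login for `admin`), while the single failure from 198.51.100.20 and the two slow failures from 192.0.2.55 stay below the threshold. The per-source reset after an alert is the kind of detail that keeps one burst from flooding the triage queue, which is what the alert-to-incident and false positive metrics later on this page measure.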
SOC Metrics
| Metric | Target | Why It Matters |
|---|---|---|
| Mean Time to Detect (MTTD) | < 24 hours | Measures detection speed |
| Mean Time to Respond (MTTR) | < 4 hours | Measures response effectiveness |
| False positive rate | < 30% | Indicates detection quality |
| Alert-to-incident ratio | 10:1 or better | Shows alert tuning effectiveness |
| Dwell time | < 14 days | Time threats persist undetected |
| Coverage ratio | > 95% | Percentage of assets monitored |
| Analyst utilisation | 60-80% | Ensures capacity for surges |
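The metrics table gives targets but not the arithmetic behind them, and the arithmetic is where monthly reporting usually goes wrong. The following is an added example, not code from the original page or from Orbiq, that computes six of the seven metrics (analyst utilisation is omitted because it needs staffing data) from constructed alert, incident and asset records and checks each against the targets above. The definitions are assumptions: MTTD is measured from log event to SIEM alert over true positives, MTTR from detection to containment, dwell time from first attacker activity to detection, and "10:1 or better" is read as at most ten alerts per confirmed incident.

```python
"""Added example: computing the SOC metrics table from constructed records.

All records below are constructed for this example. Metric definitions are
assumptions stated in the comments; a real SOC should document its own.
"""
from datetime import datetime
from statistics import mean


def ts(s):
    """Parse an ISO-8601 timestamp (constructed data is UTC without offset)."""
    return datetime.fromisoformat(s)


# Constructed alerts for one reporting month. 'event' is the log timestamp,
# 'raised' is when the SIEM produced the alert, 'incident' links true positives to a case.
ALERTS = [
    {"id": "A01", "event": ts("2024-05-02T08:00"), "raised": ts("2024-05-02T08:05"), "disposition": "true_positive", "incident": "I1"},
    {"id": "A02", "event": ts("2024-05-03T11:00"), "raised": ts("2024-05-03T11:02"), "disposition": "false_positive", "incident": None},
    {"id": "A03", "event": ts("2024-05-06T14:10"), "raised": ts("2024-05-06T14:11"), "disposition": "benign", "incident": None},
    {"id": "A04", "event": ts("2024-05-09T02:00"), "raised": ts("2024-05-09T02:03"), "disposition": "benign", "incident": None},
    {"id": "A05", "event": ts("2024-05-12T17:30"), "raised": ts("2024-05-12T17:31"), "disposition": "false_positive", "incident": None},
    {"id": "A06", "event": ts("2024-05-15T08:30"), "raised": ts("2024-05-15T09:00"), "disposition": "true_positive", "incident": "I2"},
    {"id": "A07", "event": ts("2024-05-18T10:00"), "raised": ts("2024-05-18T10:01"), "disposition": "benign", "incident": None},
    {"id": "A08", "event": ts("2024-05-21T22:00"), "raised": ts("2024-05-21T22:04"), "disposition": "benign", "incident": None},
    {"id": "A09", "event": ts("2024-05-25T13:00"), "raised": ts("2024-05-25T13:02"), "disposition": "benign", "incident": None},
    {"id": "A10", "event": ts("2024-05-28T07:00"), "raised": ts("2024-05-28T07:01"), "disposition": "benign", "incident": None},
]

# Constructed confirmed incidents with the timestamps the metrics need.
INCIDENTS = [
    {"id": "I1", "first_activity": ts("2024-05-01T20:00"), "detected": ts("2024-05-02T08:05"), "contained": ts("2024-05-02T10:05")},
    {"id": "I2", "first_activity": ts("2024-05-10T00:00"), "detected": ts("2024-05-15T09:00"), "contained": ts("2024-05-15T14:00")},
]

# Constructed asset inventory: 37 of 40 assets ship logs to the SIEM.
ASSET_INVENTORY = {"total": 40, "monitored": 37}

# Targets copied from the metrics table on this page; the comparison direction is an assumption.
TARGETS = {
    "mttd_hours": ("<", 24),
    "mttr_hours": ("<", 4),
    "false_positive_rate": ("<", 0.30),
    "alert_to_incident_ratio": ("<=", 10),   # "10:1 or better" read as at most 10 alerts per incident
    "dwell_time_days": ("<", 14),
    "coverage_ratio": (">", 0.95),
}


def hours(delta):
    return delta.total_seconds() / 3600


def safe_mean(values):
    """Mean of a list, or None when there is nothing to average (e.g. a month with no incidents)."""
    values = list(values)
    return mean(values) if values else None


def compute_metrics(alerts, incidents, assets):
    true_pos = [a for a in alerts if a["disposition"] == "true_positive"]
    false_pos = [a for a in alerts if a["disposition"] == "false_positive"]
    return {
        # MTTD: log event to SIEM alert, over true positives only (assumed definition)
        "mttd_hours": safe_mean(hours(a["raised"] - a["event"]) for a in true_pos),
        # MTTR: detection to containment (assumed definition)
        "mttr_hours": safe_mean(hours(i["contained"] - i["detected"]) for i in incidents),
        "false_positive_rate": len(false_pos) / len(alerts) if alerts else None,
        "alert_to_incident_ratio": len(alerts) / len(incidents) if incidents else None,
        # Dwell time: first attacker activity to detection, reported in days
        "dwell_time_days": (lambda v: None if v is None else v / 24)(
            safe_mean(hours(i["detected"] - i["first_activity"]) for i in incidents)),
        "coverage_ratio": assets["monitored"] / assets["total"] if assets["total"] else None,
    }


def evaluate_metrics(metrics, targets=TARGETS):
    """Return {metric: True/False} against the targets; a missing value never passes."""
    ops = {"<": lambda v, t: v < t, "<=": lambda v, t: v <= t, ">": lambda v, t: v > t}
    return {name: metrics[name] is not None and ops[op](metrics[name], thr)
            for name, (op, thr) in targets.items()}


if __name__ == "__main__":
    m = compute_metrics(ALERTS, INCIDENTS, ASSET_INVENTORY)
    for name, ok in evaluate_metrics(m).items():
        print(f"{name:26s} {m[name]:8.3f}  {'PASS' if ok else 'FAIL'}")
```

On the constructed month every metric passes except coverage: 37 of 40 assets is 92.5%, under the 95% target, which is exactly the gap an auditor looking at the "Coverage ratio" row would ask about. Keeping the definitions in code next to the targets also means the monthly dashboard can be regenerated from the ticketing system's export rather than assembled by hand.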
Compliance Requirements
Framework Mapping
| Requirement | ISO 27001 | SOC 2 | NIS2 | DORA |
|---|---|---|---|---|
| Continuous monitoring | A.8.15-A.8.16 | CC7.2 | Art. 21(2)(b) | Art. 10(1) |
| Incident detection | A.5.25 | CC7.3 | Art. 21(2)(b) | Art. 10(1) |
| Log management | A.8.15 | CC7.2 | Art. 21(2)(g) | Art. 10(2) |
| Incident response | A.5.26 | CC7.4 | Art. 23 | Art. 17 |
| Threat intelligence | A.5.7 | CC3.2 | Art. 21(2)(a) | Art. 13 |
| Reporting | A.5.27 | CC7.3 | Art. 23 | Art. 19 |
Audit Evidence
| Evidence Type | Description | Framework |
|---|---|---|
| SOC operating procedures | Documented processes for monitoring, detection, and response | All frameworks |
| Alert and incident logs | Records of alerts generated, investigated, and resolved | All frameworks |
| Detection rule inventory | Catalogue of active correlation rules and their coverage | ISO 27001, SOC 2 |
| Incident response reports | Documented investigations with timeline and resolution | All frameworks |
| SOC metrics dashboard | Monthly metrics showing MTTD, MTTR, alert volumes | All frameworks |
| Shift handover records | Documentation of coverage continuity and pending items | ISO 27001, DORA |
| Threat intelligence reports | Evidence of threat feed integration and analysis | NIS2, DORA |
Common Mistakes
| Mistake | Risk | Fix |
|---|---|---|
| Alert fatigue from untuned rules | Analysts miss real threats among noise | Continuously tune detection rules, aim for < 30% false positive rate |
| No 24/7 coverage | Threats go undetected during off-hours | Implement follow-the-sun, managed SOC, or on-call rotation |
| Collecting logs but not analysing them | Compliance checkbox without security value | Build correlation rules and conduct regular threat hunting |
| No incident playbooks | Inconsistent, slow response to incidents | Create and test playbooks for top 10 incident types |
| Siloed SOC and IT operations | Delayed containment and remediation | Integrate SOC with IT operations and cloud teams |
| No metrics or reporting | Cannot demonstrate SOC value or compliance | Implement monthly SOC metrics dashboard and trend reporting |
How Orbiq Supports SOC Compliance
Orbiq helps you demonstrate security operations effectiveness:
- Evidence collection — Centralise SOC procedures, incident reports, and metrics dashboards
- Continuous monitoring — Track SOC coverage and incident response performance
- Trust Center — Share your security monitoring posture via your Trust Center
- Compliance mapping — Map SOC capabilities to ISO 27001, SOC 2, NIS2, and DORA
- Audit readiness — Pre-built evidence packages for auditor review
Further Reading