Security Operations Center (SOC) Maturity Model Framework

Level 1: Initial (Ad-Hoc)

Level 1: Initial (Ad-Hoc)

Organizational Characteristics

The SOC operates reactively with minimal formal processes. Security monitoring is inconsistent, with limited tooling and undefined responsibilities. Incident response is chaotic and driven by individual heroics rather than documented procedures.

SFIA Skills Required by Role

SOC Analyst (Tier 1) - Junior/Entry Level

SFIA Skill Code	Skill Name	Required Level	Application in Role
INCA	Incident management	Level 2	Assist with logging and tracking security incidents using basic ticketing systems
SCAD	Security administration	Level 2	Assist with monitoring basic security tools (antivirus, firewall logs)
NTAS	Network support	Level 2	Understand basic network protocols and connectivity for incident context
USUP	User support	Level 2	Respond to user-reported security concerns and provide initial guidance
Know	Knowledge management	Level 1-2	Document incident activities and maintain basic records

SOC Analyst (Tier 2) - Intermediate Level

SFIA Skill Code	Skill Name	Required Level	Application in Role
INCA	Incident management	Level 3	Apply incident response procedures independently for common scenarios
FORS	IT forensics	Level 2-3	Assist with or apply basic forensic evidence collection
SCAD	Security administration	Level 3	Apply security controls and respond to security events
VISL	Vulnerability assessment	Level 2	Assist with vulnerability identification and basic analysis

SOC Manager

SFIA Skill Code	Skill Name	Required Level	Application in Role
IRMG	Information security	Level 3-4	Apply security principles and enable basic security operations
INCA	Incident management	Level 4	Enable effective incident response and ensure team capability
PEDG	People management	Level 3-4	Apply team management and enable performance under constraints
BURM	Business risk management	Level 3	Apply risk assessment to security decisions

Real-World Example

A small healthcare clinic with 200 employees has one IT person handling security reactively, checking antivirus alerts when time permits, with no formal processes or documentation.

Level 2: Developing (Repeatable)

Level 2: Developing (Repeatable)

Organizational Characteristics

The SOC has defined basic processes and some automation. Security monitoring occurs during business hours with documented escalation paths. Basic playbooks exist for common scenarios.

SFIA Skills Required by Role

SOC Analyst (Tier 1) - Foundational Level

SFIA Skill Code	Skill Name	Required Level	Application in Role
INCA	Incident management	Level 3	Apply documented playbooks and escalation procedures independently
SCAD	Security administration	Level 3	Apply SIEM queries and monitor security events using defined processes
BUAN	Business analysis	Level 2-3	Analyze alert patterns and identify false positives
EMRG	Vulnerability research	Level 2	Assist with identifying and categorizing security vulnerabilities
KNOW	Knowledge management	Level 2-3	Contribute to knowledge base and document procedures
ITMG	IT management	Level 2	Understand the IT environment and business context for incidents

SOC Analyst (Tier 2) - Intermediate Level

SFIA Skill Code	Skill Name	Required Level	Application in Role
FORS	IT forensics	Level 3	Apply forensic techniques to investigate incidents independently
INCA	Incident management	Level 3-4	Apply advanced incident analysis and enable team response
SCAD	Security administration	Level 3-4	Apply security controls and enable threat detection capabilities
PROG	Programming/software development	Level 2-3	Assist with or apply scripting for automation (Python, PowerShell)
VISL	Vulnerability assessment	Level 3	Apply vulnerability analysis and prioritization
EMRG	Vulnerability research	Level 3	Apply threat research and IoC analysis
MALW	Malware analysis*	Level 2-3	Assist with or apply basic malware identification and analysis

*Note: MALW is not a standard SFIA code but represents specialized security analysis

SOC Analyst (Tier 3) / Threat Hunter

SFIA Skill Code	Skill Name	Required Level	Application in Role
EMRG	Vulnerability research	Level 3-4	Apply threat hunting techniques and enable proactive defense
INCA	Incident management	Level 4	Enable complex incident response and mentor junior analysts
BUAN	Business analysis	Level 3-4	Apply behavioral analysis and anomaly detection
SCAD	Security administration	Level 4	Enable custom detection rule development

SOC Manager

SFIA Skill Code	Skill Name	Required Level	Application in Role
IRMG	Information security	Level 4	Enable security operations aligned with frameworks (NIST, SANS)
INCA	Incident management	Level 4-5	Enable effective incident management and ensure process maturity
PEDG	People management	Level 4	Enable team performance through leadership and development
BURM	Business risk management	Level 4	Enable risk-based decision making for security operations
CFMG	Financial management	Level 3-4	Apply budget management for SOC operations
SUPP	Supplier management	Level 3-4	Apply vendor management for security tools and services
MEAS	Measurement	Level 3-4	Apply metrics tracking (MTTD, MTTR) and reporting

Security Engineer

SFIA Skill Code	Skill Name	Required Level	Application in Role
SCAD	Security administration	Level 3-4	Apply SIEM administration and enable tool integration
ARCH	Solution architecture	Level 3	Apply security architecture principles to SOC infrastructure
DESN	Systems design	Level 3	Apply design principles for security tool deployment
SYSP	Systems integration	Level 3-4	Apply integration of security tools via APIs and agents

Real-World Example

A financial services company with 1,000 employees operates a 5-person SOC (8x5). They use a SIEM with documented playbooks for ransomware, phishing, and DDoS attacks, following standardized procedures with defined escalation paths.

Level 3: Defined (Managed)

Level 3: Defined (Managed)

Organizational Characteristics

The SOC operates 24x7 with clear roles, standardized processes, and continuous improvement. Proactive threat hunting occurs regularly with strong integration across security functions and business units.

SFIA Skills Required by Role

SOC Analyst (Tier 1) - Foundational Level

SFIA Skill Code	Skill Name	Required Level	Application in Role
INCA	Incident management	Level 3-4	Apply complex incident procedures and enable automated workflows
SCAD	Security administration	Level 4	Enable SIEM mastery and multi-source alert correlation
BUAN	Business analysis	Level 3	Apply cloud security monitoring and alert correlation
ITMG	IT management	Level 3	Apply knowledge of IT infrastructure including cloud (AWS/Azure/GCP)
VISL	Vulnerability assessment	Level 3	Apply vulnerability context to security events
GOVN	Governance	Level 2-3	Assist with or apply compliance requirements (PCI-DSS, HIPAA, ISO 27001)
EMRG	Vulnerability research	Level 3	Apply threat intelligence consumption and IoC analysis

SOC Analyst (Tier 2) - Intermediate Level

SFIA Skill Code	Skill Name	Required Level	Application in Role
FORS	IT forensics	Level 4	Enable network and memory forensics investigations
INCA	Incident management	Level 4	Enable advanced incident response including APT investigations
SCAD	Security administration	Level 4	Enable security across hybrid and cloud environments
PROG	Programming/software development	Level 3-4	Apply scripting and enable automation development
EMRG	Vulnerability research	Level 4	Enable malware reverse engineering and threat actor profiling
METL	Methods and tools	Level 4	Enable MITRE ATT&CK framework application and kill chain analysis
ARCH	Solution architecture	Level 3	Apply understanding of cloud architecture security
NTAS	Network support	Level 4	Enable deep packet inspection and network forensics

SOC Analyst (Tier 3) / Threat Hunter - Advanced Level

SFIA Skill Code	Skill Name	Required Level	Application in Role
EMRG	Vulnerability research	Level 4-5	Enable hypothesis-driven threat hunting and ensure detection effectiveness
INCA	Incident management	Level 4-5	Enable complex investigations and ensure team capability
BUAN	Business analysis	Level 4	Enable statistical analysis and behavioral anomaly detection
SCAD	Security administration	Level 4-5	Enable custom detection engineering at scale
DTAN	Data analysis	Level 4	Enable data science for security analytics
PROG	Programming/software development	Level 4	Enable automation and tool development (Python, R)
METL	Methods and tools	Level 4-5	Enable TTPs mapping and ensure MITRE ATT&CK utilization

Incident Response Lead

SFIA Skill Code	Skill Name	Required Level	Application in Role
INCA	Incident management	Level 5	Ensure effective incident command and coordination
FORS	IT forensics	Level 4-5	Enable DFIR and ensure forensic integrity
BURM	Business risk management	Level 4-5	Enable business impact analysis and ensure risk communication
RLMT	Relationship management	Level 4-5	Enable stakeholder coordination including legal and regulatory
GOVN	Governance	Level 4	Enable compliance during incident response
КОМ	Communication*	Level 5	Ensure effective crisis communication

*Note: Using approximation as SFIA doesn't have direct "communication" code

SOC Manager

SFIA Skill Code	Skill Name	Required Level	Application in Role
IRMG	Information security	Level 5	Ensure strategic security operations aligned with business objectives
INCA	Incident management	Level 5	Ensure program effectiveness and advise on incident management strategy
PEDG	People management	Level 4-5	Enable team development and ensure succession planning
BURM	Business risk management	Level 4-5	Enable risk frameworks and ensure risk-based decisions
CFMG	Financial management	Level 4-5	Enable budget optimization and resource allocation
PRMG	Programme management	Level 4	Enable SOC improvement programs and initiatives
RLMT	Relationship management	Level 4-5	Enable executive communication and stakeholder management
MEAS	Measurement	Level 4-5	Enable advanced metrics and ensure performance reporting

Security Engineer/Architect

SFIA Skill Code	Skill Name	Required Level	Application in Role
ARCH	Solution architecture	Level 4-5	Enable security architecture design and ensure alignment
SCAD	Security administration	Level 4-5	Enable SIEM/SOAR engineering and ensure optimization
PROG	Programming/software development	Level 4	Enable API development and integration
DESN	Systems design	Level 4	Enable security infrastructure design
EMRG	Vulnerability research	Level 4	Enable detection engineering at scale
HCEV	Systems development management	Level 3-4	Apply infrastructure as code (Terraform, Ansible)

Threat Intelligence Analyst

SFIA Skill Code	Skill Name	Required Level	Application in Role
EMRG	Vulnerability research	Level 4	Enable OSINT collection and threat actor tracking
INCA	Incident management	Level 3-4	Apply intelligence to incident context
BUAN	Business analysis	Level 4	Enable intelligence analysis and reporting
INFO	Information management	Level 4	Enable indicator management and sharing (STIX, TAXII)
KNOW	Knowledge management	Level 4	Enable intelligence documentation and dissemination

Real-World Example

A multinational manufacturing company with 10,000 employees operates a 15-person SOC across two geographies. When behavioral analytics detect anomalous database queries at 2 AM, automated enrichment workflows trigger, SOAR platform creates tickets, and automated containment actions execute while the Tier 2 analyst investigates credential compromise.

Level 4: Managed (Quantitatively Controlled)

Level 4: Managed (Quantitatively Controlled)

Organizational Characteristics

The SOC operates as a strategic business enabler with predictable, measurable outcomes. Advanced analytics, machine learning, and threat intelligence drive decision-making. Performance is measured against industry benchmarks with continuous optimization.

SFIA Skills Required by Role

SOC Analyst (Tier 1) - Foundational Level

SFIA Skill Code	Skill Name	Required Level	Application in Role
INCA	Incident management	Level 4	Enable advanced automation and orchestration workflows
SCAD	Security administration	Level 4-5	Enable cross-domain correlation and ensure detection quality
BUAN	Business analysis	Level 4	Enable ML alert interpretation and risk-based prioritization
DTAN	Data analysis	Level 3-4	Apply advanced analytics to security data
GOVN	Governance	Level 3-4	Apply compliance automation and reporting

SOC Analyst (Tier 2) - Intermediate Level

SFIA Skill Code	Skill Name	Required Level	Application in Role
FORS	IT forensics	Level 4-5	Enable advanced forensics and ensure investigative excellence
INCA	Incident management	Level 4-5	Enable complex response and ensure incident handling quality
EMRG	Vulnerability research	Level 5	Ensure threat research quality and advise on emerging threats
PROG	Programming/software development	Level 4-5	Enable tool development and automation at scale
SCAD	Security administration	Level 5	Ensure security control effectiveness across enterprise
METL	Methods and tools	Level 5	Ensure methodology application and tool optimization

SOC Analyst (Tier 3) / Threat Hunter - Expert Level

SFIA Skill Code	Skill Name	Required Level	Application in Role
EMRG	Vulnerability research	Level 5-6	Ensure advanced threat detection and initiate hunting programs
DTAN	Data analysis	Level 5	Ensure analytics-driven threat detection and predictive modeling
INCA	Incident management	Level 5	Ensure hunting program effectiveness and advise on threats
SCAD	Security administration	Level 5	Ensure detection engineering excellence
BUAN	Business analysis	Level 5	Ensure behavioral analytics and business-aligned threat priorities
PROG	Programming/software development	Level 5	Ensure automation and advanced tool development
KNOW	Knowledge management	Level 5	Ensure knowledge sharing and industry contribution

Incident Response Lead / DFIR Manager

SFIA Skill Code	Skill Name	Required Level	Application in Role
INCA	Incident management	Level 5-6	Ensure IR program excellence and initiate strategic improvements
FORS	IT forensics	Level 5-6	Ensure forensic program quality and initiate advanced capabilities
BURM	Business risk management	Level 5	Ensure risk quantification and advise executives
RLMT	Relationship management	Level 5	Ensure stakeholder engagement including law enforcement
GOVN	Governance	Level 5	Ensure regulatory compliance and advise on legal matters
METL	Methods and tools	Level 5	Ensure methodology adherence and continuous improvement

SOC Manager / SOC Director

SFIA Skill Code	Skill Name	Required Level	Application in Role
IRMG	Information security	Level 5-6	Ensure security operations excellence and initiate strategic programs
INCA	Incident management	Level 5-6	Ensure incident program maturity and initiate industry improvements
PEDG	People management	Level 5-6	Ensure team excellence and initiate talent development programs
BURM	Business risk management	Level 5-6	Ensure risk-based operations and initiate risk management strategy
CFMG	Financial management	Level 5	Ensure budget effectiveness and value demonstration
PRMG	Programme management	Level 5	Ensure program delivery and strategic initiative success
RLMT	Relationship management	Level 5-6	Ensure executive alignment and initiate strategic partnerships
MEAS	Measurement	Level 5	Ensure metrics program and predictive performance analysis
GOVN	Governance	Level 5	Ensure compliance and advise on security governance

Principal Security Architect

SFIA Skill Code	Skill Name	Required Level	Application in Role
ARCH	Solution architecture	Level 5-6	Ensure architecture excellence and initiate strategic designs
SCAD	Security administration	Level 5-6	Ensure platform excellence and initiate next-gen capabilities
TECH	Emerging technology monitoring	Level 5	Ensure awareness of emerging threats and technologies
DESN	Systems design	Level 5	Ensure design quality and innovation
PROG	Programming/software development	Level 5	Ensure development standards and automation architecture
IRMG	Information security	Level 5	Ensure security architecture alignment with strategy

Lead Threat Intelligence Analyst

SFIA Skill Code	Skill Name	Required Level	Application in Role
EMRG	Vulnerability research	Level 5-6	Ensure intelligence program quality and initiate threat research
BUAN	Business analysis	Level 5	Ensure intelligence drives business decisions
INFO	Information management	Level 5	Ensure intelligence sharing and industry collaboration
KNOW	Knowledge management	Level 5	Ensure knowledge dissemination and thought leadership
RLMT	Relationship management	Level 5	Ensure external intelligence partnerships (ISACs, law enforcement)

Security Data Scientist

SFIA Skill Code	Skill Name	Required Level	Application in Role
DTAN	Data analysis	Level 5	Ensure advanced analytics and predictive modeling
PROG	Programming/software development	Level 4-5	Enable ML/AI model development for security
SCAD	Security administration	Level 4	Enable security data pipeline and analytics integration
METL	Methods and tools	Level 5	Ensure analytical methodology and statistical rigor

Real-World Example

A global technology company with 50,000 employees operates a 40-person SOC with predictive threat modeling. Machine learning detects credential stuffing patterns before widespread compromise. Automated SOAR playbooks handle 85% of routine incidents. The SOC publishes threat research, shares intelligence with ISACs, and regularly briefs the board with quantified risk metrics. Annual red team exercises show measurable year-over-year improvements in detection and response times.

Level 5: Optimizing (Continuously Improving)

Level 5: Optimizing (Continuously Improving)

Organizational Characteristics

The SOC is an industry leader driving innovation in threat detection and response. Continuous optimization through advanced research, automation, and strategic intelligence. The organization influences industry standards and contributes to the global security community.

SFIA Skills Required by Role

SOC Leadership (Director/VP Level)

SFIA Skill Code	Skill Name	Required Level	Application in Role
IRMG	Information security	Level 6-7	Initiate industry-leading security operations and set organizational strategy
INCA	Incident management	Level 6	Initiate global incident response capabilities and influence industry standards
STPL	Strategic planning	Level 6-7	Set security operations strategy aligned with business transformation
BURM	Business risk management	Level 6	Initiate risk management innovation and influence enterprise risk strategy
ORDI	Organizational design	Level 5-6	Ensure organizational structure supports innovation and strategic goals
PEDG	People management	Level 6	Initiate talent programs and inspire security professionals globally
RLMT	Relationship management	Level 6-7	Initiate strategic partnerships and influence industry direction

Principal/Distinguished Engineer

SFIA Skill Code	Skill Name	Required Level	Application in Role
ARCH	Solution architecture	Level 6-7	Initiate revolutionary security architectures and set industry direction
TECH	Emerging technology monitoring	Level 6	Initiate research programs and influence technology adoption
EMRG	Vulnerability research	Level 6	Initiate advanced research and publish industry-recognized findings
IRMG	Information security	Level 6	Initiate security innovation and influence global security practices

Senior Staff Roles (All Functions)

SFIA Skill Code	Skill Name	Required Level	Application in Role
KNOW	Knowledge management	Level 6	Initiate knowledge sharing programs and influence industry education
METL	Methods and tools	Level 6	Initiate methodology development and set industry standards
GOVN	Governance	Level 6	Initiate governance frameworks and influence regulatory approaches

Real-World Example

A Fortune 100 financial institution operates a 100+ person global SOC that has published multiple CVEs, contributes to MITRE ATT&CK, and partners with national CERTs. Their custom ML models predict zero-day exploitation with 72-hour lead time. They've open-sourced threat hunting frameworks used by 500+ organizations globally. The CISO regularly testifies before regulatory bodies on cybersecurity best practices.