In a SOC's tiered analyst model, how do Level 1 and Level 2 analysts differ in what they do?
Level 1 analysts triage and filter incoming alerts (exclude false positives, register and categorise); Level 2 analysts perform deeper analysis, propose counter-measures and escalate.
* SOC escalation — Event becomes Alert; L1 triages (dropping false positives); L2 analyses real cases and escalates. *
A tiered SOC uses an escalation funnel. Level 1 (L1): the front line — they handle the high volume of alerts from the SOC platform, weed out false positives, register and categorise/prioritise the rest. Level 2 (L2): the deeper specialists — they analyse the genuine incidents L1 escalates, decide and propose counter-measures, and escalate further (to L3 or to customer/IT) when needed. This division keeps scarce senior expertise focused on real threats rather than noise.