Manzill Surolia

Analysis · 16 Jul 2026

SOC · SIEM · SOAR

Three acronyms, one pipeline. The SIEM sees, the SOAR acts, and the SOC decides — here is exactly where each begins and ends.

3layers: SOC · SIEM · SOAR
5SOC roles, T1 → manager
2clocks that grade you: MTTD & MTTR
24×7the SOC never closes
XDRwhere the three are merging

People say “SOC/SIEM/SOAR” as if it were one thing. It’s three, and they answer different questions. The SIEM is the sensor grid — it ingests logs and raises alerts. The SOAR is the reflex arc — it executes the repetitive response automatically. The SOC is the team and the judgement — the humans who triage, hunt and decide. Get the division of labour wrong and you drown analysts in alerts; get it right and you shrink the only two numbers that matter, MTTD and MTTR.

Sources
Firewalls, endpoints, cloud, apps, identity
SIEM
Ingest → correlate → alert
SOC
Triage → investigate → decide
SOAR
Enrich → contain → close

1 · The Three Layers, Side by Side

Each layer has a distinct input, job and output. The confusion in most teams is treating the SIEM as if it also does response, or expecting SOAR to make decisions it was never meant to make.

LayerWhat it isIts jobWhere it stops
SIEM
Security Information & Event Management
The log brainIngest & normalise logs, correlate events, detect (rules + behaviour), alert, report for complianceIt sees and flags — it does not act
SOC
Security Operations Center
The people & processTriage alerts, investigate, hunt, contain, run incident response 24×7It decides — humans own judgement
SOAR
Security Orchestration, Automation & Response
The reflex arcAutomate enrichment, run playbooks, create tickets, disable accounts, block IPs, manage casesIt acts on decisions — within guardrails

▸ A one-line memory hook: SIEM sees, SOC decides, SOAR acts. Buying one and expecting the others’ value is the most common security-ops mistake.

2 · Inside the SOC: Roles & the Escalation Pipeline

The SOC is a tiered assembly line. An alert flows up only as far as it needs to — most die at Tier 1; the interesting ones climb toward hunting and incident response, with the manager owning the numbers.

RoleOwnsTypical work
Tier 1 — AnalystTriageFirst look at every alert; dismiss false positives, escalate real ones
Tier 2 — AnalystDeep analysisInvestigate escalations, scope the impact, begin containment
Threat HunterProactive detectionSearch for threats that never raised an alert; write new detections
Incident ResponderContainment → recoveryContain, eradicate and recover from confirmed incidents
SOC ManagerStrategy & KPIsCoordinate the team, own MTTD/MTTR, report to leadership

▸ The whole machine is graded on two clocks: MTTD (mean time to detect) and MTTR (mean time to respond). Every tool and tier exists to pull those numbers down.

3 · Where SOAR Automation Actually Pays

A SIEM’s weakness is what it hands the SOC: high false-positive volume and investigations that are still manual, which slows response. SOAR earns its keep by automating the repetitive, deterministic parts — the steps an analyst does the same way every time — and leaving judgement to people.

SOAR playbookAutomatesAnalyst time saved on
Phishing responseParse report, detonate URL/attachment, pull related mail, quarantineRepetitive triage of look-alike reports
Credential-compromise responseDisable account, revoke sessions, force reset, notifyManual identity clean-up
Malware containmentIsolate endpoint, block hash, open ticketSwivel-chair between EDR & ITSM
Suspicious-login handlingEnrich geo/IP, check risk, step-up or blockCopy-paste threat-intel lookups
IP / domain blockingPush indicators to firewall/proxy, log the changeManual control-plane edits

▸ Automate the deterministic, escalate the ambiguous. SOAR’s payoff is faster, more consistent response and lower human error — not replacing the analyst’s judgement.

4 · The Convergence: It’s Becoming XDR

The classic SIEM + SOAR + EDR + NDR stack is fusing into a single detection-and-response plane branded XDR. The driver is the same pain this article describes: separate consoles mean analysts swivel between tools, correlation is manual, and MTTR suffers. XDR pre-correlates across endpoint, network and cloud and ships response actions in the box — folding much of what a bolt-on SIEM+SOAR did into one product.

▸ See The Cybersecurity Tooling Landscape for how XDR (and CNAPP, and the identity fabric) are absorbing the point tools around them.

Bottom line

  • SIEM sees, SOC decides, SOAR acts — three layers, three jobs; don’t buy one expecting another’s value.
  • The SOC is tiered — alerts climb T1 → T2 → hunt/IR only as far as they must; most die at triage.
  • Two clocks grade everything — MTTD and MTTR; every tier and tool exists to lower them.
  • Automate the deterministic — SOAR’s value is repeatable playbooks, not judgement.
  • The stack is converging — SIEM + SOAR + EDR + NDR are collapsing into XDR.

Sources & method. The layer responsibilities, SOC roles, SIEM capabilities/limitations and SOAR playbooks reflect standard security-operations practice (e.g. the roles and MTTD/MTTR goals used across SOC programmes). This is an original synthesis for orientation; no third-party graphics or text are reproduced.