People say “SOC/SIEM/SOAR” as if it were one thing. It’s three, and they answer different questions. The SIEM is the sensor grid — it ingests logs and raises alerts. The SOAR is the reflex arc — it executes the repetitive response automatically. The SOC is the team and the judgement — the humans who triage, hunt and decide. Get the division of labour wrong and you drown analysts in alerts; get it right and you shrink the only two numbers that matter, MTTD and MTTR.
1 · The Three Layers, Side by Side
Each layer has a distinct input, job and output. The confusion in most teams is treating the SIEM as if it also does response, or expecting SOAR to make decisions it was never meant to make.
| Layer | What it is | Its job | Where it stops |
|---|---|---|---|
| SIEM Security Information & Event Management | The log brain | Ingest & normalise logs, correlate events, detect (rules + behaviour), alert, report for compliance | It sees and flags — it does not act |
| SOC Security Operations Center | The people & process | Triage alerts, investigate, hunt, contain, run incident response 24×7 | It decides — humans own judgement |
| SOAR Security Orchestration, Automation & Response | The reflex arc | Automate enrichment, run playbooks, create tickets, disable accounts, block IPs, manage cases | It acts on decisions — within guardrails |
▸ A one-line memory hook: SIEM sees, SOC decides, SOAR acts. Buying one and expecting the others’ value is the most common security-ops mistake.
2 · Inside the SOC: Roles & the Escalation Pipeline
The SOC is a tiered assembly line. An alert flows up only as far as it needs to — most die at Tier 1; the interesting ones climb toward hunting and incident response, with the manager owning the numbers.
| Role | Owns | Typical work |
|---|---|---|
| Tier 1 — Analyst | Triage | First look at every alert; dismiss false positives, escalate real ones |
| Tier 2 — Analyst | Deep analysis | Investigate escalations, scope the impact, begin containment |
| Threat Hunter | Proactive detection | Search for threats that never raised an alert; write new detections |
| Incident Responder | Containment → recovery | Contain, eradicate and recover from confirmed incidents |
| SOC Manager | Strategy & KPIs | Coordinate the team, own MTTD/MTTR, report to leadership |
▸ The whole machine is graded on two clocks: MTTD (mean time to detect) and MTTR (mean time to respond). Every tool and tier exists to pull those numbers down.
3 · Where SOAR Automation Actually Pays
A SIEM’s weakness is what it hands the SOC: high false-positive volume and investigations that are still manual, which slows response. SOAR earns its keep by automating the repetitive, deterministic parts — the steps an analyst does the same way every time — and leaving judgement to people.
| SOAR playbook | Automates | Analyst time saved on |
|---|---|---|
| Phishing response | Parse report, detonate URL/attachment, pull related mail, quarantine | Repetitive triage of look-alike reports |
| Credential-compromise response | Disable account, revoke sessions, force reset, notify | Manual identity clean-up |
| Malware containment | Isolate endpoint, block hash, open ticket | Swivel-chair between EDR & ITSM |
| Suspicious-login handling | Enrich geo/IP, check risk, step-up or block | Copy-paste threat-intel lookups |
| IP / domain blocking | Push indicators to firewall/proxy, log the change | Manual control-plane edits |
▸ Automate the deterministic, escalate the ambiguous. SOAR’s payoff is faster, more consistent response and lower human error — not replacing the analyst’s judgement.
4 · The Convergence: It’s Becoming XDR
The classic SIEM + SOAR + EDR + NDR stack is fusing into a single detection-and-response plane branded XDR. The driver is the same pain this article describes: separate consoles mean analysts swivel between tools, correlation is manual, and MTTR suffers. XDR pre-correlates across endpoint, network and cloud and ships response actions in the box — folding much of what a bolt-on SIEM+SOAR did into one product.
▸ See The Cybersecurity Tooling Landscape for how XDR (and CNAPP, and the identity fabric) are absorbing the point tools around them.
Bottom line
- SIEM sees, SOC decides, SOAR acts — three layers, three jobs; don’t buy one expecting another’s value.
- The SOC is tiered — alerts climb T1 → T2 → hunt/IR only as far as they must; most die at triage.
- Two clocks grade everything — MTTD and MTTR; every tier and tool exists to lower them.
- Automate the deterministic — SOAR’s value is repeatable playbooks, not judgement.
- The stack is converging — SIEM + SOAR + EDR + NDR are collapsing into XDR.
Sources & method. The layer responsibilities, SOC roles, SIEM capabilities/limitations and SOAR playbooks reflect standard security-operations practice (e.g. the roles and MTTD/MTTR goals used across SOC programmes). This is an original synthesis for orientation; no third-party graphics or text are reproduced.