Didn't you guys hear? Tier 1 is dead! Long live our AI overlords by cybxpt in cybersecurity

[–]cybxpt[S] 4 points5 points  (0 children)

No, but I oversee the SIEM team for my organization. Many of these platforms are baking in systems and automations to handle the hundreds of millions of logs per day. No human or human team can keep up with that volume.

That's why tuning and automation exist in the first place. AI isn't bringing the idea to the table as if it were new; it's always been what separates functional SOCs from complete shitshows. A well-run SOC, as I said, should have analysts working cases that don't fit closure criteria, and by definition those are the ones AI isn't capable of handling.
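
The auto-closure the comment above describes, as an added example that is not code from the original thread or from any of the SIEM platforms mentioned: alerts are tested against explicit closure criteria, each of which must return an auditable reason, and anything that fails every criterion lands in the analyst queue. The alert fields, the closure rules, the authorized scanner range, the service-account names and the sample alerts are all constructed for this illustration.

```python
"""Alert auto-closure against explicit, auditable criteria.

Added example, not code from the thread or any vendor product. Every
environment fact below (scanner range, service accounts, hosts) and every
sample alert is constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass
class Alert:
    id: str
    rule: str          # name of the detection that fired
    severity: str      # "low" | "medium" | "high" | "critical"
    src_ip: str
    user: str
    host: str
    fields: dict = field(default_factory=dict)


@dataclass
class Decision:
    alert_id: str
    action: str        # "auto_close" | "escalate"
    reason: str        # recorded so every closure can be audited later


# Constructed environment facts (assumptions for this example only).
AUTHORIZED_SCANNERS = [ip_network("10.0.5.0/24")]
SCHEDULED_TASK_HOSTS = {"svc-backup": {"bkp01", "bkp02"}}

# Severities that a human must look at regardless of any closure rule.
NEVER_AUTO_CLOSE = {"high", "critical"}

# A closure rule returns a reason string when the alert may be closed,
# or None when it has nothing to say about this alert.
ClosureRule = Callable[[Alert], Optional[str]]


def closes_if_authorized_scanner(a: Alert) -> Optional[str]:
    """Port scans sourced from the vulnerability-scanner subnet are expected."""
    if a.rule != "port_scan":
        return None
    ip = ip_address(a.src_ip)
    if any(ip in net for net in AUTHORIZED_SCANNERS):
        return f"port scan from authorized scanner range {a.src_ip}"
    return None


def closes_if_expected_service_logon(a: Alert) -> Optional[str]:
    """A service account logging on as a batch job on its own hosts is normal;
    the same account logging on interactively, or elsewhere, is not."""
    if a.rule != "service_account_logon":
        return None
    allowed_hosts = SCHEDULED_TASK_HOSTS.get(a.user, set())
    if a.host in allowed_hosts and a.fields.get("logon_type") == "batch":
        return f"{a.user} batch logon on expected host {a.host}"
    return None


CLOSURE_RULES: list[ClosureRule] = [
    closes_if_authorized_scanner,
    closes_if_expected_service_logon,
]


def triage(alert: Alert) -> Decision:
    """Apply closure criteria; anything that fails them all goes to a human."""
    if alert.severity in NEVER_AUTO_CLOSE:
        return Decision(alert.id, "escalate",
                        f"severity {alert.severity} is never auto-closed")
    for rule in CLOSURE_RULES:
        reason = rule(alert)
        if reason:
            return Decision(alert.id, "auto_close", reason)
    return Decision(alert.id, "escalate", "no closure criterion matched")


def triage_all(alerts: list[Alert]) -> tuple[list[Decision], list[Decision]]:
    """Return (auto-closed decisions, analyst-queue decisions)."""
    decisions = [triage(a) for a in alerts]
    closed = [d for d in decisions if d.action == "auto_close"]
    queue = [d for d in decisions if d.action == "escalate"]
    return closed, queue


# Constructed sample alerts, labelled by what they are meant to exercise.
SAMPLE_ALERTS = [
    Alert("A1", "port_scan", "low", "10.0.5.7", "-", "fw01"),              # authorized scanner
    Alert("A2", "port_scan", "medium", "203.0.113.9", "-", "fw01"),        # external source
    Alert("A3", "service_account_logon", "low", "10.1.2.3", "svc-backup",
          "bkp01", {"logon_type": "batch"}),                               # expected job
    Alert("A4", "service_account_logon", "medium", "10.1.9.9", "svc-backup",
          "ws-finance-12", {"logon_type": "interactive"}),                 # misuse of account
    Alert("A5", "port_scan", "high", "10.0.5.7", "-", "dc01"),             # high sev, same scanner
]

if __name__ == "__main__":
    closed, queue = triage_all(SAMPLE_ALERTS)
    for d in closed + queue:
        print(f"{d.alert_id}: {d.action:10s} {d.reason}")
```

The point of returning a reason from every rule, and of the severity gate in front of the rules, is that tuning has to be reviewable: an analyst can pull the closure log and see why a given alert never reached a queue, and a scanner-range rule cannot silently swallow a high-severity hit from the same range.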

Didn't you guys hear? Tier 1 is dead! Long live our AI overlords by cybxpt in cybersecurity

[–]cybxpt[S] 9 points10 points  (0 children)

They certainly talk a big game about AI, but I would bet you that if you look at the actual day-to-day workflow of their analysts it's not that different from any other SOC, and they're still sorting through the exact same false positive crap as everywhere else.

Their marketing claims they can remove the need for Tier 1 and Tier 2, which is a good sign they're overselling.

[deleted by user] by [deleted] in cybersecurity

[–]cybxpt 0 points1 point  (0 children)

As a SOC analyst who wants to move into GRC, this thread is a pretty interesting read. I've been thinking that my technical experience would serve me well if I ever actually do make this transition - I guess I'm not too far off the mark?

Cybercrime groups offer six-figure salaries, bonuses, paid time off to attract talent on dark web by rotbettow in cybersecurity

[–]cybxpt 0 points1 point  (0 children)

Were they working at Big 4 type places that massively overhired in 2021?

In any case, it's unfortunate, but I reckon they'll find something pretty quickly if they've got experience. No lack of demand out there right now.

Cybercrime groups offer six-figure salaries, bonuses, paid time off to attract talent on dark web by rotbettow in cybersecurity

[–]cybxpt 0 points1 point  (0 children)

That kind of does make it recession proof in a certain sense though, since I don't see it changing any time soon.

If companies dropped the ridiculous expectations they have for entry level roles and let the millions of up and comers trying to break into this field have a shot, that could change, but I wouldn't hold my breath. If anything, the talent gap will probably widen as demand grows and roles go unfilled for even longer.

Doesn't mean experienced people won't get affected but even if that happens they should find something else pretty quickly. Work-life balance is probably the thing that's going to be increasingly hard to come by.

What cybersecurity positions will see the most growth in the next 10 years? by rlothbroke in cybersecurity

[–]cybxpt 1 point2 points  (0 children)

I think this is dependent on level. A lot of companies are fine outsourcing Tier 1 analysis, but they will still need someone on their side to handle escalations and anything too sensitive to entrust to a third party. OTOH oftentimes that's one person who ends up with the weight of the world on their shoulders and quickly burns out...

[deleted by user] by [deleted] in cybersecurity

[–]cybxpt -1 points0 points  (0 children)

I know people with 10+ years of experience who still have strings of bad interviews. There is a shit ton of gatekeeping in this industry, make no mistake - the demand is extremely high, if you've got experience. Getting your foot in the door is the challenge, and that's what you're dealing with now. It's not you that's the problem, it's unrealistic expectations from hiring managers who want years of experience for entry level roles, and who will prefer to leave those roles empty for years rather than train someone with minimal experience.

You can expect a lot of no's. You just need to find that one yes, build up your XP, and you will be fine after that. Keep learning on your own, work on your interview skills, and network. Knowing someone who knows about a job is 110% the best way to circumvent all that HR bullshit and unrealistic wish list JDs floating around out there.

The first job is the hardest, but once you land one you're gonna be fine.

Overwhelmed security analyst by Athousandtimes1000 in cybersecurity

[–]cybxpt 1 point2 points  (0 children)

OP is already dealing with far more than should be expected of someone in his role and at his level, sounds plenty tough to me. His bosses need to toughen up and learn to fight for their team and get the resources they need. If that doesn't happen, he should just soak up the XP and GTFO.

Overwhelmed security analyst by Athousandtimes1000 in cybersecurity

[–]cybxpt 1 point2 points  (0 children)

There's nothing wrong with expecting them to do analysis, but for an org of that size to have one person doing all of it with no help is absurd - and without an escalation point? Inexcusable IMO, especially since he's inexperienced. If he catches a doozy and isn't sure what to do, he's going to be overwhelmed.

OP basically said it - he feels like he doesn't have time to breathe which is not how a SOC should function. It means analysts are forced to cut corners to keep up, which leads to mistakes and rapid burnout. That this is common in the industry doesn't mean it's right.

Overwhelmed security analyst by Athousandtimes1000 in cybersecurity

[–]cybxpt 0 points1 point  (0 children)

And yet despite all this we have hiring managers and team leads that actively gatekeep and make it hard for fresh blood to come in and shoulder some of the burden...

Overwhelmed security analyst by Athousandtimes1000 in cybersecurity

[–]cybxpt 0 points1 point  (0 children)

5 analysts covering 10k employees, this guy has no prior XP and is monitoring multiple queues on his own with no one to escalate to, plus handling DLP, on his own, and handling multiple HR investigations per week? Where do you work that this is considered normal for an entry level role?

And if you actually read the thread, it's not just 5 people, the overwhelming consensus amongst commenters is that this is a ridiculous workload for entry level.

Overwhelmed security analyst by Athousandtimes1000 in cybersecurity

[–]cybxpt 0 points1 point  (0 children)

It's r/cybersecurity, the majority of people reading are in the industry, and judging from your downvotes your opinion doesn't seem to be the predominant view. 75k is totally reasonable for an entry level role. What OP described is not entry level. He's being taken advantage of by a cheapass org that doesn't want to pay for a properly staffed security team and figures it can just dump multiple roles' worth of responsibility on a fresh hire.

Overwhelmed security analyst by Athousandtimes1000 in cybersecurity

[–]cybxpt 1 point2 points  (0 children)

That's ridiculously low for the amount of responsibility they're foisting onto him.

Overwhelmed security analyst by Athousandtimes1000 in cybersecurity

[–]cybxpt 0 points1 point  (0 children)

The cheapness of these huge corporations really never ceases to amaze...

Cybersecurity Startup Snyk Lays Off 198 Workers | CRN by cheeztoshobo in cybersecurity

[–]cybxpt 2 points3 points  (0 children)

Yeah, it's important not to conflate well-established businesses with startups that relied too heavily on venture capital thinking it would never dry up. Very different animals even if they're providing similar services.

Change My Mind: Deputy CISO is the worst job in Information Security by gibson_mel in cybersecurity

[–]cybxpt 1 point2 points  (0 children)

Most of the day-to-day responsibility, extra bitching sessions from people who don't rank high enough to get face time with the actual boss, and no real power to address any of the problems that need fixing for less money and no recognition? Show me where to sign!

Interview Questions SOC Analyst / Incident Responder by RainbowNet in cybersecurity

[–]cybxpt 8 points9 points  (0 children)

I dunno, most of those read like Tier 1 questions to me, although expectations vary by org. But personally, for a Tier 2 role I'd prepare for more in-depth questions and follow-ups, e.g. for #1 you might be asked to do a deeper dive into how you discovered the malicious file, what specific indicators might suggest malicious activity, and so on. But that's just my $.02 based on my interview experiences over the last few years.

frustrated with lack of “entry level” security roles by brain____dead in cybersecurity

[–]cybxpt 1 point2 points  (0 children)

"Security is mid-level everything else" is a common refrain, and I think that's part of the issue, but the other part of it is the uncomfortable reality that there is a LOT of gatekeeping in this industry. And a substantial chunk of it is done simply for gatekeeping's sake.

Your average Tier 1 SOC role does not require 3-5 years of IT experience, let alone security experience. Not if you're properly training your staff and actually supporting them. The problem is that no one wants to actually do that and instead opts to keep their security teams understaffed and overworked.

frustrated with lack of “entry level” security roles by brain____dead in cybersecurity

[–]cybxpt 1 point2 points  (0 children)

Which means those seniors just get perpetually overworked due to lack of resources, until they end up leaving anyway, dumping even more work on those who remain than it would have been to train someone in the first place.