The SOC team usually comprises a mix of backgrounds and roles. In addition to the SOC manager, who is in charge of the SOC and oversees security operations in general, there are security engineers, security analysts, and threat hunters. Threat hunters proactively search for, detect, and contain advanced threats, such as advanced persistent threats (APTs), zero-days, or other novel threats that get past existing defenses.

Security engineers build and manage the security architecture. This involves evaluating and testing security tools, and then maintaining them once they are put to work. Security engineers also typically engage with developers and DevSecOps teams to ensure that security is part of the software development lifecycle (SDLC).

Security analysts are responsible for monitoring the IT estate for threats and responding to security incidents. Much of this work involves investigating alerts and performing triage, with the goal of prioritizing the most serious issues. They then oversee the incident response workflow, perhaps using a SOAR solution and its various playbooks. This can be quite challenging, because a seemingly minor alert is sometimes the first sign of a major security incident, while a high volume of false positives is a constant distraction from the alerts that matter. The work can be stressful, and burnout is a common difficulty facing security analysts.