June 26, 2025 · 4 min read

The Evolution of SOC Structure: From Rigid Tiers to Flexible Operations

Security Operations Centers are evolving from traditional three-tier analyst structures to more flexible, outcome-driven models. This comprehensive guide explores the benefits and challenges of tiered vs. tierless SOC approaches, examining how MDRs and MSPs are reshaping traditional hierarchies. Learn why tier one erosion is accelerating, how tierless models enable end-to-end case ownership, and the trade-offs between specialist expertise and operational flexibility. Discover how AI is transforming SOC operations by automating repetitive tasks and democratizing knowledge across analyst teams. Whether you're considering restructuring your SOC, evaluating outsourcing options, or implementing AI-powered investigations, this analysis provides actionable insights for security leaders. Expert perspective from 24+ years of industry experience covers practical considerations for organizations of all sizes, from compliance requirements to budget constraints.

Eric Hulse
Director of Security Research

Introduction

Security Operations Centers (SOCs) have relied on tiered analyst structures for years, but this traditional approach is rapidly evolving. After 24 years in the industry, I've witnessed the transformation from rigid three-tier hierarchies to more flexible, outcome-driven models. The question isn't whether tiers will disappear entirely—it's how different organizations can adapt their structure to maximize efficiency while maintaining expertise.

The traditional tiered approach for the SOC: Structure with trade-offs

The tiered SOC model originated from traditional IT help desk operations, where tier one handles initial triage using standard playbooks, tier two tackles more complex analysis, and tier three conducts deep forensics and threat hunting. This structure offers clear benefits: formal processes, defined accountability, standardized workflows, and built-in compliance documentation.

When a process fails or an incident escalates unexpectedly, tiered structures provide clear audit trails. You can trace exactly where the breakdown occurred and implement corrective measures. This formality becomes crucial for organizations facing regulatory requirements or those needing to demonstrate due diligence.

MDRs and MSSPs have complicated this traditional model. Some providers offer full-spectrum services covering all three tiers, while others focus primarily on tier one triage. Many organizations now supplement their SOCs with external providers for 24/7 coverage or completely outsource/offshore their tier one operations due to budget constraints or staffing challenges.

The tierless movement: Ownership from start to finish

Tierless SOCs eliminate formal tier boundaries, allowing analysts to own investigations from initial alert to final resolution. Instead of handing off cases through multiple levels, one or two analysts shepherd the entire lifecycle of an investigation.

This approach addresses several pain points I've observed. In traditional tiered structures, analysts often get stuck in their roles. Many organizations lack the budget or the willingness to formally train tier one analysts for tier two responsibilities. The only career advancement becomes leaving for another company, where that analyst might start over at tier one again because their previous employer never gave them a documented path upward.

Job satisfaction becomes a critical factor when the daily work is repetitive and routine. I've met analysts whose entire day consists of phishing investigations with no automation support. This monotony contributes heavily to burnout and turnover, which remain rampant in our industry.

Benefits and challenges of going tierless

Eliminating handoffs creates immediate value for case management and efficiency. Analysts see investigations through completion rather than passing cases into a "black hole of invisibility." This end-to-end ownership reduces context loss and time wasted on handover briefings.

Single accountability layers emerge naturally. When one analyst handles the entire investigation, you recoup time normally lost during escalations where previous work must be explained and re-contextualized.

However, tierless approaches create new challenges. When the same analysts work every investigation end to end, specialist expertise erodes. You lose deep visibility into specific technologies when everyone becomes a generalist. The cost per analyst increases because each person needs full-spectrum understanding across your entire technology stack: network, endpoint, cloud, identity, and everything in between.

For larger organizations with diverse technology stacks, this knowledge requirement becomes substantial. Every analyst must achieve near-expert status across all deployed technologies, significantly increasing training costs and ramp-up time.

How AI is reshaping security operations

AI is accelerating this transformation regardless of which tier structure your SOC chooses. The most obvious impact is on automation. Tier one work is increasingly automated, and even MDRs and MSSPs now build significant AI capabilities into their service delivery.

AI for SOC addresses one of the biggest challenges in tierless operations: knowledge gaps. When analysts encounter unfamiliar technologies, they traditionally spend considerable time researching through Google, Reddit, and technical forums. AI chatbots like ChatGPT, Claude, and Perplexity allow analysts to quickly understand what they're looking at, why it matters, and how to investigate it effectively.

This knowledge democratization doesn't eliminate the need for subject matter expertise. Deep forensics and nuanced investigations will always require human experts. The key is using AI to augment analyst capabilities while maintaining a "trust but verify" approach: you still need enough expertise on the team to validate AI outputs and catch hallucinations before they steer an investigation wrong.

The future of SOC tiers

Organizations with hiring capacity and compliance requirements will maintain structured tiers. These companies benefit from formal processes and have the resources to invest in progressive career development through tiered advancement.

Smaller organizations will continue to struggle with traditional models. You'll see full outsourcing for small businesses and continued tier one erosion for medium-sized companies. The deluge of alerts, combined with the difficulty of obtaining and retaining expertise, drives this trend.

The most likely outcome is an amalgamation of tier two and tier three roles. Some organizations will find success with tierless models, while others will implement more structure as they grow. The erosion of tier one appears inevitable as automation and outsourcing handle initial triage more effectively.

Picking the right tier structure for your SOC

The decision between tiered and tierless structures depends on your specific context. Consider your budget constraints, compliance requirements, technology diversity, and ability to hire and retain talent.

Larger organizations with complex compliance needs and substantial budgets will likely maintain some tier structure. Smaller organizations or those struggling with tier one staffing may benefit from tierless approaches, especially when combined with AI augmentation and strategic outsourcing.

The most successful SOCs will be those that remain flexible—adapting their structure as technology, threats, and organizational needs evolve. Whether you choose tiers or go tierless, the goal remains the same: enabling your analysts to deliver their best work while efficiently protecting your organization.

Command Zero empowers tier-2+ analysts through autonomous and user-led cyber investigations, regardless of your SOC structure. Learn more at cmdzero.io.

