IronSights

Detection & response

Security Operations CentreSOC

A centralised function — either internal or outsourced — responsible for continuously monitoring an organisation's security posture, detecting threats, and coordinating incident response.

Also known asSOCsecurity operations center

In plain English

A SOC is the team (and the tools they use) that watches for cyber attacks around the clock. They monitor alerts from security systems, investigate suspicious activity, and respond when something looks wrong. Most SMEs don't run their own SOC — they rely on a managed security provider to perform this function on their behalf.

Full definition

A SOC is not a product you buy. It is a function: people, process, and tooling working continuously to detect and contain threats before they cause serious damage. Analysts monitor alerts from and endpoint detection platforms, triage what is real versus noise, investigate the ones that matter, and respond. When an account starts behaving strangely at 2am on a Sunday, someone needs to be watching. Most attacks do not wait for business hours.

Building this in-house is expensive. A 24/7 SOC needs at minimum six to eight analysts to cover shifts, plus tooling, subscriptions, and management overhead. For most Australian SMEs, that cost is not realistic. A managed SOC delivers the same capability under a shared model, with analysts who see threat patterns across many client environments rather than just one.

In a Fortify engagement, the SOC function sits on top of and Defender. Analysts have context about your environment from day one: what your normal traffic patterns look like, which users have privileged access, which systems are internet-facing. That context matters. Generic alert triage without it produces too much noise and too many missed detections.

Keep learning

More terms in the IronSights Glossary.