
In the world of cybersecurity, the term Security Operations Center (SOC) carries significant weight. It evokes images of highly skilled analysts working around the clock to detect, respond to, and mitigate cyber threats. However, not all SOCs live up to this expectation. If a SOC lacks core functions like triage, analysis, assessment, and remedial action, it’s not truly a SOC—it’s merely a contact center masquerading as one. Let’s explore why these functions are non-negotiable for a SOC and why their absence undermines the entire purpose of cybersecurity operations.
What Defines a SOC?
A Security Operations Center is a centralized unit responsible for monitoring, detecting, analyzing, and responding to cybersecurity incidents. Its primary goal is to protect an organization’s digital assets by proactively identifying threats and swiftly mitigating them. According to industry standards, such as those outlined by NIST and SANS, a SOC’s core responsibilities include:
- Triage: Prioritizing and categorizing incoming alerts to determine their severity and urgency.
- Analysis: Investigating alerts to understand the nature, scope, and impact of potential threats.
- Assessment: Evaluating the context of an incident to determine its risk and potential consequences.
- Remedial Action: Taking steps to contain, mitigate, and resolve incidents, often in collaboration with other IT and security teams.
These functions form the backbone of a SOC’s ability to defend against cyber threats. Without them, the SOC cannot fulfill its mission, leaving organizations vulnerable.
The Contact Center Trap
A contact center, by contrast, is designed to handle customer inquiries, log issues, and escalate them to appropriate teams. While contact centers are valuable in customer service, they lack the technical expertise, tools, and processes required for cybersecurity operations. If a SOC is reduced to merely logging alerts, answering calls, or passing tickets to other teams without performing triage, analysis, or remediation, it’s operating as a contact center, not a SOC.
Here’s why this distinction matters:
- Missed Threats: Without triage and analysis, critical threats may go unnoticed or be deprioritized, allowing attackers to exploit vulnerabilities.
- Delayed Response: A lack of remedial action means incidents linger, increasing the potential for damage.
- Wasted Resources: Organizations invest heavily in SOCs, expecting robust protection. A contact center-style operation fails to deliver value, wasting time, money, and trust.
- False Sense of Security: Labeling a contact center as a SOC creates the illusion of protection, leaving leadership unaware of gaps in their defenses.
The Consequences of a SOC in Name Only
When a SOC fails to perform its core functions, the consequences can be severe. Consider a scenario where a ransomware alert is received but not triaged or analyzed. Without understanding the scope of the attack, the “SOC” might simply log the alert and escalate it, delaying containment. By the time the issue reaches a capable team, the ransomware could have spread across the network, encrypting critical data and causing significant downtime.
Real-world examples underscore this risk. In 2021, the Colonial Pipeline ransomware attack highlighted the importance of rapid detection and response. A true SOC would have triaged alerts, analyzed indicators of compromise, and taken immediate remedial action to contain the threat. A contact center, however, would likely have slowed the response, exacerbating the damage.
Building a True SOC
To avoid the contact center trap, organizations must ensure their SOCs are equipped to perform all core functions. Here’s how:
- Invest in Skilled Analysts: Hire and train personnel with expertise in threat detection, incident response, and forensic analysis.
- Deploy Advanced Tools: Use Security Information and Event Management (SIEM) systems, threat intelligence platforms, and automation tools to support triage and analysis.
- Define Clear Processes: Establish standard operating procedures (SOPs) for triage, analysis, assessment, and remediation to ensure consistency and efficiency.
- Enable Remediation: Empower SOC teams to take immediate action, such as isolating compromised systems or blocking malicious IPs, rather than relying solely on escalation.
- Measure Performance: Track metrics like mean time to detect (MTTD) and mean time to respond (MTTR) to evaluate the SOC’s effectiveness.
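The four core functions listed under "What Defines a SOC?" and the "Measure Performance" item above can be checked against the SOC's own ticket data. The following is an added example, not code from the original post or from any tool it mentions: it assumes a hypothetical per-alert record (the `AlertRecord` fields are my own naming), computes MTTD and MTTR from timestamps, and adds two figures the post's argument relies on but which SIEM dashboards rarely show by default: the share of alerts that were never triaged, and the share that were forwarded to another team without remedial action. The sample alerts and the 50% "forwarded" threshold are constructed for illustration only.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class AlertRecord:
    """One alert as it moved through the SOC (field names are assumptions)."""
    alert_id: str
    event_time: datetime              # when the activity happened, per the log source
    alert_time: datetime              # when the SIEM raised the alert
    triaged_at: Optional[datetime]    # first analyst action; None = never triaged
    contained_at: Optional[datetime]  # first remedial action; None = none taken
    outcome: str                      # "contained", "false_positive" or "forwarded"


def _mean_minutes(deltas: List[timedelta]) -> Optional[float]:
    """Average a list of durations in minutes; None when there is nothing to average."""
    if not deltas:
        return None
    total = sum(deltas, timedelta())
    return total.total_seconds() / 60 / len(deltas)


def mttd_minutes(records: List[AlertRecord]) -> Optional[float]:
    """Mean time to detect: alert_time - event_time, over alerts not closed as false positives."""
    return _mean_minutes([r.alert_time - r.event_time
                          for r in records if r.outcome != "false_positive"])


def mttr_minutes(records: List[AlertRecord]) -> Optional[float]:
    """Mean time to respond: contained_at - alert_time, over incidents the SOC itself contained."""
    return _mean_minutes([r.contained_at - r.alert_time
                          for r in records if r.contained_at is not None])


def untriaged_rate(records: List[AlertRecord]) -> float:
    """Share of alerts that no analyst ever looked at (no triage = no SOC function performed)."""
    if not records:
        return 0.0
    return sum(1 for r in records if r.triaged_at is None) / len(records)


def forwarded_rate(records: List[AlertRecord]) -> float:
    """Share of alerts passed on to another team without any remedial action by the SOC."""
    if not records:
        return 0.0
    return sum(1 for r in records if r.outcome == "forwarded") / len(records)


def soc_health(records: List[AlertRecord], forward_threshold: float = 0.5) -> dict:
    """Summarise the metrics; forward_threshold is an arbitrary illustrative cut-off, not a standard."""
    fwd = forwarded_rate(records)
    return {
        "mttd_minutes": mttd_minutes(records),
        "mttr_minutes": mttr_minutes(records),
        "untriaged_rate": untriaged_rate(records),
        "forwarded_rate": fwd,
        # If most alerts leave the SOC untouched, it is behaving like a contact centre.
        "looks_like_contact_centre": fwd >= forward_threshold,
    }


def _t(hour: int, minute: int) -> datetime:
    # Constructed timestamps, all on one day, for the sample below.
    return datetime(2024, 1, 8, hour, minute)


# Constructed sample: six alerts from one shift (not real data).
SAMPLE_ALERTS = [
    AlertRecord("A1", _t(9, 0),  _t(9, 5),   _t(9, 15),  _t(9, 45),  "contained"),
    AlertRecord("A2", _t(9, 30), _t(9, 40),  _t(9, 50),  None,       "false_positive"),
    AlertRecord("A3", _t(10, 0), _t(10, 10), None,       None,       "forwarded"),
    AlertRecord("A4", _t(11, 0), _t(11, 2),  _t(11, 10), _t(11, 30), "contained"),
    AlertRecord("A5", _t(12, 0), _t(12, 18), None,       None,       "forwarded"),
    AlertRecord("A6", _t(13, 0), _t(13, 5),  _t(13, 6),  None,       "forwarded"),
]

if __name__ == "__main__":
    for key, value in soc_health(SAMPLE_ALERTS).items():
        print(f"{key}: {value}")
```

MTTD and MTTR alone look respectable on this sample (8 and 34 minutes), which is exactly the blind spot the post describes: half of the alerts were simply forwarded and a third were never triaged at all. Reporting the untriaged and forwarded rates alongside the time-based metrics is what exposes a contact centre operating under a SOC label.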
Conclusion
A Security Operations Center is more than a name—it’s a commitment to proactive cybersecurity. Without triage, analysis, assessment, and remedial action, a SOC cannot protect an organization from modern cyber threats. At best, it’s a contact center, logging alerts and passing the buck. At worst, it’s a liability, creating a false sense of security while threats go unaddressed.
Organizations must invest in the people, processes, and technology needed to build a true SOC. Anything less is a disservice to their security posture and a gamble with their future. If your SOC isn’t triaging, analyzing, assessing, and remediating, it’s time to ask: Is it really a SOC, or just a contact center in disguise?
Summary
OK, I used GROK to write this (this part is, hopefully as you can see, 100% me)! See, I don't try to hide it when I use LLMs! But let's think about this: the issue here is real. The MSP/MSSP markets are flooded with people selling volume-based 'SOC' services where:
- Events/Alerts are not handled in a way that means the service is fulfilling SOC functions
- The response scope is so limited that 90% of alerts basically get forwarded to customers to do the work themselves
- Incidents occur and 'THE SOC' simply doesn't act
SOC analysts have the word 'analyst' in their title for a reason: the role of an L1/L2 SOC analyst is not a contact centre role, and it's not helpdesk.
You should ask yourselves how your SOC is performing and whether it's of value, both from a business point of view and from a security management perspective. You may even, I know, god forbid, find you don't need a SOC at all….
Don’t just take my word for it, check out this NCSC Blog:
https://www.ncsc.gov.uk/blog-post/soc-or-not
Hopefully this blog has been useful. Maybe you will find you have a contact centre and not a SOC, but either way, hopefully it has at least made you think!