Strategy 2: Achieve Balance Between Size and Agility

The SOC’s structure must balance three needs:

  1. The need to have a cohesive CND team
  2. The need to maintain logical or physical proximity to the assets being monitored
  3. The budgetary and authority limitations inherent in the constituency served

Picking an Organizational Model

The further an analyst is separated from monitored assets, logically or physically, the less able they are to maintain context and a sense of what is normal and abnormal behavior on those hosts and networks, and to respond in a relevant or timely manner.


  1. Size of company
  2. Frequency of incidents
  3. Company concerns about incident response

Structuring the SOC

Small SOC (5-20 people)

  1. Tier 1
  2. Tier 2
  3. System Admin
  4. Advanced Capabilities (optional)

SOC Org Chart

Large SOC 

  1. Tier 1
  2. Tier 2
  3. Trending
  4. Scanning
  5. VA/PT
  6. System Admin
  7. Engineering

Synchronizing CND Across Sites and Organizations

Goals and Drivers


Where to Place the Main SOC

The best place for the SOC is at or very near the company headquarters.

Small and Large Centralized SOCs

Incorporating Remote Analysts


Centralized SOC with Continuity of Operations


Centralized SOC with Follow the Sun


Tiered SOC


Coordinating SOCs