Three SOC Paradoxes To Fix in 2025
Reflections and takeaways from the 2025 SANS SOC Survey.

I recently had the opportunity to participate in the SANS 2025 SOC Survey Forum, to discuss findings from the SANS Institute's annual survey of security operations practitioners. When I first saw the underlying data, I was incredibly confused. Surely there had been a mistake somewhere? The numbers just didn't add up for me.
Then I realized the numbers themselves were accurate; it was the underlying SOC practices that were contradictory. No wonder practitioners get burnt out! The following three areas particularly stood out to me as detrimental to building a high-performing SOC:
Calculating team workload based only on tickets
According to SANS survey data, nearly 40% of teams calculate analyst workloads based on when an analyst starts and closes a ticket. Approximately 30% take a similar approach by calculating the number of SIEM alerts worked per analyst.
On the surface, this sounds reasonable enough. The paradox is that tickets and alerts are only a tiny fraction of a SOC team's set of responsibilities!

Budgeting a team's time based solely on alert management is like budgeting your personal expenses based solely on your monthly rent: pretty soon, you're going to wonder why you're coming up short each month.
You don't have to install employee tracking software to get a better view of analyst workload, either. Consider mapping your team's time to something like the FIRST.org CSIRT Services Framework. Even with rough estimates like "an average threat hunt takes about four hours for a single analyst, and we want to run two threat hunts per week," you've already eaten up 0.2 FTE of time without even blinking.
Running 24/7 coverage with a ten-person team
According to SANS data, the most common size of a fully-staffed SOC is between 2 and 10 people, but 79% of SOCs are operational 24/7. Even if you factor in triage outsourcing to an MDR provider or MSSP, this still creates an intense operational burden:
- Assuming an average 8-hour shift, you need 3 people just to get to full 24 hour coverage.
- Most people don't want to work 7 days per week. You'll need an additional 1.2 people to ensure that everyone gets a 5-day, 40-hour workweek. If you round up, that's now a SOC team of 5.
- People take vacations, get sick, and so forth. To avoid forced overtime or coverage gaps, you need at least one more person than your coverage minimum, bringing you to a team of 6.
- But wait! This only gets us to full monitoring coverage. What happens when a real incident kicks off? We need at least one more person, since incident response is an integrated function for the majority of SOCs, and we can't leave a coverage gap while someone is handling an incident. Now we're at a SOC team of 7.
We could get into even more complicated math here, if we wanted. What about the ratio of juniors to seniors on the team? What if we need the capability of handling more than one simultaneous incident? What about all the other capabilities in the SOC arsenal?
I think you get the idea, though. Round-the-clock coverage isn't something a SOC can take on lightly. If senior leadership insists on that capability, they must be willing to fund it accordingly.
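The staffing arithmetic above, together with the FTE-per-activity estimate from the ticket-workload section, written out as a small Python calculator so the steps can be checked and re-run with different coverage windows, shift lengths or incident capacity. This is an added example, not part of the original post or the SANS report; the activity list it uses is constructed for illustration.

```python
import math


def coverage_headcount(hours_per_day=24, days_per_week=7, shift_hours=8,
                       workweek_hours=40, absence_buffer=1,
                       concurrent_incidents=1):
    """Step through the round-the-clock staffing maths.

    Returns each intermediate figure: seats that must be filled per day,
    raw FTEs needed to cover every hour of the window, the rounded-up roster,
    and the total after adding bodies for leave/sickness and for incident
    response (one per incident to be handled without a monitoring gap).
    """
    seats_per_day = math.ceil(hours_per_day / shift_hours)
    covered_hours = seats_per_day * shift_hours * days_per_week
    raw_fte = covered_hours / workweek_hours          # 168 h / 40 h = 4.2
    roster = math.ceil(raw_fte)                       # nobody works 0.2 of a week
    total = roster + absence_buffer + concurrent_incidents
    return {
        "seats_per_day": seats_per_day,
        "coverage_fte": round(raw_fte, 2),
        "roster": roster,
        "total": total,
    }


def activity_fte(hours_per_run, runs_per_week, workweek_hours=40):
    """FTE consumed by a recurring non-ticket activity, e.g. threat hunts."""
    return hours_per_run * runs_per_week / workweek_hours


def remaining_for_tickets(team_size, activities, workweek_hours=40):
    """FTEs left for alert/ticket work once recurring activities are budgeted.

    `activities` is a list of (name, hours_per_run, runs_per_week) tuples,
    the kind of mapping you would build from a services catalogue such as
    the FIRST CSIRT Services Framework.
    """
    committed = sum(activity_fte(h, n, workweek_hours) for _, h, n in activities)
    return round(team_size - committed, 2)


if __name__ == "__main__":
    print(coverage_headcount())                      # total comes out at 7
    print(activity_fte(4, 2))                        # two 4-hour hunts a week
    # Constructed sample workload; the figures are illustrative only.
    sample = [("threat hunting", 4, 2), ("detection engineering", 8, 1),
              ("purple-team exercise", 16, 0.25), ("training", 2, 5)]
    print(remaining_for_tickets(7, sample))
```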
Reactive work misaligned with career progress
What happens when you align your SOC workload to tickets, and insist on 24/7 coverage without adequate headcount? You get graphs like this one:

And this one:

In short: you get a team heavily skewed towards performing repetitive reactive work, without enough time for them to do proactive defense or deep learning. If someone is spending their entire work week triaging tickets, what opportunities do they have to learn DFIR or threat intelligence skills?
I don't think it's any coincidence that many security professionals end up leaving SecOps to advance their careers. It's not for lack of managers who care, or because leadership fails to understand the importance of having talented individuals in the SOC. It's because we need to resolve these paradoxes in order to ensure that a career in SecOps is meaningful and sustainable over the long run.
If you want to read the full SANS 2025 SOC Survey report, my employer, Tines, has made a copy available for free here.