SOC Analyst Resume
Skills & ATS Keywords

The SIEM platforms, EDR consoles, email-security gateways, threat-intel feeds, IR playbooks, forensic utilities, and scripting tools a SOC Analyst resume should carry in 2026, ranked the way a security-operations lead weighs them and worded so an ATS parser catches every token. Built on 12 years of recruiting experience, including many years at Google, reading SOC and IR resumes.

Emmanuel Gendre, former Google Recruiter and Tech Resume Writer


What this page covers

The SOC Analyst resume skills and keywords that matter in 2026

SOC leads screen for the queue you actually worked

You are sharpening a SOC Analyst resume. Security-operations leads and ATS parsers are reading for the SIEM you triaged alerts in, the EDR you ran live-response sessions on, the phishing queue you closed tickets against, the threat-intel feeds you pivoted IOCs through, the case-management product you owned shift hand-offs inside, the forensic tools you grabbed memory with, and the scripting languages you used to automate the dull half of the queue. ATS keywords drive the first cut. The real lift on a 2026 SOC file is which platforms are non-negotiable for the tier you are aiming at, which queue metrics a SOC manager scans for first, which certifications still move the needle, and how to word any of it so a SOC hiring panel reading the page in ninety seconds believes you operated inside the SOC console rather than just sat through a SANS course.

A queue-operator cheat sheet, not a generic cyber list

Under this band sits the prioritized inventory: a SOC Analyst resume's hard skills, soft skills, and ATS keywords for 2026, grouped by operational surface and laid against the SOC tier ladder. The phrasing comes off 12 years of recruiting experience, including many years at Google. Want the editable shell that already carries the SIEM, EDR, email-security, intel, and forensics rows? Open the SOC Analyst resume template.

SOC Analyst resume keywords & skills at a glance

The fast answer, two ways

Below this band is the long-form read on SOC Analyst resume skills and ATS keywords. If a couple of minutes is all you have, grab one of the two helpers in this section: the ranked roster of SIEM platforms, EDR consoles, threat-intel feeds, and IR frameworks that recur across most US SOC Analyst reqs (the safe default), or the JD scanner that lets you measure the file against the specific posting open in your other browser tab.

Industry-standard SOC Analyst resume skills

The 18 SIEM platforms, EDR consoles, threat-intel feeds, IR frameworks, and certifications that surface most often across US SOC Analyst postings in 2026. With no specific role in hand, treat this as a baseline floor. Tint reads the priority: blue sits on the mandatory tier, teal covers the supporting evidence a SOC manager expects to see, and grey marks the differentiator that tips a borderline shortlist.

  1. Splunk (SPL, ES): 86%
  2. Microsoft Sentinel (KQL): 78%
  3. MITRE ATT&CK: 80%
  4. CrowdStrike Falcon: 74%
  5. Incident Response (NIST 800-61): 72%
  6. CompTIA Security+: 68%
  7. Phishing Analysis: 62%
  8. Microsoft Defender for Endpoint: 58%
  9. Threat Hunting: 56%
  10. SentinelOne: 50%
  11. Proofpoint / Defender for O365: 48%
  12. MISP / Recorded Future: 46%
  13. Wireshark / Zeek: 42%
  14. CySA+ / GCIH: 38%
  15. Sigma Rules: 32%
  16. Volatility / KAPE: 28%
  17. SOAR (Tines, XSOAR consumer): 24%
  18. Python / PowerShell: 22%

Extract SOC Analyst resume keywords from a JD

Paste a SOC Analyst or security-operations job description into the box and the scanner pulls out the SIEM names, EDR consoles, email-security gateways, threat-intel feeds, and IR frameworks worth keeping on the file, grouped by tier band. The match stays inside this browser session: nothing uploads, nothing logs server-side.

SOC Analyst: Hard Skills

8 categories to carry in a SOC Analyst Technical Skills block

Starred chips flag the products a SOC lead is actively scanning the page for. Each card closes with a copy-paste line wired to slot straight into the row label it lives under.

SIEM (the SOC's main tool)

The console you live in for the entire shift. Splunk Enterprise Security with deep SPL fluency (saved searches, correlation searches, notable events, lookups, ES dashboards) is the most common spine across US SOC reqs in 2026; Microsoft Sentinel with KQL workbooks and Logic Apps covers Azure-heavy estates. IBM QRadar still anchors a slice of banking and fed-adjacent SOCs; Elastic SIEM, Chronicle (Google SecOps), Exabeam, and Sumo Logic Cloud SIEM cover the long tail. Carry the actual query language inline, not just the platform name.

Splunk ES (SPL, saved searches) · Microsoft Sentinel (KQL) · IBM QRadar · Elastic SIEM · Chronicle (Google SecOps) · Exabeam · Sumo Logic Cloud SIEM · Notable events, correlation searches · Dashboards & workbooks

Splunk Enterprise Security (deep SPL, saved searches, correlation searches, notable events, ES dashboards), Microsoft Sentinel with KQL, IBM QRadar, Elastic SIEM, Chronicle / Google SecOps, Exabeam, Sumo Logic Cloud SIEM

EDR & XDR

The endpoint console you reach for the moment an alert points to a host. CrowdStrike Falcon (deep, with Real-Time Response sessions, IOA tuning, scheduled hunts, Falcon Forensics) is the default at most modern SOCs; SentinelOne Singularity and Microsoft Defender for Endpoint with KQL hunting sit close behind. VMware Carbon Black and Trellix anchor a slice of legacy estates; Palo Alto Cortex XDR and Cisco Secure Endpoint cover Palo and Cisco-heavy networks. Name the interaction patterns (host isolation, process-tree pivots) alongside the vendor.

CrowdStrike Falcon (RTR, IOA, hunts) · SentinelOne Singularity · Microsoft Defender for Endpoint (KQL) · VMware Carbon Black · Trellix · Palo Alto Cortex XDR · Cisco Secure Endpoint · Host isolation playbooks · Process-tree pivots

CrowdStrike Falcon (deep: RTR, IOA tuning, scheduled hunts, Falcon Forensics), SentinelOne Singularity, Microsoft Defender for Endpoint with KQL hunting, VMware Carbon Black, Trellix, Palo Alto Cortex XDR, Cisco Secure Endpoint, host-isolation playbooks, process-tree investigation

Threat Frameworks & Intel

The vocabulary that ties an alert to a real adversary motion. MITRE ATT&CK is the spine: tactics, techniques, sub-techniques, and ATT&CK Navigator coverage views. MITRE D3FEND covers the defensive countermeasure mapping; the Cyber Kill Chain and Pyramid of Pain still surface in interview prompts. Threat-intel platforms (MISP, OpenCTI, Anomali, Recorded Future, Mandiant Advantage) and STIX / TAXII feed ingestion give the intel pivot a real backing. Each named framework should pair with a hunt or a triage call you ran.

MITRE ATT&CK (techniques, sub-techniques) · ATT&CK Navigator · MITRE D3FEND · Cyber Kill Chain · Pyramid of Pain · MISP / OpenCTI · Recorded Future · Anomali / Mandiant Advantage · STIX / TAXII feeds

MITRE ATT&CK tactics, techniques, sub-techniques, and ATT&CK Navigator coverage; MITRE D3FEND; Cyber Kill Chain; Pyramid of Pain; MISP, OpenCTI, Anomali, Recorded Future, Mandiant Advantage; STIX / TAXII threat-intel feeds

Incident Response (analyst tier)

The runbook side of the SOC chair. NIST 800-61 phases (preparation, detection and analysis, containment, eradication, recovery, post-incident review) carry the framework signal. Pair it with concrete IR craft: playbook authorship, evidence acquisition with KAPE, FTK Imager, or Velociraptor, live-response triage, memory analysis basics on Volatility, chain-of-custody discipline, and a clean post-incident report you can show to a hiring panel. Name the SEV tiers and the bridge role you held, not the verb “led” alone.

NIST 800-61 IR phases · IR playbook authorship · KAPE / FTK Imager · Velociraptor · Volatility (memory basics) · Live-response triage · Chain-of-custody · Post-incident reports · DFIR workflow

NIST 800-61 IR phases, IR playbook authorship, evidence acquisition with KAPE, FTK Imager, Velociraptor, live-response triage, memory analysis with Volatility, chain-of-custody discipline, post-incident reports, DFIR workflow on SEV1 and SEV2 events

Network & Cloud Telemetry

The packet, flow, and audit-log surface a SOC reads behind every endpoint alert. Zeek (formerly Bro) and Suricata cover IDS and protocol analysis; Snort still anchors a slice of legacy estates; NetFlow and IPFIX feed the volumetric view. On the cloud side, AWS CloudTrail plus GuardDuty alerts, Azure Activity Logs plus Defender alerts, and GCP audit logs plus Security Command Center give the analyst tier its visibility into IaaS workloads. Pair the tooling with the actual practice: full-packet captures in Wireshark, firewall-log triage, and DNS-tunneling pivots.

Zeek (Bro) · Suricata · Snort · NetFlow / IPFIX · AWS CloudTrail + GuardDuty alerts · Azure Activity Logs + Defender alerts · GCP audit logs + SCC · Wireshark (PCAPs) · Firewall-log triage

Zeek (Bro), Suricata, Snort, NetFlow and IPFIX, AWS CloudTrail and GuardDuty alerts, Azure Activity Logs and Defender alerts, GCP audit logs and Security Command Center, Wireshark packet captures, firewall-log triage, DNS-tunneling pivots

Detection Tuning & Hunting (consumer tier)

The everyday craft on a T2 ladder: tuning what Security Engineering wrote and running threat hunts against the gap. Saved-search tuning, false-positive reduction work, and hypothesis-driven hunt cycles (ATT&CK Navigator coverage gaps, intel-driven hunts) are the bread and butter. Reading Sigma rules and authoring minor edits sits inside the analyst tier; full detection-engineering authorship belongs on a Security Engineer file. SOAR shows up here at consumer tier: running Tines, Cortex XSOAR, or Splunk SOAR playbooks, not authoring them end-to-end.

Saved-search tuning · False-positive reduction · Threat-hunt cycles (hypothesis-driven) · ATT&CK Navigator coverage · Sigma rule reading (minor authoring) · Tines (consumer) · Cortex XSOAR (consumer) · Splunk SOAR (consumer)

Saved-search tuning, false-positive reduction across detection families, hypothesis-driven threat-hunt cycles aligned to ATT&CK Navigator coverage gaps, Sigma rule reading with minor authoring, SOAR consumer work on Tines, Cortex XSOAR, and Splunk SOAR (running playbooks, not authoring)

Malware & Phishing Analysis

The phishing-triage queue is one of the busiest queues on a SOC console. Microsoft Defender for Office 365, Proofpoint TRAP, Cofense, and KnowBe4 sit at the centre of the user-reported pipeline. URL detonation through URLscan and Joe Sandbox, plus Any.Run for interactive sandbox runs, cover the manual investigation tier. Static analysis at the analyst level (CAPA, FLOSS, PEStudio) pulls quick indicators off a sample without spinning up the full reverse-engineering loop. Email-header analysis and Indicator-of-Compromise (IOC) management round out the row.

Microsoft Defender for O365 · Proofpoint TRAP · Cofense · KnowBe4 · URLscan / Joe Sandbox · Any.Run sandbox · CAPA / FLOSS / PEStudio · Email-header analysis · IOC management

Phishing-triage queue on Microsoft Defender for Office 365, Proofpoint TRAP, Cofense, KnowBe4; URL detonation on URLscan and Joe Sandbox; Any.Run interactive sandbox; static analysis on CAPA, FLOSS, PEStudio; email-header analysis; IOC management

SOC Operations & Compliance

The plumbing that holds the SOC together across shifts and weeks. Name the tier structure you sat inside (T1, T2, T3 with the escalation pattern), the shift-handoff discipline you ran, and the case-management product (ServiceNow SIR, IBM Resilient, TheHive) you closed tickets in. SLA tracking, post-incident reports, and regulatory IR support (PCI-DSS 12.10, HIPAA breach notification, SOX-IT) read well at T2 and above. Park the certs on the same row when they share a SANS lineage so the file reads tidy: Security+, CySA+, GCIA, GCIH, GCFA, BTL1.

SOC tier structure (T1, T2, T3) · Shift-handoff discipline · ServiceNow SIR / Resilient / TheHive · SLA tracking · Post-incident reports · PCI-DSS 12.10 / HIPAA breach · Security+ / CySA+ · GCIA / GCIH / GCFA · BTL1 (Security Blue Team)

SOC tier structure (T1, T2, T3 with escalation pattern), shift-handoff discipline, ServiceNow SIR / Resilient / TheHive case management, SLA tracking, post-incident reports, regulatory IR support on PCI-DSS 12.10, HIPAA breach notification, SOX-IT; CompTIA Security+, CySA+, GCIA, GCIH, GCFA, BTL1

SOC Analyst: Soft Skills

How to incorporate soft skills in your SOC Analyst resume

Dropping “detail-oriented” or “strong communicator” into a chip cluster does nothing on a SOC file. The place these traits earn weight is inside the bullets that name the SEV1 bridge you held, the shift-handoff note you authored, the junior analyst you coached through their first containment, the legal counsel you walked through a breach-notification call, or the playbook tweak that took 14 false-positive alerts a shift off the T1 queue. Five soft signals follow, each paired with a bullet template you can rework against your own SOC.

Composure during a SEV1 bridge

The SOC lead reading the file wants the analyst who can sit on a 3am bridge while CrowdStrike is firing, the on-call IR lead is asking for memory captures, and the comms team is asking for an exec-line update every ten minutes. Naming the role you held, the platform, and the containment window is what reads as senior-tier on the page.

How to show it

Held first responder on a SEV1 token-theft event traced through CrowdStrike Falcon RTR, ran host isolation on 14 endpoints inside 9 minutes, anchored a 3-hour bridge with IR Lead, IT, and Legal, and shipped the post-incident note with four playbook updates rolled out across the T1 queue the next week.

Clean shift-handoff writing

Half of SOC work is the note the next shift reads on their first coffee. A SOC manager scoring a candidate hard on operational hygiene reads for the analyst who hands off a live investigation without dropping context, leaving open IOCs hanging, or leaving the inbound shift to triage cold.

How to show it

Authored the SOC shift-handoff template adopted across the follow-the-sun rotation (US, EMEA, APAC), cutting repeat-investigation tickets from roughly 18 per week to 5 and pulling the inbound-shift catch-up window from 40 minutes to 12 across the past quarter.

Plain-language calls with non-security stakeholders

A T2 analyst gets pulled into calls with Legal, HR, Customer Support, and the occasional executive line whenever an incident touches a customer record or a regulated control. The signal worth carrying on the page is the one that proves you can walk a non-technical reader through the timeline without letting jargon obscure the lift.

How to show it

Briefed General Counsel and the Privacy lead on a credential-stuffing event affecting 1,200 customer accounts, translated the Sentinel KQL hunt trail, MFA-bypass attempts, and IP-geolocation pivots into a plain-language breach-notification summary adopted as the standing format for customer-facing IR write-ups.

Coaching the bench below you

Starting around T2, the SOC ladder rewards the analyst who lifts the floor under them. A SOC lead scanning the file for senior signal reads less for personal alert count and more for the number of T1 analysts who closed their first independent incident after pairing through triage cycles with you.

How to show it

Ran the T1 triage clinic for 3 incoming SOC analysts, paired through the Splunk saved-search backlog and CrowdStrike RTR fundamentals, owned the weekly alert-quality review, and authored the T1 ramp guide now handed to every new analyst inside their first week on the floor.

Judgment on escalation timing

Calling escalation too early floods the T2 queue with low-value tickets; calling it too late lets dwell time climb past the SLA window. The trait a senior SOC manager flags is the analyst who reads the alert chain, weighs the IOC strength, and knows when to hold the ticket inside T1 and when to flip it up the ladder.

How to show it

Held T1-to-T2 escalation at 12 percent of queue volume across a 9-person SOC, down from a baseline of 28 percent the year prior, through saved-search tuning, IOC-strength scoring on every alert, and a two-question pre-escalation checklist adopted by the T1 chairs as the standing escalation gate.

ATS keywords

How ATS read your SOC Analyst resume keywords

The mechanics of how screening software grades a security-operations file in 2026, the workflow for pulling the right SIEM, EDR, intel, and IR names off a target posting, and the 25 keywords any SOC Analyst resume should be able to back up with a concrete bullet.

01

Tagged Skills rows outscore wall-of-text bullets

The parser stack on heavy duty across SOC and security-ops req pipelines (Greenhouse, Lever, Ashby, Workday, iCIMS) breaks the resume into structured chunks and grades each against the SOC lead's keyword list at the moment the req opens. Nothing instantly rejects you; the file just drops a few positions down the ranked stack. A missing Splunk, CrowdStrike, or MITRE ATT&CK token is the difference between landing on page one of the recruiter screen and getting buried six pages deep.

02

Where on the page the token sits matters

A slice of parsers adds weight to a SOC platform name when it sits inside a labeled Skills block on the top half of page one rather than tucked into a job-history sentence two pages later. A Splunk chip near the top scores higher than the same word buried in a job paragraph on page two. Plant the SIEM and EDR names on the labeled Skills row first, then echo them inside bullets once the row already carries them.

03

Echo at a working cadence, never keyword-stuff

A Splunk entry on the Skills row plus two bullets that reference SPL or saved searches is the pattern the parser expects to see. Pasting Splunk twenty-three times in a 1pt white-text strip flags the file for human review and routes it straight to the rejection folder. A SIEM or EDR name showing up twice in Skills and twice across the work bullets is the tempo a parser reads as natural.

Mining your target JD

A 3-step extraction loop for SOC Analyst postings

STEP 01

Stack five reqs at your tier and vertical

Grab five SOC Analyst postings at the tier and vertical you want next (MSSP, SaaS, fintech, healthcare, e-commerce, federal). Drop them into one scratch document so the phrasing from each posting sits next to the others instead of living across five browser tabs you keep losing focus on.

STEP 02

Flag the recurring platforms and frameworks

Underline every SIEM, EDR, email-security gateway, threat-intel feed, case-management product, sandbox, forensic utility, and certification body that shows up in three or more of the five reqs. Those products automatically belong on the Skills rows. Terms that surface in only one or two postings get a margin note: include only if I can defend the platform in a triage screen.

STEP 03

Pair each flagged platform with a queue bullet

Every recurring product needs a chair on the Skills row AND a backing bullet that ties it to an alerts-per-shift figure, an MTTR delta, an escalation rate, an incident-count, an FP-reduction percentage, or a threat-hunt cycle. When a chair has no bullet behind it, either earn the bullet honestly through a small home-lab project before applying, or treat the req as a wrong-fit chair and move on to the next one in the queue.

The 25 keywords that matter

SOC Analyst ATS keywords ranked by importance, 2026

The frequency bars below come off a sample of roughly 240 US SOC Analyst reqs I worked through on LinkedIn, Indeed, and MSSP career pages over Q1 2026. The tier column tells you how heavily an initial-pass screen treats each term as a yes-or-no signal.

Keyword                  | Tier   | Typical JD context
-------------------------|--------|-------------------------------------------------------
Splunk (SPL)             | Must   | “Triage alerts and author saved searches in SPL”
MITRE ATT&CK             | Must   | “Map alerts and hunts to ATT&CK techniques”
Microsoft Sentinel (KQL) | Must   | “Write KQL hunts and tune analytic rules”
CrowdStrike Falcon       | Must   | “Run RTR, IOA hunts, and host isolation”
Incident Response        | Must   | “Lead first-stage IR per NIST 800-61”
CompTIA Security+        | Must   | “Security+ certification (or equivalent)”
Alert Triage             | Must   | “Triage SOC alerts and escalate to T2”
Phishing Analysis        | Strong | “Run reported-phish queue, header analysis”
Defender for Endpoint    | Strong | KQL hunting on endpoint telemetry
Threat Hunting           | Strong | Hypothesis-driven hunts across SIEM data
SentinelOne              | Strong | EDR triage and remote-script playbooks
Proofpoint / O365        | Strong | Phishing-triage and email-security pipeline
MISP / Recorded Future   | Strong | IOC enrichment and intel pivots
Wireshark / Zeek         | Strong | Packet capture and protocol analysis
CySA+ / GCIH             | Strong | Mid-tier analyst credential filter
NIST 800-61              | Strong | IR phase model for runbook authorship
CloudTrail / GuardDuty   | Strong | AWS-side alert triage and pivot context
Sigma Rules              | Bonus  | Read Sigma; minor tuning at analyst tier
Volatility / KAPE        | Bonus  | Memory and live-response triage
SOAR (consumer)          | Bonus  | Run Tines / XSOAR / Splunk SOAR playbooks
Python                   | Bonus  | Triage scripts, REST API enrichment
PowerShell               | Bonus  | Windows endpoint triage and AD pivots
BTL1                     | Bonus  | Security Blue Team hands-on credential
GCFA                     | Bonus  | DFIR-tier credential at T3 and SOC Lead
PCI-DSS 12.10            | Bonus  | Regulatory IR-support clause

I review your technical skills for free

Send the PDF over. I will flag which SIEM, EDR, intel, and IR names are missing, which SOC bullets aren't carrying an alerts-per-shift figure or an MTTR delta, and where your Skills block is leaking parser weight.

Free, within 12 hours, by a former Google recruiter.


Qualifications by seniority

What T1, T2, T3, and SOC Lead analysts are expected to list

The platforms read similarly from L1 through L4. The real lift between levels is the scale around them: alerts triaged per shift, incidents led by SEV tier, threat-hunt cycles owned, playbook authorship counts, SOC headcount you coordinated, and the number of T1 analysts you mentored through their first quarter on the floor.

  1. L1 · T1

    Tier 1 SOC Analyst

    0 to 2 years. Works 30 to 80 alerts per shift on Splunk or Sentinel, escalates 5 to 15 of those to T2 each shift, picks up MITRE ATT&CK and CrowdStrike Falcon basics, runs scripted phishing-triage closures on Proofpoint or Defender for O365, and holds CompTIA Security+ or is sitting the exam inside the next quarter.

    30 to 80 alerts / shift · 5 to 15 escalations / shift · Splunk SPL (basic) · Sentinel KQL (basic) · CrowdStrike Falcon (consumer) · Phishing-triage closures · ATT&CK basics · CompTIA Security+
  2. L2 · T2

    Tier 2 SOC Analyst

    2 to 5 years. Handles T1 escalations across 1 or 2 product areas (40 to 90 deep-dive cases per quarter), leads the first-stage IR call on 4 to 12 SEV1 and SEV2 incidents per year, runs weekly threat hunts mapped to ATT&CK Navigator gaps, authors 12 to 25 playbook updates against the runbook library, and pairs with one T1 analyst through their ramp.

    40 to 90 deep-dives / quarter · 4 to 12 IR cases (SEV1/2) · Weekly threat hunts · 12 to 25 playbook updates · Saved-search tuning · Splunk SOAR (consumer) · T1 mentorship · CySA+ or GCIH
  3. L3 · T3

    Senior / Tier 3 SOC Analyst

    5 to 8 years. Cross-team IR lead on 6 to 15 major incidents per year, drives a 30 to 60 percent MTTR reduction across the queue, authors RFCs for detection tuning and SOAR playbook consumption, mentors 2 to 4 analysts on the floor, runs the threat-hunt program against ATT&CK coverage gaps, and partners with Detection Engineering on rule lifecycle reviews.

    6 to 15 major IRs / year · 30 to 60% MTTR reduction · Detection-tuning RFCs · SOAR playbook consumption · Threat-hunt program lead · Mentor 2 to 4 analysts · GCIH / GCIA · DFIR fundamentals
  4. L4 · SOC LEAD

    SOC Lead / Principal Analyst

    8+ years. Cross-shift SOC ownership over a team of 8 to 14 across follow-the-sun, exec-board IR briefings, regulatory IR liaison work (FBI on major events, DFIR retainer coordination), multi-year SIEM migration and tuning program ownership, and 3 to 5 major-breach lead investigations across the career arc.

    SOC team of 8 to 14 · Follow-the-sun rotation · Exec-board IR briefings · FBI / DFIR retainer liaison · SIEM migration program · 3 to 5 major-breach leads · GCFA · Hiring & bar-setting

Placement & format

How to list these skills on your resume

A single Technical Skills block, sliced into 7 to 9 row labels, lives right under the Profile Summary on page one. Each platform on those rows then resurfaces inside a bullet that proves you triaged on it, led IR through it, or tuned the saved searches feeding it.

01

Placement

Set it right under the Profile Summary, before Work Experience. A SOC hiring lead reads top-down on the first pass, and a slice of the parsers favoured by security-ops pipelines (Greenhouse, Lever) score a security-platform token harder when it sits inside the upper third of page one rather than further down the file.

02

Format

Slice it into 7 to 9 row labels rather than a comma blob. Pull the labels off your actual operational surface (SIEM & Log Platforms, EDR & Endpoint, Email Security, Threat Intel, Detection Tuning, IR & Forensics, Frameworks & Compliance, Scripting, Certifications). Each row stays on one line and runs 4 to 8 names long.

03

How many to include

Hold the page to 28 to 44 specific SIEM platforms, EDR consoles, email-security gateways, threat-intel feeds, case-management products, sandboxes, forensic tools, and scripting languages. Below 22 the file reads thin for a 2026 SOC chair; past 48 the row reads like a SANS-cert flashcard wall. Carry only platforms you can defend on a triage call.

04

Weaving into bullets

Whenever a bullet describes a SOC win, pair the named platform with the alerts-per-shift count, the MTTR delta, the FP-reduction percentage, or the incidents-led figure that came out of it. The shape that holds up under both a SOC manager's read and a parser pass looks like this:

Weak

Worked in a SOC monitoring alerts and supporting incident response across endpoint and network telemetry.

Strong

Ran the T2 queue on a 9-person SOC, triaged 70 to 110 Splunk ES alerts per shift, cut SEV2 MTTR from 47 minutes to 11 minutes across two quarters via saved-search tuning and runbook automation, and held T1-to-T2 escalation at 12 percent of queue volume.

The two lines cover the same chair, but the strong version carries six operational signals (tier, headcount, platform, alert volume, MTTR delta, escalation rate) and reads as queue ownership rather than a vague monitoring verb.

Quality checks

  • Match the exact wording from the JD on every chip. If the posting prints “MITRE ATT&CK” with the ampersand, carry the ampersand; if it spells out “CrowdStrike Falcon” in full, skip the “CrowdStrike” shorthand; write “Splunk Enterprise Security” at least once on the row so the parser catches both token variants.
  • Skip the proficiency labels (“Expert Splunk”, “Advanced CrowdStrike”). A SOC manager has no way to validate them in a screen, and the row real estate is better spent on a fourth or fifth platform name.
  • Order rows by operational surface (SIEM, EDR, Email Security, Intel, Detection Tuning, IR & Forensics, Frameworks, Scripting, Certifications), never alphabetically. A SOC hiring panel reads the row label first and only digs into the products when the label matches the chair they are filling.
  • Every product on the Skills row needs to resurface inside a bullet attached to an alerts-per-shift count, an MTTR delta, an incident-count, an FP-reduction percentage, or a threat-hunt cycle. The chip names the platform; the queue scope, the SEV tier, and the metric delta are what prove you operated it.

Skills in action

Five real bullets, with the SOC Analyst skills wired in

Each bullet below does three jobs at once: it names the platform, it pins the queue scope or incident count, and it carries an outcome. The chips underneath flag what a SOC manager (and the parser) catches on a quick scan.

01

Owned security monitoring and alert triage across the global edge and corporate environment supporting 3,200+ employees, working 18,000+ alerts per week through Splunk Enterprise Security and Microsoft Sentinel, with on-call escalation discipline and saved-search tuning across the T2 queue.

Splunk ES · Microsoft Sentinel · Alert triage · On-call escalation
02

Ran endpoint detection and response on CrowdStrike Falcon and SentinelOne across 4,500+ endpoints, executed one-click host isolation playbooks, process-tree investigation, and IOC sweep automation, and pulled attacker dwell time from 14 hours down to 38 minutes across the past three quarters.

CrowdStrike Falcon · SentinelOne · Host isolation · Dwell time
03

Tuned 120+ saved searches and Sentinel analytic rules mapped to MITRE ATT&CK Initial Access and Lateral Movement, cut the false-positive rate from 71 percent to 18 percent, and lifted ATT&CK coverage from 41 percent to 78 percent across the SIEM detection surface.

Saved-search tuning · Sentinel KQL · MITRE ATT&CK · FP reduction
04

Worked the phishing-triage queue on Proofpoint TRAP for 8,000+ user-reported emails per year, ran header analysis, URL detonation in Proofpoint TAP, and attachment sandbox triage, and dropped the phish click-through rate from 4.1 percent to 0.6 percent across the user base.

Proofpoint TRAP · URL detonation · Header analysis · Phish CTR
05

Led first-stage IR on 60+ SEV1 and SEV2 incidents per NIST 800-61, drove endpoint isolation, Okta and AD account disablement, and proxy-side IP and domain blocks, and compressed mean time to respond from 2.8 hours to 34 minutes inside the first year on the chair.

NIST 800-61 · Account disablement · Proxy IP blocks · MTTR

Pitfalls

Six common mistakes on SOC Analyst resumes

The same six patterns show up across SOC Analyst file reviews week after week. Each one shrinks back inside a single editing pass once you can spot the shape on your own page.

Reading like a generic IT support file with a SIEM mention

Bullets that lead with helpdesk ticket counts, AD user provisioning, and firewall rule changes (with a Splunk mention bolted on) miss the queue-operator signal a SOC manager is reading the page for. The file lands in the IT pile and rarely climbs back out.

Fix: Lead with the alerts-per-shift figure, the SIEM you triaged in, the EDR you ran live-response on, the incidents you led, the MTTR delta, and the threat-hunt cycles you owned. Move the IT-support bullets to the bottom or trim them entirely.

No alerts-per-shift, no MTTR, no incident count

“Performed security monitoring” or “triaged alerts” with no queue volume, no MTTR figure, and no SEV-tier reference reads as unverifiable. SOC managers know those lines are the easiest to invent when no number anchors them to a real shift.

Fix: Pin the alerts-per-shift volume (70 to 110 Splunk alerts per shift), name the SIEM (Splunk ES or Microsoft Sentinel), call the MTTR delta (SEV2 MTTR from 47 minutes to 11), quote the incident count by tier (lead on 14 SEV1 and SEV2 events), and carry the FP-reduction percentage.

A 20-vendor skills row with no triage bullet behind it

Stacking Splunk, Sentinel, QRadar, Chronicle, Elastic, Falcon, SentinelOne, Defender, Carbon Black, Trellix, Cortex XDR, MISP, Anomali, Recorded Future, Proofpoint, Cofense, KnowBe4, Tines, XSOAR, and Splunk SOAR onto a single comma row reads as a vendor flashcard pile. A SOC manager skims it and moves on.

Fix: Trim each row to products that anchor at least one queue bullet on the page. Two SIEM platforms named with real query-language depth (Splunk SPL plus Sentinel KQL) beat seven shallow chips, especially when one of them carries an alert volume and an MTTR delta.

Frameworks named with no operational pattern

Listing MITRE ATT&CK, NIST 800-61, NIST CSF, ISO 27001, and PCI-DSS in a row with no mention of a real hunt, an IR phase you owned, or an audit-support window reads as box-ticking. SOC managers screen for the practice inside the framework, not the framework name sitting on its own.

Fix: Pair each named framework with the operational pattern (ATT&CK Navigator coverage gaps you ran hunts against, NIST 800-61 phases you led the bridge through, PCI-DSS 12.10 IR-support window you held for the auditor) and the count or delta that quantifies it.

EDR depth treated as a single chip

From T2 upward, a SOC file with a single “CrowdStrike” chip and no RTR session, no IOA hunt, no scheduled-hunt practice, and no dwell-time metric reads as half-trained for 2026 endpoint work. Senior chairs want to see the EDR interaction pattern on the page.

Fix: Carry an EDR row with Falcon (RTR, IOA, scheduled hunts, Falcon Forensics), SentinelOne, and Defender for Endpoint KQL hunting named, then back it with one bullet that pins host-count, dwell-time delta, and the live-response action you ran during the last major event.

Soft-skills row left at the corporate-buzzword level

“Strong communicator,” “security mindset,” and “team-oriented” in a Soft Skills row do nothing on a SOC file in 2026. A SOC hiring panel has already read the same three phrases on 70 percent of the resumes that morning before yours arrived.

Fix: Replace the buzzwords with the operational evidence that proves the trait: the SEV1 bridge you held first responder on, the shift-handoff template you authored for the follow-the-sun rotation, the breach-notification call you translated for Legal, the T1 analyst you paired through their ramp, the two-question escalation gate that held T1-to-T2 traffic at 12 percent of queue volume.

Not sure if your Skills section is filtering you out?

Send the resume over. I will flag which SIEM, EDR, intel, and IR names are missing, which entries are padding, and which bullets aren't pulling their alerts-per-shift weight or MTTR delta.

Free, line-by-line feedback within 12 hours, by a former Google recruiter.


Frequently asked

SOC Analyst Skills & Keywords, Answered

Aim for somewhere between 28 and 44 named products and frameworks: the SIEM you live in, the EDR you isolate hosts on, the email-security stack that feeds your phishing queue, the threat-intel platforms you pivot through, the case-management system you close tickets in, the forensics utilities you run during a containment, and the scripting languages you automate triage with, all stitched under 7 to 9 row labels. Drop below 22 and the file looks like an early L1 chair pretending to a T2 ladder; push past 48 and the page reads like a SANS cert vendor wall. Each chip has to pair with a story you can defend in a screen: the Splunk saved search you tuned that killed a 40 percent FP rate, the CrowdStrike RTR session that contained an intrusion at 2am, the phish takedown you ran with Proofpoint TRAP. The row carries the inventory; alerts-per-shift, MTTR, incidents led, escalation rate, and FP reduction are what prove you actually worked the queue.

Drop it right under the Profile Summary, before Work Experience. SOC hiring leads spot-check applicants in the seconds between two queue alerts, and the parsers sitting in front of security-ops req pipelines (Greenhouse, Lever, Ashby, Workday) tag a Splunk, Sentinel, or CrowdStrike token with more confidence when it sits inside a labeled Skills block near the top of page one. Push it onto page two and your SIEM-plus-EDR-plus-IR story leaks out into the job paragraphs and loses parser weight. Keep the page to 7 to 9 grouped rows so a SOC lead can read your operational surface in a single sweep before opening the first incident bullet.

Copy the req into a scratch doc and underline every named SIEM, EDR, email-security gateway, threat-intel feed, case-management product, sandbox, forensic utility, scripting language, and certification body. Highlight the ones that surface twice or more in the posting. Set that list next to your current Skills rows and check for missing chips. When a product recurs in the JD but is absent from your file, fold it onto the matching row only when you can defend it on a triage call, then make sure at least one bullet pins the same product to an alerts-per-shift figure, an MTTR delta, an incident count, or an FP-reduction percentage. Once the rows look right, run the resume through an ATS Checker as the final pass so the labels and structured fields still parse cleanly without a token getting swallowed by the layout.

A SOC Analyst page is pitched at the operator who runs the queue: Splunk or Sentinel alert triage by tier, CrowdStrike or SentinelOne live-response sessions, phishing-triage cycles through Proofpoint or Defender for O365, threat-hunt notebooks running ATT&CK-aligned hypotheses, IR playbook execution on SEV1 and SEV2 incidents, IOC sweeps off MISP or Recorded Future feeds, and shift-handoff notes that hold up under a postmortem read. A Security Engineer page is pitched at the builder of the platform underneath: AppSec scanner rollouts, CSPM coverage across cloud accounts, IAM-at-scale policy design, detection-as-code authorship in Sigma and KQL, secrets-vault migrations, WAF rule sets, and Python automation gluing controls together. If your day is working the alert queue, leading the early IR call, and tuning saved searches the engineering side wrote, the file belongs in the SOC pile. If your day is rolling Snyk across product teams or standing up Wiz across 40 AWS accounts, the file belongs in the Security Engineer pile. Splitting the difference dilutes the operational evidence a SOC hiring lead reads the page for.

Lead with whichever one carries the deeper story for the chair you are aiming at. Read the top 5 reqs in your inbox: if four out of five say Splunk Enterprise Security, push Splunk to the front of the Detection & SIEM row and pin a bullet to a saved-search-tuning win, a notable-event chain, or an ES correlation-search authorship line. If the postings are Microsoft Sentinel and Defender heavy, KQL goes first and the bullet anchors a hunting notebook, a workbook you authored, or a Logic App playbook you handed off to a junior. Trying to weight them as equals on the row reads like a fence-sit, and the JD-side parser scores a single front-loaded platform name harder than a tied pair. Carry the second platform inside the row but let the first one own the lead chip and the matched bullet.

CompTIA Security+ is the entry filter HR routes a T1 file through before a SOC lead ever sees it; treat it as table stakes by month six on the job. CySA+ pairs naturally with a T1-to-T2 promotion case and reads well alongside a shift of triage experience. GCIA (Intrusion Analyst) carries weight on packet-heavy and network-detection chairs and pairs cleanly with Zeek, Suricata, and Wireshark mentions. GCIH (Incident Handler) is the credential most US SOC leads check for at T2 and above, because it maps onto NIST 800-61 IR work on the resume. GCFA shifts the file toward DFIR-tier postings and works well when a Volatility or KAPE bullet is on the page. BTL1 from Security Blue Team has gained ground at L1 and L2 because it is hands-on and budget-friendly, and a growing share of T2 reqs list it as acceptable. List the credentials on a single Certifications row near Education, name the issuing body next to each (CompTIA, SANS, Security Blue Team), and skip any in-progress lines unless the sit date is locked in.

Six number families hold the weight on a 2026 SOC Analyst page. Alerts triaged per shift with the platform named (worked 70 to 110 Splunk alerts per shift across a 9-person SOC). Mean time to respond on incidents inside an SLA window (cut SEV2 MTTR from 47 minutes to 11 minutes across the past 2 quarters via runbook automation). Escalation rate to the tier above (held T1-to-T2 escalation at 12 percent of queue volume, lifting from a baseline of 28 percent through saved-search tuning). Incidents led by tier (lead investigator on 14 SEV1 and SEV2 events over the year, owning the IR bridge through containment). Threat-hunt cycles run (authored 22 hypothesis-driven hunts mapped to ATT&CK Initial Access and Lateral Movement, surfacing 6 confirmed persistence findings). False-positive reduction on a tuned detection family (dropped FP rate from 71 percent to 18 percent across 38 saved searches). Bare numbers without a platform, a framework, or a queue context land as filler in 2026; a credible bullet wires one or two of those figures to a named SIEM or EDR and a real outcome.

Next steps

From skill list to finished SOC Analyst resume

The Skills rows on their own carry the inventory; what turns the page into a credible SOC file is the scaffolding around them. Once the chip names and row labels are settled, four next moves push the rest of the page through a real SOC hiring read.

The tier labels and frequency bars above come off a sample of roughly 240 US SOC Analyst postings I read through on LinkedIn, Indeed, and MSSP career pages over Q1 2026. The weight on any single platform shifts between quarters; run a fresh tally against the reqs sitting in your application queue this week before locking in any one SIEM or EDR as the load-bearing chip on the row.