
SOC analyst certifications: a ranking from entry to senior level

SOC analyst certification path from Tier 1 to Tier 3: BTL1, CySA+, SC-200, Splunk, GCIA, GCIH with salary data and tools each certification prepares you to use.


A Tier 1 SOC analyst acknowledges and categorizes alerts. A Tier 3 SOC analyst hunts for threats that haven't triggered any alerts yet. The certifications that make sense at each tier are different enough that a senior analyst's GCIA certification would be overkill for someone who just started their first security operations role — and a BTL1 certification would be insufficient evidence of skill for someone applying to a senior threat hunter position. Here's the map.


The SOC tier structure and what each level does

Before mapping certifications, it helps to be precise about what each tier actually does:

| SOC Tier   | Role Description                        | Primary Activities                                                                  |
|------------|-----------------------------------------|-------------------------------------------------------------------------------------|
| Tier 1     | Alert analyst / SOC analyst             | Triage alerts, initial analysis, close false positives, escalate true positives      |
| Tier 2     | Security analyst / incident responder   | Deep-dive analysis, incident containment, correlation across multiple alerts         |
| Tier 3     | Senior analyst / threat hunter          | Proactive threat hunting, custom detection rule development, malware analysis        |
| Leadership | SOC manager / CISO                      | Program management, metrics, reporting, staffing, tool procurement                   |

The certification path should track this progression — each level of certification should demonstrate the skills required for the corresponding tier.

Salary ranges by tier (US, 2024)

| SOC Tier               | Typical Certification Profile       | Salary Range          |
|------------------------|-------------------------------------|-----------------------|
| Tier 1                 | Security+, BTL1                     | $50,000 - $65,000     |
| Tier 2                 | CySA+, SC-200, Splunk Power User    | $70,000 - $90,000     |
| Tier 3 / Threat Hunter | GCIA, GCIH, OSCP                    | $95,000 - $130,000    |
| SOC Manager            | CISM, GCIH + management exp.        | $115,000 - $145,000   |

These ranges reflect US market averages and vary significantly by geography, industry, and employer size. Government contractor SOC roles with security clearances typically add $15,000-$30,000 to these ranges.


Tier 1: BTL1 and CompTIA Security+

Blue Team Labs Online BTL1

The BTL1 (Blue Team Level 1) from Security Blue Team is the most job-relevant entry-level SOC certification available as of 2024. It costs $499 for the course and exam combined.

BTL1 covers:

  • Phishing analysis (analyzing malicious emails, extracting indicators, writing reports)
  • Threat intelligence consumption
  • Digital forensics (log analysis, disk analysis, memory forensics)
  • SIEM (Splunk) basics
  • Incident response fundamentals

The BTL1 exam is a 24-hour practical assessment where you investigate a simulated security incident and answer questions about what you find. There are no multiple choice questions — you must actually do the analysis. A Tier 1 SOC analyst role interview that includes a technical screening will test exactly the skills BTL1 demonstrates: can you analyze a phishing email, identify IOCs from a SIEM, and write an investigation summary?

CompTIA Security+

Security+ is foundational and widely recognized. It satisfies DoD 8570 IAT Level II requirements, which means it's required for many government-adjacent SOC roles. It doesn't prove hands-on SOC skills but demonstrates baseline security knowledge and is often listed as a minimum requirement in Tier 1 SOC job postings.

The combination of Security+ and BTL1 is a strong Tier 1 SOC application package.

CySA+ vs BTL1 for Tier 1

| Factor               | BTL1                         | CySA+                                  |
|----------------------|------------------------------|----------------------------------------|
| Cost                 | $499                         | $392                                   |
| Format               | 24-hour practical            | Multiple choice + performance-based    |
| Hands-on evidence    | Yes — actual investigations  | Partial — scenario questions           |
| DoD 8570 compliance  | No                           | Yes (CSSP Analyst)                     |
| Best for             | Private sector SOC roles     | Government-adjacent roles              |
| Employer recognition | Growing rapidly              | Established                            |

For candidates targeting purely private sector SOC roles, BTL1 demonstrates more relevant capability. For candidates targeting government or defense contractor SOC roles, CySA+ satisfies a compliance checkbox that BTL1 does not.


Tier 2: CompTIA CySA+ and Microsoft SC-200

CompTIA CySA+ (CS0-003)

CySA+ is specifically designed for the security analyst role and is the natural progression after Security+ for SOC analysts. It costs $392 and tests:

  • Threat and vulnerability management
  • Software and systems security analysis
  • Security operations and monitoring
  • Incident response
  • Compliance and assessment

CySA+ satisfies DoD 8570 CSSP Analyst requirements, making it valuable for analysts working in government-adjacent environments. The exam includes performance-based questions that require analytical thinking rather than just memorization.

Microsoft SC-200: Microsoft Security Operations Analyst

For SOC analysts working in Microsoft environments (which describes most enterprise SOC environments in 2024), SC-200 is increasingly important. It covers:

  1. Microsoft Defender for Endpoint
  2. Microsoft Defender for Office 365
  3. Microsoft Sentinel (SIEM + SOAR)
  4. Microsoft Defender for Cloud

The SC-200 exam costs $165 and tests practical knowledge of the Microsoft security stack. Organizations that have migrated to Microsoft Sentinel specifically benefit from analysts with SC-200 because it maps directly to tools they use daily.

GCIH vs CySA+ for mid-level analysts: CySA+ is the more accessible path — it costs $392, has no associated course requirement, and can be studied for independently. GCIH requires the associated SANS course (SEC504) for most candidates, running $7,000-$8,000. The practical tradeoff: CySA+ is sufficient for most Tier 2 SOC analyst roles. GCIH is the credential that separates Tier 2 from Tier 3 and signals readiness for senior analyst and threat hunter responsibilities.


Tier 2-3 Transition: Splunk certifications

Splunk is the dominant SIEM platform in enterprise and government SOC environments. Splunk's certification program is role-based:

  1. Splunk Core Certified User ($130): Basic search, transforming commands, creating dashboards. This is the entry point for SOC analysts who use Splunk. The exam covers stats, chart, timechart, eval, and basic search commands.

  2. Splunk Core Certified Power User ($130): Advanced searches, statistical commands, creating lookups and workflow actions. Tier 2 analysts should target this level. It tests transaction, lookup, inputlookup, and complex eval expressions.

  3. Splunk Enterprise Certified Admin ($200): Installation, configuration, and administration. For analysts who also manage the SIEM platform.

  4. Splunk SOAR Certified ($130): For analysts working with Splunk's Security Orchestration, Automation and Response platform. Tests playbook creation, case management, and automation logic.

  5. Splunk BOTS (Boss of the SOC): A free annual competition that tests practical Splunk analysis skills against realistic attack data. Not a certification but widely respected as a skills demonstration — BOTS scores and participation are mentioned in resumes and interview discussions.

"In interviews for senior SOC analyst roles, I ask candidates to walk me through a Splunk query they wrote to detect lateral movement in their current environment. Candidates with real SIEM experience answer confidently. Candidates who studied for the certification without hands-on practice are visibly uncomfortable." — Rachel Tobac, security awareness trainer and social engineering expert
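As an added illustration of the kind of search the interview question above refers to, here is a Splunk SPL query that flags one account authenticating to many distinct hosts over the network in a short window, a common lateral movement signal. It is an example written for this article, not code from the original page or from Splunk's own materials. It assumes Windows security events are indexed in `wineventlog` as XML-formatted events with the field names used by the Splunk Add-on for Windows (`TargetUserName`, `Computer`, `IpAddress`, `LogonType`), and that a lookup file `service_accounts.csv` with columns `user` and `is_service_account` has been uploaded; both are assumptions to adjust for your own environment. It exercises the Power User-level commands the certification list mentions (`eval`, `lookup`, `stats`, `where`).

```spl
index=wineventlog sourcetype=XmlWinEventLog EventCode=4624 LogonType=3
| eval user=lower(TargetUserName), dest=lower(Computer)
| where NOT like(user, "%$")
| lookup service_accounts.csv user OUTPUT is_service_account
| where isnull(is_service_account)
| bin _time span=15m
| stats dc(dest) AS distinct_hosts, values(dest) AS hosts, count AS logons BY _time, user, IpAddress
| where distinct_hosts >= 5
| sort - distinct_hosts
```

Line by line: the base search selects successful network logons (Event ID 4624, logon type 3); the `eval` normalizes case so the same account is not counted twice; the first `where` drops machine accounts (names ending in `$`), which legitimately authenticate to many hosts; the `lookup` and second `where` suppress known service accounts; `bin` groups events into 15-minute buckets; `stats` counts distinct destination hosts per user and source IP within each bucket; and the final `where` keeps only accounts that touched five or more hosts. The threshold of five and the 15-minute window are starting points, not tuned values: the baseline-deviation skills that GCIA covers are exactly what you need to set them from your own environment's normal logon behaviour before turning this into a scheduled alert.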


Tier 3: GCIA, GCIH, and GCFE

The GIAC certifications (from SANS Institute) are the gold standard for senior SOC analyst roles. Most cost $949 for the exam after completing the associated SANS course ($7,000-$8,000 for in-person or OnDemand versions) — but SANS also offers the WorkStudy program, where students attend a course at a significantly reduced rate in exchange for serving as teaching assistants. The investment is substantial, but GIAC certifications in job postings for Tier 3 roles are often listed as "required" rather than "preferred."

GCIA: GIAC Certified Intrusion Analyst

GCIA focuses on network intrusion analysis, traffic analysis, and anomaly detection. It's the certification most directly aligned with threat hunting and senior analyst work. Content includes:

  • Network forensics and packet analysis (Wireshark, tcpdump)
  • Intrusion detection system rule writing
  • Network traffic analysis and baseline deviation detection
  • Application layer protocol analysis

The GCIA exam is 3 hours, 106 questions, and requires 67% to pass. The associated SANS course is SEC503 (Intrusion Detection In-Depth).

GCIH: GIAC Certified Incident Handler

GCIH covers the incident response lifecycle at depth — detection, containment, eradication, and recovery. It includes hands-on coverage of tools like Volatility for memory forensics, network analysis, and malware behavior analysis. The associated course is SEC504 (Hacker Techniques, Exploits & Incident Handling).

GCIH is appropriate for Tier 2-3 transition candidates who want to build both the offensive understanding (how attacks work) and defensive skills (how to respond to them) in a single certification effort.

GCFE: GIAC Certified Forensic Examiner

For analysts who specialize in digital forensics and eDiscovery, GCFE covers Windows forensics, browser artifact analysis, email investigation, and chain of custody procedures. The associated course is FOR500 (Windows Forensic Analysis).


For candidates with no IT background:

  1. CompTIA A+ (optional, helps with helpdesk to SOC transition)
  2. Security+
  3. BTL1
  4. CySA+
  5. Splunk Core Certified Power User
  6. GCIA or GCIH (3-5 years into career)

For candidates with network engineering background:

  1. Security+
  2. SC-200 (if Microsoft environment) or Splunk certifications
  3. CySA+
  4. GCIA (network analysis aligns with network engineering background)

For candidates with development background:

  1. Security+
  2. PNPT or eJPT (understand attacker perspective)
  3. CySA+
  4. GCFE or GCIH

Real career examples

Derek started as a Tier 1 analyst with Security+ at $58,000. After obtaining CySA+ and Splunk Core Certified Power User, he moved to a Tier 2 role at $82,000. After completing GCIA (self-funded through SANS OnDemand), he moved to a threat hunter role at $108,000 — an 86% salary increase from his starting point over four years.

Sandra entered the SOC directly from a network engineering background and focused on Splunk and SC-200 certifications. Her network knowledge accelerated her to Tier 2 within 18 months, and she now earns $91,000 with three years of SOC experience.


The self-funded vs employer-funded path

GIAC certifications are a significant financial commitment for self-funded candidates. The SANS SEC503 course plus GCIA exam costs approximately $8,000-$9,000. For early-career analysts, this is the primary barrier.

Self-funding options:

  • SANS OnDemand (video format) eliminates travel expenses while keeping the same course content
  • GIAC exam-only path: GIAC allows purchasing the exam without the associated SANS course for $949, with two practice exams included. Candidates who use free resources (SANS whitepapers, Wireshark documentation, community study groups) to cover the course content can attempt the exam-only path at 85-90% lower cost, though pass rates are lower
  • Some employers offer SANS training as a benefit for analysts who commit to staying for 12-18 months post-training

Employer-funded path: If your organization has a security training budget, the SANS courses are the most impactful use of that budget for SOC analysts. A well-phrased business case ties the training to a specific detection capability gap — "GCIA certification from SEC503 would give our team the packet analysis skills to detect the lateral movement patterns we currently miss" — rather than framing it as personal career advancement.

The combination of Security+ (employer often pays) + BTL1 ($499) + CySA+ ($392) + Splunk Core Certified Power User ($130) gives a strong Tier 1-2 credential profile for approximately $1,000-1,200 total out-of-pocket, excluding study materials. This path is entirely self-fundable on an analyst's salary and positions a candidate competitively for Tier 2 roles at $70,000-$90,000 before requiring the GIAC-level investment.


See also: Cloud security certifications: CCSP, AWS Security, and Azure Security compared, CompTIA Security+ as a CISSP stepping stone: the logical path


Frequently Asked Questions

What certifications do Tier 1 SOC analysts need?

CompTIA Security+ is the most commonly required entry-level certification for Tier 1 SOC roles and satisfies DoD 8570 IAT Level II. The BTL1 (Blue Team Level 1) from Security Blue Team adds practical skills validation with a 24-hour hands-on exam covering phishing analysis, Splunk basics, and digital forensics — making the Security+ and BTL1 combination a strong entry package.

What is the BTL1 certification and is it worth getting?

BTL1 (Blue Team Level 1) is a $499 certification from Security Blue Team that uses a 24-hour practical exam to test SOC analysis skills including phishing investigation, SIEM usage, threat intelligence, and digital forensics. It's considered one of the most job-relevant entry-level SOC certifications because it tests hands-on skills rather than just knowledge.

Do GIAC certifications require SANS courses?

GIAC exams do not technically require the associated SANS course — you can register for GIAC exams directly. However, SANS courses provide the most comprehensive preparation for GIAC exams, and most successful GCIA and GCIH candidates either took the SANS course or used SANS course materials obtained through work or community resources.

How much do senior SOC analysts earn with GCIA or GCIH?

Senior SOC analysts and threat hunters holding GCIA or GCIH certifications earn $95,000-$130,000 in the United States as of 2024. Government contractor SOC roles with security clearances add $15,000-$30,000 to these ranges. The GIAC credential premium reflects both the exam difficulty and the comprehensive SANS training required to pass.

Is Splunk certification valuable for SOC analysts?

Splunk certifications are highly practical because Splunk is the dominant SIEM platform in enterprise SOC environments. Splunk Core Certified Power User ($130) demonstrates competency in advanced searching and correlation that Tier 2 analysts use daily. Paired with CySA+ or SC-200, Splunk certification provides both vendor-neutral and vendor-specific evidence of SOC capability.