What Is SOC Level 1?

SOC Level I represents the foundational tier of security operations maturity — the baseline set of capabilities that transform reactive IT security into a structured, measurable detection and response function. This guide explains exactly what Level I requires, where organisations commonly fall short, and how to progress to Level II.

Defining SOC Level I

A Level I Security Operations Center is characterised by formalised, repeatable processes for detecting and responding to security events. It is the first tier where security monitoring transitions from purely reactive ("we know about incidents after the fact") to proactive structured visibility ("we have defined detection coverage and documented response procedures").

In the RateMySOC scoring model, Level I corresponds to a percentage score of 25–49% (27–53 points out of 108). Organisations at this tier have deployed core tooling — principally a SIEM and endpoint protection — and have documented their incident response process, but have not yet implemented threat hunting, advanced behavioural analytics, or significant automation.

Level I is not a low bar. Many small-to-midsize organisations and a surprising number of enterprises have not fully achieved it. The 2024 Verizon DBIR found that median time-to-detection for breaches involving data exfiltration was still measured in weeks — a clear indicator that consistent Level I monitoring coverage remains elusive for many organisations.

The 7 Core Capabilities of a Level I SOC

These are not aspirational goals — they are the minimum demonstrable capabilities that define Level I maturity. Each must be implemented, documented, and tested to count.

1. 24×7 Security Monitoring

Continuous monitoring of the environment means alerts are triaged around the clock — not just during business hours. This typically requires either a staffed follow-the-sun model, on-call rotations, or an MDR/MSSP arrangement covering overnight hours. A Level I SOC has defined escalation paths for after-hours alerts and documented SLAs for initial triage.

2. SIEM Deployment & Log Management

A Security Information and Event Management platform (Splunk, Microsoft Sentinel, IBM QRadar, Elastic SIEM, etc.) is the cornerstone of Level I. Critical log sources are ingested: endpoint telemetry, network flows, authentication logs (Active Directory, Azure AD/Entra), cloud platform logs (AWS CloudTrail, GCP Audit Logs), and perimeter controls (firewall, proxy). Log retention meets minimum regulatory requirements — typically 90 days hot and 12 months archived.

3. Documented Incident Response Plan

A formal IR plan defines roles, responsibilities, communication trees, escalation thresholds, and regulatory notification timelines (e.g. GDPR 72-hour rule, SEC 4-day material disclosure). The plan has been tested — at minimum via a tabletop exercise — within the past 12 months. Playbooks exist for the most common incident types: phishing, ransomware, credential compromise, and data exfiltration.

4. Alert Triage & Escalation Process

Alerts generated by the SIEM and endpoint tooling are triaged in a defined workflow — typically via a ticketing system (ServiceNow, Jira, TheHive). Severity classifications (P1–P4 or Critical/High/Medium/Low) are defined, and response SLAs are documented and measured. Analysts follow structured runbooks rather than ad-hoc investigation approaches.

5. Vulnerability Management Programme

Regular authenticated vulnerability scans (Tenable Nessus, Qualys, Rapid7 InsightVM, or equivalent) cover all in-scope assets. Scan frequency is at least monthly for internet-facing systems and quarterly for internal assets. Critical and high vulnerabilities are tracked through to remediation with defined SLA windows. Patch management is coordinated with IT operations.

6. Endpoint Detection Baseline

Antivirus/antimalware is deployed across all managed endpoints. A Level I SOC may still rely on traditional AV rather than full EDR — but coverage is comprehensive, policies are enforced, and alerts are centralised into the SIEM. EDR deployment (CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint) is a strong Level I target and prerequisite for Level II.

7. Security Awareness & Phishing Controls

Email filtering (SEG or native Microsoft 365 Defender / Google Workspace protections) is configured and tuned. Anti-phishing, DMARC/DKIM/SPF, and URL sandboxing reduce inbound threat volume. Security awareness training is conducted at least annually, with phishing simulation used to measure and reduce click rates.

Common Level I Gaps

These are the most frequent capability failures preventing organisations from reaching or sustaining Level I maturity, based on industry assessment data.

Alert Fatigue Without Tuning (High Impact)

Many organisations deploy a SIEM and immediately drown in low-fidelity alerts. Without ongoing content tuning — suppressing known-good behaviour, adjusting thresholds, and retiring noisy rules — analysts burn out, miss real threats, and MTTD degrades. Level I requires a tuning cadence of at least quarterly content reviews.

Log Source Coverage Gaps (High Impact)

A SIEM with incomplete log ingestion is worse than no SIEM — it creates a false sense of coverage. Common blind spots at Level I: cloud SaaS applications (Salesforce, Workday, ServiceNow), OT/industrial networks, VoIP infrastructure, and development/CI-CD pipelines. Asset inventory drives log source coverage.

Untested Incident Response Plans (Medium Impact)

An IR plan that lives in a SharePoint folder and has never been exercised will fail at the moment of need. Tabletop exercises, even simple 2-hour sessions, identify critical gaps in escalation paths, communication trees, and decision authority before an actual incident forces them to surface.

No Defined Metrics Programme (Medium Impact)

Without measuring Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR), it is impossible to demonstrate improvement or identify bottlenecks. Level I SOCs should track at minimum: alert volume by source, false positive rate, MTTD per severity, MTTR per severity, and SLA adherence.

Inadequate Staffing for 24×7 Coverage (High Impact)

True 24×7 in-house coverage requires at minimum 5–6 FTE analysts to cover three shifts with redundancy. Many organisations claim 24×7 coverage but actually have on-call rotations where a single analyst is monitoring dozens of alerts while asleep. MDR partnerships are often the pragmatic Level I solution.

No Asset Inventory (Medium Impact)

You cannot protect what you cannot see. The absence of a maintained CMDB or network asset inventory means unknown devices generate alerts with no context. Level I requires knowing what's in scope: all managed endpoints, servers, cloud workloads, and network devices — ideally with automatic discovery.

Level I vs Level II: Capability Comparison

Understanding the delta between Level I and Level II helps organisations set a clear roadmap. Level II adds proactive detection, advanced analytics, and adversary simulation on top of the Level I foundation.

Capability                    | Level I                                  | Level II
------------------------------|------------------------------------------|----------------------------------------------
24×7 monitoring coverage      | Required (staff or MDR)                  | Required + coverage metrics
SIEM platform                 | Deployed, core log sources               | Tuned, threat-intel enriched
Log retention                 | 90 days hot / 12 months archived         | Same + structured search at scale
Incident response plan        | Documented, tabletop tested              | Tested via simulation exercises
Endpoint protection           | AV / basic EDR                           | Full EDR (CrowdStrike, S1, MDE)
Threat intelligence           | Feed-based IOC blocking                  | TIP integration, contextualised TTPs
Threat hunting                | Not required                             | Structured programme, MITRE ATT&CK aligned
UEBA / behavioural analytics  | Not required                             | UEBA in SIEM or standalone
Vulnerability management      | Authenticated scans, tracked remediation | Risk-based prioritisation, continuous
Red / purple team exercises   | Not required                             | Annual adversary simulation
SOAR / automation             | Not required                             | Partial — auto-enrichment, phishing triage
Digital forensics capability  | Not required                             | Basic DFIR tools and trained analyst
MITRE ATT&CK alignment        | Awareness only                           | Coverage mapping, detection by tactic
Metrics & KPI programme       | MTTD, MTTR tracked                       | Full dashboard, trend analysis, SLA reporting

How to Achieve Level I: A Practical Roadmap

This six-step sequence reflects the logical dependency order for building Level I capabilities. Steps 1 and 3 (assessment and IR plan) can be run in parallel with SIEM deployment.

1. Conduct a formal gap assessment

Use the RateMySOC assessment to baseline your current score. Map each gap to the Level I capability framework. Prioritise by risk impact: monitoring coverage gaps and untested IR plans are typically highest priority.

2. Establish or consolidate your SIEM

Select a SIEM platform appropriate for your scale and budget. Connect all Tier 1 log sources (AD/Entra, endpoint AV/EDR, firewall, VPN, email gateway, cloud platform). Implement a log retention policy aligned to regulatory requirements. Begin suppressing obvious false positives.

3. Define and test your IR plan

Document your incident response lifecycle: preparation, detection, containment, eradication, recovery, lessons learned. Assign roles. Run a tabletop exercise within 30 days. Establish a ticketing workflow for incident tracking. Document playbooks for your top 5 threat scenarios.

4. Close the 24×7 coverage gap

Determine whether in-house shift coverage, on-call rotations, or MDR is appropriate. If using MDR, establish clear escalation SLAs and integration with your internal IR process. Ensure after-hours escalation paths are tested.

5. Implement vulnerability management

Deploy authenticated scanning across all in-scope assets. Define remediation SLAs by severity (Critical: 24–72 hours, High: 7–14 days, Medium: 30 days). Track remediation completion. Report patch compliance to leadership monthly.
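The remediation SLA tracking this step describes, as an added example that is not part of the original page or the RateMySOC tooling: each finding is placed in a state relative to its deadline and patch compliance is computed per severity for the monthly report. The finding fields, the asset names, and the choice of 72 hours as the Critical breach line (the page gives a 24–72 hour range) are assumptions of the example.

```python
from datetime import datetime, timedelta

# Remediation windows from roadmap step 5. The page gives Critical as 24-72 hours; the outer
# bound (72 h) is used as the breach line here, which is this example's assumption.
REMEDIATION_SLA = {
    "critical": timedelta(hours=72),
    "high": timedelta(days=14),
    "medium": timedelta(days=30),
}

def remediation_status(findings, now):
    """Assign each finding a state and compute per-severity patch compliance.

    States: fixed_in_sla, fixed_late, open_in_sla, overdue. Compliance counts only
    findings whose SLA window has already been decided (fixed, or past due and still open),
    so a fresh finding still inside its window neither helps nor hurts the figure.
    """
    rows, summary = [], {}
    for f in findings:
        sev = f["severity"]
        due = f["first_seen"] + REMEDIATION_SLA[sev]
        fixed = f.get("remediated")
        if fixed is not None:
            state = "fixed_in_sla" if fixed <= due else "fixed_late"
        else:
            state = "overdue" if now > due else "open_in_sla"
        rows.append({**f, "due": due, "state": state})
        s = summary.setdefault(sev, {"decided": 0, "in_sla": 0})
        if state != "open_in_sla":
            s["decided"] += 1
            s["in_sla"] += state == "fixed_in_sla"
    for s in summary.values():
        s["compliance"] = round(s["in_sla"] / s["decided"], 3) if s["decided"] else None
    return rows, summary

def overdue_ids(rows):
    """Findings to escalate to IT operations: still open and past their SLA deadline."""
    return [r["id"] for r in rows if r["state"] == "overdue"]

ts = datetime.fromisoformat
# Constructed scan findings (hypothetical asset names), not real scanner output.
SAMPLE_FINDINGS = [
    {"id": "VULN-101", "asset": "web-01", "severity": "critical", "first_seen": ts("2024-04-10T08:00"), "remediated": ts("2024-04-11T10:00")},
    {"id": "VULN-102", "asset": "vpn-gw", "severity": "critical", "first_seen": ts("2024-04-11T12:00")},
    {"id": "VULN-103", "asset": "app-07", "severity": "high", "first_seen": ts("2024-03-20T09:00"), "remediated": ts("2024-04-08T09:00")},
    {"id": "VULN-104", "asset": "db-02", "severity": "high", "first_seen": ts("2024-04-05T09:00")},
    {"id": "VULN-105", "asset": "file-01", "severity": "medium", "first_seen": ts("2024-03-01T09:00"), "remediated": ts("2024-03-25T09:00")},
]
REPORT_TIME = ts("2024-04-15T09:00")  # constructed report date for the sample period
```

Calling `remediation_status(SAMPLE_FINDINGS, REPORT_TIME)` yields one critical finding overdue (VULN-102) and per-severity compliance of 0.5, 0.0 and 1.0 for critical, high and medium.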

6. Measure and report

Establish a monthly metrics report covering MTTD, MTTR, alert volume, false positive rate, and SLA adherence. Present to leadership. Use metrics to justify tooling or staffing investment. This visibility is required for Level II progression.
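The monthly metric set named here and under the metrics gap above (alert volume by source, false positive rate, MTTD and MTTR per severity, SLA adherence), computed from triage tickets as an added example that is not part of the original page or the RateMySOC tooling. The ticket fields, the per-severity triage SLA minutes, and the metric definitions used (MTTD as event-to-alert, MTTR as alert-to-closure) are assumptions of the example, since the page does not fix them.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

# Triage SLA per severity (minutes from alert creation to first analyst action).
# Assumed values for the example; the page only says SLAs must be defined and measured.
TRIAGE_SLA_MIN = {"P1": 15, "P2": 60, "P3": 240, "P4": 1440}

@dataclass
class Ticket:
    id: str
    source: str                 # tool or log source that raised the alert
    severity: str               # P1-P4
    event_time: datetime        # when the underlying activity happened (log timestamp)
    created: datetime           # when the SIEM/EDR raised the alert
    triaged: datetime           # first analyst acknowledgement
    closed: Optional[datetime]  # containment/closure; None while still open
    false_positive: bool

def _mins(a, b):
    return (b - a).total_seconds() / 60

def monthly_metrics(tickets):
    # Metric definitions assumed here: MTTD = event_time -> created, MTTR = created -> closed,
    # triage SLA = created -> triaged. Volume by source and FP rate are computed over all tickets.
    report = {"volume_by_source": {}, "by_severity": {}}
    for t in tickets:
        report["volume_by_source"][t.source] = report["volume_by_source"].get(t.source, 0) + 1
    fps = sum(t.false_positive for t in tickets)
    report["false_positive_rate"] = round(fps / len(tickets), 3) if tickets else 0.0
    for sev in sorted({t.severity for t in tickets}):
        group = [t for t in tickets if t.severity == sev]
        real = [t for t in group if not t.false_positive]  # FPs would distort MTTD/MTTR
        closed = [t for t in real if t.closed]             # open tickets have no MTTR yet
        within = sum(_mins(t.created, t.triaged) <= TRIAGE_SLA_MIN[sev] for t in group)
        report["by_severity"][sev] = {
            "mttd_min": round(mean(_mins(t.event_time, t.created) for t in real), 1) if real else None,
            "mttr_min": round(mean(_mins(t.created, t.closed) for t in closed), 1) if closed else None,
            "triage_sla_adherence": round(within / len(group), 3),
        }
    return report

ts = datetime.fromisoformat
# Constructed sample tickets for one reporting period, not real incidents.
SAMPLE_TICKETS = [
    Ticket("INC-1", "edr", "P1", ts("2024-03-01T01:30"), ts("2024-03-01T02:00"), ts("2024-03-01T02:10"), ts("2024-03-01T06:00"), False),
    Ticket("INC-2", "siem", "P1", ts("2024-03-02T10:00"), ts("2024-03-02T10:20"), ts("2024-03-02T10:45"), ts("2024-03-02T14:20"), False),
    Ticket("INC-3", "email", "P3", ts("2024-03-03T08:00"), ts("2024-03-03T08:05"), ts("2024-03-03T09:05"), ts("2024-03-03T09:30"), True),
    Ticket("INC-4", "siem", "P3", ts("2024-03-04T07:00"), ts("2024-03-04T09:00"), ts("2024-03-04T12:00"), None, False),
]
```

On the sample set, `monthly_metrics(SAMPLE_TICKETS)` shows the P1 triage SLA met only half the time (INC-2 was acknowledged after 25 minutes against a 15-minute target), which is exactly the kind of bottleneck the monthly report exists to surface.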

Regulatory Minimum for Level I

NIS2 (EU)

Article 21 requires "detection, analysis and mitigation" capabilities with 24-hour early warning and 72-hour incident notification to authorities. Level I is the practical minimum for compliance. Organisations in scope include essential and important entities across 18 sectors.

DORA (Financial)

The Digital Operational Resilience Act mandates ICT incident detection, classification, and reporting for EU financial entities. DORA's incident management requirements map directly to Level I SOC capabilities — centralised logging, defined IR procedures, and regulatory notification timelines.

SEC Cyber Rules (US)

Public companies must disclose material cybersecurity incidents within 4 business days and describe their cybersecurity risk management processes annually. Level I SOC capabilities — particularly the IR plan and incident classification — are foundational to meeting these disclosure obligations.

Frequently Asked Questions

Is SOC Level I a formal industry standard or certification?

Not a certification — it is a capability maturity designation. Frameworks like CMMI, the SOC-CMM, and proprietary models from Gartner and MITRE all describe similar foundational capability tiers. RateMySOC maps to a common understanding of what "basic" vs "advanced" vs "expert" SOC operations looks like, synthesised from these frameworks and real-world practice.

Can a small organisation with 3 security staff reach Level I?

Yes. Level I is not about headcount — it is about capability coverage. A 3-person security team that has deployed a SIEM, maintains documented IR procedures, conducts quarterly vulnerability scans, and uses an MDR provider for 24×7 coverage can legitimately reach Level I. The key is that the capabilities are real, documented, and tested — not aspirational.

Does Level I require a dedicated SOC facility?

No. A physical SOC floor with video walls is not a requirement at any maturity level. What matters is whether monitoring, triage, and response activities happen consistently and with defined processes — whether analysts work from desks, a shared office, or remotely.

How long does it typically take to move from no SOC to Level I?

With dedicated effort and appropriate tooling investment, organisations typically achieve Level I maturity within 6–18 months. The main variables are: SIEM procurement and deployment time, log source onboarding complexity, IR plan development, and whether 24×7 coverage is achieved via MDR (faster) or in-house hiring (slower).

What is the most common reason organisations fail to reach Level I?

Alert fatigue is the single most common failure mode. Organisations deploy a SIEM, connect log sources, and are immediately overwhelmed with thousands of alerts per day — most low-fidelity. Without a tuning programme, analysts triage reactively and miss critical signals. Level I requires a repeatable process for content management: creating, reviewing, suppressing, and retiring detection rules.

Does my MDR provider count toward my SOC maturity score?

Only if you have contractually defined SLAs, active escalation integration, and can verify detection coverage. MDR as a checkbox — where alerts are silently resolved without your team's involvement — does not build organisational maturity. The best MDR arrangements are co-managed: the provider monitors and escalates, and your internal team retains IR ownership and knowledge.

Where does your SOC sit on the maturity scale?

The RateMySOC assessment benchmarks your current capabilities against Level I, II, and III criteria across 27 questions. Free, client-side, results in under 15 minutes.