50 SOC Analyst Jokes
Day one in the SOC: "Where's the runbook?" Day two in the SOC: "Oh."
The alert queue does not empty. It redistributes.
"Did you map it to ATT&CK?" Yes. T1078. Everything is T1078.
I closed the same alert 84 times this week. It has my employee ID on it now.
"Tier 1 should escalate when in doubt." Tier 1 is always in doubt.
Shift handoff: "Anything I should know?" "No." There is always something.
The SOC has a maturity model. We are between levels. Between levels is where we live.
I joined the SOC. I was told it was 80% process, 20% analysis. It is 100% queue.
"Why didn't you escalate this?" I escalated the last one. It came back marked "please triage further."
Alert volume vs analyst capacity: this is not a chart, this is a confession.
"We tuned the SIEM." We lowered the threshold on the rule that already produced 90% of the noise.
An analyst's keyboard shortcut for "close as benign" is muscle memory by week three.
The MITRE ATT&CK matrix is beautiful. My ticket queue is not.
"What's the SOC's biggest blind spot?" "The thing we have not been breached by yet."
Tier 1 is where careers begin. Tier 1 is also where careers go to be slowly converted into ticket count metrics.
"The SOAR playbook will handle it." The SOAR playbook handled it by paging me.
I have written the same justification 600 times: "Activity consistent with legitimate user behavior. Closing as benign."
"Why did the analyst leave?" The rotation was 7-on 1-off and the off day was a holiday.
The threat intel team built a beautiful platform. The SOC uses three feeds from it. The rest is for the slide deck.
"MTTR was 4 minutes." The R was responding-to-the-ticket. The actual response was 11 hours.
I do not have impostor syndrome. I have alert fatigue that looks like impostor syndrome.
"Why didn't the SIEM catch it?" It did. The rule fired into the queue marked low. Low is where alerts go to retire.
The SOC dashboard has 18 widgets. Four of them work. The rest are from a vendor evaluation in 2020.
"We don't have alert fatigue." The analyst who said this hasn't logged in for three days.
I joined a SOC bridge. The SOC bridge was already escalated. The SOC bridge had been escalated for 36 hours. Nobody remembered why.
"What's the difference between Tier 2 and Tier 3?" "Tier 3 ignores Slack faster."
The vendor sold us automation. The automation generated alerts about itself.
Threat hunting is what we do when the queue is under 2,000. The queue has never been under 2,000.
"Document your findings." The documentation tool is a wiki, a ticket field, a Slack channel, an email, and a Word doc on a shared drive.
I love a good severity matrix. The severity matrix says: low if business hours, high if not. Real severity is unknown.
"This vendor's EDR has 99.9% detection." The 0.1% it misses is everything that has ever happened.
The SOC's institutional knowledge is held by one person. That person was hired in 2018. That person is leaving Friday.
"Why didn't you ask in the channel?" I did. The channel said "hmm, that's weird," and then nothing for six hours.
Detection engineering writes the rule. The SOC closes the rule's output. The SOC and detection engineering have not spoken since.
"Did you check VirusTotal?" VirusTotal said 0/72 and also "this file is signed by Microsoft."
An analyst's main tool is not the SIEM. It is Ctrl-F in a 40 MB log file.
"What does the SOC do?" "We watch." "What do you watch?" "Whatever the rules tell us to."
I asked about career growth. The answer was "Tier 2 in 18 months." Tier 2 is the same job at 1.4x the noise.
"Why is the queue so long?" Because closing alerts is the only metric, and the only sustainable strategy is closing them in batches without reading them too closely.
The threat actor stayed in the network for 9 months. The SOC has 9 months of alerts mentioning the threat actor. The SOC also has 9 months of alerts that are louder.
An analyst's job security comes from being the only one who remembers what last quarter's rule change actually did.
"Have you tried adjusting the suppression list?" The suppression list is 11,000 entries long. It is also load-bearing.
The CEO asked how the SOC was doing. I showed him a queue. He said "good, looks active."
We don't have a 24/7 SOC. We have an 8/5 SOC with very brave on-call rotations.
"What's the difference between a SOC and a NOC?" The NOC fixes things. The SOC writes about them.
I closed an alert as benign. The IR team reopened it as the start of an incident. My KPI went up. Theirs went down. Neither of us is right.
"This will only take a minute." The minute was an unknown binary executing under a service account at 3:47 a.m.
The SOC was procured to demonstrate maturity. The maturity is the SOC. Nobody is sure what the SOC has matured into.
Vendor pitch: "Reduce alert volume by 70%." Three months later: alert volume up 40%, with a new category called "insights."
The job is mostly looking at the same thing 200 times until the one time it isn't the same, and being awake when it isn't.
Why the SOC joke writes itself
The SOC is a room (or, increasingly, a Slack workspace) where the central activity is not stopping attacks but classifying them. Most of the work is sorting noise from signal, and the noise wins by volume every single day. The joke writes itself because the role contains a built-in contradiction: the only measurable output is closing tickets, but the only valuable output is the rare ticket you do not close. Every analyst has lived the moment where those two pressures point in opposite directions, and the company evaluates them on the first one.
What makes SOC humor distinct from the broader security genre is the shift work. Pentesters and detection engineers can take a long weekend. The SOC is on a rotation. The queue at 3 a.m. on a Sunday is the same queue as at 11 a.m. on a Tuesday, and the analyst at the keyboard is the same human metabolism on five hours of sleep. So the comedy is small, granular, and physical. It is the keyboard shortcut for closing benign, the suppression list nobody dares prune, the false positive everyone in the SOC has personally closed and given a name to.
The deeper note is that the SOC is one of the few places in the company where the right answer and the rewarded answer come apart most days. Closing the queue gets you praised. Reading every alert gets you behind. The mature analyst learns to do enough of both to keep the job, and to make jokes about the gap with the other people on shift. The humor is the union card. It is also, quietly, the retention strategy that the org chart does not name.
See also
- 55 Cybersecurity Analyst Jokes for People Reading the Logs at 2am: the broader analyst genre, with the same SIEM and a wider remit.
- 60 Hacker Jokes for People Who Have Actually Read the CVE: the people on the other end of the alerts.
- 50 Sysadmin Jokes That Hit Too Close to Home: the on-call siblings on the infrastructure side.
- 70 Slack Jokes Every Channel Member Recognizes: the #soc-ops channel where the shift handoff happens.
- 60 Zoom Meeting Jokes Everyone on Mute Knows: the bridge the SOC gets pulled into.
- 55 Email Chain Jokes for People Stuck on the Thread: the post-incident thread with 31 reply-alls.
- 60 Executive Leadership Jokes for People Who Have Sat Through the Keynote: the leadership team asking why the queue is so long.
Sources
Authoritative references this article was fact-checked against.
- MITRE ATT&CK Framework, MITRE Corporation: attack.mitre.org
- SANS SOC Survey and White Papers, SANS Institute: sans.org