Updated: April 5, 2026

SOC Analyst Resume Examples (United States, 2026)

Copy-paste SOC Analyst resume examples for the United States, plus strong vs. weak summaries, experience bullets, and ATS skills for 2026 hiring.

You googled SOC Analyst resume examples because you’re not “researching.” You’re writing. Probably with a job post open in another tab and a deadline breathing down your neck.

Good. Here are three complete SOC Analyst resumes for the United States you can copy, paste, and adapt in 10 minutes. Pick the one closest to your level (mid, junior, senior), swap in your tools and numbers, and ship it.

One promise: these aren’t fluffy “security professional” templates. They read like a real SOC Analyst who has actually lived in a SIEM all day.

Resume Sample #1 (Hero) — Mid-Level SOC Analyst (L2-leaning)

Resume Example

Jordan Mitchell

SOC Analyst

Austin, United States · jordan.mitchell@protonmail.com · (512) 555-0148

Professional Summary

SOC Analyst with 4+ years in 24/7 Security Operations Center Analyst environments, specializing in Splunk detection tuning, endpoint triage (CrowdStrike), and incident response under NIST 800-61. Reduced false positives by 28% by rewriting correlation searches and improving alert enrichment. Targeting an L2 SOC Analyst role focused on threat hunting and detection engineering.

Experience

SOC Analyst (L2) — RedMesa Financial Systems, Austin

06/2022 – Present

  • Tuned Splunk ES correlation searches and risk-based alerting to cut high-volume false positives by 28% and improve analyst queue throughput from 45 to 62 alerts/day.
  • Investigated phishing-to-O365 account takeover attempts using Microsoft Defender for Office 365, Azure AD sign-in logs, and Proofpoint TAP, containing 14 incidents with an average time-to-contain of 32 minutes.
  • Led endpoint triage in CrowdStrike Falcon (process tree + RTR) and isolated 9 hosts during a suspected ransomware staging event, preventing lateral movement to two critical file servers.

SOC Analyst (L1) — HarborPoint Managed Security, Round Rock

03/2020 – 05/2022

  • Triaged 60–90 daily alerts across Splunk, Palo Alto Cortex XDR, and Cisco Secure Firewall, maintaining 98% SLA adherence for initial response under 15 minutes.
  • Built a phishing analysis workflow using VirusTotal, URLScan, and sandbox detonations, improving true-positive identification rate from 41% to 57% over 8 weeks.

Education

B.S. Cybersecurity — Texas State University, San Marcos, 2016–2020

Skills

Splunk Enterprise Security (ES), KQL, Microsoft Sentinel, CrowdStrike Falcon, Microsoft Defender for Endpoint, Defender for Office 365, Azure AD logs, Okta, Wireshark, Zeek, Sysmon, EDR triage, MITRE ATT&CK mapping, incident response (NIST 800-61), SOAR (Cortex XSOAR), phishing analysis, threat hunting, vulnerability triage (Tenable), ticketing (ServiceNow), L1 SOC Analyst, L2 SOC Analyst

Breakdown: why this mid-level SOC Analyst resume works

You’re not trying to “sound cybersecurity.” You’re trying to make a SOC manager think: this person will lower my backlog and won’t panic at 2 a.m. This sample does that by being specific about (1) the environment, (2) the tools, and (3) the outcomes.

Professional Summary breakdown

The summary hits three signals fast: your SOC level, your core stack (SIEM + EDR + cloud identity), and proof you improved the operation (false positives down 28%). That’s what US hiring teams scan for in the first 8 seconds.

Weak version:

SOC Analyst with experience in cybersecurity. Skilled in monitoring and incident response. Looking for a challenging role to grow.

Strong version:

SOC Analyst with 4+ years in 24/7 Security Operations Center Analyst environments, specializing in Splunk detection tuning, endpoint triage (CrowdStrike), and incident response under NIST 800-61. Reduced false positives by 28% by rewriting correlation searches and improving alert enrichment. Targeting an L2 SOC Analyst role focused on threat hunting and detection engineering.

The strong version names the actual work (detection tuning, endpoint triage), the actual tools (Splunk, CrowdStrike), and a measurable win (28%). It also tells them what role you want—without sounding like an “objective statement.”

Experience section breakdown

Notice the bullets don’t describe duties. They describe outcomes tied to SOC reality: false positives, time-to-contain, isolations, queue throughput, SLA adherence. Also, each bullet has a “because I used X” backbone—Splunk ES, Defender, Azure AD logs, CrowdStrike RTR.

Weak version:

Monitored SIEM alerts and escalated incidents to senior analysts.

Strong version:

Tuned Splunk ES correlation searches and risk-based alerting to cut high-volume false positives by 28% and improve analyst queue throughput from 45 to 62 alerts/day.

The difference is brutal: the strong bullet proves you can improve detection quality (a very L2 SOC Analyst signal), not just click “escalate.”

Skills section breakdown

This skills line is built for ATS and for the human reviewer who wants to see your stack in one breath. In the US market, job posts commonly filter for SIEM (Splunk/Sentinel), EDR (CrowdStrike/Defender), cloud identity logs (Azure AD/Okta), and a framework anchor (MITRE ATT&CK, NIST).

Also important: you’ll see L1 SOC Analyst and L2 SOC Analyst included. Those “stack narrowing” terms help when the job title is level-specific—even if the company calls it “Cybersecurity Analyst” or “Security Analyst.”

Resume Sample #2 — Entry-Level / Junior SOC Analyst (L1)

Resume Example

Maya Patel

SOC Analyst

Charlotte, United States · maya.patel@outlook.com · (704) 555-0192

Professional Summary

Junior SOC Analyst with 1+ year of hands-on alert triage and phishing investigations in Microsoft Sentinel and Defender for Endpoint, plus lab-based detection practice mapped to MITRE ATT&CK. Improved triage consistency by creating a KQL-based enrichment checklist that reduced “needs more info” escalations by 22%. Seeking an L1 SOC Analyst role in a Security Operations Center Analyst team with strong runbooks and mentorship.

Experience

SOC Analyst (L1) — BlueCrest HealthTech Services, Charlotte

07/2024 – Present

  • Triaged 35–55 daily Sentinel incidents using KQL queries and entity timelines, meeting a 15-minute initial response SLA for 96% of tickets.
  • Investigated phishing emails in Defender for Office 365 (headers, URLs, attachments) and coordinated user containment steps, reducing repeat clickers by 18% through targeted user follow-ups.
  • Documented 12 SOC runbooks in Confluence (phishing, impossible travel, malware alerts), cutting average handoff time to L2 by 9 minutes per case.

IT Support Specialist (Security Focus) — Piedmont City Credit Union, Gastonia

06/2023 – 06/2024

  • Hardened endpoints by deploying Microsoft Defender policies and ASR rules via Intune to 210 devices, decreasing malware detections by 31% over 3 months.
  • Supported MFA rollout for Azure AD and Okta-integrated apps, increasing MFA adoption from 64% to 93% and reducing account lockout tickets by 17%.

Education

B.S. Information Technology — University of North Carolina at Charlotte, Charlotte, 2019–2023

Skills

Microsoft Sentinel, KQL, Microsoft Defender for Endpoint, Defender for Office 365, Azure AD sign-in logs, Okta, Intune, ASR rules, phishing triage, alert triage, incident ticketing (Jira/ServiceNow), MITRE ATT&CK, basic Wireshark, Windows Event Logs, Sysmon basics, SOAR fundamentals, L1 SOC Analyst

At L1, you’re not expected to design detections from scratch—you’re expected to be fast, consistent, and coachable. Lean on volume + SLA metrics, concrete tooling (Sentinel/KQL/Defender), and realistic junior-scope improvements like runbooks and enrichment checklists.

How this junior SOC Analyst resume differs (and why it still wins)

At L1, you’re not expected to “design detections” from scratch. You are expected to be fast, consistent, and coachable. That’s why this resume leans on:

  • clear volume + SLA metrics (35–55 incidents/day, 96% within 15 minutes)
  • concrete tooling (Sentinel + KQL + Defender)
  • process improvements that are realistic for junior scope (runbooks, enrichment checklist)

If you’re coming from help desk or IT support, this is the bridge: show security-adjacent wins (MFA rollout, Intune hardening) that hiring managers recognize immediately.

Resume Sample #3 — Senior SOC Analyst / SOC Lead (Detection + Response)

Resume Example

Daniel Reyes

Senior SOC Analyst

Denver, United States · daniel.reyes@fastmail.com · (303) 555-0176

Professional Summary

Senior SOC Analyst with 8+ years leading Security Operations Center Analyst detection and response across cloud and on-prem, specializing in Microsoft Sentinel + Splunk, SOAR automation, and incident command for high-severity events. Reduced mean time to respond (MTTR) from 74 to 46 minutes by standardizing triage, automating enrichment, and tightening escalation criteria. Targeting a senior L2 SOC Analyst / SOC lead role focused on threat hunting and detection strategy.

Experience

Senior SOC Analyst / Shift Lead — IronGate Software Group, Denver

02/2021 – Present

  • Led a 6-analyst rotation (L1 SOC Analyst + L2 SOC Analyst) and rebuilt escalation paths in ServiceNow, reducing “bounce-back” escalations by 33% and improving on-call satisfaction scores.
  • Implemented SOAR enrichment (Cortex XSOAR + custom Python) to auto-pull Azure AD sign-ins, CrowdStrike host details, and VirusTotal context, cutting triage time per alert by 21%.
  • Ran incident command for a BEC campaign affecting 23 mailboxes, coordinating containment in M365, mailbox rules cleanup, and conditional access changes, preventing an estimated $180K in fraudulent wire transfers.

SOC Analyst (L2) — SummitRidge Managed Detection, Boulder

08/2017 – 01/2021

  • Built and tuned detections in Splunk ES using Sysmon + Windows Event IDs, increasing true-positive rate for credential dumping alerts by 19% over one quarter.
  • Conducted weekly threat hunts using MITRE ATT&CK hypotheses (T1059, T1110) and produced 10 hunt reports that drove 7 new detections into production.

Education

B.S. Computer Science — University of Colorado Denver, Denver, 2013–2017

Skills

SOC leadership, incident command, Microsoft Sentinel, Splunk ES, KQL, detection engineering, threat hunting, MITRE ATT&CK, Cortex XSOAR, Python automation, CrowdStrike Falcon, Microsoft Defender for Endpoint, M365 security, Azure AD / Entra ID, conditional access, Sysmon, Windows Event Logs, Zeek, Wireshark, ServiceNow, NIST 800-61, L2 SOC Analyst

What makes a senior SOC Analyst resume different

Senior resumes don’t win by listing more tools. They win by showing scope and leverage: you improved the system, not just worked tickets. That’s why you see leadership (6-analyst rotation), automation (SOAR + Python), and business-impact containment ($180K prevented).

If you’re aiming for senior, your bullets should read like you’re building a safer machine—not like you’re trapped inside it.

How to write each SOC Analyst resume section (step-by-step)

You can absolutely write this in one sitting. The trick is to stop trying to be “impressive” and start being verifiable. A SOC resume is basically a chain of evidence: logs → tools → decisions → outcomes.

a) Professional Summary

Use this formula and don’t overthink it:

[X years] + [SOC specialization] + [measurable win] + [target role].

Specialization can be: Splunk tuning, Sentinel/KQL triage, EDR investigations, phishing/BEC response, cloud identity monitoring, SOAR automation. Pick the one that matches the job post.

Here’s what you’re avoiding: a vague objective, a paragraph-long life story, or a summary that could belong to a network admin.

Weak version:

Cybersecurity professional with strong analytical skills and a passion for security. Seeking a position where I can contribute to a team.

Strong version:

SOC Analyst with 3+ years triaging Splunk ES and CrowdStrike Falcon alerts, specializing in phishing-to-credential theft investigations and MITRE ATT&CK mapping. Cut false positives by 20% by tuning correlation searches and improving alert enrichment. Seeking an L2 SOC Analyst role in a 24/7 Security Operations Center Analyst team.

The strong version tells them what you do all day, what you improved, and where you’re going next.

b) Experience section

Reverse chronological. 2–4 bullets per role. And every bullet needs a spine: action verb + tool/context + measurable result.

If you can’t quantify, you’re not stuck. Use operational metrics SOC teams actually care about: alert volume/day, SLA %, MTTA/MTTR, false positive reduction, containment time, number of incidents handled, number of runbooks created, number of detections shipped.

Weak version:

Investigated security alerts and responded to incidents.

Strong version:

Investigated 40–70 daily Sentinel incidents using KQL and entity timelines, maintaining 95% compliance with a 15-minute initial response SLA.

Same job. One is fog. One is evidence.

These action verbs work especially well for SOC Analyst roles because they imply judgment under pressure (not just “worked on”):

  • Triaged
  • Investigated
  • Contained
  • Isolated
  • Correlated
  • Tuned
  • Enriched
  • Escalated
  • Automated
  • Validated
  • Mapped (to MITRE ATT&CK)
  • Orchestrated (SOAR)
  • Led (incident command)

c) Skills section

Think of your skills section as an ATS-friendly “stack snapshot.” In the US, many companies screen for specific SIEM/EDR platforms and cloud log sources. So don’t hide them inside bullets only—put them in Skills too.

Pull skills from 3–5 job posts, then keep the overlap. If a post says “Microsoft Sentinel, KQL, Defender,” and yours says “SIEM tools,” you’re making the ATS guess. It won’t.

Here’s a US-market keyword set you can mix and match (don’t paste all of it—choose what you truly used):

Hard Skills / Technical Skills

  • Alert triage, incident response, threat hunting, detection tuning, log analysis
  • Windows Event Logs, Sysmon, PowerShell artifacts, process tree analysis
  • Network traffic analysis, DNS/HTTP investigation, email header analysis
  • MITRE ATT&CK mapping, kill chain analysis

Tools / Software

  • Splunk ES, Microsoft Sentinel, QRadar
  • CrowdStrike Falcon, Microsoft Defender for Endpoint, Cortex XDR
  • Defender for Office 365, Proofpoint, Mimecast
  • Wireshark, Zeek, VirusTotal, URLScan
  • ServiceNow, Jira, Confluence
  • SOAR: Cortex XSOAR, Splunk SOAR

Certifications / Standards

  • CompTIA Security+, CySA+
  • GIAC (GSEC, GCIA, GCIH) (if you have them)
  • NIST 800-61, NIST CSF, ISO 27001 (awareness is useful)

And yes—if you’re applying to level-specific roles, include L1 SOC Analyst or L2 SOC Analyst in Skills when it matches your target. That’s not “keyword stuffing.” That’s matching how the job is labeled.

d) Education and Certifications

For SOC roles in the United States, education is usually a checkbox; your tooling and outcomes do the heavy lifting. List your degree (or relevant associate’s), keep it clean, and don’t waste space on unrelated coursework.

Certs can matter a lot—especially for entry-level. If you have Security+ or CySA+, put it near the top (either in Education or a separate Certifications line). If you’re currently studying, say so honestly: “Security+ (in progress), expected 2026.” That reads as momentum.

If you did a bootcamp or lab program, include it only if you can connect it to real SOC tasks (KQL queries written, detections built, incident labs completed). Otherwise it becomes noise.

Common SOC Analyst resume mistakes (and how to fix them)

The first mistake is writing a summary that could fit any “Security Analyst.” If your summary doesn’t mention a SIEM (Splunk/Sentinel) and an investigation surface (EDR, email, identity), it won’t feel like a SOC resume. Fix it by naming your daily tools and one metric you moved.

The second mistake is dumping a task list in Experience: “monitored alerts, escalated, documented.” That’s what everyone writes—and it tells the hiring manager nothing about your judgment. Fix it by attaching numbers (alerts/day, SLA %, MTTR) and the exact systems you used (CrowdStrike RTR, Azure AD logs, Defender).

Third: a skills section full of vague categories like “Networking, Security, Windows.” That’s not ATS-friendly and it doesn’t help a SOC lead staff a shift. Fix it by listing the platforms they filter for: Splunk ES, Microsoft Sentinel, CrowdStrike Falcon, Defender for Endpoint, ServiceNow, Wireshark.

Finally: ignoring level signals. If you’re applying to L1 SOC Analyst roles, show speed and consistency. If you’re applying to L2 SOC Analyst roles, show tuning, hunting, and complex investigations.

Frequently Asked Questions

Use the exact title from the job posting to match ATS filters, then weave synonyms naturally in your summary or experience. Many US employers use SOC Analyst, while others post Security Operations Center Analyst or Cybersecurity Analyst. Consistency reduces recruiter friction.