The new-age SOC analyst in 2026: tier 1.5

The role of the tier 1 SOC analyst has always been critical. It’s the function responsible for holding the line day-to-day and responding when incidents happen. It’s also the training ground for analysts, teaching them a wide range of basics to prepare them to advance to tier 2. It’s a role that has never been static, but with the pace of change noticeably faster than ever before, the role of the tier 1 SOC analyst is evolving once again.

As AI has become more deeply embedded into security operations, the structure of the SOC, particularly at the entry level, is beginning to shift. Organisations are only just starting to grapple with this change and we can expect the shift to only become more pronounced in 2026.

Traditionally, the tier 1 analyst role has acted as the doorman to the SOC. They have manually monitored for alerts and handled initial investigations, building their skills through repetition and exposure. That way of working still exists and, in many cases, still works, but it is increasingly under pressure as much of what once defined tier 1 work is now automated or augmented by AI-driven tools.

The rise of automation and AI use in the SOC certainly won’t get rid of the tier 1 analyst role. In fact, I predict it will actually create a new role altogether: the level “1.5” analyst.

The rise of the level 1.5 analyst in 2026

In a modern SOC, analysts are increasingly AI-enabled from day one. Alert evaluation and prioritisation often happen before a human ever looks at a case. As a result, even junior analysts are expected to work alongside AI systems, rather than independently of them.

In 2026, this will fundamentally change what “entry-level” really means. New analysts will still need strong technical foundations, but they will also need analytical thinking and contextual awareness much earlier in their careers. It will no longer be enough to simply follow a playbook. Analysts will need to understand why something has been flagged, not just what to do next.

In effect, the floor has risen. The starting point for a SOC career looks very different now that new tier 1 analysts have access to artificial intelligence from day one: they can lean on AI for tasks that took their counterparts years of experience to master. This raises an important question about how analysts build the fundamentals they need to progress.

Learning fundamentals in an automated world

One of the biggest challenges this shift creates is around learning and development. Historically, analysts built expertise by manually working through large volumes of alerts. That repetition helped develop intuition and a deep understanding of organisational processes, escalation procedures, basic playbooks, attacker behaviour and how systems behave under pressure.

There’s a useful parallel here with the film ‘Hidden Figures’. In the film, the mathematicians at NASA learned how to calculate rocket trajectories by hand long before computers automated the process. Even when technology took over, that foundational knowledge remained essential. It allowed them to challenge results, spot errors, and know when not to trust the system.

Of course, over time our confidence in these systems grew (it’s safe to say no one is drawing calculations by hand anymore), and with this confidence came the benefit of speed, efficiency and unlocked capacity for team members. The same principle applies to SOC analysts as automation increases. While the benefits of using AI for early-stage analysis are clear, analysts still need to understand the theory and mechanics behind those tasks. Without that grounding, progression becomes harder, and the risk increases of over-trusting automation at a time when it needs closer scrutiny.

Measuring performance in an AI-enabled SOC

Greater AI enablement also introduces a quieter, but significant, challenge: measurement. Many of the metrics traditionally used to assess SOC performance, including tickets closed or investigations completed, will become less meaningful when analysts are working with different levels of AI assistance.

One analyst may resolve more cases by using AI effectively, while another investigates fewer incidents manually but develops deeper expertise. Both contributions are valuable, yet they don’t look the same on a dashboard.

In the coming year, organisations will need to rethink how they measure productivity and progression to ensure fairness and accuracy. Performance frameworks will need to evolve to reflect the reality of the 1.5 model, valuing judgement, contextual understanding, oversight, and effective use of AI rather than just speed or volume. How success is measured in the SOC will increasingly shape how analysts learn, grow, and contribute.

A more strategic human role

The role of the human SOC analyst will continue to shift upwards. As AI absorbs more repetitive work, analysts will spend more time shaping workflows, embedding AI into operations, evaluating use cases, and strengthening the SOC as a whole.

The SOC of 2026 won’t be one where humans are sidelined. It will be one where analysts who understand both security fundamentals and AI capabilities are better positioned to operate strategically.

The tier 1 role as we knew it may continue to fade, but the opportunity for analysts to have greater impact earlier in their careers, through increased efficiency and improved security, will grow. Organisations that recognise and support that transition over the next year will be far better prepared for the realities of security operations in 2026 and beyond.