A Design-Oriented Onboarding Framework for Tier 1 SOC Analysts
摘要
Security Operations Centers (SOCs) rely heavily on Tier 1 analysts to perform the initial triage and classification of security alerts. Despite the critical nature of this role, newly appointed Tier 1 analysts are frequently onboarded without a structured training approach tailored to the operational realities of modern SOC environments. This paper addresses this gap by presenting the design of a structured, design-oriented onboarding framework for Tier 1 SOC analysts. The study draws on a comprehensive review of SOC operations, cybersecurity frameworks, and pedagogical principles relevant to technical training in high-pressure environments. Guided by an instructional design approach inspired by the ADDIE model, the developed framework comprises three interrelated artefacts: a SOC Tier 1 analyst onboarding handbook, a structured five-day onboarding workshop schedule, and a practical examination environment implemented within a Security Orchestration, Automation, and Response (SOAR) platform, aligned with real-world alert triage activities. The MITRE ATT&CK framework is incorporated as a central theoretical foundation to support consistent threat analysis and decision-making. The paper discusses the structure and intended use of the developed framework within a SOC onboarding context, outlining how the integrated artefacts are designed and developed to support early-stage analyst preparation. The paper contributes a design-oriented onboarding framework intended to support more consistent and role-specific training for Tier 1 SOC analysts, while identifying opportunities for future empirical validation.