In the SOC's three-tier model, who is Tier 3?

Study for the CCST Cybersecurity Test. Study with flashcards and multiple-choice questions; each question has hints and explanations. Get ready for your exam!

Multiple Choice

In the SOC's three-tier model, who is Tier 3?

Explanation:
In the SOC three-tier model, the top tier is focused on proactive, in-depth threat discovery and complex investigations. Tier 1 handles the initial monitoring and alert triage, passing more complex cases to Tier 2, which conducts incident analysis, containment, and remediation. Tier 3 goes further by performing threat hunting—formulating hypotheses about attacker techniques, actively searching the environment for stealthy activity, analyzing intelligence, and developing detections to catch sophisticated threats. That makes Threat Hunter the best fit for Tier 3. An incident manager focuses on coordinating responses across teams rather than doing the hands-on hunting, and Tier 1’s role is frontline triage while Tier 2 handles deeper investigations and containment.

