D8 · CySA+

What are SOC tiers?

Tier 1: alert triage, basic analysis, escalation.
Tier 2: deeper investigation, incident handling, malware analysis.
Tier 3: threat hunting, advanced forensics, detection engineering, threat intelligence.
Most SIEM alerts go to Tier 1. SOAR automation handles the most repetitive Tier 1 tasks. Tier 2/3 analysts write the detection rules that feed Tier 1. Career path: Tier 1 → Tier 2 → Tier 3 → Specialty (forensics, threat intel, red team).