What Happens After a Cyber Attack?
Inside a SOC Analyst's World Series: Understanding Cybersecurity Step by Step Part
Software engineering learner documenting my journey across Java, backend development, DSA, and cybersecurity. I write beginner-friendly explanations, practical notes, and lessons learned while building and analyzing real-world systems.
We've talked about how hackers find vulnerabilities. But here's the question nobody asks first: what happens on the other side?
Imagine this.
It's 2 AM. A hacker just broke into a company's database.
They’ve been inside the network for hours - quietly moving around, reading files, stealing credentials.
Nobody's panicking. Nobody even knows yet.
Except for one person staring at a screen, watching alerts scroll in real time.
That's the SOC Analyst.
First, let me ask you something
In Part 3, we learned how hackers actually find vulnerabilities - scanning ports, fingerprinting services, mapping what's exposed.
But here's something I didn’t think about when I started:
Every move an attacker makes - every port scan, every failed login, every suspicious request - leaves a trace.
The question is - is anyone watching?
That’s exactly what a Security Operations Center (SOC) is built for.
What is a SOC?
Think of a SOC like a control room.
You know those scenes in movies where a team is watching hundreds of screens, tracking signals, communicating in real time? That's not far from reality.
A SOC (Security Operations Center) is a team whose job is to:
They don’t build the walls.
They watch for anyone trying to climb over them.
So what does a SOC Analyst actually do?
Let’s take a simple real-world scenario.
Let's say someone is trying to brute-force a company's login page - trying thousands of password combinations automatically.
Here's what happens step by step:
1. The attack happens
An attacker sends hundreds of login requests per second. The server sees unusual traffic.
2. Logs are generated
Every login attempt is recorded automatically. Think of logs as a diary the server keeps - every event, every timestamp, every IP address.
3. SIEM picks it up
A tool called SIEM (Security Information and Event Management) collects all those logs from across the system and looks for patterns. 500 failed logins from one IP in 60 seconds? That's a pattern worth flagging.
4. An alert fires
The SIEM triggers an alert - like a smoke alarm going off. It doesn't put out the fire, it just tells someone to go check.
5. The SOC Analyst investigates
The analyst looks at the alert. Is this a real attack or a false alarm? Where is the IP from? Has this happened before? What other systems did this IP touch? They piece the story together like a detective.
Wait, what exactly are logs?
This tripped me up when I started. Let me make it simple.
Logs are just records. Automatic records. Every system - your server, your firewall, your application - keeps track of:
What happened
When it happened
Where it came from
A log entry might look like this:
One entry looks harmless. Five hundred entries from the same IP in one minute? Now it's telling a very different story.
That's the SOC Analyst's skill: reading the story the logs are telling.
And what is SIEM exactly?
Think of SIEM as the central brain of a SOC.
SIEM = Security Information and Event Management
A company might have hundreds of systems - web servers, firewalls, databases, employee laptops. Each one generates logs. A SIEM collects all of those logs in one place and runs rules on them.
It:
Collects logs from different systems
Normalizes them
Applies rules
Triggers alerts
If the rule says:
"If more than 100 failed logins happen from the same IP within 5 minutes → raise alert"
The SIEM will catch it automatically. The analyst gets notified. The investigation begins.
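Here is a tiny version of that collect, normalize, rule, alert chain in Python. It is added as an illustration for this post, not code from the post or from any real SIEM product. The two log line formats, the sample lines and names like `normalize` and `detect_brute_force` are made up for the example; only the rule itself, more than 100 failed logins from one IP within 5 minutes, is the one from the post.

```python
"""Toy SIEM pipeline: collect -> normalize -> apply rule -> alert.

Added illustration, not code from the post or from any SIEM product.
The two log line formats, the sample lines and the helper names are
constructed for this example; only the rule itself ("more than 100 failed
logins from one IP within 5 minutes") comes from the post.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Source 1: a web app login log (constructed key=value format).
WEB_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) action=login result=(?P<result>\w+)$"
)
# Source 2: an sshd-style auth log (constructed; real syslog timestamps differ).
SSH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def normalize(line):
    """Map a raw line from either source onto one common event shape, or None."""
    m = WEB_RE.match(line)
    if m:
        outcome = "failure" if m["result"].upper() == "FAIL" else "success"
        return {"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
                "user": m["user"], "outcome": outcome, "source": "web"}
    m = SSH_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
                "user": m["user"], "outcome": "failure", "source": "ssh"}
    return None  # unknown format: a real SIEM would count this as a parse error


def detect_brute_force(events, threshold=100, window=timedelta(minutes=5)):
    """Alert once per source IP whose failed logins exceed `threshold` within `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] != "failure":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) > threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])  # one alert per IP, not one per extra failure
            alerts.append({"rule": "brute_force_login", "ip": ev["ip"],
                           "failures_in_window": len(q),
                           "first_seen": q[0], "last_seen": ev["ts"]})
    return alerts


def build_sample_lines():
    """Constructed sample traffic: one noisy IP, one clumsy real user, some ssh noise."""
    base = datetime(2024, 1, 15, 2, 0, 0)
    lines = []
    for i in range(120):  # 120 guesses in two minutes from one address
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} ip=203.0.113.5 user=admin action=login result=FAIL")
    for i in range(3):  # a real user who mistypes twice, then gets in
        ts = (base + timedelta(minutes=1, seconds=10 * i)).isoformat()
        result = "FAIL" if i < 2 else "OK"
        lines.append(f"{ts} ip=198.51.100.7 user=alice action=login result={result}")
    for i in range(5):  # a few ssh failures spread over minutes: below the threshold
        ts = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} sshd[4242]: Failed password for invalid user test "
                     f"from 192.0.2.9 port 51234 ssh2")
    lines.append("this line is not in any known format")
    return lines


def run(lines=None, threshold=100, window=timedelta(minutes=5)):
    """Collect, normalize, apply the rule and return the alerts that fired."""
    lines = build_sample_lines() if lines is None else lines
    events = [ev for ev in map(normalize, lines) if ev is not None]
    return detect_brute_force(events, threshold=threshold, window=window)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Notice that the real user alice, who fails twice and then logs in, never trips the rule, while the 120-guess burst does, exactly once. That "once per IP" choice matters in practice: a rule that fires again on every extra failure past the threshold buries the analyst in duplicate alerts, which is the noise the next section talks about.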
Popular SIEM tools you'll hear about:
Splunk
Microsoft Sentinel
IBM QRadar
We'll go deeper into each of these in upcoming parts.
Why does the attacker's perspective matter for a SOC Analyst?
This is the part most people miss.
If you don’t understand how attackers think, you won’t know what to look for.
For example: in Part 3, we learned that attackers scan ports to find open services. Now from the SOC side: if you see a flood of connection attempts across many ports from the same IP, you recognize it immediately. That's a port scan. That's reconnaissance.
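To show what "recognizing it" looks like on the SOC side, here is a small detection written for this post (added example, not the post's own code or any vendor's rule). The firewall log format, the sample lines, the helper names and the threshold of 20 distinct ports within 60 seconds are all assumptions made for the illustration.

```python
"""Recognising a port scan from firewall logs (the SOC side of reconnaissance).

Added illustration, not code from the post. The firewall log format, the
sample lines, the helper names and the threshold (20 distinct ports within
60 seconds) are all constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=\w+ action=(?P<action>\w+)$"
)


def parse_fw(line):
    """Parse one constructed firewall connection line into an event, or None."""
    m = FW_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "action": m["action"]}


def detect_port_scans(events, min_ports=20, window=timedelta(seconds=60)):
    """Alert once per source that touches at least `min_ports` distinct ports within `window`.

    The signal is port *diversity*, not connection volume: a busy but
    legitimate client hits the same one or two ports thousands of times.
    """
    recent = defaultdict(deque)  # src -> (ts, dport) pairs still inside the window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dport"]))
        while q and ev["ts"] - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        distinct_ports = {port for _, port in q}
        if len(distinct_ports) >= min_ports and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"rule": "port_scan", "src": ev["src"],
                           "distinct_ports": len(distinct_ports), "connections": len(q),
                           "window_start": q[0][0], "window_end": ev["ts"]})
    return alerts


def build_sample_lines():
    """Constructed firewall lines: a fast scanner, a busy normal client, a slow scanner."""
    base = datetime(2024, 1, 15, 2, 0, 0)
    lines = []
    for i in range(50):  # fast scan: a new port every second
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} src=203.0.113.5 dst=10.0.0.12 dport={i + 1} proto=tcp action=deny")
    for i in range(200):  # normal client: many connections, only two ports
        ts = (base + timedelta(milliseconds=300 * i)).isoformat()
        port = 443 if i % 2 else 80
        lines.append(f"{ts} src=198.51.100.7 dst=10.0.0.12 dport={port} proto=tcp action=allow")
    for i in range(100):  # slow scan: one port every 10 seconds
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} src=192.0.2.9 dst=10.0.0.12 dport={1000 + i} proto=tcp action=deny")
    return lines


def run(lines=None, min_ports=20, window=timedelta(seconds=60)):
    """Parse the lines, apply the port-scan rule and return the alerts that fired."""
    lines = build_sample_lines() if lines is None else lines
    events = [ev for ev in map(parse_fw, lines) if ev is not None]
    return detect_port_scans(events, min_ports=min_ports, window=window)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Two things worth noticing. The normal client makes 200 connections in a minute and never alerts, because it only ever touches two ports; the fast scanner alerts after its 20th port. The slow scanner, one port every ten seconds, never reaches 20 distinct ports inside a 60-second window, which is exactly why analysts do not rely on a single short-window rule and also look at longer baselines for the same source.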
Pattern going forward in this series:
What changed for me after understanding this
Before I understood SOC, I only thought about cybersecurity from one direction - the attacker's.
After this shift, everything clicked:
I stopped seeing logs as boring text files. They're evidence.
I stopped seeing alerts as noise. They're the system asking for a human decision.
I understood that security isn't just about stopping attacks. It's about knowing when one is happening.
Key Takeaway from this part
Attackers leave traces.
Logs capture those traces.
SIEM reads the logs and raises alerts.
SOC Analysts investigate those alerts and decide what's real and what's not.
👉 That’s the cycle.
And it starts with understanding what the attacker was trying to do in the first place.
What’s Next?
👉 In Part 5, we’ll go deeper into:
How a SOC Analyst actually thinks
SOC tiers and workflow
What separates a good analyst from a great one
This blog is part of my Cybersecurity Learning Journey:
Part 1: What Really Happens When You “Just Open a Website”?
Part 2: Where Networks Become Vulnerable
Part 3: How Hackers Find Vulnerabilities
Part 4: What Happens After a Cyber Attack? (this blog)