Four types of security operator

10 October 2025 securityproductux

Security operations is not a single job. It is a spectrum of people across web administration, network operations, product security, and SOC teams, all working with the same data but asking completely different questions.

I think about four archetypes. Every person doing security work fits into one or more of them.

The Operator is the first human in the loop. When something gets through the automatic defenses and requires a decision, this is the person who makes it. Web admins, NOC engineers, SOC analysts. The workflow is always the same: an alert fires, they triage it in real time, and they decide to close it, escalate it, or tune it.

This is the P0 archetype. Highest volume, broadest population, most direct dependency on the platform. Alert fatigue is their occupational disease. Speed and confidence of triage are their primary metrics.

The Investigator takes over when something is confirmed. Their job is reconstruction: the full timeline, the blast radius, the chain of events from first signal to last action. Where the Operator asks “is this real?”, the Investigator asks “what actually happened, and how far did it reach?” Completeness matters more than speed. They need every signal sequenced without gaps.

The Builder makes the platform sharper for everyone else. Detection engineers and power analysts who write the rules, author the queries, and improve the detection logic that determines whether the Operator’s queue is sharp or noisy. They are not the most visible people in a security operation, but they have the highest leverage. A detection they improve compounds across every analyst who uses it.

The Accountable needs to see the state of security without reading logs. Security managers who need an operational picture. CISOs who need organizational posture. Customers of a managed service who need to know what is being done on their behalf. What unites them is accountability without direct operational involvement.

Most security platforms are built for one archetype and bolted onto the others. The result is a tool that works well for one workflow and awkwardly for the rest, with different UI paradigms, different data models, entry points that do not connect.

The better model: build around use cases, not roles. Triage, investigation, detection authoring, and posture visibility are the underlying jobs. The archetypes are different entry points into the same underlying system. If an operator has to learn a new product to do what their job requires, the product has failed.

Build order matters too. The Operator is P0. Serve that workflow first, completely. The Investigator and Builder are P1. The Accountable is P2, because their view is derivative of the work the first three do. Get the sequence wrong and you end up with a great CISO dashboard sitting on top of a broken analyst workflow.
