The use of tacit knowledge has previously been shown to help expedite problem-solving procedures in the setting of medical emergency responses, as individuals can use past experiences in present and future challenges. However, there is a lack of understanding in its application in IT and socio-technical management. This paper examines the thought processes observed in Security Operational Centre (SOC) analysts facing threat events to lay the groundwork for tacit knowledge management in SOCs. Based on Sternberg's fieldwork in tacit knowledge, we conducted semi-structured interviews with ten analysts to explore the key artefacts and individual traits that aid their approach to communication, and to examine the thought processes under hypothetical incident handling scenarios. The results highlight a unanimous pursuit of Root Cause Analysis (RCA) upon the outbreak of an incident and stages of decision-making when escalating to third party support providers. Using Business Process Modelling and Notation (BPMN), we show the procedural elements of tacit knowledge from several scenarios. The results also suggest that simulation environments and physical proximity with analysts and vendors can facilitate the transfer of tacit knowledge more effectively in SOCs.