
Position Overview
We are seeking a skilled and detail-oriented L2/L2.5 Security Operations Center (SOC) Analyst to join our Security Operations team. This role sits at the critical intersection of threat detection, incident investigation, and escalation management. The successful candidate will be responsible for identifying, investigating, and responding to security threats while mentoring L1 analysts and collaborating with senior security teams.
Position Type: Full-time
Location: [On-site / Hybrid / Remote]
Experience Level: 8 years in cybersecurity/SOC operations.
Key Responsibilities
Tier 2 Incident Analysis & Investigation (45%)
Alert Triage & Investigation:
Analyze and investigate alerts/incidents escalated from L1 analysts
Determine incident severity, scope, and impact on business operations
Conduct root cause analysis for security events and anomalies
Perform deep-dive forensic analysis on suspicious activities
Create detailed incident investigation reports with findings and recommendations
Threat Assessment:
Classify and categorize threats (malware, ransomware, APT, credential theft, data exfiltration, etc.)
Evaluate threat credibility and validate true positives vs. false positives
Assess threat actor capabilities, tactics, techniques, and procedures (TTPs)
Determine data exposure and potential impact on organization
Incident Containment & Response:
Execute immediate containment measures to prevent threat propagation
Isolate affected systems from network when necessary
Coordinate with IT Operations for system remediation and recovery
Recommend and implement mitigation strategies
Participate in incident response playbook execution
SIEM & Security Tool Management (25%)
SIEM Platform Operations:
Monitor and manage SIEM (Security Information and Event Management) platform
Create, modify, and optimize detection rules and correlation searches
Develop custom dashboards and reports for security monitoring
Tune alert thresholds to reduce false positives while maintaining detection sensitivity
Maintain SIEM data integrity and log ingestion from all security sources
Security Tool Administration:
Manage and maintain EDR (Endpoint Detection & Response) solutions
Monitor firewall logs, IDS/IPS alerts, and network anomalies
Review and escalate VPN access anomalies and unusual traffic patterns
Manage DLP (Data Loss Prevention) incidents and policy violations
Monitor and respond to vulnerability scanner findings and exploit attempts
Log Analysis & Threat Hunting:
Perform manual log analysis to identify suspicious patterns and anomalies
Conduct proactive threat hunting campaigns based on threat intelligence
Search for indicators of compromise (IOCs) across infrastructure
Analyze logs from Windows/Linux systems, applications, and network devices
Create hunt packages and queries for recurring threat patterns
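The log analysis and hunting bullets above (manual pattern analysis, IOC searches, reusable hunt queries) and the earlier bullet on tuning alert thresholds are, in practice, small pieces of query logic. The Python below is an added example, not part of this posting: it parses constructed sshd auth lines, flags source IPs with a burst of failed logons inside a time window and notes whether a successful logon followed, and matches raw lines against a small IOC watchlist. The log lines, IP addresses (RFC 5737 documentation ranges), the IOC values, the assumed year for the year-less syslog timestamps, and the threshold/window defaults are all constructed for illustration.

```python
"""Added example: hunt-style analysis of constructed sshd auth log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sshd lines for the example; not real data.
SAMPLE_LOGS = """\
Mar 10 08:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 08:00:03 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 10 08:00:05 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 08:00:07 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 08:00:09 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 08:00:11 web01 sshd[1201]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar 10 08:15:42 web01 sshd[1330]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar 10 08:16:10 web01 sshd[1331]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
Mar 10 09:30:00 web01 sshd[1402]: Failed password for bob from 192.0.2.55 port 60000 ssh2
Mar 10 10:30:00 web01 sshd[1403]: Failed password for bob from 192.0.2.55 port 60001 ssh2
Mar 10 11:30:00 web01 sshd[1404]: Failed password for bob from 192.0.2.55 port 60002 ssh2
Mar 10 12:30:00 web01 sshd[1405]: Failed password for bob from 192.0.2.55 port 60003 ssh2
Mar 10 13:30:00 web01 sshd[1406]: Failed password for bob from 192.0.2.55 port 60004 ssh2
"""

# Constructed IOC watchlist (one IP, one domain) for the search below.
IOCS = {"203.0.113.7", "evil.example"}

# Syslog timestamps carry no year; the example assumes one (assumption).
ASSUMED_YEAR = 2024

AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_line(line):
    """Parse one sshd logon line into a dict, or return None if it is not a logon event."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"],
            "ip": m["ip"], "success": m["result"] == "Accepted"}


def parse_auth_log(text):
    """Parse every logon line in a log blob; non-logon lines are skipped."""
    return [ev for ev in map(parse_auth_line, text.splitlines()) if ev]


def detect_bruteforce(events, threshold=5, window_minutes=10):
    """Flag source IPs with >= threshold failed logons inside a sliding window.

    threshold and window_minutes are the tuning knobs: widening the window
    catches slow attempts at the cost of more noise. For each flagged IP the
    finding records the failure count, the targeted users, and whether a
    successful logon from that IP followed the burst (the high-severity case).
    """
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["success"]]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits within window_minutes.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = fails[end]["ts"]
                findings[ip] = {
                    "failures": end - start + 1,
                    "users": sorted({e["user"] for e in fails[start:end + 1]}),
                    "success_after": any(e["success"] and e["ts"] >= last_fail for e in evs),
                }
                break  # first qualifying window is enough to raise the finding
    return findings


def search_iocs(text, iocs):
    """Return (line_number, ioc) for each raw line containing a watchlisted IOC.

    IOCs are compared as whole tokens so 203.0.113.7 does not match 203.0.113.70.
    """
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        tokens = set(re.findall(r"[\w.:-]+", line))
        hits.extend((n, ioc) for ioc in sorted(iocs) if ioc in tokens)
    return hits


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_LOGS)
    for ip, f in detect_bruteforce(events).items():
        print(f"{ip}: {f['failures']} failures, users={f['users']}, "
              f"success_after={f['success_after']}")
    for line_no, ioc in search_iocs(SAMPLE_LOGS, IOCS):
        print(f"IOC {ioc} seen on line {line_no}")
```

With the defaults, only 203.0.113.7 is flagged (five failures in eight seconds, then an accepted root logon); 192.0.2.55 spreads its five failures an hour apart and is invisible until the window is widened to several hours, which is exactly the threshold-versus-noise trade-off the SIEM tuning bullet describes.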
Escalation & Ticket Management (15%)
Alert Routing & Escalation:
Escalate incidents to L3 analysts and specialized teams (incident response, forensics, threat intelligence)
Determine appropriate escalation path based on incident severity and type
Provide clear handoff documentation to specialized teams
Monitor ticket status through resolution
Perform quality assurance on closed tickets
Ticket Management:
Document all investigations in ticketing system with comprehensive notes
Maintain incident timeline and evidence chain of custody
Update incident status and metrics tracking
Meet SLA requirements for investigation and escalation (typically 4-8 hours for critical incidents)
Generate metrics reports for team and management review
L1 Analyst Support & Mentoring (10%)
Knowledge Transfer:
Mentor L1 analysts on investigation techniques and procedures
Review L1 investigations and provide feedback for improvement
Create runbooks and playbooks for common incident types
Conduct training sessions on new threats, tools, and procedures
Share threat intelligence and best practices with SOC team
Quality Assurance:
Review L1 alert dispositions and investigation quality
Identify gaps in L1 knowledge and provide targeted training
Validate that proper procedures are followed
Suggest process improvements based on L1 experiences
Technical Competencies
Required Skills (Must Have)
Security Operations:
3-5 years experience in SOC, threat detection, or incident response
Proficiency with SIEM platforms (Splunk, ArcSight, QRadar, or similar)
Hands-on experience with EDR solutions (CrowdStrike, Microsoft Defender, SentinelOne)
Strong understanding of security frameworks (MITRE ATT&CK, NIST Cybersecurity Framework)
Knowledge of incident response processes and procedures
Experience with security monitoring tools and techniques
Technical Knowledge:
Strong understanding of networking (TCP/IP, DNS, HTTP/HTTPS, VPN, firewalls)
Windows and Linux system administration fundamentals
Knowledge of common attack vectors and threat landscape
Ability to read and interpret logs (Windows Event Logs, Syslog, firewall logs, web logs)
Understanding of malware analysis concepts (static vs. dynamic analysis)
Basic scripting knowledge (Python, Bash, or PowerShell) for automation tasks
Analytical Skills:
Excellent analytical and problem-solving abilities
Strong attention to detail and accuracy
Ability to work through complex investigations methodically
Data-driven decision making
Pattern recognition and anomaly detection capabilities
Communication & Documentation:
Excellent written communication for incident reports and escalations
Ability to clearly explain technical findings to non-technical stakeholders
Strong documentation and note-taking practices
Clear verbal communication with team members and other departments
Desired Skills (Nice to Have)
Threat Intelligence: Experience consuming and applying threat intelligence
Advanced Forensics: Digital forensics or malware analysis experience
Automation: Experience with Python, Ansible, or similar for playbook automation
Cloud Security: Experience with AWS, Azure, or GCP security monitoring
Certifications: GIAC Security Essentials (GSEC), CEH, Security+, CISSP, or similar
Incident Response: Prior incident response team experience
Vulnerability Management: Experience with vulnerability assessment and remediation
Compliance: Knowledge of compliance frameworks (PCI-DSS, HIPAA, SOC 2, ISO 27001)
Job ID: 134114075