Security Operations Center Analyst L2
Full-time Associate
Job Overview
The Security Operations Center (SOC) Analyst L2 is a critical member of the Information Security team responsible for monitoring, detecting, analyzing, and responding to cybersecurity threats across the organization's environment. This role serves as the frontline defense against adversarial activity, operating within a 24×7 detection-first SOC model.
The primary responsibility of this position is the security alert workflow — the continuous triage, investigation, and disposition of security alerts and events generated across our security tooling ecosystem. Beyond queue operations, this role offers structured growth into threat hunting, detection engineering, incident response, vulnerability management, insider risk management, and cross-functional InfoSec support.
ESSENTIAL DUTIES AND RESPONSIBILITIES:
DETECTION & MONITORING (PRIMARY FOCUS)
- Monitor detection queues and prioritize alerts based on risk, impact, and context, ensuring SLA compliance across the shift
- Perform in-depth analysis and correlation of alerts across SIEM, EDR, email, cloud, network, and identity security tools to validate incidents
- Investigate suspicious or malicious activity end-to-end across endpoints, identities, network, and cloud environments
- Accurately classify, scope, and disposition incidents, producing evidence-based documentation suitable for audits and metrics
- Own incident records in the case management platform through investigation, containment coordination, and closure
- Escalate confirmed or high-impact incidents to L3 or Incident Response leads
- Ensure high-quality shift handoffs, including investigative context, hypotheses, and pending actions
- Contribute to SOC documentation by updating playbooks, SOPs, runbooks, and training materials based on observed gaps or lessons learned
- Provide guidance and mentoring to L1 analysts during investigations and triage
INCIDENT RESPONSE (AS NEEDED)
- Support incident response efforts during active security events, including evidence gathering, containment actions, and timeline construction
- Assist in the preparation of incident summaries, post-incident reports, and lessons-learned documentation
- Execute containment and remediation actions under the guidance of IR leads (e.g., endpoint isolation, account disablement)
- Participate in tabletop exercises and IR simulations to develop and validate response readiness
THREAT HUNTING (STRUCTURED OPPORTUNITIES)
- Participate in threat hunting missions derived from threat intelligence reporting, new TTPs, or internal hypotheses
- Query SIEM, EDR, and log sources proactively to identify undetected malicious activity or policy gaps
- Document hunting findings and translate confirmed gaps into detection use cases or tuning recommendations
- Leverage frameworks such as MITRE ATT&CK to structure hunting hypotheses and report on coverage gaps
DETECTION ENGINEERING (COLLABORATIVE SUPPORT)
- Contribute to the development, testing, and refinement of detection rules and correlation logic in the SIEM
- Analyze emerging threats and map indicators and behaviors to proposed detection logic
- Validate new detections in a test environment and provide real-world feedback from queue experience
- Assist with SIEM content library management including periodic rule review and retirement of stale logic
VULNERABILITY MANAGEMENT (SUPPORTING ROLE)
- Review vulnerability scan results and assist in triaging findings based on severity, exploitability, and asset criticality
- Support the coordination of remediation activities with IT asset owners, tracking tickets through to closure
- Cross-reference active vulnerabilities with threat intelligence to identify weaponized CVEs that require prioritization
- Assist in producing vulnerability reporting for team leads and stakeholders on a periodic basis
INSIDER RISK MANAGEMENT (SUPPORTING ROLE)
- Support the review and triage of alerts generated by User and Entity Behavior Analytics (UEBA) platforms, Data Loss Prevention (DLP) tools, and insider threat-specific monitoring solutions
- Correlate insider risk indicators across identity, endpoint, email, and cloud data sources to build a complete picture of potential policy violations or malicious intent
- Assist in the investigation of data exfiltration attempts, unauthorized access to sensitive systems, and anomalous after-hours or off-network activity
- Maintain strict confidentiality and chain-of-custody standards when handling insider risk cases, ensuring investigations are properly documented and legally defensible
- Contribute to the ongoing refinement of the Insider Threat Program by surfacing patterns, gaps, and lessons learned from completed investigations
CROSS-FUNCTIONAL INFOSEC SUPPORT (AD HOC/STRUCTURED)
- Serve as an available resource to other InfoSec teams, lending hands-on support for security-related tasks, reviews, and initiatives on an as-needed basis
- Assist with security awareness initiatives, phishing simulations, and education campaigns
- Support access reviews, security tool deployments, and policy compliance assessments as directed