L2/L2.5 Security Operations Center

Position Overview We are seeking a skilled and detail-oriented L2/L2.5 Security Operations Center (SOC) Analyst to join our Security Operations team. This role sits at the critical intersection of threat detection, incident investigation, and escalation management. The successful candidate will be responsible for identifying, investigating, and responding to security threats while mentoring L1 analysts and collaborating with senior security teams.Position Type: Full-time Location: [On-site / Hybrid / Remote] Experience Level: 8 years in cybersecurity/SOC operations.Key ResponsibilitiesTier 2 Incident Analysis & Investigation (45%)Alert Triage & Investigation:· Analyze and investigate alerts/incidents escalated from L1 analysts · Determine incident severity, scope, and impact on business operations · Conduct root cause analysis for security events and anomalies · Perform deep-dive forensic analysis on suspicious activities · Create detailed incident investigation reports with findings and recommendationsThreat Assessment: · Classify and categorize threats (malware, ransomware, APT, credential theft, data exfiltration, etc.) · Evaluate threat credibility and validate true positives vs. false positives · Assess threat actor capabilities, tactics, techniques, and procedures (TTPs) · Determine data exposure and potential impact on organizationIncident Containment & Response: · Execute immediate containment measures to prevent threat propagation · Isolate affected systems from network when necessary · Coordinate with IT Operations for system remediation and recovery · Recommend and implement mitigation strategies · Participate in incident response playbook executionSIEM & Security Tool Management (25%) SIEM Platform Operations:· Monitor and manage SIEM (Security Information and Event Management) platform · Create, modify, and optimize detection rules and correlation searches · Develop custom dashboards and reports for security monitoring · Tune alert thresholds to reduce false positives while maintaining detection sensitivity · Maintain SIEM data integrity and log ingestion from all security sourcesSecurity Tool Administration:· Manage and maintain EDR (Endpoint Detection & Response) solutions · Monitor firewall logs, IDS/IPS alerts, and network anomalies · Review and escalate VPN access anomalies and unusual traffic patterns · Manage DLP (Data Loss Prevention) incidents and policy violations · Monitor and respond to vulnerability scanner findings and exploit attemptsLog Analysis & Threat Hunting:· Perform manual log analysis to identify suspicious patterns and anomalies · Conduct proactive threat hunting campaigns based on threat intelligence · Search for indicators of compromise (IOCs) across infrastructure · Analyze logs from Windows/Linux systems, applications, and network devices · Create hunt packages and queries for recurring threat patternsEscalation & Ticket Management (15%)Alert Routing & Escalation:· Escalate incidents to L3 analysts and specialized teams (incident response, forensics, threat intelligence) · Determine appropriate escalation path based on incident severity and type · Provide clear handoff documentation to specialized teams · Monitor ticket status through resolution · Perform quality assurance on closed ticketsTicket Management:· Document all investigations in ticketing system with comprehensive notes · Maintain incident timeline and evidence chain of custody · Update incident status and metrics tracking · Meet SLA requirements for investigation and escalation (typically 4-8 hours for critical incidents) · Generate metrics reports for team and management reviewL1 Analyst Support & Mentoring (10%)Knowledge Transfer: · Mentor L1 analysts on investigation techniques and procedures · Review L1 investigations and provide feedback for improvement · Create runbooks and playbooks for common incident types · Conduct training sessions on new threats, tools, and procedures · Share threat intelligence and best practices with SOC teamQuality Assurance:· Review L1 alert dispositions and investigation quality · Identify gaps in L1 knowledge and provide targeted training · Validate that proper procedures are followed · Suggest process improvements based on L1 experiencesTechnical CompetenciesRequired Skills (Must Have)Security Operations:· 3-5 years experience in SOC, threat detection, or incident response · Proficiency with SIEM platforms (Splunk, ArcSight, QRadar, or similar) · Hands-on experience with EDR solutions (CrowdStrike, Microsoft Defender, SentinelOne) · Strong understanding of security frameworks (MITRE ATT&CK, NIST Cybersecurity Framework) · Knowledge of incident response processes and procedures · Experience with security monitoring tools and techniquesTechnical Knowledge:· Strong understanding of networking (TCP/IP, DNS, HTTP/HTTPS, VPN, firewalls) · Windows and Linux system administration fundamentals · Knowledge of common attack vectors and threat landscape · Ability to read and interpret logs (Windows Event Logs, Syslog, firewall logs, web logs) · Understanding of malware analysis concepts (static vs. dynamic analysis) · Basic scripting knowledge (Python, Bash, or PowerShell) for automation tasksAnalytical Skills: · Excellent analytical and problem-solving abilities · Strong attention to detail and accuracy · Ability to work through complex investigations methodically · Data-driven decision making · Pattern recognition and anomaly detection capabilitiesCommunication & Documentation: · Excellent written communication for incident reports and escalations · Ability to clearly explain technical findings to non-technical stakeholders · Strong documentation and note-taking practices · Clear verbal communication with team members and other departmentsDesired Skills (Nice to Have)· Threat Intelligence: Experience consuming and applying threat intelligence · Advanced Forensics: Digital forensics or malware analysis experience · Automation: Experience with Python, Ansible, or similar for playbook automation · Cloud Security: Experience with AWS, Azure, or GCP security monitoring · Certifications: GIAC Security Essentials (GSEC), CEH, Security+, CISSP, or similar · Incident Response: Prior incident response team experience · Vulnerability Management: Experience with vulnerability assessment and remediation · Compliance: Knowledge of compliance frameworks (PCI-DSS, HIPAA, SOC 2, ISO 27001