Responsibilities
- Monitor and triage security alerts from EDR/XDR, SIEM, and related security tooling; prioritize incidents based on risk and business impact.
- Investigate endpoint threats (malware, ransomware, credential theft, persistence, lateral movement) using Microsoft Defender for Endpoint (MDE), CrowdStrike EDR, SentinelOne EDR, and Stellar Cyber XDR.
- Perform incident response activities: evidence collection, scoping, containment, eradication, recovery, and post-incident reporting.
- Conduct endpoint and host-based analysis (process trees, command-line execution, registry changes, scheduled tasks, persistence mechanisms, network connections).
- Correlate telemetry across endpoint, identity, network, and cloud sources to confirm malicious activity and reduce false positives.
- Execute response actions (e.g., isolate host, kill/quarantine process, block indicators, remove persistence, enforce policy changes) in accordance with playbooks and approvals.
- Develop and maintain detection and response playbooks/runbooks for common attack scenarios (phishing, suspicious PowerShell, credential dumping, suspicious service creation, etc.).
- Create and tune alerting rules, exclusions, and detections to improve signal quality and reduce noise while maintaining security coverage.
- Document investigations thoroughly: timelines, IOCs, impacted assets/users, actions taken, and recommendations for prevention.
- Support threat hunting activities using EDR/XDR telemetry and threat intelligence to identify suspicious patterns and proactively reduce risk.
- Participate in on-call rotation and shift-based SOC coverage as required.
- Research security enhancements and make recommendations for management.
- Stay up to date on information technology trends and security standards.
- Train, mentor, and guide teammates through direct communication and by hosting knowledge transfer calls.
Requirements
- 2–4 years of experience in a SOC, incident response, cyber analyst or security operations role.
- 2–4 years of hands-on experience working with at least one (1) of the following: Microsoft Defender for Endpoint (MDE), CrowdStrike EDR, SentinelOne EDR, Stellar Cyber XDR.
- Strong knowledge of attacker tactics and techniques aligned to MITRE ATT&CK, NIST, and Lockheed Martin frameworks (e.g., persistence, privilege escalation, lateral movement, exfiltration).
- Solid understanding of Windows security fundamentals (event logs, authentication, common persistence locations) and basic Linux/macOS concepts.
- Familiarity with common security log sources and workflows (SIEM concepts, ticketing/case management, escalation processes).
- Ability to write clear incident documentation and communicate findings to both technical and non-technical stakeholders.
- Experience handling sensitive information and following documented procedures and change controls.
- Strong knowledge of the Windows and Linux operating systems.
- Ability to establish and maintain a strong level of customer trust and confidence.
Nice to Have
- Experience with Microsoft security ecosystem (e.g., Defender for Identity, Defender for Cloud, Entra ID/Azure AD sign-in logs).
- Basic scripting/automation skills (PowerShell, Python, or Bash) for investigation and enrichment tasks.
- Familiarity with network security concepts, protocols (TCP/UDP, DNS, HTTP/S, TLS, proxies, VPNs), and packet/log analysis.
- Threat hunting experience and building detections based on behavioral analytics.
- Experience with vulnerability management and remediation tracking.
- MSSP experience.
- A bachelor's/master's degree in cyber security or a related field, or an equivalent level of experience within IT.
- Security certifications (nice-to-have): Security+, CySA+, GCIH, GCIA, SC-200, or equivalent.
Additional Information
- Fully remote model
- Participate in on-call rotation and shift-based SOC coverage as required
- Enrolled in the VirtualArmour Academy for training in other aspects of the role