Responsibilities
- Take escalations from L1 and independently investigate complex, multi-signal alerts (identity compromise, cloud control-plane abuse, endpoint persistence, lateral movement, suspicious automation, data exfiltration).
- Perform deep log/telemetry analysis across SIEM, EDR, cloud logs, IAM signals, network telemetry, email security, and SaaS audit trails.
- Build and validate hypotheses, pivot across data sources, and produce clear incident timelines and scope assessments.
- Serve as technical incident lead for defined incident types/severities (or co-lead with IR), driving containment and eradication steps within authorized bounds.
- Execute and improve response playbooks for key scenarios (phishing/BEC, credential theft, token/key compromise, suspicious API activity, ransomware indicators, insider risk signals).
- Coordinate evidence collection and preservation to support legal/compliance needs and potential third-party investigations.
- Enrich investigations with threat intel (IOCs, TTPs) and map observed behavior to frameworks (e.g., ATT&CK) to improve detection fidelity.
- Maintain watchlists and detection logic for priority threats relevant to cloud-first financial and digital-asset operations.
- Tune SIEM correlation rules, EDR policies, and alert thresholds to reduce false positives and increase signal quality.
- Propose and implement new detections for emerging techniques (identity + cloud abuse, OAuth/app consent attacks, API key leakage, CI/CD pipeline tampering).
- Improve runbooks and automate repetitive enrichment steps (SOAR workflows, scripts, queries).
- Provide mentorship and real-time guidance to L1 analysts; improve escalation quality through coaching and feedback.
- Manage shift handovers for active investigations and ensure high-quality case documentation.
- Contribute to SOC metrics (MTTD, MTTR, false-positive rate, escalation accuracy) and continuous improvement efforts.
Requirements
- 2–5+ years of SOC / incident response / security operations experience (or equivalent hands-on experience in a fast-paced production environment).
- Strong ability to investigate across cloud security operations, endpoint security, identity, and core network fundamentals.
- Proficiency with at least one SIEM and common SOC tooling (e.g., Splunk/Elastic/Sentinel; CrowdStrike/Defender; Jira/ServiceNow).
- Ability to write clear incident documentation: timelines, scope, impact, containment actions, and recommended remediations.
- Comfort operating in an on-call or shift environment (depending on coverage model).
Nice to Have
- Detection engineering experience: correlation rules, Sigma/KQL/SPL, alert pipelines, SOAR automation.
- DFIR fundamentals: triage acquisition, volatile vs. non-volatile evidence, endpoint artifact analysis.
- Container/Kubernetes logging and runtime security exposure.
- Practical scripting (Python/Bash) for analysis and automation.
- Digital-asset ecosystem exposure and 24/7 trading operations familiarity.
- Certifications (optional): GCIH, GCIA, GCED, SC-200, AWS Security Specialty, or equivalent.
