Keyrock is looking for a SOC Analyst (Level 2) to serve as the technical escalation point for sophisticated security incidents. You'll take ownership of high-severity alerts, lead investigations through containment, and coordinate across teams to strengthen our security posture.
What You'll Do
- Take escalations from L1 and independently investigate complex, multi-signal alerts (identity compromise, cloud control-plane abuse, endpoint persistence, lateral movement, suspicious automation, data exfiltration).
- Perform deep log/telemetry analysis across SIEM, EDR, cloud logs, IAM signals, network telemetry, email security, and SaaS audit trails.
- Build and validate hypotheses, pivot across data sources, and produce clear incident timelines and scope assessments.
- Serve as technical incident lead for defined incident types/severities, driving containment and eradication steps within authorized bounds.
- Execute and improve response playbooks for key scenarios (phishing/BEC, credential theft, token/key compromise, suspicious API activity, ransomware indicators, insider risk signals).
- Coordinate evidence collection and preservation to support legal/compliance needs and potential third-party investigations.
- Enrich investigations with threat intel (IOCs, TTPs) and map observed behavior to frameworks (e.g., ATT&CK) to improve detection fidelity.
- Maintain watchlists and detection logic for priority threats relevant to cloud-first financial and digital-asset operations.
- Tune SIEM correlation rules, EDR policies, and alert thresholds to reduce false positives and increase signal quality.
- Propose and implement new detections for emerging techniques (identity + cloud abuse, OAuth/app consent attacks, API key leakage, CI/CD pipeline tampering).
- Improve runbooks and automate repetitive enrichment steps (SOAR workflows, scripts, queries).
- Provide mentorship and real-time guidance to L1 analysts; improve escalation quality through coaching and feedback.
- Manage shift handovers for active investigations and ensure high-quality case documentation.
- Contribute to SOC metrics (MTTD, MTTR, false-positive rate, escalation accuracy) and continuous improvement efforts.
What We're Looking For
- 2–5+ years of SOC / incident response / security operations experience (or equivalent hands-on experience in a fast-paced production environment).
- Strong ability to investigate across cloud security operations, endpoint security, identity, and core network fundamentals.
- Proficiency with at least one SIEM and common SOC tooling (e.g., Splunk/Elastic/Sentinel; CrowdStrike/Defender; Jira/ServiceNow).
- Ability to write clear incident documentation: timelines, scope, impact, containment actions, and recommended remediations.
- Comfort operating in an on-call or shift environment (depending on coverage model).
Nice to Have
- Detection engineering experience: correlation rules, Sigma/KQL/SPL, alert pipelines, SOAR automation.
- DFIR fundamentals: triage acquisition, volatile vs. non-volatile evidence, endpoint artifact analysis.
- Container/Kubernetes logging and runtime security exposure.
- Practical scripting (Python/Bash) for analysis and automation.
- Digital-asset ecosystem exposure and 24/7 trading operations familiarity.
- Certifications (optional): GCIH, GCIA, GCED, SC-200, AWS Security Specialty, or equivalent.
Technical Stack
- SIEM, EDR, Cloud logs, IAM, Network telemetry, Email security, SaaS audit trails
- SOAR, Python, Bash, Kubernetes
Team & Environment
You will coordinate with Incident Response, Cloud/Platform, Identity, and Engineering teams.
Work Mode
Not specified.
Keyrock fosters a culture of calm, structured response under pressure, high ownership, and strong communication across technical and non-technical stakeholders. We value a continuous-improvement mindset where every incident leads to better detections, better controls, and better resilience.
