Analytic Developer/Insider Threat Analyst - Journeyman

About The Position

Requirements

• U.S. Citizenship is required
• Security Clearance: Secret Eligible
• Required Certifications: DCWF Work Role 462-Control Systems Security Specialist — Intermediate proficiency; must hold ONE OR MORE of the following: DAF 462 (Intermediate) (ICS), or, DAF 462 (Intermediate) (CS3-300)
• 3+ years of experience in cybersecurity
• Bachelors degree or higher in Computer Science, Cybersecurity, Data Science, Information Systems, Information Technology, or Software Engineering
• Experience developing or tuning analytic rules, detection logic, or behavioral indicators for cybersecurity monitoring or insider threat use cases.
• Experience correlating data from multiple security or user activity sources to support triage, investigative analysis, and reporting.
• Ability to document investigative findings clearly, including supporting evidence, case notes, and escalation details.
• Experience coordinating with security operations, incident response, or defensive cyber teams to validate findings and improve analytic content.
• Working knowledge of continuous monitoring objectives and security activities aligned to RMF-supported environments.
• Familiarity with MITRE ATT&CK-based analytic development or threat-informed detection approaches.
• Experience supporting enterprise cybersecurity operations in classified, unclassified, or mixed-enclave environments.
• Ability to contribute to analysis and reporting supporting large-scale enterprise environments with distributed users, endpoints, and sites.

Responsibilities

• Develop, implement, and tune analytic rules and detection content to identify anomalous user activity, insider threat behaviors, and high-risk patterns across ARNG enterprise environments.
• Correlate data from multiple security and user activity sources to support alert triage, investigative analysis, and evidence-based findings.
• Perform in-depth analysis of alerts and suspicious activity, document investigative results, and maintain supporting artifacts for case development and reporting.
• Support Task 3 Cybersecurity Operations Support deliverables by contributing analytic content and investigative outputs used in 24x7x365 monitoring, threat detection, and DCO-IDM activities across the DoDIN-A(NG) area of responsibility.
• Coordinate with SOC and CIRT personnel to validate analytic findings, escalate actionable incidents, and improve detection logic based on operational feedback and post-incident analysis.
• Build and refine MITRE ATT&CK-based analytics and support correlation activities aligned with USIEM detection engineering and broader ARNG monitoring and analysis objectives.
• Leverage integrated SIEM/C2C/DLP analytics and available enterprise data sources to improve centralized visibility and machine-speed response for insider threat and anomalous behavior detection.
• Coordinate with cyber intelligence, defensive cyber, and security engineering teams to align analytic development with threat-informed defense priorities and evolving enterprise risk.
• Ensure analytic activities, reporting, and evidence handling align with DoD and ARNG cybersecurity policy, insider threat program requirements, RMF controls, and continuous monitoring objectives.
• Support coordination and information sharing with Task 3 stakeholders and operational partners, including alignment with cybersecurity operations performed in conjunction with the NETCOM Global Cyber Center and DISA DCDC.