SOC Analyst (Level 2)

About The Position

Requirements

• 2–5+ years of SOC / incident response / security operations experience (or equivalent hands-on experience in a fast-paced production environment).
• Strong ability to investigate across cloud security operations, endpoint security, identity, and core network fundamentals.
• Proficiency with at least one SIEM and common SOC tooling (e.g., Splunk/Elastic/Sentinel; CrowdStrike/Defender; Jira/ServiceNow).
• Ability to write clear incident documentation: timelines, scope, impact, containment actions, and recommended remediations.
• Comfort operating in an on-call or shift environment (depending on coverage model).

Nice To Haves

• Detection engineering experience: correlation rules, Sigma/KQL/SPL, alert pipelines, SOAR automation.
• DFIR fundamentals: triage acquisition, volatile vs. non-volatile evidence, endpoint artifact analysis.
• Container/Kubernetes logging and runtime security exposure.
• Practical scripting (Python/Bash) for analysis and automation.
• Digital-asset ecosystem exposure and 24/7 trading operations familiarity.
• Certifications (optional): GCIH, GCIA, GCED, SC-200, AWS Security Specialty, or equivalent.

Responsibilities

• Advanced detection and investigation
• Take escalations from L1 and independently investigate complex, multi-signal alerts (identity compromise, cloud control-plane abuse, endpoint persistence, lateral movement, suspicious automation, data exfiltration).
• Perform deep log/telemetry analysis across SIEM, EDR, cloud logs, IAM signals, network telemetry, email security, and SaaS audit trails.
• Build and validate hypotheses, pivot across data sources, and produce clear incident timelines and scope assessments.
• Incident response and containment
• Serve as technical incident lead for defined incident types/severities (or co-lead with IR), driving containment and eradication steps within authorized bounds.
• Execute and improve response playbooks for key scenarios (phishing/BEC, credential theft, token/key compromise, suspicious API activity, ransomware indicators, insider risk signals).
• Coordinate evidence collection and preservation to support legal/compliance needs and potential third-party investigations.
• Threat intelligence and adversary tradecraft
• Enrich investigations with threat intel (IOCs, TTPs) and map observed behavior to frameworks (e.g., ATT&CK) to improve detection fidelity.
• Maintain watchlists and detection logic for priority threats relevant to cloud-first financial and digital-asset operations.
• Detection engineering and SOC improvement
• Tune SIEM correlation rules, EDR policies, and alert thresholds to reduce false positives and increase signal quality.
• Propose and implement new detections for emerging techniques (identity + cloud abuse, OAuth/app consent attacks, API key leakage, CI/CD pipeline tampering).
• Improve runbooks and automate repetitive enrichment steps (SOAR workflows, scripts, queries).
• Operational leadership
• Provide mentorship and real-time guidance to L1 analysts; improve escalation quality through coaching and feedback.
• Manage shift handovers for active investigations and ensure high-quality case documentation.
• Contribute to SOC metrics (MTTD, MTTR, false-positive rate, escalation accuracy) and continuous improvement efforts.