Role Summary

Senior monitoring analyst and technical authority within the SOC. Not here to follow playbooks — here to improve them. Handles the most complex incidents, mentors L1/L2 analysts, drives detection engineering, and owns escalation decisions. If you still need someone to tell you what to investigate after 5 years, this is not your role.

Core Responsibilities

Advanced Incident Response
- Own investigation and response for high and critical severity incidents end-to-end
- Perform deep-dive forensic analysis across endpoints, network, cloud, and identity systems
- Make containment and remediation decisions independently — no waiting for approval on obvious threats
- Lead incident response bridge calls and coordinate across IT, legal, and leadership during major incidents
- Produce detailed post-incident reports with root cause analysis and actionable recommendations

Detection Engineering
- Develop, tune, and maintain SIEM detection rules, correlation logic, and alert thresholds
- Continuously reduce false positive rates without creating detection blind spots
- Build detection use cases mapped directly to MITRE ATT&CK techniques relevant to the organization's threat landscape
- Identify gaps in current detection coverage and propose solutions with justification

Mentorship & Quality Control
- Review L1/L2 triage decisions and provide structured feedback — not just corrections
- Develop and deliver internal training on attack techniques, tools, and investigation methodology
- Validate and update incident response playbooks based on real incident learnings
- Set the quality standard for documentation, escalation, and closure in the SOC

Reporting & Stakeholder Communication
- Translate complex technical incidents into clear executive-level briefings
- Provide weekly and monthly SOC performance metrics to the SOC Manager
- Recommend process and tooling improvements backed by data and incident evidence

Requirements

Experience
- Minimum 5 years in cybersecurity with at least 3 years in a SOC environment
- Proven experience handling critical incident response independently
- Demonstrated experience building or tuning SIEM detection rules — not just consuming alerts
- Track record of mentoring junior analysts with measurable improvement in team output

Technical Skills
- Expert-level SIEM proficiency: Splunk, Microsoft Sentinel, IBM QRadar, or equivalent
- Deep knowledge of Windows and Linux internals, log structures, and artifact analysis
- Strong network forensics: packet analysis, NetFlow, DNS, proxy logs
- EDR proficiency: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint
- Cloud security monitoring: AWS CloudTrail, Azure Monitor, GCP Security Command Center
- Scripting mandatory: Python or PowerShell for automation and investigation tooling
- Memory forensics and disk forensics capability: Volatility, FTK, Autopsy
- Threat intelligence consumption and application — not just reading reports, actually using IOCs and TTPs in investigations

Frameworks
- MITRE ATT&CK — must be able to map incidents to techniques without looking it up
- NIST Incident Response Framework
- Cyber Kill Chain
- Diamond Model of Intrusion Analysis

Certifications (strongly preferred)
- GIAC Certified Incident Handler (GCIH)
- GIAC Certified Enterprise Defender (GCED)
- GIAC Security Essentials (GSEC)
- Splunk Certified Power User or Architect
- Microsoft SC-200
- CISSP (advantage)

Education
- Bachelor's degree in Cybersecurity, Computer Science, or related field
- Relevant certifications and demonstrated experience outweigh the degree if the portfolio is strong

What This Role is NOT
- Not a senior title for someone who just does faster L2 work
- Not a role where you escalate everything upward — you are the escalation point
- Not limited to shift monitoring — you own detection quality across the entire SOC operation

Shift & Availability
- Primary daytime shift with on-call availability for critical incidents
- Expected to respond to P1 incidents outside business hours when required