What You Will Do
The Cybersecurity Analyst II at EXOS CYBER is the escalation point for the SOC. You take the alerts and tickets that Tier 1 cannot fully resolve, drive them to a confident answer, and pass anything beyond standard playbooks to the Cybersecurity Engineers and Team Lead with a clear recommendation. You will support day-to-day security operations for our clients with a primary focus on security monitoring, detection, and incident response, working alongside senior security engineers and incident responders.
Beyond the queue, you play a deliberate role in assisting of maturing the SOC by writing and refining playbooks, tuning detections in coordination with our Senior Engineer / Purple Team and AI Automation Engineer, and mentoring Tier 1. This is a hands-on, high volume technical role designed for analysts with 3 to 6 years of experience who are ready to deepen their SOC skills while gaining broad exposure to a real world MSSP detection and response stack across diverse client environments.
Monitor and triage security alerts across multiple client environments using SIEM, EDR, email security, and cloud security tools. Validate and investigate common alert types, determine impact, and recommend or execute initial response actions based on runbooks.
Take ownership of escalated alerts and tickets, drive them through full investigation, and either resolve or escalate to engineering with a recommended action. Escalations to senior responders include accurate context, evidence, and timelines.
Run point on confirmed true positive incidents within scope, including containment via SentinelOne, account isolation in Entra ID, credential rotation guidance, evidence collection, post incident documentation, and client communication.
Analyze endpoint, identity, and network telemetry to identify suspicious activity, lateral movement, and persistence attempts.
Conduct phishing triage and support email-based threat investigations, including user impact assessment and remediation steps.
Partner with the Senior Engineers / Purple Team and AI Automation Engineer to identify noisy alerts, tune rules in the SIEM and EDR, and reduce false positive load through alert suppression and use case enhancements.
Execute scheduled hunts against client environments using SDL queries, EDR telemetry, and indicators from CTI feeds. Document findings and feed results back into detection engineering.
Support vulnerability scanning programs by helping interpret results, tracking remediation, and coordinating follow-ups with client IT teams.
Review escalations, give kind and direct feedback, run weekly walk-throughs of recent investigations, and contribute to Tier 1 onboarding curriculum.
Maintain thorough case notes, incident summaries, and client-ready communications in the ticketing system. Author the analytical narrative for monthly client reports covering what we saw, what it means, and what we recommend.
What You Have Done
3+ years of experience in a SOC, incident response, MSSP, or security operations focused role or 2+ years post-Tier 1 in a comparable role
Demonstrated investigation skills across endpoint, identity, email, and network telemetry.
Working command of an EDR (SentinelOne, CrowdStrike, or Defender for Endpoint) and a SIEM (Blumira, Sentinel, Splunk, or QRadar) at the query-and-pivot level.
Familiarity with common log sources such as Windows event logs, Active Directory, Azure AD or Entra ID, firewall, VPN, DNS, and email security logs.
Practical scripting in PowerShell and/or Python for investigation, log parsing, and lightweight automation.
Experience triaging phishing, malware, suspicious authentication activity, and policy or misconfiguration-driven alerts
Working knowledge of incident response lifecycle, escalation criteria, and evidence preservation
Ability to prioritize effectively in a multi-client environment and manage multiple active cases without losing quality
Strong documentation habits with the ability to produce clear, client-ready updates and incident summaries
Solid fundamentals in TCP/IP, DNS, HTTP/S, Windows and Linux concepts, and identity and access management
Experience with ticketing systems and meeting SLAs for response, escalation, and customer communication
Relevant certifications such as CompTIA Security+, CySA+, Microsoft security fundamentals, or equivalent experience preferred
Preferred Qualifications
Bachelor's degree in Cybersecurity, Information Technology, Computer Science, or related discipline. Equivalent military training or certifications considered.
CompTIA CySA+, GIAC GCIH, GIAC GCFA, GIAC GCDA, BTL2, or equivalent.
Prior MSSP experience, especially in a multi-tenant ticketing model (ConnectWise, Autotask, ServiceNow, etc.).
Familiarity with Sigma rules, KQL, or SentinelOne / Blumira query syntax.
Experience with SOAR or rules-based automation; comfort working alongside an AI Automation Engineer to operationalize playbooks.
Exposure to vulnerability management workflows (ConnectSecure, Tenable, Qualys, or similar) and pentesting output review (NodeZero or comparable).
Experience with MITRE ATT&CK Framework
Hands-on lab experience: TryHackMe, LetsDefend, Blue Team Labs, or home-lab portfolio.
Experience in proactive Cyber Threat Hunting activities