Cybersecurity Analyst

National Cooperative Bank
Arlington, VA Full Time
POSTED ON 4/8/2026
AVAILABLE BEFORE 5/6/2026
VA Office

Role Description Summary: The Cybersecurity Analyst supports the organization's Security Operations Center (SOC) by monitoring, detecting, analyzing, and escalating security events across cloud and on-premises environments. This blended analyst role is primarily alert-driven with some proactive threat hunting. The analyst will also help administer and tune key security platforms (SIEM/EDR and related controls), coordinate vulnerability management with IT Operations, and serve as the after-hours escalation point for the MSSP.

Role Responsibilities

  • SOC Monitoring, Triage, and Detection – 35%
      • Monitor and triage security alerts and events from SIEM/EDR and related tools across Azure, AWS, Microsoft 365, Okta/Entra ID, email security platforms, and other SaaS environments.
      • Contribute to tuning and expansion of detection rules and playbooks, help onboard and validate security telemetry for key systems, and identify and recommend improvements to detection coverage and data quality.
      • Follow established playbooks and severity criteria to ensure consistent triage, escalation, and ticket hygiene, maintaining high-quality case notes and evidence in ServiceNow to support operational continuity and audit readiness.
  • Investigation, Threat Hunting, and Analysis – 25%
      • Classify and prioritize alerts using defined criteria (impact, confidence, asset criticality, user risk, threat context) and perform in-depth investigation and analysis across endpoint, identity, email, and cloud signals.
      • Conduct guided threat hunting (IOC-driven and hypothesis-based), use structured analysis methods (e.g., kill chain/diamond model mindset), and document findings and follow-up recommendations to improve detections and response.
      • Investigate identity and access anomalies in Okta and Entra ID (e.g., suspicious sign-ins, MFA challenges, OAuth consent/activity) and escalate in accordance with playbooks.
  • Incident Escalation, Containment, and Response Support – 20%
      • Drive internal alert-handling workflow from detection through validation, enrichment, and escalation to appropriate resolver groups based on severity and playbook guidance.
      • Support incident response by coordinating containment and remediation actions (e.g., endpoint isolation, account disablement, conditional access responses) with IT Operations, Security Engineering, and the MSSP.
      • Maintain escalation communications with stakeholders and vendors, contribute to incident documentation and post-incident reviews, and participate in incident response exercises/tabletops.
  • Vulnerability and Exposure Management – 10%
      • Coordinate vulnerability remediation tracking with IT Operations by prioritizing findings with risk context, tracking remediation progress, supporting exception handling, and validating closure where applicable.
      • Help validate remediation effectiveness, confirm risk reduction, and provide feedback into detection and monitoring improvements based on vulnerability and exposure trends.
  • Metrics, Documentation, and Continuous Improvement – 5%
      • Contribute to SOC metrics and reporting (e.g., MTTD/MTTR, MTTA, backlog, SLA adherence, false-positive trends, detection coverage) and support evidence collection for audits/exams (FFIEC/GLBA) by maintaining traceable alert samples, incident records, and response timelines.
      • Maintain operational SOC documentation (runbooks/playbooks, tuning backlogs, investigation notes) and recommend improvements to processes, tools, and coverage based on operational lessons learned.
  • Threat Intelligence and External Collaboration – 5%
      • Collect, normalize, and operationalize relevant threat intelligence and IOCs into detections and hunts and provide feedback on observed threat activity to inform defensive improvements.
      • Contribute to external information-sharing and collaboration with vendors and partners (including the MSSP) by participating in intake, evaluation, dissemination, and tracking of actionable intelligence.

Skills Needed

  • Strong analytical and investigative skills with attention to detail
  • Working knowledge of security controls and concepts (MITRE ATT&CK, phishing/BEC patterns, malware behaviors, identity attacks, log analysis)
  • Experience investigating alerts across endpoint, identity, email, and cloud signals
  • Familiarity with SIEM content development (KQL, rule logic, detections, parsers, workbooks/dashboards)
  • Strong written and verbal communication abilities for escalation and stakeholder coordination
  • Ability to work independently and make sound decisions under pressure
  • Comfort operating with privileged access to security tools and sensitive customer/enterprise data

Minimum Qualifications

  • Bachelor's degree (required)
  • 3-5 years of hands-on cybersecurity operations experience (SOC / IR / monitoring / detection engineering support)
  • Experience investigating alerts across endpoint, identity, email, and cloud signals
  • Familiarity with FFIEC and GLBA expectations for security monitoring, incident response, and access to sensitive data

Education: Bachelor’s degree in Computer Science, Information Technology, Cybersecurity, or related field

Preferred/Strongly Desired

  • Experience with Microsoft security ecosystem (Sentinel, Defender, Entra ID) and cloud security monitoring in Azure/AWS
  • Experience with SIEM content development (KQL, rule logic, detections, parsers, workbooks/dashboards)
  • Experience coordinating with an MSSP and managing alert escalation workflows
  • Preferred certifications: CompTIA Security+ (or equivalent), Microsoft SC-200
  • Nice-to-have: CySA+ or AZ-500

Work Environment

Hybrid - Employees will work from both remote and onsite locations. Employees must live within a reasonable commuting distance of the office and are required to be onsite at least two (2) days per week, specifically on Tuesdays and Wednesdays. Certain positions or business needs may require additional in-office days.

AA/EOE

Salary.com Estimation for Cybersecurity Analyst in Arlington, VA
$94,639 to $120,566