SOC Analyst L2

Agile Blue is an AI-native Security Operations platform that detects, investigates, and auto-responds to cyber threats across cloud, network, and endpoint environments. Our platform combines Sapphire AI for automated detection with 24/7 human-led investigation, built for mid-market organizations and the MSPs that serve them.

Agile Blue is hiring L2 SOC Analysts to handle high severity investigations that go beyond standard playbook scope. You will build incident timelines from raw logs, write your own queries to follow an investigation wherever it leads, and handle complex cases that need a real investigative approach.

You will work alongside L1 analysts on shift, pick up cases they cannot resolve, and hand off the most complex situations to the senior analyst. The job requires independent judgment. Playbooks are a starting point, not a ceiling.

• Handle cases that exceed L1 scope, including complex and high-severity cases requiring open-ended investigation.
• Build incident timelines from raw logs without relying on a prescriptive playbook. Use playbooks as a reference, not a dependency.
• Investigate suspicious activity by forming hypotheses about attacker behavior based on TTPs, then testing them against available telemetry.
• Write security queries to explore beyond what the alert surface shows. Contain and disrupt threats where the situation calls for it.
• Analyze security breaches to identify root cause. Prioritize and document findings with enough detail for incident reporting and client communication.
• Communicate findings to clients through established channels with clear, accurate documentation. Surface vulnerabilities and patterns identified through daily case review.
• Execute pre-scoped threat hunts assigned by the senior analyst on shift. Document findings and escalate hits.
• Follow customer-specific playbooks and internal SOC procedures. Identify gaps and report them to senior analysts.

• 2 to 4+ years of SOC or security operations experience, or a strong L1 analyst with a demonstrated investigative track record.
• Hands-on experience building incident timelines from raw log sources without being handed a template.
• Active experience writing KQL, EQL, or equivalent query language in a real investigation context.
• Working knowledge of attacker TTPs across the MITRE ATT&CK framework.
• Familiarity with endpoint, network, identity, and cloud log sources and what normal looks like for each.
• Clear written communication under pressure. Clients read your case notes.

Job Type: Full-Time Employment

Shift: Multiple shifts available across our 24/7 operation

Location:

Cleveland, OH OR remote within the United States

Reporting To: SOC Manager

Competitive base salary | 401k with company match | Unlimited PTO | Paid training and certification support | Clear, measurable path to advancement

Submit your resume and a brief cover letter to  with 'SOC Analyst L2' as the subject line. Describe a specific investigation where you had to go beyond the playbook. Tell us what you found and how you found it.