Senior SOC Analyst
Listed on 2026-07-09
-
IT/Tech
Cybersecurity
This position involves advanced threat detection, incident response, and software integration within a Security Operations Center (SOC), leveraging tools like SIEM, SOAR, and cloud security platforms. Analysts collaborate with cross‑functional teams to investigate complex security incidents, develop detection methodologies, and maintain multi‑tenant environments.
As a Senior SOC Analyst within RSM Defense, you own high‑severity security investigations and help guide the SOC’s technical direction across a growing managed security services environment supporting diverse client organizations. You will lead end‑to‑end incident analysis, validate adversary behavior, and translate evidence into clear containment and remediation guidance tailored to each client’s environment and risk context. You will also influence detection engineering and response automation by identifying content gaps, validating improvements against live telemetry, and converting operational lessons learned into durable, repeatable change.
The SOC operates on an integrated detection and response model across endpoint, identity, cloud, and network telemetry, supported by AI‑assisted analysis and automation to reduce repetitive triage and maximize analyst focus on complex tradecraft, proactive improvements, and mentorship.
LocationStrong preference for candidates in Harrisburg, PA. Open to any candidates living in a city close to an RSM location. This role will be hybrid and will require going onsite to the RSM office closest to you a few times per week.
ScheduleFour 10‑hour shifts per week, giving three days off each week. The schedule may change quarterly, though there are times when it can remain consistent. The role supports 24/7 operations.
Key Responsibilities Advanced Investigation, Incident Handling & Incident Response- Lead complex, high‑severity investigations across endpoint, network, cloud, and identity telemetry.
- Perform root cause analysis and reconstruct incident timelines using aligned MITRE ATT&CK mapping.
- Serve as the primary technical liaison during escalated incidents, delivering clear findings and remediation steps to internal leadership and clients.
- Drive the creation of After‑Action Reports (AARs) and lessons learned to improve tooling, detections, and workflow performance.
- Identify detection gaps and collaborate with Detection Engineering to develop, refine, and tune detection content across relevant telemetry sources.
- Validate new detections before SOC deployment and provide measurable feedback based on production telemetry.
- Leverage SOAR platforms to automate enrichment, triage, and response actions.
- Identify repetitive patterns ideal for automation and propose workflow enhancements to reduce MTTR.
- Validate automation logic prior to production rollout and ensure alignment with SOC escalation policies.
- Collaborate with engineering teams to incorporate additional enrichment sources, threat intel lookups, and AI‑driven analysis steps.
- Utilize AI copilots, enrichment agents, and LLM‑based analysis tools to support case triage, enrichment, and investigation.
- Develop, optimize, and maintain prompt templates for SOC use cases (enrichment summaries, detection validation, log interpretation, hypothesis generation).
- Evaluate the accuracy and reliability of AI‑generated outputs and implement QA steps to avoid hallucinations or misleading results.
- Identify opportunities to integrate AI agents into detection, triage, and response workflows—improving analyst speed and consistency.
- Provide feedback to engineering teams on model behavior, content gaps, and automation integration opportunities.
- Support hypothesis‑driven and intelligence‑led hunts by validating findings, artifacts, and suspicious patterns.
- Recommend new hunts based on emerging TTPs, anomalous case trends, or telemetry gaps discovered during investigations.
- Ensure hunt findings translate into new detections, enhanced content, or instrumentation improvements.
- Mentor junior analysts on investigation techniques, tooling…
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).