SOC Tier 3 Analyst

Job Overview
Everforth ECS is seeking a SOC Tier 3 Analyst to work in our Portland, OR office. This position is contingent upon contract award. The SOC Analyst 3 supports the organization's security operations by leading complex incident analysis, validating advanced investigative findings, coordinating technical response actions, improving detection effectiveness, and mentoring lower-tier analysts. This role is the senior technical analysis and escalation tier within the SOC Analyst role family.

• Lead analysis of complex, high-impact, multi-stage, or ambiguous security incidents across enterprise systems, cloud environments, identity platforms, endpoints, networks, and applications.
• Validate incident severity, scope, attack path, affected assets, affected accounts, likely root cause, and potential operational or business impact.
• Review and resolve escalated findings from SOC Analyst 1 and SOC Analyst 2, including disputed severity, inconclusive evidence, or multi-source correlation challenges.
• Provide technical facts, risk context, and recommended response priorities to SOC leadership for major incident handling and stakeholder communication.

• Coordinate complex containment, eradication, and recovery support with Security Engineer, Senior Engineer, system owners, incident responders, and other technical teams.
• Define evidence collection requirements and coordinate handoff to Forensics Lead or Forensics Mid when formal acquisition, preservation, chain of custody, or deep forensic analysis is required.
• Guide investigation strategy, timeline development, technical response sequencing, and escalation decisions for complex incidents.
• Maintain alignment with approved incident response plans, playbooks, evidence-handling expectations, and leadership direction.

• Analyze adversary behaviors, attack patterns, vulnerabilities, threat intelligence, control gaps, and recurring incident trends to improve detection and response effectiveness.
• Define analytic requirements and validate correlation rules, alert logic, dashboards, use cases, and response playbooks for operational effectiveness.
• Map complex observed behaviors to MITRE ATT&CK and other applicable threat models to support analytic improvement and stakeholder reporting.
• Coordinate with SOC Threat Hunter to convert hunt findings into operational detections and with Senior Splunk Engineer or Splunk Architect/Lead for technical implementation.

• Prepare or review complex incident summaries, technical timelines, investigation narratives, after‑action inputs, and lessons‑learned content.
• Communicate complex technical findings in clear operational, business, and risk language for SOC leadership, program stakeholders, and technical teams.
• Provide technical input to SOC Technical Writer for SOPs, playbooks, knowledge articles, and formal documentation products.
• Mentor SOC Analyst 1 and SOC Analyst 2 personnel through escalation review, coaching, analytic guidance, and quality feedback.

• Lead or support detection reviews, tabletop exercises, incident retrospectives, process assessments, and quality improvement activities.
• Identify recurring gaps in telemetry, tools, controls, workflows, documentation, or analyst training and coordinate corrective action requirements with the appropriate owner.
• Stay current with evolving cyber threats, vulnerabilities, adversary tradecraft, detection techniques, and security operations best practices.
• Translate lessons learned and threat developments into improved detections, procedures, escalation criteria, and analyst enablement materials.

• 5+ years of experience in SOC operations, incident response, detection engineering support, threat analysis, or advanced cybersecurity operations.
• Advanced experience using SIEM, EDR, log analysis, case management, and cross‑tool correlation to investigate complex security incidents.
• Strong understanding of adversary tradecraft, MITRE ATT&CK, incident response lifecycle activities, evidence handling, detection logic,…