
SOC/CSIRT Level 3 Analysts

Morson Talent
Analyst
Posted: 4 October
Offer description

Incident Response (CSIRT) / Security Operations Centre (SOC) Level 3 Analyst

Location: Crawley (2-3 days onsite)

Reporting line: The Analyst will report to the Cyber Security Response Manager and work within the Information Systems directorate, based in the Crawley office.

Job purpose: The role is to respond to high-severity cybersecurity incidents and escalated events or alerts, using experience and industry tools to expedite containment, eradication, and recovery strategies that minimise business impact and protect network systems and customer data from cyber threats.


Responsibilities

* Lead escalated security incidents, oversee remediation and recovery actions, track incidents, liaise with partners, report findings, and apply root cause analysis with lessons learned.
* Improve playbooks and processes; develop and refine SOC policies, technical standards, and procedures aligned to industry best practice.
* Manage log sources with MSSPs and service owners; onboard logs into the SIEM and create use cases to correlate suspicious activities across endpoints, networks, applications, and both on-premises and cloud environments.
* Analyse and assess threat intelligence sources and indicators of compromise to identify patterns, vulnerabilities, and anomalies; use intelligence and tooling to uncover and remove hidden threats across IT and OT environments.
* Develop and enhance reporting dashboards and security/performance metrics to drive continuous improvement in security operations.
* Support and develop the SOAR platform by producing workflows to automate responses to common attack types and enhance operational playbooks.
* Use digital forensics techniques to analyse data sources and recommend appropriate response actions to contain and eradicate threats.
* Participate in cyber crisis testing, cyber-attack simulations, and scenario exercises to test resilience and improve preparedness.
* Support the implementation, maintenance, and configuration of security tools for prevention, detection, and response; contribute to security audits (e.g., SOC Type II, NCSC CAF, ISO 27001) and ensure regulatory compliance.
* Automate event monitoring and detection; enhance alert use cases and log correlation processes to adapt to evolving threats.


Advanced capabilities

* Threat hunting across IT and OT environments; correlate multiple data sources to identify threats that bypass existing defences.
* Develop incident response playbooks and SOAR workflows; conduct red-team exercises and tabletop simulations.
* Digital forensics across logs, SIEM data, applications, and network traffic patterns to guide containment and eradication efforts.


Dimensions

* People: Work in a team of around 14 cyber security operations staff; mentor Level 1 and Level 2 SOC Analysts.
* Suppliers: Regular interaction with outsourced MSSPs and cybersecurity tooling vendors.
* Communication: Explain technical concepts to technical and non-technical colleagues at all levels.
* Stakeholders: Build relationships with internal technology teams, external partners, suppliers, and providers to drive action.


Qualifications

* Considerable experience in a SOC Level 2 or 3 role with expertise in advanced threat hunting and incident response across IT and OT environments.
* SOC-specific training or a degree in Computer Science, Cybersecurity, IT, or related subject.
* Recognised security qualifications such as CISSP, AZ-500, GIAC/GCIA/GCIH, CASP+, CEH, or SIEM certifications preferred.
* Strong knowledge of log correlation, analysis, forensics, and chain of custody requirements.
* Familiarity with regulatory frameworks (NCSC CAF, ISO/IEC 27001/27002, GDPR, CIS, NIST).
* Practical knowledge of SIEM, SOAR, EDR, AV, IDS/IPS, NAC, AD, DLP, web/email filtering, behavioural analytics, TCP/IP and OT protocols, and security applications.
* Understanding of adversarial TTPs and frameworks such as MITRE ATT&CK.
* Experience with SIEM and SOAR solutions, IAM, and DLP tools (e.g., FortiSIEM, QRadar, Microsoft Defender, Sentinel).
* Experience developing incident response playbooks, SOAR workflows, red-team exercises, and tabletop simulations; experience investigating advanced intrusions (e.g., targeted ransomware or state-sponsored attacks).

Summary: The client is looking for an experienced Incident Response (CSIRT) / SOC Level 3 Analyst with deep expertise in advanced threat hunting, incident response, and cyber defence operations, capable of leading on high-severity incidents and mentoring junior analysts while strengthening resilience across IT and OT environments.

