SOC Analyst L1
Philippines · Full-time · Posted about 2 hours ago
Description
As a SOC Analyst L1, you will monitor and triage cybersecurity alerts from multiple sources (SIEM/EDR/network), determine whether activity is benign or suspicious, document evidence clearly, and escalate confirmed or potentially high-risk cases following playbooks and SLAs.
Responsibilities:
- Monitor security events and alerts in SIEM and defensive tools; perform initial triage and classification (benign / false positive / suspicious / incident).
- Collect and review basic evidence: endpoint telemetry, Windows/Linux logs, firewall/IDS, DNS/proxy; perform initial correlation (host/user/IP/IOC/process).
- Execute runbooks/playbooks (e.g., password reset request, IOC block request, host isolation request) when authorized and aligned with procedures.
- Create and maintain high-quality tickets with a clear narrative: what happened, supporting evidence, potential impact, actions taken, recommended next steps.
- Escalate to L2/L3/IR when there is evidence of compromise, material risk, lateral movement, or uncertainty that requires deeper investigation.
- Deliver structured shift handovers (case status, findings, hypotheses, next steps, blockers).
- Meet operational SLAs and documentation quality standards.
Requirements:
- 0–2 years in SOC/NOC/IT Security operations or equivalent hands-on experience demonstrated via labs/casework.
- Solid fundamentals in networking: TCP/IP, DNS, HTTP/S, VPN, NAT.
- Basic working knowledge of Windows and Linux (processes, authentication, logging concepts).
- Ability to interpret log fields (source/destination, user, process, hash, URL, action, result).
- Strong spoken and written English (minimum B2) — must be able to join technical calls and write clear tickets and summaries in English.
- Strong attention to detail, structured thinking, prioritization, and ability to work under pressure and repetitive workflows without quality loss.
- Experience with SIEM/EDR/IDS tools (e.g., Wazuh, Splunk, Sentinel, QRadar; Defender/CrowdStrike; Suricata/Snort). (Nice to have)
- Basic query skills (KQL/SPL/Lucene/DQL) and familiarity with MITRE ATT&CK concepts. (Nice to have)
- Entry-level certifications (e.g., Security+, BTL1, CySA+) or equivalent proof of competence. (Nice to have)
About CallTek
Founded
2004 (over 22 years ago)
People
5001-10000 employees
Industry
IT Services and IT Consulting
Type
Privately Held