Job Closed

This listing is no longer active.

DICK'S Sporting Goods

Headquartered in Coraopolis, Pennsylvania, DICK’S Sporting Goods offers sports fans and enthusiasts a “big store” selection of name-brand sports equipment

Lead Cybersecurity Operations Analyst

Location

United States

Posted

127 days ago

Salary

$83K - $138.2K / year

Seniority

Senior

Bachelor Degree | 7 yrs exp | English | Firewalls | Linux

Job Description

Lead Cybersecurity Operations Analyst

DICK'S Sporting Goods

  • Lead security incident investigations and ensure timely containment, root cause analysis, and cross-team collaboration.
  • Provide expert guidance on SIEM strategy, detection logic, and associated security technologies (EDR, email/web gateways, cloud controls).
  • Standardize and refine monitoring workflows to improve signal quality, reduce false positives, and expand visibility across the environment.
  • Leverage data from diverse sources (logs, telemetry, threat intel, case history) to identify patterns, emerging issues, and potential business impacts.
  • Develop, drive, and execute recommendations—technical or professional—that shape both short-term defensive actions and longer-term operational strategy.
  • Boost SOC effectiveness by implementing new tools, automation, AI-powered processes, and optimized playbooks supported by clear performance metrics.
  • Anticipate what’s next by actively monitoring emerging threats and regulatory changes that affect the company.
  • Mentor and elevate teammates by sharing expertise, modeling strong communication under pressure, and supporting a culture of learning within the SOC.
  • Collaborate closely with Technology teams, Legal/Privacy, Risk & Compliance, vendors, and third-party service providers.
  • Act as a subject matter expert for technology, policy, and regulatory topics in your area.
  • Maintain relevant professional certifications and stay current through conferences and ongoing professional development.
  • Advise peers and leadership on emerging risks, best practices, and operational implications.

Job Requirements

  • Bachelor’s Degree in Computer Science, management information systems, cybersecurity, or equivalent experience
  • 7-10 years of experience in Security Operations, incident response, Windows, Linux, cloud, SIEM, EDR, firewalls, email gateways
  • Security Information & Event Management (SIEM)
  • Endpoint Detection & Response (EDR)
  • Secure email gateways
  • Query-building
  • Detection Engineering
  • Threat Hunting
  • Experience with MITRE ATT&CK mapping and detection engineering workflows
  • Cloud and identity investigation experience (e.g. identity compromise and bypass techniques)
  • Exposure to SOAR automation, playbook development, or case management platforms
  • Data pipeline and storage expertise (e.g. event and log data parsing)
  • Security+ (preferred not required)
  • CISSP (preferred not required)
  • GIAC (preferred not required)
  • Vendor certifications (preferred not required)

Benefits

  • incentive
  • equity
  • benefits

More Security Operations Jobs

SOC Analyst, Level 1

Keyrock

Digital asset market makers building scalable, self-adaptive technologies to support efficient markets.

Other | Remote | Team 51-200 | Since 2017 | H1B No Sponsor

  • 24/7 monitoring and alert triage across SIEM/EDR/cloud security tooling; identify false positives vs. credible threats and set appropriate severity.
  • Initial investigation and enrichment: gather relevant logs/telemetry, add context, and document findings clearly in the case/ticketing system.
  • Escalation and coordination: escalate confirmed/suspected incidents quickly and cleanly to L2/IR with a complete handoff (timeline, scope, IOCs, actions taken).
  • Runbook execution: follow SOPs for common events (phishing, suspicious logins, endpoint detections, cloud key/token risk, malware alerts, data exfiltration signals), including containment actions you’re authorized to perform.
  • Threat-aware analysis: map alerts to adversary behaviors (e.g., MITRE ATT&CK techniques) to improve understanding and escalation quality.
  • Operational hygiene: maintain accurate shift handovers, update watchlists and investigation notes, and identify recurring alert patterns for tuning recommendations.

All locations: California | Florida | Illinois | New Jersey | New York
Job Closed

SOC Analyst, Level 2

Keyrock

Digital asset market makers building scalable, self-adaptive technologies to support efficient markets.

Other | Remote | Team 51-200 | Since 2017 | H1B No Sponsor

  • Take escalations from L1 and independently investigate complex, multi-signal alerts (identity compromise, cloud control-plane abuse, endpoint persistence, lateral movement, suspicious automation, data exfiltration).
  • Perform deep log/telemetry analysis across SIEM, EDR, cloud logs, IAM signals, network telemetry, email security, and SaaS audit trails.
  • Build and validate hypotheses, pivot across data sources, and produce clear incident timelines and scope assessments.
  • Serve as technical incident lead for defined incident types/severities (or co-lead with IR), driving containment and eradication steps within authorized bounds.
  • Execute and improve response playbooks for key scenarios (phishing/BEC, credential theft, token/key compromise, suspicious API activity, ransomware indicators, insider risk signals).

All locations: California | Florida | Illinois | New Jersey | New York
Job Closed

SOC Analyst I

Sentinel Blue

Enterprise cybersecurity for small and medium businesses | Specialize in defense and federal | Ask us about CMMC/DFARS

Other | Remote | Team 11-50 | H1B No Sponsor

  • Continuously monitor the Security Information and Event Management (SIEM) dashboard and leverage security tools to detect potential security incidents and anomalies in real-time.
  • Analyze incoming alerts to determine their relevance and urgency; effectively distinguish between false and true positives to prioritize response efforts.
  • Conduct investigations by gathering context and other relevant logs to understand the scope of an alert.
  • Strictly adhere to established Service Level Agreements (SLAs), Incident Response (IR) playbooks and Standard Operating Procedures (SOPs) to ensure consistent and compliant handling of security events.
  • Create, update, and manage tickets in our case management system, ensuring all investigative steps, communications, and findings are thoroughly documented.
  • Identify and escalate complex or high-severity incidents to Tier II or the Incident Response Team, providing clear details and a comprehensive summary of initial findings.
  • Perform basic remediation actions, such as blocking indicators and isolating compromised hosts, when authorized by SOPs or directed by senior personnel.
  • Demonstrate excellent verbal and written communication skills when communicating with team members, clients, and/or stakeholders.
  • Contribute to the team’s knowledge base, creating or updating articles, SOPs, and/or playbooks when new trends or resolution methods are identified.

United States
$50K - $60K / year
Job Closed
Security Operations Engineer

Calendly

The scheduling automation platform for eliminating the back-and-forth emails to find the perfect time — and so much more

Other | Remote | Team 501-1,000 | Since 2013 | H1B No Sponsor

  • Collaborating with Security Operations Center (SOC) team members to monitor, detect, and respond to cybersecurity threats in a timely manner.
  • Responding to cybersecurity incidents from identification through resolution.
  • Developing and maintaining up-to-date knowledge of the threat landscape, as well as advancements in cybersecurity technologies and methodologies.
  • Identifying, configuring and onboarding security telemetry sources/logs in support of threat detection and incident response.
  • Collaborating with Engineering and SRE to identify and mitigate logging deficiencies.
  • Developing new detection scenarios and queries to broaden and deepen the team’s detection coverage.
  • Tuning and continuously improving existing detection queries to increase signal-to-noise ratio, and ensure our detections remain relevant and functional.
  • Executing and improving incident response protocols and procedures to swiftly and effectively manage security incidents.
  • Identifying, developing and maintaining automation solutions to increase the efficiency and effectiveness of the team.
  • Integrating various security and IT tools to enhance threat detection, incident response, and operational efficiency.
  • Conducting regular security assessments, threat hunts, and continuous monitoring to identify vulnerabilities, opportunities for posture enhancements and better incident preparedness.
  • Collaborating with Engineering, IT and other departments to support the implementation and evangelization of established cybersecurity best practices across the organization.
  • Leveraging JIRA for creating and managing dashboards, reports, and metrics that support cybersecurity operations and decision-making.

United States
$155.8K - $219.9K / year
Job Closed