*Position is Eligible for Remote / Work from Home Opportunity* Department: Systems Security Telecommuting Eligible: Yes Job Grade: E11 As a condition of employment physical work location must be in one of the 50 states or the District of Columbia. Notice of Collection & Privacy Policy for Applicants Residing in California: California Applicant Privacy Policy | Noridian (noridiansolutions.com) Job Title Security Operations Analyst II Job Summary Security Operations Analysts are responsible for monitoring, detecting, and responding to cybersecurity threats and incidents across the enterprise. They perform threat analysis, incident response, and proactive threat hunting while ensuring compliance with Centers for Medicare & Medicaid Services (CMS) Acceptable Risk Safeguards (ARS) 5.1, National Institute of Standards and Technology (NIST) 800-53, and Federal Information Systems Management Act (FISMA) standards. The team works to continuously improve security processes, tools, and automation, with a focus on advanced monitoring, containment and remediation activities. Essential Functions (Key Duties/Responsibilities/Accountabilities) - Performs initial triage and investigation of alerts generated by System Information and Event Management (SIEM), Endpoint Detection and Response (EDR), Data Loss Prevention (DLP), and other monitoring tools using critical thinking, problem-solving, and the MITRE ATT&CK framework. - Monitors network, host, and application alerts for indicators of compromise or policy violations. - Vulnerability intake and classification. Manages the intake and classification of security vulnerabilities. - Researches and classifies software patch updates. - Creates and updates incident tickets in accordance with defined SLAs and escalation procedures. - Participates in continuous monitoring operations, including log correlation and alert tuning. - Maintains detailed documentation of all alerts, investigations, and response activities. - Supports daily and weekly reporting of security operations metrics and trends. - Adheres to established playbooks and incident handling procedures. - Maintains basic knowledge of cyber threat landscapes and emerging attack vectors. - As assigned, provides after-hours support by responding to and assisting with incidents as part of an on-call or escalation rotation. - Conducts advanced analysis and correlation of events across multiple data sources (endpoint, network, identity, and cloud). - Performs threat hunting activities leveraging MITRE ATT&CK and other intelligence frameworks. - Leads containment and eradication steps for medium-severity incidents. - Coordinates with IT and Security Engineering for incident response, remediation, and lessons learned. - Develops and refines security operations use cases and detection rules to reduce false positives and improve alert quality. - Maintains and improves security operations playbooks, runbooks, and standard operating procedures. - Conducts quality review of Analyst I investigations and provides coaching and feedback. - Contributes to weekly threat reports, metrics, and situational awareness briefings. - Participates in vulnerability management reviews and validation scans. - Collaborates with the Governance, Review and Compliance (GRC) team to support compliance evidence collection related to continuous monitoring controls. Non-Essential Duties and Functions - Other duties as assigned. Minimum Qualifications - Bachelors degree in Information Technology, Cybersecurity, or related field OR equivalent work experience determined by Human Resources. - 3 years of experience in security operations, threat detection, or incident response. - Hands-on experience with EDR, SIEM, Intrusion Detection System/Intrusion Prevention System, and SOAR platforms. - Understanding of incident lifecycle (detect, analyze, contain, eradicate, recover) and NIST 800-53 - Proficiency in interrupting network packets, logs, and endpoint telemetry. - Working knowledge of MITRE ATT&CK and its application to detection logic, automation, and threat modeling. - Strong attention to detail, communication, and documentation skills. - Strong analytical and critical-thinking skills with ability to prioritize under pressure. Preferred Qualifications - CompTIA Security+, CySA+, or equivalent entry-level certification - 4 years experience in security operations, threat detection, or incident response. Environment and Cognitive/Physical Demands - Office environment - Ability to read, hear, speak, keyboard, reason, communicate effectively and problem solve - Requires prolonged sitting and telephone usage - Requires the use of office equipment such as computer terminals, telephones, copiers and printers - Infrequent lifting to 20 pounds - Infrequent stooping Segregation of Duties Every employee is responsible to perform their duties and responsibilities in accordance with Noridian values, policies and procedures, including but not limited to, Segregation of Duties Principles, HIPAA, Security and Privacy, CMS requirements, the Noridian Compliance Program, and any other applicable laws, rules and regulations. Statement of Other Duties This document describes the essential functions, requirements, and responsibilities of this job, and is not intended to be a complete list of all tasks and functions. Employees may be requested to perform job related tasks other than those specifically listed in this description and may be required to perform any task requested by the supervisor or management. Total Rewards Package: Health, Dental and Vision Insurance, Voluntary Insurance Plans, Health Savings and Flexible Spending Accounts, 401k and Company Match, Company-paid Life Insurance, Education Assistance Program, Paid Sick Leave, Paid Holidays, Increasing PTO Accrual Plan, Medical/Parental/Disability Leave, Workers Compensation, Retiree Benefits, Severance Package, Employee Assistance Program, Financial and Health Wellness Benefits, Casual Dress, Open Office Setting, and Online Learning System. CMS Access Compliance and Regulation Contingency Statement Some positions require compliance with (i) federal and agency specific regulations and related clauses included in Noridian's prime contracts with the Government, (ii) background checks, and (iii) eligibility for a government-issued identification card. An employee in this position may be required to possess a “Federal Identification Card” (Federal ID) as a condition of employment. Federal ID’s may include one of the following: Personal Identity Verification (PIV) card, Personal Identity Verification-Interoperable (PIV-I) card, a Local-Based Physical Access Card issued by CMS, or a Local-Based Physical Access Card issued by another Federal agency and approved by CMS. Obtaining a Federal ID and continued eligibility for this position may require the successful completion of a Federal Background Investigation performed by the Federal Government and a residency requirement that you have lived in the United States at least three out of the last five years. Failure to obtain a Federal ID may result in the removal from the position or termination of employment. Equal Employment Opportunity Qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, disability, protected veteran status or other characteristics protected by state or federal law. The contractor will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor’s legal duty to furnish information. 41 CFR 60-1.35(c) Below is the salary range for potential new hires. Salary Range: The pay range for this position is $52,120.20 – $85,724.33 per year, however, the base pay offered may vary depending on geographic region, internal equity, job-related knowledge, skills, and experience among other factors. Other Compensation: Incentive Plan & Lifestyle Benefit This job will be closed 04/13/2026 at 8:00AM CST. No further applications will be considered.

• Own the log ingestion pipeline end-to-end: identify gaps, build feeds, validate parsing, maintain coverage dashboards • Close the federal logging gap and stand up commercial logging across AWS, Azure, Entra ID, and SaaS • Activate and configure SecOps SOAR capabilities including Domain-Wide Delegation, marketplace integrations, and bidirectional response actions • Build and maintain SOAR playbooks for major incident types such as phishing, malware, account compromise, lateral movement, and cloud-specific threats • Develop and maintain operational dashboards for SOC metrics, alert volumes, MTTA/MTTR, and coverage status • Manage Google SecOps RBAC • Build and deploy production detection rules mapped to MITRE ATT&CK within the first year • Develop custom parsers for AWS-native security services including GuardDuty, Security Hub, Inspector, WAF, CloudTrail, and VPC Flow Logs • Establish a detection lifecycle including proposal, testing, deployment, tuning, and retirement • Conduct quarterly detection quality reviews to measure false positive rates, coverage gaps, and rule health • Develop alert threshold optimization to reduce noise and analyst fatigue • Drive SentinelOne deployment across Azure VMs in commercial environments and all federal endpoints • Configure and operationalize Cloud Funnel for log export into Google SecOps • Build correlation rules between EDR alerts and SIEM detections • Manage SentinelOne RBAC groups and policy configuration • Coordinate with IT on agent deployment, health monitoring, and version management • Serve as senior escalation point for SOC incidents, ensuring investigations are thorough and reports include root cause, remediation actions, credential rotation plans, and follow-up timelines • Improve MTTA and MTTR through process optimization, better tooling, and analyst development • Lead quarterly tabletop exercises and after-action reviews • Maintain and improve incident response runbooks for all major incident categories • Integrate incident response workflows with Jira Service Management for tracking and escalation • Operationalize monthly scanning cadence across all environments using tools such as Nessus, AWS Inspector, and Azure Defender • Define and enforce remediation SLAs by severity: Critical within 72 hours, High within 7 days, Medium within 30 days • Build consolidated vulnerability dashboards in Google SecOps • Track SLA compliance and report metrics to the CISO • Coordinate remediation with engineering and infrastructure teams • Serve as primary technical interface with MSSP partner for 24/7 SOC coverage • Define and hold the MSSP accountable to SLAs, alert quality, and escalation procedures • Review MSSP deliverables such as dashboards, reports, and playbooks for quality and completeness • Manage the transition from the previous MSSP and ensure no coverage gaps • Provide day-to-day technical direction to SOC analysts by setting priorities, assigning tasks, and reviewing work products • Ensure incident response reports, playbooks, and dashboards meet quality standards before delivery to leadership or external stakeholders • Drive OKR execution for SOC-related objectives including logging coverage, detection counts, incident response metrics, and vulnerability SLA compliance • Identify skill gaps and development opportunities for junior analysts • Establish and enforce SOC processes that are documented, repeatable, and auditable

Location: Remote (US-based) About Dispel: Dispel is the fastest-growing cybersecurity company recognized in the 2025 Cybersecurity Excellence Awards. We deliver zero trust secure remote access and real-time data streaming for operational technology (OT) and industrial control systems (ICS). Our patented Moving Target Defense technology — referenced in NIST 800-172 — protects critical infrastructure for utilities serving 54 million+ people, manufacturers producing over 50% of US baby formula, and major defense contracts including a $950M IDIQ with the US Air Force. Why This Role Exists: Dispel is pursuing FedRAMP High authorization while simultaneously operating a commercial security program. We have a functioning SOC built on Google SecOps (Chronicle) and SentinelOne, but we need a senior IC who can take it from "stood up" to "operationally mature." Today our SIEM ingests approximately 35% of total log sources. Our federal environment is at 75% coverage; commercial AWS sits at 30%; Azure and Entra ID are at 0%. Our MSSP recently transitioned and needs an internal technical owner to drive accountability. Our detection library, SOAR playbooks, and vulnerability dashboards are in draft or partially built. This person will be the day-to-day technical owner of SOC operations, responsible for closing coverage gaps, building detections, maturing incident response, and providing senior technical direction to the existing SOC analyst. This is a hands-on-keyboard role with leadership expectations — you will not formally manage people, but you will set priorities, review deliverables, and drive execution across the SOC function.

• Execute SOC Operational Strategy • Oversee all global SOC operations, ensuring alignment with MassMutual’s cybersecurity strategy and regulatory requirements • Review SOC metrics, staffing needs, and budget requirements with security leadership • Drive Threat Detection & Incident Response Excellence • Lead the response to cybersecurity events and critical incidents, ensuring appropriate analysis, prioritization, escalation, and communications • Ensure structured and consistent incident handling processes across all SOC tiers • Strengthen Enterprise Communication & Decision Support • Act as the escalation and communication liaison with senior leadership and other critical stakeholders • Ensure timely, risk-aware decisions and clear communication of incident impacts and recommended actions • Advance Detection Engineering & Automation Capabilities • Partner with Detection Engineering and Security Platforms to optimize SIEM/SOAR alerting logic, tuning, and playbook development • Expand automation to improve analyst efficiency and response consistency • Develop & Inspire a High-Performing Global Team • Guide analyst growth through training, mentorship, certifications, and hands-on exercises • Foster a culture rooted in MassMutual values of inclusion, innovation, and continuous improvement