• Lead security incident investigations and ensure timely containment, root cause analysis, and cross-team collaboration. • Provide expert guidance on SIEM strategy, detection logic, and associated security technologies (EDR, email/web gateways, cloud controls). • Standardize and refine monitoring workflows to improve signal quality, reduce false positives, and expand visibility across the environment. • Leverage data from diverse sources (logs, telemetry, threat intel, case history) to identify patterns, emerging issues, and potential business impacts. • Develop, drive, and execute recommendations—technical or professional—that shape both short-term defensive actions and longer-term operational strategy. • Boost SOC effectiveness by implementing new tools, automation, AI-powered processes, and optimized playbooks supported by clear performance metrics. • Anticipate what’s next by actively monitoring emerging threats and regulatory changes that affect the company. • Mentor and elevate teammates by sharing expertise, modeling strong communication under pressure, and supporting a culture of learning within the SOC. • Collaborate closely with Technology teams, Legal/Privacy, Risk & Compliance, vendors, and third-party service providers. • Act as a subject matter expert for technology, policy, and regulatory topics in your area. • Maintain relevant professional certifications and stay current through conferences and ongoing professional development. • Advise peers and leadership on emerging risks, best practices, and operational implications.

• 24/7 monitoring and alert triage across SIEM/EDR/cloud security tooling; identify false positives vs. credible threats and set appropriate severity. • Initial investigation and enrichment: gather relevant logs/telemetry, add context, and document findings clearly in the case/ticketing system. • Escalation and coordination: escalate confirmed/suspected incidents quickly and cleanly to L2/IR with a complete handoff (timeline, scope, IOCs, actions taken). • Runbook execution: follow SOPs for common events (phishing, suspicious logins, endpoint detections, cloud key/token risk, malware alerts, data exfiltration signals), including containment actions you’re authorized to perform. • Threat-aware analysis: map alerts to adversary behaviors (e.g., MITRE ATT&CK techniques) to improve understanding and escalation quality. • Operational hygiene: maintain accurate shift handovers, update watchlists and investigation notes, and identify recurring alert patterns for tuning recommendations.

• Take escalations from L1 and independently investigate complex, multi-signal alerts (identity compromise, cloud control-plane abuse, endpoint persistence, lateral movement, suspicious automation, data exfiltration). • Perform deep log/telemetry analysis across SIEM, EDR, cloud logs, IAM signals, network telemetry, email security, and SaaS audit trails. • Build and validate hypotheses, pivot across data sources, and produce clear incident timelines and scope assessments. • Serve as technical incident lead for defined incident types/severities (or co-lead with IR), driving containment and eradication steps within authorized bounds. • Execute and improve response playbooks for key scenarios (phishing/BEC, credential theft, token/key compromise, suspicious API activity, ransomware indicators, insider risk signals).

• Continuously monitor the Security Information and Event Management (SIEM) dashboard and leverage security tools to detect potential security incidents and anomalies in real-time. • Analyze incoming alerts to determine their relevance and urgency; effectively distinguish between false and true positives to prioritize response efforts. • Conduct investigations by gathering context and other relevant logs to understand scope of alert. • Strictly adhere to established Service Level Agreements (SLAs), Incident Response (IR) playbooks and Standard Operating Procedures (SOPs) to ensure consistent and compliant handling of security events. • Create, update, and manage tickets in our case management system, ensuring all investigative steps, communications, and findings are thoroughly documented. • Identify and escalate complex or high-severity incidents to Tier II or Incident Response Team, providing clear details and a comprehensive summary of initial findings. • Perform basic remediation actions, such as blocking indicators and isolating compromised hosts, when authorized by SOPs or directed by senior personnel. • Demonstrate excellent verbal and written communication skills, when communicating with team members, clients, and/or stakeholders. • Contribute to the team’s knowledge base, creating or updating articles, SOPs, and/or playbooks when new trends or resolution methods are identified.