
Incident Response and Security Operations Consultant — L2
Job Description
At Armor, we are committed to making a meaningful difference in securing cyberspace. Our vision is to be the trusted protector and de facto standard that cloud-centric customers entrust with their risk. We strive to continuously evolve to be the best partner of choice, breaking norms and tirelessly innovating to stay ahead of evolving cyber threats and reshaping how we deliver customer outcomes. We are passionate about making a positive impact in the world, and we are looking for highly skilled and experienced talent to join our dynamic team.
Armor has unique offerings to the market so customers can a) understand their risk, b) leverage Armor to co-manage their risk, or c) completely outsource their risk to Armor.
Learn more at: https://www.armor.com
SUMMARY
Armor is seeking an Incident Response and Security Operations Consultant (L2) to independently lead customer consultations on security incidents, threat analysis, and remediation strategy. Beyond incident response and security operations support, the L2 Consultant actively participates in projects that operationalize new customer-facing SOC capabilities, including vulnerability and exposure management, control validation, security technology management, data security, and policy management. This role mentors L1 Consultants, drives process improvement, contributes to the SOC knowledge base, and exercises direct detection tuning authority in support of Armor's expanding service model.
ESSENTIAL DUTIES AND RESPONSIBILITIES
Additional duties may be assigned as required.
- Lead customer consultations on security incidents via video, phone, chat, and ticket; deliver expert analysis and actionable recommendations.
- Conduct threat analysis using SIEM correlation, EDR telemetry, and threat intelligence to determine threat scope and impact.
- Perform forensic analysis including memory analysis, log correlation, and malware triage; advise customers on findings and implications.
- Develop and recommend detection and response strategies tailored to customer environments and risk profiles.
- Recommend tuning within detection platforms (QRadar, Defender, Sentinel, and others) in accordance with defined QA and release procedures.
- Actively participate in projects to operationalize new customer-facing SOC capabilities; contribute to delivery milestones and team adoption.
- Lead vulnerability and exposure management consultations; provide customers with prioritized remediation guidance.
- Participate in security technology management activities including platform configuration review and optimization recommendations.
- Support customer policy management by reviewing, documenting, and recommending updates to security policies.
- Mentor and train L1 Consultants on investigation techniques, customer engagement standards, and technical skills.
- Develop and maintain formalized process documentation; ensure procedures are current, followed, and continuously improved.
- Own handoff quality when escalating to L3+ or transitioning work between shifts; ensure full context continuity.
- Contribute substantively to the SOC knowledge management system; document advanced techniques, threat patterns, and response playbooks.
- Create detection signatures, correlation rules, and response procedures based on threat analysis and Armor procedures.
- Actively pursue professional development; complete required certifications and seek advanced training aligned to role growth.
- Ability to work a nighttime or US day shift (note: the shift schedule for this role will be determined prior to offer).
REQUIRED SKILLS
- Strong proficiency with security tools: EDR/XDR (Defender/Sentinel required, Trend and CrowdStrike preferred), SIEM (Sentinel, QRadar), SOAR, and threat intelligence platforms.
- Solid understanding of cloud security across Azure, AWS, and VMware including identity, networking, and workload protection.
- Forensic analysis skills including host triage, log analysis, and malware identification.
- Proficient in scripting (Python, PowerShell, KQL) for analysis, automation, and detection development.
- Proficiency with git version control including branching, commits, and pull request workflows.
- Experience using agentic AI tools (Claude, OpenAI Codex, or equivalent) to develop detection content, automate analysis, and build security tooling.
- Understanding of AI/LLM security risks; ability to critically evaluate AI-generated outputs for accuracy, security implications, and operational fitness.
- Working knowledge of vulnerability management, control validation, and security policy frameworks.
- Demonstrated mentoring and training ability.
- Strong customer consultation and advisory skills; comfortable leading engagements via video, phone, chat, and ticket in English.
- Ability to analyze complex attack chains and communicate findings to both technical and non-technical audiences.
- Ability to develop written deliverables including incident reports and remediation guidance.
EDUCATION AND/OR EXPERIENCE
- 3-5 years of experience in incident response, security consulting, or security operations; prior IR or consulting experience required.
- Required certifications within 12 months: AZ-500, SC-200, SC-300, SC-401.
- Certifications preferred: GCIH, GCFA, CySA+, CEH, or equivalent.
- Bachelor's Degree in Information Technology, Cybersecurity, or related field preferred; equivalent experience accepted.
- Demonstrated commitment to ongoing professional development and continuing education.
WHY ARMOR
Join Armor if you want to be part of a company that is redefining cybersecurity. Here, you will have the opportunity to shape the future, disrupt the status quo, and be a part of a team that celebrates energy, passion, and fresh thinking. We are not looking for someone who simply fills a role — we want talent who will help us write the next chapter of our growth story.
ARMOR CORE VALUES
- Commitment to Growth: A growth mindset that encourages continuous learning and improvement with adaptability in the face of challenges.
- Integrity Always: Sustain trust through transparency and honesty in all actions and interactions regardless of circumstances.
- Empathy In Action: Active understanding, compassion, and support for the needs of others through genuine connection.
- Immediate Impact: Taking initiative with swift, informed actions to deliver positive outcomes.
- Follow-Through: Dedication to delivering finished results with attention to quality and detail to achieve the desired outcomes.
WORK ENVIRONMENT
The work environment characteristics described here are representative of those an employee encounters while performing the essential functions of this job. The noise level in the work environment is usually low to moderate. This is an in-office position based at one of our SOC locations.
Equal opportunity employer — it is the policy of the company to comply with all employment laws and to afford equal employment opportunity to individuals in all aspects of employment, including in selection for job opportunities, without regard to race, color, religion, sex, national origin, age, disability, genetic information, veteran status, or any other consideration protected by federal, state, or local laws.