SOC Tier 3 Analyst

Everforth ECS is seeking a SOC Tier 3 Analyst to work in our Portland, OR office. Please Note: This position is contingent upon contract award.

 

The SOC Analyst 3 supports the organization's security operations by leading complex incident analysis, validating advanced investigative findings, coordinating technical response actions, improving detection effectiveness, and mentoring lower-tier analysts. This role is the senior technical analysis and escalation tier within the SOC Analyst role family. 

The ideal candidate has advanced SOC, incident response, and detection-analysis experience; understands adversary tradecraft and enterprise security architecture; and can coordinate complex technical investigations while partnering with SOC leadership, threat hunting, threat intelligence, forensics, Splunk engineering, security engineering, and program stakeholders. 

 

Key Responsibilities 

Advanced Incident Analysis & Escalation Leadership 

• Lead analysis of complex, high-impact, multi-stage, or ambiguous security incidents across enterprise systems, cloud environments, identity platforms, endpoints, networks, and applications. 

• Validate incident severity, scope, attack path, affected assets, affected accounts, likely root cause, and potential operational or business impact. 

• Review and resolve escalated findings from SOC Analyst 1 and SOC Analyst 2, including disputed severity, inconclusive evidence, or multi-source correlation challenges. 

• Provide technical facts, risk context, and recommended response priorities to SOC leadership for major incident handling and stakeholder communication. 

Technical Response Coordination 

• Coordinate complex containment, eradication, and recovery support with Security Engineer, Senior Engineer, system owners, incident responders, and other technical teams. 

• Define evidence collection requirements and coordinate handoff to Forensics Lead or Forensics Mid when formal acquisition, preservation, chain of custody, or deep forensic analysis is required. 

• Guide investigation strategy, timeline development, technical response sequencing, and escalation decisions for complex incidents. 

• Maintain alignment with approved incident response plans, playbooks, evidence-handling expectations, and leadership direction. 

Detection Effectiveness & Analytic Improvement 

• Analyze adversary behaviors, attack patterns, vulnerabilities, threat intelligence, control gaps, and recurring incident trends to improve detection and response effectiveness. 

• Define analytic requirements and validate correlation rules, alert logic, dashboards, use cases, and response playbooks for operational effectiveness. 

• Map complex observed behaviors to MITRE ATT&CK and other applicable threat models to support analytic improvement and stakeholder reporting. 

• Coordinate with SOC Threat Hunter to convert hunt findings into operational detections and with Senior Splunk Engineer or Splunk Architect/Lead for technical implementation. 

Reporting, Briefings & Knowledge Transfer 

• Prepare or review complex incident summaries, technical timelines, investigation narratives, after-action inputs, and lessons-learned content. 

• Communicate complex technical findings in clear operational, business, and risk language for SOC leadership, program stakeholders, and technical teams. 

• Provide technical input to SOC Technical Writer for SOPs, playbooks, knowledge articles, and formal documentation products. 

• Mentor SOC Analyst 1 and SOC Analyst 2 personnel through escalation review, coaching, analytic guidance, and quality feedback. 

Governance, Quality & Continuous Improvement 

• Lead or support detection reviews, tabletop exercises, incident retrospectives, process assessments, and quality improvement activities. 

• Identify recurring gaps in telemetry, tools, controls, workflows, documentation, or analyst training and coordinate corrective action requirements with the appropriate owner. 

• Stay current with evolving cyber threats, vulnerabilities, adversary tradecraft, detection techniques, and security operations best practices. 

• Translate lessons learned and threat developments into improved detections, procedures, escalation criteria, and analyst enablement materials.