Full-time

Keyrock is hiring a SOC Analyst (Level 2)

About the Role

Keyrock is looking for a SOC Analyst (Level 2) to serve as the technical escalation point for sophisticated security incidents. You'll take ownership of high-severity alerts, lead investigations through containment, and coordinate across teams to strengthen our security posture.

What You'll Do

  • Take escalations from L1 and independently investigate complex, multi-signal alerts (identity compromise, cloud control-plane abuse, endpoint persistence, lateral movement, suspicious automation, data exfiltration).
  • Perform deep log/telemetry analysis across SIEM, EDR, cloud logs, IAM signals, network telemetry, email security, and SaaS audit trails.
  • Build and validate hypotheses, pivot across data sources, and produce clear incident timelines and scope assessments.
  • Serve as technical incident lead for defined incident types/severities, driving containment and eradication steps within authorized bounds.
  • Execute and improve response playbooks for key scenarios (phishing/BEC, credential theft, token/key compromise, suspicious API activity, ransomware indicators, insider risk signals).
  • Coordinate evidence collection and preservation to support legal/compliance needs and potential third-party investigations.
  • Enrich investigations with threat intel (IOCs, TTPs) and map observed behavior to frameworks (e.g., ATT&CK) to improve detection fidelity.
  • Maintain watchlists and detection logic for priority threats relevant to cloud-first financial and digital-asset operations.
  • Tune SIEM correlation rules, EDR policies, and alert thresholds to reduce false positives and increase signal quality.
  • Propose and implement new detections for emerging techniques (identity + cloud abuse, OAuth/app consent attacks, API key leakage, CI/CD pipeline tampering).
  • Improve runbooks and automate repetitive enrichment steps (SOAR workflows, scripts, queries).
  • Provide mentorship and real-time guidance to L1 analysts; improve escalation quality through coaching and feedback.
  • Manage shift handovers for active investigations and ensure high-quality case documentation.
  • Contribute to SOC metrics (MTTD, MTTR, false-positive rate, escalation accuracy) and continuous improvement efforts.

What We're Looking For

  • 2–5+ years of SOC / incident response / security operations experience (or equivalent hands-on experience in a fast-paced production environment).
  • Strong ability to investigate across cloud security operations, endpoint security, identity, and core network fundamentals.
  • Proficiency with at least one SIEM and common SOC tooling (e.g., Splunk/Elastic/Sentinel; CrowdStrike/Defender; Jira/ServiceNow).
  • Ability to write clear incident documentation: timelines, scope, impact, containment actions, and recommended remediations.
  • Comfort operating in an on-call or shift environment (depending on coverage model).

Nice to Have

  • Detection engineering experience: correlation rules, Sigma/KQL/SPL, alert pipelines, SOAR automation.
  • DFIR fundamentals: triage acquisition, volatile vs. non-volatile evidence, endpoint artifact analysis.
  • Container/Kubernetes logging and runtime security exposure.
  • Practical scripting (Python/Bash) for analysis and automation.
  • Digital-asset ecosystem exposure and 24/7 trading operations familiarity.
  • Certifications (optional): GCIH, GCIA, GCED, SC-200, AWS Security Specialty, or equivalent.

Technical Stack

  • SIEM, EDR, Cloud logs, IAM, Network telemetry, Email security, SaaS audit trails
  • SOAR, Python, Bash, Kubernetes

Team & Environment

You will coordinate with Incident Response, Cloud/Platform, Identity, and Engineering teams.

Work Mode

Not specified.

Keyrock fosters a culture of calm, structured response under pressure, high ownership, and strong communication across technical and non-technical stakeholders. We value a continuous-improvement mindset where every incident leads to better detections, better controls, and better resilience.

Required Skills

SIEM, EDR, Python, Bash, SOAR, IAM, Network Security, Cloud Security, Threat Detection, Incident Response
About Company: Keyrock

A leading change-maker in the digital asset space, providing services including market making, options trading, high-frequency trading, OTC, and DeFi trading desks as well as digital asset management. They are a well-established market maker operating on over 80 exchanges and working with a wide array of asset issuers.

Job Details

Category: security
Posted 21 days ago