SOC/CSIRT Level 3 Analysts

Incident Response (CSIRT) / Security Operations Centre (SOC) Level 3 Analyst

2-3 Days onsite - Crawley

6-9 Month duration

Reporting line: The Analyst will report to the Cyber Security Response Manager and work within the Information Systems directorate, based in the Crawley office.

The role of an Incident Response (CSIRT) / SOC Level 3 Analyst is to respond to high-severity cybersecurity incidents and escalated events or alerts, using experience and industry tools to expedite containment, eradication, and recovery strategies that minimise business impact and protect network systems and customer data from cyber threats.

• People Work collaboratively in a team of around 14 cyber security operations staff. Mentor Level 1 and Level 2 SOC Analysts, providing guidance and training.
• Suppliers Regular interaction with technical resources from outsourced Managed Security Service Providers (MSSPs) and cyber security tooling vendors.
• Communication Communicate technical cybersecurity concepts to both technical and non-technical colleagues across all levels of seniority.
• Stakeholders Build and maintain collaborative working relationships with internal technology teams, external partners, suppliers, and providers to drive outcomes and agree on courses of action.

1. Advanced Threat Hunting: Analyse and assess multiple threat intelligence sources and indicators of compromise (IOC) to identify patterns, vulnerabilities, and anomalies, then use this intelligence and tooling to uncover and remove hidden threats that may have bypassed existing defences across IT and OT environments.
2. Policy Development: Develop SOC policies, technical standards, and procedure documentation aligned to industry best practice.
3. Log Management: Work with MSSPs and service owners to ensure log sources are onboarded into the SIEM solution. Create use cases to correlate suspicious activities across endpoints, networks, applications, and both on-premises and cloud environments.
4. Incident Response: Improve playbooks and processes, lead escalated security incidents, oversee remediation and recovery actions, track incidents, liaise with partners, report findings, and apply root cause analysis with lessons learned.
5. SOAR Development: Support and develop the SOAR platform by producing workflows to automate responses to common attack types and enhance operational playbooks.
6. Digital Forensics: Use forensic tools and techniques to analyse data sources such as logs, SIEM data, applications, and network traffic patterns, and recommend appropriate response actions to ensure threats are contained and eradicated.
7. Cyber Crisis Testing: Participate in cyber-attack simulations and scenario exercises to test resilience and improve preparedness.
8. Reporting: Develop and improve reporting dashboards and security/performance metrics to drive continuous improvement in security operations.
9. Security Tools Support: Support the implementation, maintenance, and configuration of security tools and systems for prevention, detection, and response.
10. Audit: Contribute to security audits (e.g. SOC Type II, NCSC CAF, ISO 27001) and ensure compliance with regulations and standards.
11. Continuous Improvement: Automate event monitoring, detection, and response. Enhance alert use cases and log correlation processes to adapt to evolving threats.

The Information Systems Department provides and optimises technology solutions to improve organisational operations. This role underpins that mission by strengthening cyber security operations. The main measure of success is upholding IT, OT, and organisational resilience against cyber threats and incidents.

• Considerable experience in a SOC Level 2 or 3 role with expertise in advanced threat hunting and incident response across IT and OT environments.

• SOC-specific training, qualifications, or a degree in Computer Science, Cybersecurity, IT, or a related subject.

• Ideally hold recognised security qualifications such as CISSP, AZ-500, GIAC/GCIA/GCIH, CASP+, CEH, or SIEM certifications.

• Strong knowledge of log correlation, analysis, forensics, and chain of custody requirements.

• Familiarity with regulatory frameworks (NCSC CAF, ISO/IEC 27001/27002, GDPR, CIS, NIST).

• Practical knowledge of SIEM, SOAR, EDR, AV, IDS/IPS, NAC, AD, DLP, web/email filtering, behavioural analytics, TCP/IP and OT protocols, and security applications.

• Understanding of adversarial TTPs and frameworks such as MITRE ATT&CK.

• Experience with SIEM and SOAR solutions, IAM, and DLP tools (e.g. FortiSIEM, Q-Radar, Microsoft Secure Gateway, Darktrace, Microsoft Defender, Sentinel).

• Experience developing incident response playbooks, SOAR workflows, red-team exercises, and tabletop simulations.

• Experience in investigating advanced intrusions, such as targeted ransomware or state-sponsored attacks.

Summary: My client are looking for an experienced Incident Response (CSIRT) / SOC Level 3 Analyst with deep expertise in advanced threat hunting, incident response, and cyber defence operations, capable of leading on high-severity incidents and mentoring junior analysts while strengthening resilience across IT and OT environments.