Rad Hires

Security Operations Center (SOC) Lead - Philippines

Rad Hires  •  Manila, PH (Onsite)  •  3 months ago

Job Description

The SOC Lead ensures continuous, high-quality security monitoring and incident response across assigned customers while maintaining awareness of alerts, workloads, and analyst capacity. Serving as the primary escalation point, this role leads complex and high-severity incidents, ensuring consistent handling, effective remediation guidance, and clear customer communication in line with runbooks and SLAs. The SOC Lead owns the quality of SOC output, mentoring analysts, driving QA and process improvements, and partnering with engineering teams to improve detections, tooling, and automation. Success is measured through SLA adherence, escalation accuracy, response times, quality metrics, and the ability to translate operational performance and threat trends into actionable insight.

KEY RESPONSIBILITIES:

SOC Execution and Coverage
• Ensure continuous, high-quality security monitoring and response across all assigned customers.
• Maintain situational awareness of alert queues, case workloads, and analyst capacity.
• Step in directly during spikes, escalations, or high-severity incidents.
Incident Escalation and Technical Leadership
• Act as the primary escalation point for complex, high-impact, or high-visibility incidents.
• Lead investigations through containment, remediation guidance, and customer communication.
• Ensure incidents are handled consistently with runbooks and SLAs.
Service Quality and Assurance
• Own day-to-day quality of SOC output.
• Review customer-facing tickets for accuracy, clarity, risk articulation, and recommended actions.
• Perform regular QA review and drive corrective actions with analysts.

Analyst Enablement and Mentorship
• Coach and mentor SOC Analysts on investigation methodology and documentation standards.
• Support onboarding and cross-training across SOC services.
• Raise skill gaps and training needs to SOC Management.

Process and Runbook Ownership
• Maintain and improve SOC workflows, runbooks, and SOPs.
• Ensure consistent application of triage, escalation, incident handling, and change management.
• Identify operational friction and propose improvements.
Tooling, Detection and Automation Feedback Loop
• Partner with Detection Engineering to tune detections and reduce false positives.
• Partner with Engineering to validate and test SOC automations before production rollout.
• Ensure new tooling is operationally usable before adoption.

Metrics, Reporting and Customer Narrative
• Track and contribute to operational metrics (alert volume, response time, escalation rates).
• Provide qualitative insights on SOC performance and threat trends.
• Contribute to monthly customer “storytelling” and internal operational reviews.
• Key Measurables:
o SLA adherence (%)
o Escalation accuracy (right-level escalation rate)
o False positive reduction trend
o QA pass rate on reviewed tickets
o Mean Time to Triage (MTTT)
o Mean Time to Respond (MTTR)
o Analyst rework rate
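As an added example, not code from Rad Hires or from the posting, the script below computes the measurables listed above from a small set of constructed tickets. The posting names the KPIs but does not define them, so the definitions in the docstrings (what counts as "triaged", "responded", "met", "breached" or "pending") and the per-severity SLA targets in `SLA_TARGETS_MIN` are assumptions; a real SOC would take them from the customer contract and runbooks. The one design point worth noting is in `sla_adherence`: open tickets already past their target count as breaches rather than being silently dropped, so the rate cannot be inflated by work that has not been finished.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Ticket:
    ticket_id: str
    severity: str                       # "critical" | "high" | "medium" | "low"
    created: datetime                   # alert/ticket creation time
    triage_started: Optional[datetime]  # first analyst touch; None if untouched
    responded: Optional[datetime]       # first customer-facing action; None if open
    escalated: bool
    escalation_correct: Optional[bool]  # reviewer judgement; None if not escalated
    qa_reviewed: bool
    qa_passed: Optional[bool]           # None if not reviewed
    reworked: bool                      # reopened or rewritten after review


# Per-severity response targets in minutes. Assumed for illustration only;
# real targets come from each customer's contract.
SLA_TARGETS_MIN = {"critical": 30, "high": 60, "medium": 240, "low": 1440}


def _minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60.0


def _ratio(numerator: int, denominator: int) -> Optional[float]:
    return numerator / denominator if denominator else None


def mean_time_to_triage(tickets):
    """MTTT: mean minutes from creation to first analyst touch, over triaged tickets."""
    d = [_minutes(t.created, t.triage_started) for t in tickets if t.triage_started]
    return sum(d) / len(d) if d else None


def mean_time_to_respond(tickets):
    """MTTR: mean minutes from creation to first customer-facing action, over responded tickets."""
    d = [_minutes(t.created, t.responded) for t in tickets if t.responded]
    return sum(d) / len(d) if d else None


def sla_adherence(tickets, as_of: datetime):
    """Classify each ticket as met / breached / pending against its severity target.

    Open tickets already past their target are breaches; open tickets still inside
    the target are pending and excluded from the rate's denominator.
    """
    met = breached = pending = 0
    for t in tickets:
        target = SLA_TARGETS_MIN[t.severity]
        if t.responded is not None:
            if _minutes(t.created, t.responded) <= target:
                met += 1
            else:
                breached += 1
        elif _minutes(t.created, as_of) > target:
            breached += 1
        else:
            pending += 1
    return {"met": met, "breached": breached, "pending": pending,
            "rate": _ratio(met, met + breached)}


def escalation_accuracy(tickets):
    """Right-level escalation rate: share of escalated tickets the reviewer judged correct."""
    esc = [t for t in tickets if t.escalated]
    return _ratio(sum(1 for t in esc if t.escalation_correct), len(esc))


def qa_pass_rate(tickets):
    """Share of QA-reviewed tickets that passed review."""
    rev = [t for t in tickets if t.qa_reviewed]
    return _ratio(sum(1 for t in rev if t.qa_passed), len(rev))


def rework_rate(tickets):
    """Share of all tickets that had to be reopened or rewritten."""
    return _ratio(sum(1 for t in tickets if t.reworked), len(tickets))


def kpi_summary(tickets, as_of: datetime):
    return {
        "mttt_min": mean_time_to_triage(tickets),
        "mttr_min": mean_time_to_respond(tickets),
        "sla": sla_adherence(tickets, as_of),
        "escalation_accuracy": escalation_accuracy(tickets),
        "qa_pass_rate": qa_pass_rate(tickets),
        "rework_rate": rework_rate(tickets),
    }


def sample_tickets():
    """Constructed sample data for the example; not real customer tickets."""
    def d(h, m):
        return datetime(2024, 1, 15, h, m)
    return [
        Ticket("T-1", "critical", d(8, 0), d(8, 5), d(8, 20), True, True, True, True, False),
        Ticket("T-2", "high", d(9, 0), d(9, 10), d(10, 30), True, False, True, False, True),
        Ticket("T-3", "medium", d(10, 0), d(10, 15), d(11, 0), False, None, True, True, False),
        Ticket("T-4", "low", d(11, 0), d(11, 30), None, False, None, False, None, False),
    ]


AS_OF = datetime(2024, 1, 15, 12, 0)  # assumed report time for the open ticket

if __name__ == "__main__":
    for name, value in kpi_summary(sample_tickets(), AS_OF).items():
        print(f"{name}: {value}")
```

Run stand-alone it prints the six measurables for the four constructed tickets; swapping `sample_tickets()` for an export from the ticketing system is the only change needed to run it on real data, provided the field mapping and SLA targets are set to the customer's actual definitions.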

MINIMUM QUALIFICATIONS
• 4+ years of cyber security experience, with at least 2 years in a SOC, MSSP, or similar operational security environment.
• 1+ years of leadership experience (formal or informal) in a security operations role.
• Demonstrated experience with incident handling, security monitoring, and threat analysis across endpoint, network, and cloud environments.
• Experience with SIEM platforms, including rule tuning and dashboard creation.
• Experience identifying and optimizing internal processes related to SOC operations and incident management.
• Strong analytical and problem-solving skills, including ability to define and interpret SOC KPIs.
• Excellent written and verbal communication skills, with ability to simplify complex technical findings into clear, actionable guidance for clients.
• Proven ability to work effectively in a fast-paced, multi-tenant MSSP environment and influence change within a team.
• Passionate about emerging threats and security tools/technologies.
• Able to work under general to minimal supervision.

PREFERRED QUALIFICATIONS
• Recent experience with SIEM management and tuning, SOAR platforms (e.g., Swimlane), and EDR platforms.
• Experience with Elastic Stack (Elasticsearch, Kibana, Beats, Logstash) or equivalent technologies.
• Experience with incident response, including forensic analysis and post-incident reporting.
• Familiarity with vulnerability management, threat intelligence, scripting/automation, and network security.
• Exposure to Red Team tools and frameworks or offensive security concepts.
• Bachelor’s Degree in Computer Science, Cyber Security, Engineering, or related field.

About Rad Hires

At Rad Hires, we help US-based fast growing tech startups, SMBs, and Digital agencies hire outstanding remote talent from Latin America and the Philippines.

In order to scale your business, you're faced with a number of difficult challenges:

• Reduced margins due to rising US labor and payroll costs

• Fierce competition for the best US talent

• The high cost of recruiting US talent

We know how stressful this can be. Which is why we created Rad Hires.

In 2-4 weeks, we help you hire top talent from LATAM and the Philippines at 40-80% less than US rates.

We provide a full service solution including:

• Sourcing and prescreening candidates

• Coordinating the entire interview process

• Assisting with onboarding

• Providing ongoing support to you and your team

• A 90-120 guarantee for every hire you make

Get started today. We can help with everything from entry-level to senior and leadership positions.

Industry
HR & Recruiting
Company Size
1-10 employees
Headquarters
New York, NY
Year Founded
2019