Job Description

We are seeking a highly experienced Senior SOC Analyst – Layer 3 (DFIR) to lead advanced digital forensic investigations and incident response operations within our Cybersecurity Operations Center (SOC) in Jeddah.

The selected candidate will act as the highest technical escalation point for major security incidents, conduct in-depth forensic investigations, manage complex breach scenarios, and provide strategic guidance to SOC L1 and L2 teams. This role requires strong hands-on DFIR expertise in enterprise environments, including endpoint, network, cloud, and hybrid infrastructures.

Key Responsibilities

1. Advanced Incident Response Leadership

• Lead end-to-end handling of high-severity cybersecurity incidents (Ransomware, APT, data exfiltration, insider threats).

• Direct containment, eradication, and recovery strategies during critical incidents.

• Serve as primary escalation point for SOC L2 investigations.

• Coordinate with IT, Legal, Risk, Compliance, and executive leadership during crisis situations.

• Conduct post-incident reviews and lessons-learned workshops.

2. Digital Forensics Investigations

• Perform forensic acquisition and analysis of endpoints, servers, and cloud workloads.

• Conduct disk, memory, and network forensics using industry-standard tools.

• Preserve and maintain chain-of-custody documentation.

• Analyze artifacts such as registry, event logs, browser history, persistence mechanisms, and lateral movement traces.

• Prepare forensic reports suitable for executive and legal review.

3. Endpoint & EDR Deep Analysis

• Perform deep investigations using enterprise EDR platforms such as

Microsoft Defender for Endpoint,

CrowdStrike Falcon, or equivalent.

• Conduct advanced threat hunting and behavioral analysis.

• Reverse-engineer suspicious scripts or malware (basic to intermediate level).

4. SIEM & Log Correlation Expertise

• Conduct advanced log analysis across SIEM platforms such as

Splunk Enterprise Security,

Microsoft Sentinel, or equivalent.

• Develop and optimize advanced detection queries (SPL / KQL).

• Correlate endpoint, network, identity, and cloud telemetry for full attack chain reconstruction.

• Map incidents to MITRE ATT&CK framework techniques.

5. Network & Cloud Forensics

• Analyze PCAP, NetFlow, DNS, proxy, and firewall logs.

• Investigate suspicious lateral movement and command-and-control traffic.

• Perform forensic investigations within Microsoft 365, Azure, and AWS environments.

• Assess identity compromise scenarios (AD, Azure AD, privileged access abuse).

6. Threat Intelligence & Proactive Defense

• Integrate threat intelligence feeds into DFIR investigations.

• Conduct proactive threat hunting campaigns.

• Participate in red team / purple team exercises.

• Identify detection gaps and recommend defensive improvements.

7. Governance & Compliance Support

• Ensure forensic readiness aligned with NCA ECC, SAMA CSF, ISO 27001, and other regulatory frameworks.

• Maintain forensic documentation aligned with legal admissibility standards.

• Contribute to incident response policy and playbook development.

8. On-Call & Crisis Response

• Participate in 24x7 on-call rotation for major incidents.

• Provide immediate response and executive-level briefing during critical cybersecurity events.

Requirements

Candidates must demonstrate proven, hands-on DFIR experience in:

• Minimum 7–10 years of experience in cybersecurity operations.

• At least 3–5 years in L3 / DFIR role handling major enterprise incidents.

• Practical experience with forensic tools such as:

o EnCase

o FTK

o X-Ways

o Volatility

o Autopsy

• Memory forensics and live response techniques.

• Ransomware investigation and recovery coordination.

• Advanced Windows & Linux artifact analysis.

• Network protocol deep understanding (TCP/IP, DNS, HTTP/S, SMB, LDAP, Kerberos).

• Cloud security investigations (Azure / AWS / M365).

• Evidence handling and chain-of-custody documentation.

• Experience working in regulated sectors (Banking, Government, Critical Infrastructure preferred).