Job Description

Everforth ECS is seeking a SOC Tier 3 Analyst to work in our Portland, OR office. Please Note: This position is contingent upon contract award.

The SOC Analyst 3 supports the organization's security operations by leading complex incident analysis, validating advanced investigative findings, coordinating technical response actions, improving detection effectiveness, and mentoring lower-tier analysts. This role is the senior technical analysis and escalation tier within the SOC Analyst role family.

The ideal candidate has advanced SOC, incident response, and detection-analysis experience; understands adversary tradecraft and enterprise security architecture; and can coordinate complex technical investigations while partnering with SOC leadership, threat hunting, threat intelligence, forensics, Splunk engineering, security engineering, and program stakeholders.

Key Responsibilities

Advanced Incident Analysis & Escalation Leadership

• Lead analysis of complex, high-impact, multi-stage, or ambiguous security incidents across enterprise systems, cloud environments, identity platforms, endpoints, networks, and applications.

• Validate incident severity, scope, attack path, affected assets, affected accounts, likely root cause, and potential operational or business impact.

• Review and resolve escalated findings from SOC Analyst 1 and SOC Analyst 2, including disputed severity, inconclusive evidence, or multi-source correlation challenges.

• Provide technical facts, risk context, and recommended response priorities to SOC leadership for major incident handling and stakeholder communication.

Technical Response Coordination

• Coordinate complex containment, eradication, and recovery support with Security Engineer, Senior Engineer, system owners, incident responders, and other technical teams.

• Define evidence collection requirements and coordinate handoff to Forensics Lead or Forensics Mid when formal acquisition, preservation, chain of custody, or deep forensic analysis is required

• Guide investigation strategy, timeline development, technical response sequencing, and escalation decisions for complex incidents.

• Maintain alignment with approved incident response plans, playbooks, evidence-handling expectations, and leadership direction.

Detection Effectiveness & Analytic Improvement

• Analyze adversary behaviors, attack patterns, vulnerabilities, threat intelligence, control gaps, and recurring incident trends to improve detection and response effectiveness.

• Define analytic requirements and validate correlation rules, alert logic, dashboards, use cases, and response playbooks for operational effectiveness.

• Map complex observed behaviors to MITRE ATT&CK and other applicable threat models to support analytic improvement and stakeholder reporting.

• Coordinate with SOC Threat Hunter to convert hunt findings into operational detections and with Senior Splunk Engineer or Splunk Architect/Lead for technical implementation.

Reporting, Briefings & Knowledge Transfer

• Prepare or review complex incident summaries, technical timelines, investigation narratives, after-action inputs, and lessons-learned content.

• Communicate complex technical findings in clear operational, business, and risk language for SOC leadership, program stakeholders, and technical teams.

• Provide technical input to SOC Technical Writer for SOPs, playbooks, knowledge articles, and formal documentation products.

• Mentor SOC Analyst 1 and SOC Analyst 2 personnel through escalation review, coaching, analytic guidance, and quality feedback.

Governance, Quality & Continuous Improvement

• Lead or support detection reviews, tabletop exercises, incident retrospectives, process assessments, and quality improvement activities.

• Identify recurring gaps in telemetry, tools, controls, workflows, documentation, or analyst training and coordinate corrective action requirements with the appropriate owner

• Stay current with evolving cyber threats, vulnerabilities, adversary tradecraft, detection techniques, and security operations best practices.

• Translate lessons learned and threat developments into improved detections, procedures, escalation criteria, and analyst enablement materials.

Qualifications

• 5+ years of experience in SOC operations, incident response, detection engineering support, threat analysis, or advanced cybersecurity operations.
• Advanced experience using SIEM, EDR, log analysis, case management, and cross-tool correlation to investigate complex security incidents.
• Strong understanding of adversary tradecraft, MITRE ATT&CK, incident response lifecycle activities, evidence handling, detection logic, and enterprise security architecture.
• Experience leading complex investigations, validating technical findings, defining response priorities, and coordinating technical response across multiple teams.
• Experience developing or validating detection requirements, alert logic, analytic coverage, investigation workflows, or response playbooks.
• Strong written and verbal communication skills, including the ability to brief technical findings and mentor lower-tier analysts.