Security Operations Center (SOC) Analyst, Level 2

Purpose:

Ensure the security and integrity of organizational information systems by proactively monitoring, detecting, and investigating security threats. By maintaining a vigilant and responsive security posture, the SOC Analyst helps protect sensitive data, supports business continuity, and improves detection and response outcomes. The analyst uses AI-assisted capabilities to accelerate triage and investigations, while independently validating model outputs against authoritative telemetry and established procedures.

Scope:

As an L2 SOC Analyst you will primarily focus on deeper analysis of security alerts and incidents that require cross-source correlation, hypothesis-driven investigation, and risk-based decisioning (e.g., monitor vs contain). You will execute response actions that are pre-approved in playbooks, verify outcomes, and escalate exceptions (critical assets, high business impact, ambiguous root cause, or destructive/high-blast-radius actions) to senior SOC/Incident Response resources. You will produce investigation artifacts (timeline, evidence, and queries used) suitable for peer review and audit and contribute to continuous improvement through structured feedback to detection engineering.

Influence:

As a member of Xerox Cyber Security (XCS), the SOC Analyst actively influences the security culture through operational rigor, clear documentation, and disciplined escalation. You will share investigation insights to improve detections, reduce recurring false positives, and strengthen the organization’s overall security posture. You will also participate in security awareness and end-user engagement activities as needed to reinforce secure behaviors and reporting practices.

What You Will Do:

Incident Monitoring, Investigation, and Response:

• Monitor and triage security alerts and events using security tools and technologies (e.g., SIEM, EDR/XDR, IAM/IdP telemetry, email security, cloud audit logs).
• Investigate medium-to-complex alerts to determine scope, impact, and likely root cause; build defensible incident narratives grounded in evidence.
• Perform cross-source correlation and create timelines across endpoint, identity, network, and cloud/SaaS telemetry to validate detections and identify related activity.
• Use hypothesis-driven investigation techniques: generate competing hypotheses, design targeted tests, and update conclusions as evidence changes.
• Make risk-based decisions aligned to runbooks (e.g., contain vs monitor); document rationale, confidence level, and next steps.

AI-Augmented Investigation and Verification (Key 90-Day Expectation):

• Leverage AI-assisted investigation capabilities (e.g., summarization, enrichment, clustering, prioritization) to accelerate triage and investigations.
• Perform AI-augmented investigations as a core responsibility, using AI tools to enhance hypothesis generation, evidence correlation, and incident analysis.
• Independently validate all AI-generated outputs against authoritative telemetry and established runbooks before taking action.
• Translate “why flagged” signals into evidence-based explanations suitable for peer review.
• Identify and document inconsistencies, hallucinations, and gaps in AI outputs, ensuring accuracy and reliability.
• Execute response actions that are pre-approved in playbooks and verify outcomes with clear documentation of results.
• Escalate cases with complete context including timeline, evidence, impact assessment, actions taken, and recommended next steps.

Documentation, Communication, and Automation Safety:

• Document investigations in the case management system, including queries used, evidence excerpts, timelines, decisions, and residual risk.
• Provide structured feedback to detection engineering and ML stakeholders to improve alert fidelity and reduce false positives.
• Maintain up-to-date knowledge of cybersecurity threats, attacker techniques, detection methodologies, and AI-assisted security operations practices.

Basic Qualifications:

• Bachelor's degree in Computer Science, Information Technology, or a related field (or equivalent practical experience).
• 2+ years of experience in a Security Operations Center, security monitoring, or incident triage/investigation role (Level 2 or equivalent).
• Applied proficiency investigating alerts using SIEM queries/pivots and one or more of the following: EDR/XDR, IAM/IdP telemetry, cloud audit logs, email security, network telemetry.
• Strong analytical and problem-solving skills with the ability to conduct hypothesis-driven investigations and produce defensible conclusions.
• Strong written and verbal communication skills with the ability to collaborate effectively across teams and produce audit-ready documentation.
• Ability to work in a fast-paced environment and manage multiple concurrent investigations.
• Working knowledge of AI-assisted security operations concepts and limitations (e.g., false positives, bias, hallucinations) with a strong emphasis on validation and evidence-based decision making.
• Strong discipline in handling sensitive data and using AI tools responsibly (approved platforms, data minimization, and secure practices).

Preferred Qualifications:

• Certifications such as CompTIA Security+, CEH, GIAC (e.g., GCIH/GCIA/GMON), or similar.
• Experience with MITRE ATT&CK mapping to structure investigations and communicate findings.
• Experience investigating cloud environments (AWS, Azure) and interpreting cloud/SaaS telemetry.
• Experience with scripting or query languages (e.g., Python, PowerShell, SQL) for enrichment and analysis.
• Experience executing SOAR playbooks with human-in-the-loop validation.
• Experience contributing to detection engineering improvements and SIEM tuning.
• Experience using LLM/AI copilots to accelerate investigations while maintaining strict validation and secure data handling practices.

Benefits:

• Competitive salary and benefits package.
• Opportunities for professional growth and development.
• Collaborative and inclusive work environment.
• Access to advanced cybersecurity tools and technologies.

Success Criteria (First 90 Days):

• Consistently produces complete, reviewable incident case notes including evidence, queries, timelines, and rationale.
• Demonstrates strong capability in AI-augmented investigations with reliable validation of AI outputs against telemetry.
• Identifies and corrects AI model errors such as hallucinations or inconsistencies.
• Provides actionable feedback that improves detection quality and reduces false positives.
• Executes containment actions safely and escalates complex cases with clear, well-documented context.