
Security Operations Centre Analyst

Sabio Group
Location: Cape Town (Hybrid)
Posted: 1 month ago
Employment: Full-time

About the role

Key Responsibilities

  • Monitor, triage and investigate security alerts across our internal estate and customer-operated solutions — covering cloud, identity, endpoint, network, application and AI workloads. 
  • Drive incidents end-to-end: scoping, containment, eradication, recovery and post-incident review, working to clearly defined SLAs and rules of engagement. 
  • Produce high-quality incident write-ups and lessons-learned for both technical and executive audiences, and feed findings back into detections, runbooks and engineering backlogs. 
  • Act as an escalation point for first-line alerts and partner with on-call engineering when an incident crosses into platform reliability or customer impact.  
  • Develop and execute hypothesis-driven threat hunts across cloud telemetry, identity signals, endpoint data and application logs — looking for what alerts won’t catch. 
  • Map adversary behaviour to frameworks such as MITRE ATT&CK, and turn confirmed findings into durable detections, dashboards and automated playbooks. 
  • Track emerging threats, CVEs and threat-actor TTPs relevant to our stack and customer base, and translate them into concrete hunts and detections. 
  • Partner with our Red Team and AI Ethics functions on purple-team exercises to validate and improve coverage. 
  • Treat automation as a core part of the role — use code, scripts and AI to remove repetitive toil and free up time for the work only humans should do.  
  • Build, tune and maintain detections in our SIEM and XDR tooling (e.g. Microsoft Sentinel, Defender XDR), keeping a tight handle on signal-to-noise. 
  • Develop SOAR playbooks and enrichment pipelines that turn one-off investigations into repeatable, measured workflows.  
  • Contribute to internal tooling — log normalisation, alert enrichment, case-management integrations, threat-intel feeds — in Python or similar. 
  • Use AI and agentic workflows as a force amplifier on day-to-day SOC work — triage summarisation, log analysis, hypothesis generation, drafting reports and playbooks. 
  • Help shape how we monitor and defend the AI services we operate — LLM workloads, RAG pipelines, agent integrations — alongside our AI Ethics and engineering teams. 
  • Stay close to evolving guidance on AI security (e.g. OWASP Top 10 for LLMs, NIST AI RMF) and translate it into practical monitoring, detection and response patterns. 
  • Operate detections and investigations across cloud workloads — primarily Microsoft 365 and Azure, with meaningful coverage of AWS and GCP and the wider enterprise IT stack.  
  • Understand the security signals that matter in IAM, network, container, serverless and data-layer services, and how attackers actually move through them. 
  • Work closely with platform engineering and SRE teams on misconfiguration, exposure and identity hygiene — not just incidents. 
  • Work alongside the Head of Information Security, Red Team, AI Ethics leads, platform engineering and product teams to embed defensive thinking early.  
  • Partner with customer-facing teams when incidents or hunts touch the solutions we operate on behalf of customers — with care for production stability, customer data and contractual obligations. 
  • Contribute to runbooks, detection libraries, threat-intel notes and post-incident reviews so the whole team gets better with every engagement. 
  • Operate within strict rules of engagement and a strong ethical compass around evidence handling, privacy and disclosure. 

Skills, Knowledge and Expertise

  • Demonstrable hands-on experience in a SOC, CSIRT, MDR or equivalent defensive security role — triage, investigation, incident response and threat hunting against modern cloud-based environments. 
  • Strong understanding of common attacker techniques (MITRE ATT&CK), modern intrusion patterns, and the telemetry needed to detect and investigate them.  
  • Solid grasp of cloud security and operations in at least one major provider — ideally Microsoft 365 and Azure — including IAM, networking, logging/telemetry, common misconfigurations and attack paths. 
  • Working knowledge of SIEM, EDR/XDR and SOAR tooling (e.g. Microsoft Sentinel, Defender XDR, or equivalents) — writing and tuning detections, building playbooks, managing signal quality. 
  • Coding capability in at least one of Python, PowerShell, Go, JavaScript/TypeScript or similar — comfortable writing scripts, automations and integrations, not just running other people’s tools. 
  • Practical understanding of AI/LLM systems — how they work, where they fail, and the new risks they introduce (prompt injection, insecure tool use, training/RAG data exposure) — and an interest in defending them.  
  • An automation-first mindset: you instinctively look for the repeatable pattern, the script, the playbook — and you measure improvement, not effort.  
  • Comfort with agentic development workflows — using AI coding assistants and AI co-work / pair-development models (Claude Code, Copilot, Cursor or equivalent) as part of your day-to-day delivery.  
  • Awareness of the wider AI ecosystem — major model providers, agent frameworks, vector stores, MCP-style tool integrations — and an instinct for where defenders need to pay attention.  
  • Clear written and verbal communication in English: able to brief engineers, executives and (where relevant) customers on incidents, hunts and risk. 
  • A strong ethical compass and discipline around scope, evidence handling, customer data and responsible disclosure.  
  • Industry certifications such as GCIA, GCIH, GCFA, GCDA, GNFA, BTL1/BTL2, CySA+, AZ-500/SC-200, AWS/Azure/GCP security specialties or equivalent. 
  • Hands-on experience defending or monitoring AI / LLM workloads in production — detections for prompt injection, tool abuse, data exfiltration via agents, or anomalous model usage.  
  • Meaningful exposure to AWS and/or GCP security operations alongside Microsoft 365 / Azure.  
  • Experience with identity-centric detections across Entra ID / Azure AD, Active Directory, OAuth/OIDC and federated environments.  
  • Detection engineering experience: writing and maintaining content in KQL, Sigma, YARA or equivalent, with version control and test coverage. 
  • Familiarity with CI/CD, containers and IaC (Docker, Kubernetes, Terraform or equivalent) and how to monitor and defend them. 
  • Purple-teaming experience: working with offensive colleagues to validate and improve detections from real attacker behaviour. 
  • Familiarity with regulatory and standards contexts relevant to enterprise customers — ISO 27001, SOC 2, PCI DSS, GDPR, POPIA. 
  • Threat-intel experience: consuming, producing or operationalising CTI in a way that actually changes what the SOC does day-to-day. 
  • Prior experience in a SaaS, cloud platform or AI/ML company where production systems were the thing being defended — useful context, but not required. 
  • Public research, conference talks, blog posts or community contributions in detection engineering, threat hunting or AI security.  
  • Experience contributing to or running CTFs, blue-team exercises, or open-source defensive tooling.  
  • Exposure to emerging agent interoperability and security standards (e.g. MCP, A2A) and their defensive implications.  

Benefits

  • Remote/Flexible work
  • Discovery Medical Aid  
  • Connectivity Allowance
  • 15 days paid holiday a year (this includes three Sabio days)
  • Momentum EAP