C3iHub, IIT Kanpur

L3 Threat Analyst/Incident Response Lead

India · Full-time · Mid-Senior

Role Overview

The L3 Threat Analyst leads complex incident response and advanced threat investigations, owning incidents end-to-end while guiding L1/L2 analysts. This role combines deep technical expertise, adversary understanding, and detection engineering to strengthen the organization’s overall security posture.
Key Responsibilities


Advanced Incident Response Leadership

  • Lead high-severity and complex incidents (multi-stage attacks, APTs, lateral movement, data exfiltration)
  • Own end-to-end response: detection → investigation → containment → eradication → recovery
  • Act as the technical decision-maker during active incidents


Deep Threat Investigation

  • Perform advanced analysis across:
      ◦ Endpoint telemetry, memory artifacts, disk forensics
      ◦ Network traffic (PCAP, NDR)
      ◦ Identity and cloud logs
  • Reconstruct full attack chains and identify root cause and blast radius
  • Handle fileless malware, living-off-the-land (LotL), and stealthy persistence techniques


Threat Hunting & Adversary Emulation

  • Design and lead proactive threat hunting campaigns
  • Simulate attacker techniques (red/purple mindset) to validate detection coverage
  • Identify gaps and convert them into high-fidelity detections


Detection Engineering

  • Design, build, and optimize advanced detection logic
  • Develop detections across:
      ◦ SIEM (correlation rules, anomaly detection)
      ◦ EDR/NDR analytics
  • Ensure coverage across the MITRE ATT&CK framework
  • Mentor L1/L2 on detection quality and tuning


Forensics & Malware Analysis

  • Conduct host and network forensics
  • Perform static and basic dynamic malware analysis
  • Extract IOCs, behaviors, and detection patterns


Automation & SOC Engineering Collaboration

  • Define and drive automation strategy (SOAR, pipelines)
  • Collaborate with engineering teams to:
      ◦ Improve telemetry pipelines
      ◦ Optimize data ingestion and correlation
      ◦ Scale detection systems for high-EPS environments


Incident Command & Stakeholder Management

  • Act as Incident Commander for critical security incidents.
  • Provide clear, structured, and timely communication to leadership and stakeholders.
  • Lead post-incident reviews and drive corrective and preventive actions.


SOC Maturity & Strategy

  • Define and continuously improve:
      ◦ Incident Response (IR) playbooks
      ◦ Detection coverage roadmap
      ◦ SOC metrics such as MTTD, MTTR, and detection fidelity
  • Continuously enhance SOC capabilities, processes, and operational resilience.


Required Skills & Qualifications

  • 5+ years of experience in Incident Response, Threat Hunting, or SOC Engineering.


Strong Expertise In:

  • Advanced attack techniques including APTs, lateral movement, and persistence mechanisms.
  • MITRE ATT&CK mapping and adversary behavior analysis.
  • Windows and Linux internals.


Hands-on Experience With:

  • SIEM platforms such as Splunk, ELK, Sentinel, etc.
  • EDR/NDR platforms.
  • Log correlation in large-scale distributed systems.


Deep Knowledge Of:

  • Networking concepts including packet-level analysis, DNS abuse, and C2 patterns.
  • Identity-based attacks such as Kerberos abuse, Active Directory attacks, and credential theft.


Technical Skills

  • Strong scripting and programming skills in Python, PowerShell, or Bash.


Good to Have

  • Experience working in high-throughput environments (100K+ EPS, data lakes).
  • Knowledge of detection engineering frameworks such as Sigma, YARA, KQL, and SPL.
  • Experience in cloud security and containerized environments.
  • Intermediate-level reverse engineering experience.
  • Experience with SOAR platforms and security automation design.


Key Traits

  • Thinks like an attacker and acts like a defender.
  • Strong ownership mindset and decision-making ability under pressure.
  • Systems-level thinking with focus on pipelines, architecture, and operational visibility — not just alerts.
  • Mentorship mindset with the ability to guide and support L1/L2 analysts.

Posted: May 27, 2026
Type: Full-time
Level: Mid-Senior
Location: Kanpur Nagar
Industries: Non-profit Organizations
Categories: Information Technology
