Security Operations Centre (SOC) Analyst - SIEM | EDR | Incident Response - SC Cleared

Layer7
Charing Cross, United Kingdom
2 days ago

Role details

Contract type
Temporary contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English
Compensation
£ 124K

Job location

Charing Cross, United Kingdom

Tech stack

Microsoft Active Directory
Amazon Web Services (AWS)
Azure
Cloud Computing Security
Computer Security
Query Languages
DNS
Identity and Access Management
Intrusion Detection and Prevention
Python
Log Analysis
Networking Basics
Objective-C
Kusto Query Language
Security Information and Event Management
TCP/IP
Scripting (Bash/Python/Go/Ruby)
Office365
MITRE ATT&CK
SC Clearance
Cybercrime

Job description

This is an Outside IR35 contract - a genuinely attractive opportunity offering strong take-home pay for an experienced SOC Analyst. We are seeking a Security Operations Centre (SOC) Analyst to support the continuous monitoring, detection, triage and response to cyber security events across a UK public sector environment. Operating at Associate/Practitioner level within the Government Cyber Security Profession, you will play a critical part in identifying, investigating and responding to threats across systems, identities, networks, cloud platforms and data, while continuously improving detection capability through tuning, automation and threat-informed defence. The role contributes directly to outcomes under the NCSC Cyber Assessment Framework (CAF), in particular Objective C (Detecting Cyber Security Events) and Objective D (Minimising the Impact of Cyber Security Incidents). This is a hybrid contract based in London, with 2-3 days per week onsite, for an initial 6 months.

  • Monitor and analyse alerts from SIEM platforms, EDR/XDR, identity providers (eg Entra ID/Active Directory), cloud platforms (AWS, Azure, M365) and network and DNS telemetry
  • Triage alerts to identify true positives, prioritise based on risk, and reduce false positives through tuning
  • Investigate security events using endpoint telemetry, authentication logs, proxy/DNS/network logs and cloud activity logs
  • Perform incident response activities including containment, eradication and recovery support, in line with established procedures and playbooks
  • Escalate incidents promptly and accurately based on impact, confidence and threat severity, in accordance with escalation criteria
  • Develop and refine detection rules and queries (eg KQL, SPL), contributing to the use-case lifecycle
  • Support or conduct threat hunting activities appropriate to level
  • Contribute to automation and response playbooks (SOAR)
  • Produce reporting including technical investigation notes, incident reports and executive summaries tailored to the audience
  • Maintain threat awareness of current cyber threats, attacker techniques (including MITRE ATT&CK) and defensive technologies
  • Contribute to outcomes under the NCSC Cyber Assessment Framework (CAF), particularly Objectives C and D, supporting GovAssure assessment

Requirements

  • Strong commercial experience working as a SOC Analyst across security monitoring and incident response
  • Sound knowledge of SOC operations, alert tiering, triage and incident workflows
  • Hands-on experience with SIEM platforms, including querying, correlation and investigation
  • Experience with EDR/XDR tooling and endpoint telemetry
  • Identity security experience (eg Entra ID, authentication flows, MFA abuse)
  • Cloud security monitoring across AWS, Azure and M365
  • Solid network fundamentals (DNS, HTTP/S, TCP/IP)
  • Log analysis across authentication, endpoint, proxy, DNS and cloud sources
  • Knowledge of incident response frameworks and methodologies (NIST SP 800-61 Rev. 3, NCSC incident management guidance)
  • Working knowledge of threat intelligence, threat-informed defence and MITRE ATT&CK
  • Active SC clearance, or eligibility to obtain it (BPSS minimum on appointment, with SC to follow)

Nice To Have

  • Detection engineering experience
  • Scripting and query languages (KQL, SPL, Python)
  • SOAR and automation tooling
  • Experience operating within NCSC CAF/GovAssure or similarly regulated assurance environments
  • Relevant certifications (eg CySA+, BTL1, GIAC GCIH/GCIA) or equivalent demonstrable experience