SOC Tier 3 Analyst

ECS Federal LLC

DC

JOB DETAILS
SKILLS
Analysis Skills, Best Practices, Chain of Custody, Cloud Computing, Coaching, Computer Security, Continuous Improvement, Corrective Action, Documentation, Enterprise Architecture, Enterprise Protection, Forensic Science, Hunting, Incident Response, Internet Security, Knowledge Transfer, Leadership, Materials Analysis, Mentoring, Operations Processes, Procedure Development, Process Analysis, Product Documentation, Quality Management, Reporting Dashboards, Requirements Management, Requirements Validation/Verification, Risk, Security Architecture, Security Attacks, Splunk, Standard Operating Procedures (SOP), Systems Engineering, Technical Analysis, Technical Leadership, Technical Writing, Telemetry, Threat Modeling, Use Cases
LOCATION
DC
POSTED
30+ days ago

Everforth ECS is seeking a SOC Tier 3 Analyst to work in our Portland, OR office. Please Note: This position is contingent upon contract award.

The SOC Analyst 3 supports the organization's security operations by leading complex incident analysis, validating advanced investigative findings, coordinating technical response actions, improving detection effectiveness, and mentoring lower-tier analysts. This role is the senior technical analysis and escalation tier within the SOC Analyst role family.

The ideal candidate has advanced SOC, incident response, and detection-analysis experience; understands adversary tradecraft and enterprise security architecture; and can coordinate complex technical investigations while partnering with SOC leadership, threat hunting, threat intelligence, forensics, Splunk engineering, security engineering, and program stakeholders.

Key Responsibilities

Advanced Incident Analysis & Escalation Leadership

  • Lead analysis of complex, high-impact, multi-stage, or ambiguous security incidents across enterprise systems, cloud environments, identity platforms, endpoints, networks, and applications.
  • Validate incident severity, scope, attack path, affected assets, affected accounts, likely root cause, and potential operational or business impact.
  • Review and resolve escalated findings from SOC Analyst 1 and SOC Analyst 2, including disputed severity, inconclusive evidence, or multi-source correlation challenges.
  • Provide technical facts, risk context, and recommended response priorities to SOC leadership for major incident handling and stakeholder communication.

Technical Response Coordination

  • Coordinate complex containment, eradication, and recovery support with Security Engineer, Senior Engineer, system owners, incident responders, and other technical teams.
  • Define evidence collection requirements and coordinate handoff to Forensics Lead or Forensics Mid when formal acquisition, preservation, chain of custody, or deep forensic analysis is required.
  • Guide investigation strategy, timeline development, technical response sequencing, and escalation decisions for complex incidents.
  • Maintain alignment with approved incident response plans, playbooks, evidence-handling expectations, and leadership direction.

Detection Effectiveness & Analytic Improvement

  • Analyze adversary behaviors, attack patterns, vulnerabilities, threat intelligence, control gaps, and recurring incident trends to improve detection and response effectiveness.
  • Define analytic requirements and validate correlation rules, alert logic, dashboards, use cases, and response playbooks for operational effectiveness.
  • Map complex observed behaviors to MITRE ATT&CK and other applicable threat models to support analytic improvement and stakeholder reporting.
  • Coordinate with SOC Threat Hunter to convert hunt findings into operational detections and with Senior Splunk Engineer or Splunk Architect/Lead for technical implementation.

Reporting, Briefings & Knowledge Transfer

  • Prepare or review complex incident summaries, technical timelines, investigation narratives, after-action inputs, and lessons-learned content.
  • Communicate complex technical findings in clear operational, business, and risk language for SOC leadership, program stakeholders, and technical teams.
  • Provide technical input to SOC Technical Writer for SOPs, playbooks, knowledge articles, and formal documentation products.
  • Mentor SOC Analyst 1 and SOC Analyst 2 personnel through escalation review, coaching, analytic guidance, and quality feedback.

Governance, Quality & Continuous Improvement

  • Lead or support detection reviews, tabletop exercises, incident retrospectives, process assessments, and quality improvement activities.
  • Identify recurring gaps in telemetry, tools, controls, workflows, documentation, or analyst training and coordinate corrective action requirements with the appropriate owner.
  • Stay current with evolving cyber threats, vulnerabilities, adversary tradecraft, detection techniques, and security operations best practices.
  • Translate lessons learned and threat developments into improved detections, procedures, escalation criteria, and analyst enablement materials.

About the Company

ECS Federal LLC

ECS was founded in 2001 by experienced IT professionals with a commitment to quality processes, people and performance. Led by our Chairman, Roy Kapani, and an experienced executive leadership team, ECS provides our customers with solutions and services that support their critical needs and further mission objectives. This commitment has paved the way for expansive growth, year over year.

ECS gained market share in 2011 in the Department of Defense and Federal spaces through both organic and acquisition growth. In May, ECS completed its first strategic acquisition with the purchase of OAK Management, Inc., a leading provider of marine environmental services, ship systems engineering, maritime consulting and platform acquisition management. The OAK acquisition kicked off ECS’ intention to add tactical acquisitions as a part of its long-term strategy to supplement and expand upon organic growth and to build enterprise value. ECS closed out 2011 with the acquisition of Paradigm Technologies, Inc. The Paradigm transaction added approximately 200 employees to ECS’ existing 900+ employees. Paradigm also added new Defense clients for ECS, including the Missile Defense Agency, the Navy’s Program Executive Officer for Integrated Warfare Systems, the United States Marine Corps, and the U.S. Marshals Service.

In 2012, ECS completed the acquisition of iLuMinA Solutions, Inc. iLuMinA brings large-scale Enterprise Resource Planning (ERP) software implementation and infrastructure design and development to ECS’ expanding capabilities.

ECS will continue to invest in corporate infrastructure and quality processes as we grow and enhance our ability to offer professional excellence to both our customers and our employees.

COMPANY SIZE
50 to 99 employees
INDUSTRY
Staffing/Employment Agencies
FOUNDED
2000
WEBSITE
http://www.ecs-federal.com/