Lead threat hunts and intrusion investigations
form and test hypotheses, map adversary activity against MITRE ATT&CK, perform forensic artefact analysis, and establish scope and root cause clearly enough that the team and client can act on your findings.
Author, tune, and peer-review detection content
treat detections as code (version-controlled, reviewed), translate threat intelligence into new rules, and contribute to iterative improvement of the SIEM ruleset; onboard new log sources, including cloud and application feeds, to close coverage gaps.
Own sub-cycles of the intelligence lifecycle
run structured collection against defined requirements, track actor TTPs, manage indicator lifecycles, and produce situational-awareness products that inform both detection priorities and client risk decisions.
Lead incident response and drive improvement
co-ordinate containment across engineering and analyst teams, communicate incident detail clearly to client stakeholders, and turn every incident into improved detection content, hardening, or runbook coverage; design for resilience by anticipating failure modes and ensuring systems degrade gracefully.
Build SOAR playbooks and auto-triage
identify toil and repetition in analyst workflows, and build automation that saves the team time and improves consistency without removing human judgement where it matters.
Align security operations to UK public sector standards
ensure investigations, evidence handling, and detection coverage reflect NCSC CAF Objective C, GovAssure requirements, and lawful-monitoring obligations; feed gaps back into risk governance.
Mentor junior analysts and raise team standards
pair deliberately on complex investigations, review triage work, share adversary tradecraft with the team, and help create an environment where people feel safe raising concerns and learning from mistakes.
Contribute to the practice beyond your immediate engagement
improve shared SOC standards and onboarding documentation, turn good solutions into reusable playbooks and accelerators the next team can pick up, contribute detection content to practice-level repositories, and engage with cross-government security communities such as NCSC CISP and relevant ISACs.
Requirements
Hold one of the following
Systems Security Certified Practitioner (SSCP), CompTIA Security+, or an equivalent foundational operational security credential expected of Senior SOC analysts.
Certifications that would strengthen your application: Certified Cloud Security Professional (CCSP)
Experience applying structured analytic techniques, such as ACH (Analysis of Competing Hypotheses), key-assumptions checks, or similar, to produce rigorous, bias-resistant intelligence assessments, and comfort peer-reviewing others' analytic tradecraft.
Working knowledge of cloud security event investigation and cloud detection tuning, particularly across AWS, Azure, or GCP environments, including understanding of infrastructure-level telemetry.
Experience framing security findings in risk terms for non-technical stakeholders — communicating likelihood, impact, and recommended treatment clearly, and reflecting asset criticality and threat context in prioritisation decisions.
Evidence of building or improving SOAR playbooks, automated triage workflows, or equivalent automation that reduced analyst toil in a SOC or detection-engineering context.
Familiarity with UK government security frameworks — in particular the NCSC CAF, GovAssure, and HMG Security Policy Framework — and experience aligning detection or response work to those standards in a government or regulated environment.
Experience working within an agile or Kanban-based team model, contributing to workflow improvement, running or participating in retrospectives, and helping the team improve its own practices — not just delivering within them.
Experience acting as a trusted working-level contact for client security stakeholders — anchoring on their actual outcomes, raising concerns or opportunities proactively, and contributing subject-matter expertise to proposals or bids.
Tech Stack
AWS
Azure
Cloud
Google Cloud Platform
Benefits
30 days Holiday
we offer 30 days of paid annual leave
Flexible Working Hours
we are flexible with what hours you work
Flexible Parental Leave
we offer flexible parental leave options
Remote Working
we offer part-time remote working for all our staff
Paid counselling
we offer paid counselling as well as financial and legal advice