Job Description
Hello Future Security Operations Centre Analyst III

Welcome to FNB, the home of the #changeables. We design for the shapeshifters and deliver products and services that make us incredibly proud of the people that make it happen.
As part of our talent team, you will be surrounded by unique talents, diverse minds, and an adaptable environment that lives up to the promise of staying curious. Now’s the time to imagine your potential in a team where experts come together and ignite effective change.
Overview of the role:
Lead end-to-end incident response and digital forensics with deep expertise in log and artifact analysis across host, network, and application layers. Function as SOC L3 between incidents, owning escalations, threat hunts, detection engineering, and mentoring.
Required Skills & Experience
- Expert-level log and artifact analysis across Windows/Linux/macOS and web/network layers.
- Hands-on proficiency with PCAP analysis, Network IDS (Zeek etc.), NetFlow/IPFIX, and TLS/DNS telemetry.
- Strong SIEM/EDR skills: Microsoft Sentinel, Splunk, Microsoft Defender for Endpoint.
- Scripting for data parsing and automation (PowerShell, Python).
- IR methodologies: evidence preservation, timeline construction, ATT&CK mapping, defensible reporting.
- Networking fundamentals: TCP/IP, HTTP, proxies/WAF behavior, SSL/TLS.
- Digital Forensics Evidence Analysis: Experience with analyzing digital forensics evidence using tools such as Magnet Axiom Cyber, FTK, SleuthKit and Autopsy, or Redline.
- Offensive Security Assessment Experience: Understand attacks and how they are executed in order to identify vulnerabilities and gaps within the organization.
- Preferred qualifications: a cyber security certification, Splunk certification, Certified Ethical Hacker, or Offensive Security Certified Professional.
Primary Responsibilities
Incident Response & Forensics
- Rapid triage and scoping for P1/P2 incidents; define hypotheses and an investigative plan.
- Evidence acquisition: volatile (RAM, network) and non-volatile (disk, artifacts) with chain of custody.
- Web server log analysis: IIS (W3C, u_ex*, HTTPERR), Apache/Nginx (access/error); detect LFI/RFI, RCE, SSRF, auth abuse, and webshell indicators.
- Endpoint artifacts (Windows): Prefetch, Shimcache/AppCompatCache, Amcache, SRUM, UserAssist, Jump Lists, LNK, browser artifacts, registry keys, $MFT/USN basics.
- Endpoint artifacts (Linux): auth.log, syslog, journald, bash history, cron, SSH logs; process/file lineage.
- Network: PCAP (Wireshark/tshark), Zeek logs, NetFlow/IPFIX; identify C2, beaconing (JA3/JA3S), DNS tunneling, data exfiltration, lateral movement.
- Firewall/Proxy/WAF/IDS: Correlate rule hits, proxy logs, WAF logs, and IPS alerts; reconstruct attacker pathing and egress controls.
- Malware/binary triage: static/dynamic (strings, headers, sandbox); derive IOCs/IOAs and containment steps.
- Timeline & correlation: Build and maintain multi-source timelines (Timeline Tracker) to reconstruct the intrusion and dwell time; ATT&CK technique mapping.
- Reporting: Technical reports and executive summaries; remediation guidance and validation testing.
SOC L3 Functions
- Threat hunting: Hypothesis-driven hunts across SIEM/EDR/network; codify repeatable playbooks.
- Detection engineering: Create and tune SIEM rules with the Detection Engineering Team (e.g., Splunk), EDR analytics (MDE), and Sigma rule queries/conversions to reduce false positives.
- Purple teaming: Collaborate with red teams to validate detections and test response playbooks.
- Telemetry assurance: Review logging coverage, retention, and integrity; recommend improvements.
- Process maturity: Maintain IR runbooks, forensic SOPs, chain-of-custody templates, and evidence vault workflows.
Technology Stack
- SIEM: Microsoft Sentinel, Splunk
- EDR/XDR: Microsoft Defender Suite (MDI, MDE, MDO, MDC)
- OS: Windows, Linux, macOS
- Network & Microsegmentation: Cisco Secure Workload (formerly Tetration)
- Identity: Cisco Identity Services Engine (ISE), Microsoft Defender for Identity (MDI), Microsoft Purview
- Network sensors/tools: Zeek, Suricata, Wireshark/tshark, NetFlow/IPFIX collectors
- Web Application Firewalls: F5 BIG-IP Advanced WAF (formerly ASM); other major WAFs (Imperva, Akamai Kona, Cloudflare WAF, AWS/Azure WAF)
- Firewalls/Proxies/IDS: Enterprise firewall/WAF/secure web gateway platforms that integrate with SIEM for centralized logging.
You will have access to:
- Opportunities to network and collaborate.
- Challenging Work.
- Opportunities to innovate.
Are you interested to take the step? We look forward to engaging with you further. Apply now!
Important Closing Date Note
Take note that applications will not be accepted on the below date and onwards; kindly submit applications ahead of the closing date indicated below.
20/04/26

All appointments will be made in line with FirstRand Group’s Employment Equity plan. The Bank supports the recruitment and advancement of individuals with disabilities. In order for us to fulfill this purpose, candidates can disclose their disability information on a voluntary basis. The Bank will keep this information confidential unless we are required by law to disclose this information to other parties.