Sandisk (sandisk.com)

Security Operations Center Analyst L3

Calabarzon, Philippines (Remote) · Full-time · Posted 1h ago

The Security Operations Center (SOC) Analyst L3 is a critical member of the Information Security team responsible for monitoring, detecting, analyzing, and responding to cybersecurity threats across the organization's environment. This role serves as the frontline defense against adversarial activity, operating within a 24×7 detection-first SOC model.

The primary responsibility of this position is the security alert workflow — the continuous triage, investigation, and disposition of security alerts and events generated across our security tooling ecosystem. Beyond queue operations, this role offers structured growth into threat hunting, detection engineering, incident response, vulnerability management, insider risk management and cross-functional InfoSec support.

This is a shift-based role supporting 24×7 operations; schedules may include evenings, overnight shifts, weekends, and holidays as business needs require.

ESSENTIAL DUTIES AND RESPONSIBILITIES:

DETECTION & MONITORING (PRIMARY FOCUS)

  • Oversee detection queue health and ensure consistent SLA adherence, assisting with prioritization during high-volume or high-severity events
  • Conduct advanced investigations involving complex, multi-stage attacks across endpoint, identity, network, cloud, and third-party environments
  • Provide expert-level case documentation that supports executive reporting, compliance, and post-incident reviews
  • Act as a primary escalation point for major incidents, coordinating with Incident Response, Threat Intelligence, IT, and business stakeholders
  • Drive continuous improvement of detection logic, escalation criteria, and investigative workflows
  • Ensure effective shift transitions, including direct briefings when required
  • Author and maintain SOC documentation, including playbooks, SOPs, runbooks, training content, and detection standards
  • Support SOC maturity initiatives, such as detection tuning, automation use cases, metrics refinement, and analyst skill development

INCIDENT RESPONSE (AS NEEDED)

  • Support incident response efforts during active security events, including evidence gathering, containment actions, and timeline construction
  • Assist in the preparation of incident summaries, post-incident reports, and lessons-learned documentation
  • Execute containment and remediation actions under the guidance of IR leads (e.g., endpoint isolation, account disablement)
  • Participate in tabletop exercises and IR simulations to develop and validate response readiness

THREAT HUNTING (STRUCTURED OPPORTUNITIES)

  • Participate in threat hunting missions derived from threat intelligence reporting, new TTPs, or internal hypotheses
  • Query SIEM, EDR, and log sources proactively to identify undetected malicious activity or policy gaps
  • Document hunting findings and translate confirmed gaps into detection use cases or tuning recommendations
  • Leverage frameworks such as MITRE ATT&CK to structure hunting hypotheses and report on coverage gaps

DETECTION ENGINEERING (COLLABORATIVE SUPPORT)

  • Contribute to the development, testing, and refinement of detection rules and correlation logic in the SIEM
  • Analyze emerging threats and map indicators and behaviors to proposed detection logic
  • Validate new detections in a test environment and provide real-world feedback from queue experience
  • Assist with SIEM content library management including periodic rule review and retirement of stale logic

VULNERABILITY MANAGEMENT (SUPPORTING ROLE)

  • Review vulnerability scan results and assist in triaging findings based on severity, exploitability, and asset criticality
  • Support the coordination of remediation activities with IT asset owners, tracking tickets through to closure
  • Cross-reference active vulnerabilities with threat intelligence to identify weaponized CVEs that require prioritization
  • Assist in producing vulnerability reporting for team leads and stakeholders on a periodic basis

INSIDER RISK MANAGEMENT (SUPPORTING ROLE)

  • Support the review and triage of alerts generated by User and Entity Behavior Analytics (UEBA) platforms, Data Loss Prevention (DLP) tools, and insider threat-specific monitoring solutions
  • Correlate insider risk indicators across identity, endpoint, email, and cloud data sources to build a complete picture of potential policy violations or malicious intent
  • Assist in the investigation of data exfiltration attempts, unauthorized access to sensitive systems, and anomalous after-hours or off-network activity
  • Maintain strict confidentiality and chain-of-custody standards when handling insider risk cases, ensuring investigations are properly documented and legally defensible
  • Contribute to the ongoing refinement of the Insider Threat Program by surfacing patterns, gaps, and lessons learned from completed investigations

CROSS-FUNCTIONAL INFOSEC SUPPORT (AD HOC/STRUCTURED)

  • Serve as an available resource to other InfoSec teams, lending hands-on support for security-related tasks, reviews, and initiatives on an as-needed basis
  • Assist with security awareness initiatives, phishing simulations, and education campaigns
  • Support access reviews, security tool deployments, and policy compliance assessments as directed

EDUCATION & EXPERIENCE

  • Bachelor's degree in Cybersecurity, Computer Science, Information Systems, or equivalent practical experience
  • 2–4+ years of experience in a SOC, IT security, or related technical role depending on level applied for
  • Familiarity with enterprise IT environments including Windows/Linux systems, Active Directory, and cloud platforms (Azure, AWS, GCP)
  • Experience with security tools such as SIEM (Sentinel, Splunk), EDR (CrowdStrike, SentinelOne, Defender), or email security platforms

CERTIFICATIONS (PREFERRED)

  • CompTIA Security+, CySA+, or equivalent foundational security certification
  • Microsoft SC-200 (Security Operations Analyst) or AZ-900/AZ-500
  • EC-Council CEH, SANS GCIA/GCIH, or GREM (preferred for L3)

TECHNICAL SKILLS

  • Proficiency in log analysis and event correlation across multiple data sources
  • Working knowledge of attacker TTPs mapped to the MITRE ATT&CK framework
  • Understanding of network protocols, traffic analysis, and common attack vectors
  • Familiarity with scripting languages (Python, PowerShell, KQL/SPL) for investigation and automation
  • Experience with case management platforms (ServiceNow, Jira, or similar ITSM tools)
  • Understanding of the NIST CSF, incident response lifecycle, and the cyber kill chain model

SOFT SKILLS & WORK STYLE

  • Strong analytical and critical-thinking skills with high attention to detail
  • Clear and concise written and verbal communication, including to non-technical stakeholders
  • Ability to remain composed and effective under pressure during active security incidents
  • Team-oriented and collaborative with a proactive, security-first mindset
  • Ability to approach security challenges with genuine curiosity and a questioning attitude, consistently digging deeper to understand the "why" behind alerts, behaviors, and anomalies rather than accepting surface-level conclusions

Career Progression

Analyst I

PRIMARY FOCUS

  • First-pass alert triage
  • Alert classification and basic investigation
  • Data collection and alert enrichment
  • Following established playbooks and SOPs
  • Accurate case documentation in case management platform
  • Escalation to L2 where appropriate

KEY COMPETENCIES

  • Understand common attack vectors
  • Navigate security tooling proficiently
  • Apply MITRE ATT&CK conceptually

Analyst II

PRIMARY FOCUS

  • Deep-dive investigation of escalated and notable alerts
  • Lead coordination of remediation and containment for single asset incidents
  • Active threat hunting participation
  • Detection rule feedback and tuning
  • Mentoring L1 analysts

KEY COMPETENCIES

  • Root cause analysis across multi-source evidence
  • Write/contribute to detection use cases
  • Operate independently across all alert types

Analyst III

PRIMARY FOCUS

  • Co-lead and orchestrate complex incidents
  • Design and author detection content
  • Act as SME for escalated issues
  • Influence SOC strategy and process improvement
  • Mentoring L1/L2 analysts

KEY COMPETENCIES

  • Expert SIEM query and detection authoring
  • Malware analysis and forensic investigation
  • Own SOC runbooks and playbooks

Sandisk is committed to providing equal opportunities to all applicants and employees and will not discriminate against any applicant or employee based on their race, color, ancestry, religion (including religious dress and grooming standards), sex (including pregnancy, childbirth or related medical conditions, breastfeeding or related medical conditions), gender (including a person's gender identity, gender expression, and gender-related appearance and behavior, whether or not stereotypically associated with the person's assigned sex at birth), age, national origin, sexual orientation, medical condition, marital status (including domestic partnership status), physical disability, mental disability, medical condition, genetic information, protected medical and family care leave, Civil Air Patrol status, military and veteran status, or other legally protected characteristics. We also prohibit harassment of any individual on any of the characteristics listed above. Our non-discrimination policy applies to all aspects of employment. We comply with the laws and regulations set forth in the "Know Your Rights: Workplace Discrimination is Illegal" poster. Our pay transparency policy is available here.

Sandisk thrives on the power and potential of diversity. As a global company, we believe the most effective way to embrace the diversity of our customers and communities is to mirror it from within. We believe the fusion of various perspectives results in the best outcomes for our employees, our company, our customers, and the world around us. We are committed to an inclusive environment where every individual can thrive through a sense of belonging, respect and contribution.

Sandisk is committed to offering opportunities to applicants with disabilities and ensuring all candidates can successfully navigate our careers website and our hiring process. Please contact us at jobs.accommodations@sandisk.com to advise us of your accommodation request. In your email, please include a description of the specific accommodation you are requesting as well as the job title and requisition number of the position for which you are applying.

Sandisk understands how people and businesses consume data and we relentlessly innovate to deliver solutions that enable today’s needs and tomorrow’s next big ideas. With a rich history of groundbreaking innovations in Flash and advanced memory technologies, our solutions have become the beating heart of the digital world we’re living in and that we have the power to shape.

Sandisk meets people and businesses at the intersection of their aspirations and the moment, enabling them to keep moving and pushing possibility forward. We do this through the balance of our powerhouse manufacturing capabilities and our industry-leading portfolio of products that are recognized globally for innovation, performance and quality.

Sandisk has two facilities recognized by the World Economic Forum as part of the Global Lighthouse Network for advanced 4IR innovations. These facilities were also recognized as Sustainability Lighthouses for breakthroughs in efficient operations. With our global reach, we ensure the global supply chain has access to the Flash memory it needs to keep our world moving forward.