Defensive Cyber Operations Watch Analyst Tier II

Sorry, this job was removed at 12:10 a.m. (CST) on Friday, Feb 20, 2026
Stuttgart, Baden-Württemberg, DEU
In-Office
Security • Cybersecurity
The Role
Cyber Security Analyst I, DCO Watch Analyst Tier II  
Stuttgart, Germany 
Secret Clearance required to start, with ability to obtain TS/SCI  

 
As a Tier 2 Defensive Cyber Operations (DCO) Watch Analyst, you will be responsible for analyzing and responding to security incidents within a Cybersecurity Service Provider (CSSP) environment. In addition to investigating validated events and mitigating incidents, you will help improve the quality of Tier 1 analysis by mentoring junior analysts. You will also assist the watch officer as needed, work on projects to enhance CSSP capabilities, and perform independent problem-solving while adhering to CJCSM 6510.01B reporting standards. 
Position Requirements and Duties 
  • Analyze and respond to validated security incidents, determining severity and impact per CJCSM 6510.01B 
  • Support incident response campaigns by organizing response efforts, tracking progress, and ensuring proper documentation 
  • Coordinate with reporting agencies and subscriber sites to ensure timely and accurate incident reporting 
  • Perform network and host-based digital forensics on Windows and other operating systems as needed 
  • Conduct log correlation analysis using Splunk and supplemental tools to identify patterns in network and system activity 
  • Compile and maintain internal SOP documentation, ensuring compliance with CJCSM 6510.01B and other directives 
  • Provide 24/7 support for incident response during assigned shifts, including non-core hours 
  • Support IDS/IPS signature development and implementation under guidance 
  • Overtime may be required to support incident response actions (Surge) 
  • Operations are conducted 24/7/365 across three regional operation centers (ROC) 
  • Each ROC works four ten-hour shifts (Sunday-Wednesday or Wednesday-Saturday) 
  • Shift placement is at the discretion of assigned managers 
  • Up to 10% travel may be required, which may include international travel  
  • Must maintain a current US Passport  

Minimum Qualifications
  • Bachelor’s Degree in relevant discipline or at least 5 years of experience working in a CSSP, SOC, or similar environment 
  • At least 1 year of experience conducting in-depth analysis or incident response with any of the following tools: Splunk, Elastic, Corelight, Palo Alto Panorama, Windows Azure/Defender, AWS, Crowdstrike, Volatility, or SIFT Workstation 
  • At least 1 year of experience authoring technical documentation for security incidents, such as creating detailed investigation timelines, documenting indicators of compromise (IOCs), or writing shift turnover reports for ongoing incidents 
  • Must be a U.S. Citizen  

Desired Qualifications  
  • Demonstrated experience conducting in-depth log correlation and analysis for complex security incidents across multiple data sources (e.g., EDR, IDS/IPS, DNS, & operating system logging solutions) 
  • Advanced proficiency in writing complex search queries in SIEM platforms (e.g., Splunk, Elastic, Sentinel) to identify anomalous or malicious activity 
  • Experience building advanced scripts (e.g., in Python, PowerShell, Bash, etc.) to automate detection and analysis tasks 
  • Experience integrating and operationalizing threat intelligence feeds to create new detection mechanisms or enrich existing data 
  • Previous experience informally mentoring junior analysts, creating training documentation, or leading small-group knowledge-sharing sessions 
  • Demonstrated passion for cybersecurity and continuous learning through active participation in Capture the Flag (CTF) events (e.g., TryHackMe, Hack The Box, etc.) 
  • Completion of practical, hands-on cybersecurity training courses or certifications (e.g., Security Blue Team BTL1/BTL2, AntiSyphon training courses, OffSec OSCP)  

Required Certifications 
  • Must have DoD 8570 IAT Level II and CSSP IR compliant certifications   

 


The Company
HQ: North Charleston, SC
90 Employees
Year Founded: 2015

What We Do

Adapt Forward specializes in Defensive and Offensive cyber operations. We strive to rewrite the rulebook on how Cyber Defense and Incident response is done with a unique blend of offense to validate our defense.
