SOC Analyst - Level 2


Job Title: SOC Analyst – Level 2

Location: Pakistan (Remote)

Employment Type: Full-time

Work Model: Remote (24/7 Shift Rotation)

About Us:

Arancia is a Canadian Cybersecurity Consulting, Advisory and Technology firm based in Mississauga, Ontario. Our team consists of geographically diverse professionals dedicated to solving complex cybersecurity challenges.

Offering a robust set of services across the IT and Cybersecurity landscape, supported by our proprietary security platform DarkSense, Arancia delivers high-quality security solutions across industries such as Healthcare, Financial Services, and Critical Infrastructure to a global client base.

Operating a modern 24/7 Security Operations Center, we combine advanced tooling with an evolving Agentic SOC platform to reduce noise, improve detection quality, and enable analysts to focus on meaningful investigations.

If you are interested in working in a fast-paced, growing cybersecurity environment with a strong focus on innovation, investigation quality, and operational excellence, this role is for you.

Job Summary:

We are seeking a skilled and highly motivated SOC Analyst – Level 2 to join our Security Operations team. This role is ideal for someone with hands-on experience in SOC operations, threat investigation, and incident response.

As an L2 SOC Analyst, you will take ownership of advanced triage and investigation of alerts escalated from L1, execute containment actions across customer environments, and drive detection quality through structured tuning and feedback loops.

You will work closely with L1 analysts, Detection Engineering, Incident Response, and Threat Intelligence teams, as well as our Agentic SOC platform, to reduce dwell time and false positives. During evening shifts, you will also transition into proactive threat hunting, using dedicated time blocks to identify detection gaps and improve coverage.

This role serves as a direct progression pathway into L3, Threat Hunting, Detection Engineering, or Incident Response.

Key Responsibilities:

  • Alert Triage & Investigation:

Perform advanced triage of alerts escalated from L1, determining true versus false positives. Investigate security events across endpoint, identity, network, and cloud telemetry. Correlate events and map adversary behavior to MITRE ATT&CK while enriching findings with relevant threat intelligence context.

  • Incident Response Execution:

Execute or coordinate containment actions including host isolation (EDR), account disablement (Entra ID / IAM), and blocking indicators such as IPs, domains, or hashes. Partner with Incident Response teams on high-severity or multi-system incidents and document actions, timelines, and evidence with a clear chain of reasoning.

  • Threat Hunting:

Conduct hypothesis-driven threat hunting across endpoint, identity, and cloud datasets, particularly during evening shifts and on rotation. Convert hunt findings into new detections or tuning recommendations and maintain proper documentation of hunts and derived detections.

  • Detection Quality & Tuning:

Provide structured feedback to Detection Engineering on false positives, detection gaps, and tuning opportunities. Validate new detection rules (Sigma, KQL, SPL, or equivalent) before production rollout and contribute to playbook authoring and continuous improvement.

  • Case Management & Reporting:

Produce clear, complete incident reports suitable for both technical and non-technical stakeholders. Track and support SLA metrics including MTTD, MTTR, and MTTC. Participate in structured shift handovers and post-incident reviews.

  • Collaboration & Cross-Functional Teamwork:

Collaborate closely with internal teams including Detection Engineering, Incident Response, and Threat Intelligence. Mentor L1 analysts on triage quality and investigation techniques, and contribute to internal knowledge bases and lessons-learned sessions.

Qualifications:

  • Experience:

2–5 years of experience in a SOC, Incident Response, or equivalent hands-on blue team role. Demonstrable experience handling real security incidents end-to-end with a strong understanding of SOC workflows, escalation paths, and on-shift discipline.

  • Industry Knowledge:

Strong understanding of cybersecurity concepts including endpoint, network, identity, and cloud security. Solid grounding in MITRE ATT&CK and its operational application in investigations.

  • Technical Skills:

Hands-on experience with at least one modern SIEM (Microsoft Sentinel, Elastic SIEM, OpenSearch, or similar) and at least one EDR solution (Microsoft Defender for Endpoint, CrowdStrike, SentinelOne, or similar). Working knowledge of identity and cloud telemetry (Entra ID, Office 365, AWS/Azure logs). Proficiency in KQL is required; additional query languages such as SPL or OpenSearch DQL are a plus. Basic scripting in Python or PowerShell for automation and enrichment.

  • Analytical & Soft Skills:

Strong investigative mindset with the ability to pivot across data sources and build timelines. Clear written communication suitable for customer-facing reports. Ability to remain calm under pressure during live incidents and shift transitions. Team-oriented with a willingness to mentor and continuously learn.

  • Education:

Bachelor’s degree in Cybersecurity, Information Technology, Computer Science, or a related field (or equivalent practical experience).

  • Certifications:

Certifications such as BTL1, CySA+, GCIH, Microsoft SC-200, or CompTIA Security+ are considered a plus.

Nice to Have:

Exposure to SOAR platforms (Cortex XSOAR, Shuffle, Tines), threat intelligence platforms (MISP, OpenCTI), malware analysis or sandboxing tools (Any.Run, Joe Sandbox, Cuckoo), network detection tools (Zeek, Suricata), and cloud security experience across Azure, AWS, or GCP.

Shift Details:

This role operates on a 24/7 rotating schedule including day, evening, and night shifts. Evening shifts follow a hybrid structure combining live queue work with scheduled threat hunting blocks. Structured handovers are conducted at every shift change to ensure continuity on active incidents. Shift allowances apply for evenings, nights, weekends, and public holidays.

Onboarding (First 30 Days):

  • Days 1–15 — Shadowing:
    Pair with senior analysts across shifts to observe live investigations, understand playbooks, tooling, customer environments, and escalation thresholds. No production alert ownership during this phase.
  • Days 16–30 — Supervised Queue:
    Take ownership of alerts under direct supervision. All cases are reviewed with structured feedback on triage decisions, incident response actions, and reporting quality.
  • Day 30+ — Full Ownership:
    Independently manage the queue, continue shadowing complex incidents, and rotate into threat hunting responsibilities.

What a Typical Shift Looks Like:

Start by reviewing handover notes, open incidents, and any ongoing hunts. Work through the escalation queue by triaging, investigating, containing, and documenting incidents. During evening shifts, execute scheduled hunts or take a deep dive into complex investigations. End the shift by updating case notes, preparing a clear handover, and flagging detection tuning opportunities.

Why Join Us:

  • Modern SOC stack and tooling
  • Agentic SOC platform enabling AI-assisted triage and investigations
  • Clear career progression into L3, Threat Hunting, Detection Engineering, or IR
  • Structured onboarding and continuous learning support
  • Investigation-led culture focused on quality over ticket volume

Hours:

40 hours per week (shift-based schedule)

Compensation:

Market competitive salary based on experience & qualifications.

Skills Required

  • 2–5 years of experience in a SOC, Incident Response, or equivalent hands-on blue team role.
  • Bachelor’s degree in Cybersecurity, Information Technology, Computer Science, or a related field.
  • Hands-on experience with at least one modern SIEM and one EDR solution.
  • Proficiency in KQL is required; additional query languages such as SPL or OpenSearch DQL are a plus.
  • Basic scripting in Python or PowerShell for automation and enrichment.

