SOC Engineer

Posted 8 Hours Ago
Karachi, Sindh, PAK
In-Office
Mid level
Information Technology
The Role
The SOC Engineer monitors, investigates, and responds to security threats across managed client environments, applying structured analytical thinking and executing response actions according to defined playbooks.

About Mobiz

Mobiz is a global technology services leader, Microsoft-aligned managed services and cloud solutions provider, empowering mid-market and enterprise organizations across North America and the Middle East. We deliver end-to-end IT operations, Modern Work and Security, Data and AI, cybersecurity, infrastructure, and digital transformation services—driving resilience, innovation, and measurable business impact at scale.

With a Solutions Partner designation and active pursuit of Azure Expert MSP status, Mobiz combines the agility of a boutique consultancy with the delivery rigor of a tier-1 integrator. Our NOC and SOC teams operate as the always-on backbone of client environments, monitoring thousands of endpoints, network nodes, and cloud workloads around the clock.

What Can You Expect?

Every day at Mobiz we work with a deep sense of purpose. We continuously innovate. Our mission is to empower our clients to do more through transformation. You’ll work in a collaborative environment alongside highly talented people who improve client operations and exceed expectations. We strive to simplify technology challenges, nothing less.


Who Are We Looking For?

The SOC Engineer is a mid-level security operations practitioner on Mobiz's 24×7 Security Operations Center team, responsible for monitoring, investigating, and responding to security threats across a portfolio of managed client environments. This role goes beyond alert acknowledgement — SOC Engineers are expected to own the investigation lifecycle for assigned cases, apply structured analytical thinking to determine threat validity and scope, execute response actions per defined playbooks, and document findings to an evidentiary standard. Working under the direction of the SOC Manager, this engineer interfaces directly with Microsoft Sentinel, Defender XDR, and endpoint detection tools daily, and will participate in real-world incident response engagements — including ransomware, BEC, and identity compromise — giving mid-career security professionals hands-on experience that would typically require years in a larger enterprise SOC.


Key Responsibilities

Alert Triage & Investigation

  • Monitor client security environments across SIEM, EDR, email security, and identity platforms throughout assigned shift using Microsoft Sentinel and Defender XDR dashboards.
  • Acknowledge, assess, and prioritize incoming security alerts within defined SLA windows; distinguish true positives from false positives using structured triage methodology.
  • Conduct end-to-end investigation of assigned incidents — correlating signals across log sources, mapping observed behavior to MITRE ATT&CK tactics and techniques, and determining blast radius.
  • Execute containment and remediation actions per approved playbooks: host isolation, account disablement, token revocation, firewall rule deployment, and email quarantine.
  • Escalate confirmed P1 security incidents to the SOC Manager with a complete investigation package — timeline, affected assets, indicators of compromise (IOCs), and recommended next steps.
  • Create and maintain accurate, well-structured ServiceNow security incident records throughout the investigation lifecycle.

Threat Detection & Analysis

  • Perform log-based analysis using KQL across Microsoft Sentinel workspaces — querying identity, network, endpoint, and cloud audit logs to surface attacker behavior.
  • Analyze alerts from Microsoft Defender for Endpoint (MDE), Defender for Identity (MDI), Defender for Office 365 (MDO), and Defender for Cloud Apps (MDCA) for threat validity and lateral movement indicators.
  • Review and triage identity-based alert patterns: unusual sign-in activity, MFA bypass attempts, Entra ID risky sign-ins, Conditional Access failures, and service principal anomalies.
  • Investigate email-based threats: phishing, BEC indicators, malicious attachment analysis, and spoofing pattern review within Defender for Office 365 and message trace.
  • Support proactive threat hunting operations directed by the SOC Manager — execute defined hunt hypotheses, document findings, and flag patterns for detection rule development.

Incident Response Support

  • Participate in P1 incident response bridge calls as a technical contributor — providing investigation findings, asset context, and real-time log analysis to the incident commander.
  • Execute host-level response actions via MDE or CrowdStrike: live response sessions, memory artifact collection, process termination, and network isolation.
  • Assist with identity containment actions during active incidents: account disablement, session revocation in Entra ID, PIM role removal, and OAuth token invalidation.
  • Support evidence collection and chain-of-custody documentation for incidents involving legal, insurance, or regulatory stakeholders.
  • Contribute to post-incident review (PIR) documentation — providing accurate technical timelines, IOC lists, and attack path reconstruction to support the SOC Manager's PIR output.

Detection & Playbook Quality

  • Review assigned detection rules in Microsoft Sentinel for tuning opportunities — identify false-positive sources, propose threshold adjustments, and validate changes in a test environment.
  • Execute and follow SOC playbooks precisely; flag procedural gaps, ambiguous steps, or missing runbook coverage to the SOC Manager for revision.
  • Author knowledge base articles and investigation notes in ServiceNow following resolution of novel or complex incidents to support team learning.
  • Maintain IOC lists, watchlists, and threat actor TTP notes within Sentinel and the team's threat intelligence repository.
  • Stay current on emerging threats, CVEs, and attacker techniques relevant to the Microsoft cloud and hybrid environments Mobiz clients operate in.

Client & Operational Communication

  • Provide clear, professional incident status updates to the SOC Manager and, where directed, to client IT contacts during active security events.
  • Contribute data and investigation summaries to monthly Security Operations Reports (SORs) as requested by the SOC Manager.
  • Coordinate with the NOC team on shared alert queues — route infrastructure-layer events correctly and maintain clear escalation boundaries between NOC and SOC functions.
  • Participate in shift handovers with complete operational context — open cases, active hunts, suppressed alerts, and any client-specific situational awareness.

Candidate Profile: Requirements & Preferred Qualifications

Required Qualifications

  • Bachelor’s degree in IT, Computer Science, or relevant field.
  • 3–5 years of information security experience with direct SOC, MSSP, or security operations responsibilities.
  • Hands-on experience with Microsoft Sentinel — KQL query writing for investigation (rule authoring not required), alert review, incident management, and workbook consumption.
  • Working knowledge of the Microsoft Defender XDR suite: at minimum Defender for Endpoint (MDE) and Defender for Office 365 (MDO) for daily triage and response.
  • Solid understanding of identity-based attack patterns: credential theft, Pass-the-Hash, MFA fatigue, Entra ID risky sign-ins, and OAuth application abuse.
  • Familiarity with the MITRE ATT&CK framework — ability to map observed alert activity to tactics and techniques without reference documentation.
  • Experience writing and closing structured security incident records in ServiceNow or an equivalent ITSM platform.
  • Demonstrated ability to independently triage and investigate P2-level security incidents with defensible documentation.
  • Strong written communication — able to produce clear incident timelines, executive-facing summaries, and technical IOC reports.

Preferred Qualifications

  • Microsoft SC-200 (Security Operations Analyst) certification — or actively pursuing.
  • Additional Microsoft certifications: SC-300 (Identity & Access Administrator), AZ-500 (Azure Security Engineer).
  • CompTIA CySA+ or GIAC certifications (GCIA, GCIH) — or equivalent vendor-neutral security operations credential.
  • Experience with CrowdStrike Falcon — EDR alert triage, threat graph review, and basic response actions.
  • Exposure to SOAR tooling — Azure Logic Apps playbooks, Sentinel automation rules, or equivalent.
  • Basic scripting skills: KQL (intermediate), PowerShell, or Python for log parsing, enrichment, and response automation.
  • Familiarity with email forensics: header analysis, attachment detonation, and phishing kit identification.
  • Exposure to network security monitoring: firewall log analysis (Palo Alto, Fortinet), NetFlow review, or IDS/IPS alert triage.

Core Technical Skill Set

SOC Engineers at Mobiz work with the following platforms daily:

  • SIEM: Microsoft Sentinel — analytics rules, incidents, workbooks, hunting, SOAR playbooks
  • EDR / XDR: Microsoft Defender for Endpoint, CrowdStrike Falcon (client-dependent)
  • Email & Collaboration Security: Defender for Office 365 (MDO), message trace, attack simulation
  • Identity Security: Defender for Identity (MDI), Microsoft Entra ID, PIM, Conditional Access, risky sign-in review
  • Cloud Security: Defender for Cloud Apps (MDCA), Defender for Cloud, Azure Security Center
  • ITSM: ServiceNow (Security Incidents, Cases, Knowledge, Timecards)
  • Network Security: Palo Alto Panorama, Fortinet FortiManager, WatchGuard (log triage and firewall rule review)
  • Threat Intelligence: Microsoft Threat Intelligence, ISAC feeds, vendor CVE advisories
  • Automation: Azure Logic Apps, Sentinel automation rules, PowerShell
  • Productivity: Microsoft 365 (Teams, Outlook, SharePoint, OneNote)

Core Competencies (Power Skills)

  • Critical Thinking & Threat Analysis
  • Incident Response & Decision Making
  • Problem Solving & Root Cause Analysis
  • Communication & Technical Reporting
  • Attention to Detail
  • Ownership & Accountability
  • Time & Priority Management
  • Adaptability in High-Pressure Environments
  • Collaboration & Cross-Functional Coordination
  • Analytical Thinking & Investigation Skills

What We Offer

  • A team of bright, hard-working, and innovative people who will contribute to your growth.
  • Competitive salary and comprehensive benefits plan.
  • A dynamic and collaborative work environment with the opportunity to work with cutting-edge technology and innovative solutions.

Other

This is a full-time, on-site position based in Karachi, Pakistan.

Equal Opportunity & Diversity Commitment

At Mobiz, we believe that diverse perspectives, experiences, and backgrounds strengthen our organization and drive innovation. We are committed to fostering an inclusive workplace where all employees are valued, respected, and empowered to succeed. As an equal opportunity employer, we make employment decisions based on qualifications, merit, and business needs, without regard to race, gender, age, religion, disability, national origin, or any other protected characteristic.

What Happens Next?

Thank you for your interest in becoming part of Mobiz. We are committed to attracting exceptional talent and building a team that drives innovation, excellence, and meaningful impact. Every application is reviewed with care and consideration. If your experience and qualifications are a match for the role, a member of our team will connect with you regarding the next stage of the hiring process.

We appreciate your interest in joining Mobiz and wish you success in your career endeavors.



The Company

HQ: Houston, Texas
169 Employees
Year Founded: 2008

What We Do

Welcome to Mobiz IT! As an innovative IT Consulting Firm, we specialize in collaborating with companies' IT and Business departments to conceive, implement, and oversee cutting-edge technology projects. With a primary focus on Microsoft Azure Services and ServiceNow integrations, our global presence, supported by a diverse team spanning multiple countries, enables us to transcend time zone limitations and language barriers. Operating across various industry sectors, including pharma & healthcare, distribution & logistics, retail, entertainment, manufacturing, construction, and government, we bring a wealth of experience and expertise to every partnership.

Our comprehensive offerings include:

  • Cloud Services
  • ServiceNow Integrations
  • Data & AI
  • Dynamics 365
  • Management Consulting
  • Cybersecurity
  • Virtual Desktops and Cloud Applications
  • Technical Support & IT Help Desk Managed Services

We are dedicated to helping our clients understand and maximize the value of their technology investments. By streamlining operations and aligning with business goals, we empower organizations to thrive in today's dynamic digital landscape.
