SOC Analyst (Level 1–2)

Position Summary
We are seeking a SOC Analyst (Level 1–2) to join our Security Operations team. In this role, you will be responsible for triaging security alerts, conducting in-depth investigations, performing root cause analysis (RCA), and recommending or executing remediation steps. You'll work across a modern security stack including Microsoft Sentinel, Defender, FortiGate, Netskope, ObserveIT, Auvik, and NinjaRMM - and you'll leverage AI-assisted analysis tools (including Claude) to accelerate investigation and response.

This is a hands-on, technically rigorous role for someone who thrives on solving puzzles, communicating clearly under pressure, and constantly leveling up their security craft.

Key Responsibilities

Alert Triage & Monitoring
Monitor security alerts and events across Microsoft Sentinel, Microsoft Defender (Endpoint, Identity, Cloud Apps, Office 365), Netskope, FortiGate firewalls, ObserveIT, Auvik, and NinjaRMM.
Perform initial triage of incoming alerts: validate fidelity, classify severity, assign priority, and determine whether an alert is a true positive, false positive, or benign true positive.
Acknowledge, document, and escalate alerts per defined SLAs and runbooks.
Maintain situational awareness across multiple client environments, tenants, and Azure stack workloads (AVD, Azure VMs, Azure AD/Entra ID, Azure networking).

Investigation & Root Cause Analysis
Conduct detailed investigations into security i ---------- — pivoting across logs, endpoint telemetry, network flows, identity signals, and user activity to build a full picture of what happened.
Construct timelines of events, identify the initial access vector, lateral movement, and impact.
Perform root cause analysis (RCA) to determine the underlying conditions that allowed an i ---------- to occur (misconfiguration, missing control, user behavior, vulnerability, etc.).
Use Microsoft Sentinel KQL queries to hunt across log sources, build investigations, and validate hypotheses.
Leverage AI-assisted tools (including Claude) to accelerate log analysis, summarize findings, draft queries, and support investigation workflows - while maintaining analyst judgment and validation.

Response & Next Steps
Recommend and, where authorized, execute containment and remediation actions (isolating endpoints, disabling accounts, blocking IOCs at the firewall or proxy, revoking sessions, etc.).
Coordinate with Tier 3 / IR specialists and client-facing teams to hand off complex i ---------- with complete context.
Document clear, actionable next steps for clients — including technical remediation, policy changes, user education, and follow-up validation.
Produce concise, professional i ---------- write-ups suitable for both technical and non-technical client audiences.

Continuous Improvement
Tune detection rules and analytics in Sentinel and Defender to reduce false positives and improve signal quality.
Contribute to and maintain SOC runbooks, playbooks, and standard operating procedures.
Identify recurring i ---------- patterns and recommend systemic improvements (control gaps, configuration drift, training opportunities).
Stay current on threat intelligence, emerging TTPs, and vulnerabilities relevant to client environments.

Required Qualifications
Experience: 1–3+ years in a SOC, NOC with security responsibilities, MSP/MSSP, IT security, or similar hands-on role.
SIEM: Hands-on experience with Microsoft Sentinel, including writing and tuning KQL queries.
Microsoft Security Stack: Working knowledge of Microsoft Defender (Endpoint, Identity, Cloud Apps, O365) and Azure AD / Entra ID.
Azure: Familiarity with Azure stack components — Azure Virtual Desktop (AVD), Azure VMs, Azure networking, and core IAM concepts.
Network Security: Practical experience reading FortiGate firewall logs, policies, and traffic flows.
Endpoint & Cloud Tools: Exposure to Netskope (SWG/CASB), ObserveIT (or similar UAM/insider risk), NinjaRMM (or comparable RMM), and Auvik (or comparable network monitoring).
Investigation Skills: Demonstrated ability to perform structured triage, root cause analysis, and produce clear i ---------- documentation.
Foundations: Solid grasp of TCP/IP, DNS, HTTP(S), authentication protocols, common attack techniques (MITRE ATT&CK), and Windows event logs.
Communication: Strong written and verbal communication — able to explain technical findings to non-technical stakeholders.
Mindset: Curiosity, attention to detail, and the discipline to follow process without losing the ability to think critically.

Preferred Qualifications
Industry certifications such as Security+, AZ-500, SC-200, SC-900, CySA+, GCIA, GCIH, or equivalent.
Experience in an MSP or MSSP environment supporting multiple client tenants.
Scripting / automation experience (PowerShell, Python, KQL functions, Logic Apps, Sentinel playbooks).
Experience integrating or working with AI-assisted security tooling (e.g., Claude, Security Copilot) for investigation and reporting workflows.
Exposure to threat intelligence platforms, EDR forensic workflows, and basic malware triage.
Familiarity with compliance frameworks (NIST CSF, CIS, HIPAA, SOC 2).

What You'll Get
A modern, well-instrumented security stack with real depth across endpoint, network, identity, and cloud.
Direct exposure to a wide variety of environments and i ---------- types — accelerated growth vs. a single-enterprise SOC.
Access to AI-assisted tooling that augments (not replaces) your analytical work.
Clear mentorship from senior analysts and a defined progression path from Tier 1 to Tier 2 and beyond.
Support for certifications and ongoing training.

Working Conditions
This role may include shift work or on-call rotation to support SOC coverage requirements.
Remote, hybrid, or onsite arrangements per AlphaRidge policy.
AlphaRidge is an equal opportunity employer. We celebrate diversity and are committed to creating an inclusive environment for all employees.