Cybersecurity Operations Analyst II

The Cybersecurity Operations Analyst II (COA2) is responsible for the initial triage and monitoring of security events, working exclusively in Microsoft 365 E5 environments, and helping to enforce CMMC 2.0 requirements.   

The COA 2 is responsible for advanced incident response, proactive threat hunting, vulnerability lifecycle management, and escalation support for Microsoft 365 E5 customers. This role bridges the gap between COA 1 alert/triage and senior analyst/engineering roles, working in-depth with Microsoft Defender XDR, external SOCs, and industry-standard vulnerability tools like Qualys and Tenable.  

Role & Responsibilities: 

Advanced Threat Detection & Response  

• Lead investigations of escalated alerts across the following:  

• Defender for Endpoint  

• Defender for Office 365  

• Defender for Cloud Apps (MCAS)  

• Defender for Identity (formerly ATA)  

• Microsoft Defender XDR  

• Correlate log and alert data to detect lateral movement, privilege escalation, anomalous behavior, and advanced persistent threats using Microsoft Defender data and investigative tools from external SOC vendors.  

• Conduct live incident response across customer tenants (containment, eradication, recovery) in accordance with CMMC 2.0 and NIST 800-171 incident response standards.  

• Coordinate post-incident documentation including RCA, timeline analysis, and recommendations.  

Incident Handling & Response Support  

• Assist senior analysts during active incidents by collecting logs, screenshots, and device/user activity history.  

• Document timelines, observations, and artifacts to support root cause analysis and reporting.  

• Conduct follow-up on low-risk alerts and phishing investigations (possibly with supervised guidance).  

Customer Interaction & Ticket Management  

• Document findings and updates in the SOC ticketing system with accuracy and clarity.  

• Respond to basic client inquiries related to user behavior, alert definitions, or mitigation steps under supervision.  

• Follow documented workflows to support CMMC 2.0 incident response requirements, including reporting timelines and evidence handling.  

Threat Hunting & Detection Engineering Support  

• Conduct proactive threat hunting using KQL queries in Microsoft Sentinel and hunting dashboards in Defender XDR.  

• Assist with tuning analytics rules and alert thresholds and reducing false positives in detection logic.  

• Work with external SOC services to tune rules and alert thresholds.  

• Identify opportunities for new detections based on threat intelligence and customer risk profiles.  

• Support configuration and optimization of Microsoft Sentinel data connectors, workbooks, automation rules, and response playbooks.  

• Monitor log ingestion and telemetry gaps from M365 Defender products, Entra ID, and endpoint clients.  

• Maintain detection signatures and IOCs provided by Microsoft, ISACs, or third-party feeds.  

Vulnerability & Patch Management  

• Manage operating system and third-party software patching cycles for customer environments.  

• Prioritize and manage vulnerability remediation in coordination with infrastructure teams and customer needs.  

• Perform vulnerability scans using Qualys, Tenable.io, or Nessus across hybrid and cloud environments.  

• Analyze, prioritize, and track vulnerabilities by CVSS score, exploitability, and exposure relevance to customer mission.  

• Collaborate with customer IT and endpoint teams to validate and remediate critical vulnerabilities in operating systems, applications, and Microsoft 365 services.  

• Report on vulnerability trends and threat exposure as part of recurring customer security reviews.  

Customer Engagement & Documentation  

• Participate in high-touch incident communications and brief customers on security events, containment actions, and risk.  

• Generate clear, actionable incident summaries and vulnerability reports tailored for both technical and executive audiences.  

• Assist with compliance evidence collection during audits or IR tabletop exercises.  

• Lead or assist in conducting security awareness training campaigns and tabletop exercises for customers.  

• Assist in gathering and assembling audit evidence to support compliance assessments. 

Competencies / Skills: 

• 3–5 years of cybersecurity experience, with at least 1 year in a SOC, IR, or detection-focused role.  

• Strong knowledge of attacker TTPs, MITRE ATT&CK, and Zero Trust principles.  

• Hands-on experience with Microsoft 365 E5 security stack.  

• Familiarity with CMMC 2.0, NIST 800-171, and FedRAMP security controls.  

• Experience conducting or responding to vulnerability scans and remediation workflows.  

• Security+ or SC-900 certification  

• Must be a U.S. citizen eligible for ITAR-compliant work.  

Preferred: 

• Certified Ethical Hacker (CEH)  

• Microsoft SC-100, SC-200, SC-300, or SC-400 certifications  

• Microsoft AZ-500  

Where required by law, this posting includes a good‑faith pay range for candidates who will perform the role in specific jurisdictions. For other locations, the actual compensation may differ. Final compensation will be determined based on qualifications, experience, skills, work location, internal equity, and current market data. This job posting is not a contract or promise of employment or any particular compensation, and any employment offer will be set out in a written offer letter.