SOFTSWISS

L3 SOC Analyst - Lead

10d ago


Job Description

Overview:
SOFTSWISS continues to expand the team and is looking for a Lead SOC Analyst (L3). We need a true, experienced, and accomplished professional who shares our culture and values.

Security Team:
SOFTSWISS Security Team takes care of iGaming services protection, data privacy, and business continuity, so that nothing distracts satisfied customers from using our products. We work closely with the IT team that develops and supports our services, and together we create genuinely excellent and secure iGaming products.

Purpose of the role:
The L3 SOC Analyst is an expert-level SOC professional responsible for investigating complex and non-standard information security incidents, handling escalations from L1/L2 analysts, and enhancing the SOC's analytical capabilities. The role focuses on thinking in terms of incidents and attack chains: quickly identifying affected systems, relevant log sources, and hypotheses to test, and confirming or ruling out attacks.

Key responsibilities:

Incident Response & Investigation:
- Manage complex information security incidents, including APT-like attacks, data exfiltration, and insider threats
- Conduct in-depth analysis of incidents and identify initial access vectors
- Reconstruct attack paths/kill chains and assess incident scope (blast radius)
- Form clear conclusions: what happened, how, when, with what effect, and next steps

Analysis & Hypothesis:
- Ability to think hypothetically:
  - If this is a credential compromise, where will the traces/artifacts be?
  - If this is C2, what artifacts should we expect?
  - How can an attacker exfiltrate data?
- Ability to think one step ahead: predicting the attacker's further actions

Communication & Escalation:
- Expert interaction with internal teams (Security, Development, Legal, ITSM, SE, etc.)
- Support decision-making (e.g., account lock, host isolation/block)
- Perform basic impact analysis balancing containment and business effect

SOC Improvement & Knowledge Sharing:
- Enhance detection logic and provide feedback to L1/L2 analysts
- Learn from relevant incidents and contribute to post-incident reviews
- Participate in and organize tabletop exercises and root cause analyses

Required Experience:
- 4-6+ years of experience in a SOC / MSSP SOC / Incident Response / DFIR team
- Practical experience in investigating and preventing real incidents, not just alerts
- Experience as a Lead Security Analyst/Expert
- Threat hunting experience
- Deep understanding of attacker TTPs according to MITRE ATT&CK
- The ability to link: event - artifact - behavior - attack scenario
- Expertise in infrastructure services: Email, Kubernetes, AD, Databases, Docker, etc.
- Operating systems: Windows (EventLog, Sysmon, PowerShell, Task Scheduler), Linux (auth.log, auditd, bash history, cron, systemd)
- Identity & access: AD, IAM, Keycloak, PAM, RBAC, ABAC
- Knowledge of attack scenarios: credential theft, data exfiltration, PtH, service account abuse, etc.
- Endpoint & network security: EDR/XDR, Proxy, DNS, C2 patterns, VPN, WAF, Firewalls
- Confident working with Splunk SIEM, Redash, ClickHouse, Wazuh
- Ability to write complex search queries and correlate data from multiple sources

Nice to have:
- Experience in high-risk business environments
- Participation in Red Team / Purple Team exercises
- Conducting or organizing tabletop exercises
- Scripting and automation skills: Python, Bash, SPL, SQL
- Security certifications: GCIA, GCED, GCIH, Splunk Power User, OSCP, CEH

Our Benefits:
- Full-time remote work opportunities and flexible working hours
- Private insurance
- Additional 1 Day Off per calendar year
- Sports program compensation
- Comprehensive Mental Health Programme
- Free online English lessons with a native speaker
- Generous referral program
- Training, internal workshops, and participation in international professional conferences and corporate events

Learn more about our hiring process here (link): what to expect, how to prepare, and what makes SOFTSWISS different

Originally posted on Himalayas