Job Description

Role Overview

The L3 Threat Analyst leads complex incident response and advanced threat investigations, owning incidents end-to-end while guiding L1/L2 analysts. This role combines deep technical expertise, adversary understanding, and detection engineering to strengthen the organization’s overall security posture.



Key Responsibilities


Advanced Incident Response Leadership

  • Lead high-severity and complex incidents (multi-stage attacks, APTs, lateral movement, data exfiltration)
  • Own end-to-end response: detection → investigation → containment → eradication → recovery
  • Act as the technical decision-maker during active incidents


Deep Threat Investigation

  • Perform advanced analysis across:
      • Endpoint telemetry, memory artifacts, disk forensics
      • Network traffic (PCAP, NDR)
      • Identity and cloud logs
  • Reconstruct full attack chains and identify root cause + blast radius
  • Handle fileless malware, living-off-the-land (LotL), and stealthy persistence techniques


Threat Hunting & Adversary Emulation

  • Design and lead proactive threat hunting campaigns
  • Simulate attacker techniques (red/purple mindset) to validate detection coverage
  • Identify gaps and convert them into high-fidelity detections


Detection Engineering

  • Design, build, and optimize advanced detection logic
  • Develop detections across:
      • SIEM (correlation rules, anomaly detection)
      • EDR/NDR analytics
  • Ensure coverage across the MITRE ATT&CK framework
  • Mentor L1/L2 on detection quality and tuning


Forensics & Malware Analysis

  • Conduct host and network forensics
  • Perform static and basic dynamic malware analysis
  • Extract IOCs, behaviors, and detection patterns


Automation & SOC Engineering Collaboration

  • Define and drive automation strategy (SOAR, pipelines)
  • Collaborate with engineering teams to:
      • Improve telemetry pipelines
      • Optimize data ingestion and correlation
      • Scale detection systems for high EPS environments


Incident Command & Stakeholder Management

  • Act as Incident Commander for critical incidents
  • Provide clear, structured communication to leadership
  • Lead post-incident reviews and drive corrective actions


SOC Maturity & Strategy

  • Define and improve:
      • IR playbooks
      • Detection coverage roadmap
      • SOC metrics (MTTD, MTTR, detection fidelity)
  • Continuously enhance SOC capabilities and resilience

Required Skills & Qualifications

  • 5+ years of experience in Incident Response / Threat Hunting / SOC Engineering
  • Strong expertise in:
      • Advanced attack techniques (APT, lateral movement, persistence)
      • MITRE ATT&CK mapping and adversary behavior analysis
      • Windows & Linux internals
  • Hands-on experience with:
      • SIEM (Splunk, ELK, Sentinel, etc.)
      • EDR/NDR platforms
      • Log correlation in large-scale distributed systems
  • Deep knowledge of:
      • Networking (packet-level understanding, DNS abuse, C2 patterns)
      • Identity attacks (Kerberos, AD abuse, credential theft)
  • Strong scripting/programming skills (Python, PowerShell, Bash)

Good to Have

  • Experience in high-throughput environments (100K+ EPS, data lakes)
  • Detection engineering frameworks (Sigma, YARA, KQL, SPL)
  • Cloud security and container environments
  • Reverse engineering (intermediate level)
  • Experience in SOAR and automation design

Key Traits

  • Thinks like an attacker, acts like a defender
  • Strong ownership and decision-making under pressure
  • Systems-level thinking (not just alerts, but pipelines and architecture)
  • Mentorship mindset for L1/L2 analysts


Job Details

Role Level: Mid-Level
Work Type: Full-Time
Country: India
City: Kanpur Nagar, Uttar Pradesh
Company Website: http://c3ihub.org
Job Function: Cybersecurity
Company Industry/Sector: IT Services and IT Consulting; Technology, Information and Internet; Computer and Network Security

About the Company

Searching, interviewing and hiring are all part of professional life. The TALENTMATE Portal idea is to help professionals doing any of them by bringing together the requisites under one roof. Whether you're hunting for your next job opportunity or looking for potential employers, we're here to lend you a helping hand.
