L2 SOC Analyst

3 hours ago


Manila, National Capital Region, Philippines Graybox Security Full time ₱1,500,000 - ₱3,000,000 per year

Location: Remote / Anywhere in the Philippines

Employment Type: Full-Time | Mid-Level | Flexible Shifts (24x7 Coverage)

Industry: Cybersecurity / Managed Security Operations Center (MSOC)

About Us

Graybox Security is a trusted information security, data privacy, and cybersecurity firm dedicated to protecting organizations from evolving digital threats. We offer expert-driven solutions to help businesses safeguard their assets, maintain compliance, and ensure operational resilience. Specializing in cybersecurity consulting and managed security services, we provide advanced capabilities such as Managed Detection and Response (MDR) and Managed Security Operations Center (MSOC) for 24/7 threat monitoring and protection. Founded by industry professionals with decades of experience and leadership in ISO, OWASP, and CIS, Graybox Security supports clients from S&P 500 enterprises to SMEs and government agencies with proactive and scalable security solutions.

Why Join Us?

  • Learn from the best: Work alongside and learn from top-tier cybersecurity specialists from a leading expert security firm.
  • Premium Certifications & Training: Gain access to certifications like CompTIA, EC-Council, and exclusive internal cybersecurity programs.
  • Personalized Mentorship: Receive coaching from some of the Philippines' best security professionals.
  • Flexible, People-First Culture: Experience a work environment that supports your career and personal development.
  • Clear Career Progression: Opportunity to advance your career to Level 3 SOC Analyst, SOC Manager, DFIR Specialist, or Security Consultant roles.
  • Cutting-Edge Technology: Work with AI-driven security technologies in a modern MSOC environment.

Role Overview

The L2 SOC Analyst serves as the second line of defense within the Managed Security Operations Center (MSOC), responsible for advanced security event triage, enrichment, containment, incident investigation, escalation, and communication with customers. This role requires deep technical skills and the ability to collaborate closely with L1 and L3 analysts and customers for incident escalation and response.

Key Responsibilities

  • Incident Triage and Enrichment: Validate alerts, contact users, and enrich the case with Cyber Threat Intelligence (CTI) and host context.
  • Containment Execution: Oversee immediate host isolation, suspend credentials, block Indicators of Compromise (IOCs), and kill malicious processes, manually or by leveraging SOAR automation.
  • Deep Investigation and Analysis: Conduct full forensic collection, define the scope of the breach, perform Root Cause Analysis (RCA), and map the attack techniques to the MITRE ATT&CK framework. Assist L3 in threat hunting.
  • Eradication and Recovery Guidance: Guide and support the client's IT team in the removal of persistence mechanisms, patching, and service restoration.
  • War-Room Participation: Lead the war-room initiation for high severity incidents as needed.
  • Engagement/Escalation: Engage with customer IT admins and management, L3, and the SOC Manager within the target SLA time. Document incidents with detailed context for escalation or closure.

Qualifications & Skills

The role requires strong technical skills in specific security domains and a deep understanding of the core security ecosystem.

  • Platform Proficiency: Expertise in utilizing the core security ecosystem tools: SIEM/XDR (log aggregation and extended detection); incident response workflow management and case management systems; Endpoint Detection and Response (EDR) for deep forensic collection and real-time host isolation; automated threat intelligence feeds and event enrichment; and SOAR automation for executing automated playbooks and response actions.
  • Forensics and Investigation: Demonstrated ability to perform full forensic collection, build attack timelines, and determine the Root Cause Analysis (RCA).
  • Threat Knowledge: Understanding of the MITRE ATT&CK framework for mapping and classifying adversarial tactics, techniques, and procedures (TTPs).
  • Containment Expertise: Practical skill in executing containment actions such as host isolation, account disabling, and IOC blocking (via FW/WAF/DNS).
  • Incident Response Lifecycle: Comprehensive knowledge of the end-to-end incident lifecycle (triage, contain, eradicate, recover).
  • Communication and Management: Ability to work flexible shifts supporting 24x7 operations and under pressure, coordinating multiple internal and external stakeholders.

