Lead Analyst, Cyber Defense

$164.18k - $196k

University of Southern California

ABOUT THE DEPARTMENT

The University of Southern California (USC) is committed to strengthening its cybersecurity posture through resilience, cyber risk management, and threat-informed defense. As a world-class research institution, USC is building a culture of security that supports its academic and research mission in a rapidly evolving threat landscape.

This role sits within USC’s cybersecurity organization, which is advancing threat-informed defense and operational excellence. You’ll join a team committed to scalable, proactive defense strategies, incident preparedness, and high-impact partnership across the university, working alongside experts who are deeply committed to service, innovation, and impact.

If you’re driven by purpose, thrive in complexity, and want to help shape the future of cybersecurity at a leading university, we invite you to bring your expertise to the table.

POSITION SUMMARY

As the Lead Analyst, Cyber Defense you will be an integral member of the cybersecurity department while also collaborating with stakeholders across the university ecosystem and reporting to the Manager, Cyber Defense. This is a full-time exempt position, eligible for all of USC’s fantastic Benefits + Perks. This opportunity is remote.

The Lead Analyst, Cyber Defense serves as a technical authority responsible for elevating the university’s cyber detection and response posture. Leads advanced incident investigations, threat hunting and detection development while partnering across the SOC, threat intelligence, MSSPs, and distributed university partners. Ensures high-fidelity threat detection by operationalizing threat intel, optimizing SIEM tools (e.g., Splunk and Chronicle) and shaping detection logic, playbooks and standards. Drives cyber defense maturity across diverse systems, aligning with MITRE ATT&CK and other frameworks. Contributes to the development of detection standards, SOC engineering priorities, and incident readiness and response.

The Lead Analyst, Cyber Defense:

  • Coordinates and manages the response to actual and potential security breaches, engaging in the identification, triage, and categorization of security incidents and events. Leads incident response efforts (e.g., investigation, remediation) during security breaches. Leads major incident investigations and complex forensic analysis of systems, logs, and artifacts inclusive of identifying, investigating, and responding to security incidents. Works with cyber defense team members to assign criticality and priority levels to security incidents and events. Actively reports on security incidents as they are escalated or identified to cyber leadership and management. Collaborates with SOC teams and MSSPs to support round-the-clock monitoring and triage.

  • Assists in the development and implementation of incident response policies and procedures to ensure a structured approach to handling security incidents. Assists with development and implementation of SIRPs, as well as detection, containment, eradication, and recovery strategies. Develops and maintains incident response plans specific to OT and IoT environments. Applies risk analysis techniques and strategies when evaluating the impact of cyber threats and vulnerabilities, as well as recommended remediation steps. Assists with design and delivery of incident response exercises to test client SIRP. Supports purple team initiatives and adjusts detections based on red team findings.

  • Communicates with university management and other cybersecurity teams during high-security events, following incident response guidelines and escalating issues when necessary. Works with information security officers (ISOs) and cyber governance to exchange information with IT directors and support departments, schools, or units (DSUs) in their recovery from incidents. Collaborates with the USC Office of Culture, Ethics and Compliance and Office of the General Counsel to build forensic case documentation, including chain-of-custody information, data categorization, and investigatory results. Provides executive communication, finished incident reports and forensics data, as appropriate, advising management on decisions that may significantly affect operations, policies, or procedures. Participates in and leads after-action reviews from tabletop exercises and major incidents.

  • Works with senior cyber defense analysts to analyze security logs, network traffic, and other data sources to identify indicators of compromise (IOC) and malicious activity. Forensically analyzes end-user systems and servers found to have possible IOC, as well as artifacts collected during security incidents. Reviews and addresses false positives, collaborating with other cyber teams (including pro and managed service teams) to refine and improve the accuracy of security tool configuration rules and policies.

  • Documents security incidents and incident response activities; analyzes metrics and trends. Leads and conducts post-incident reviews and lessons learned sessions to identify areas for improvement. Produces and reviews related reports (e.g., incident reports, findings, impact assessments, remediation recommendations). Reviews analysis and conclusions of other analysts and/or consultants, when applicable. Supports digital forensic investigations on a variety of digital devices (e.g., computers, mobile devices, network systems). Ensures processes and procedures follow established standards, guidelines, and protocols. Maintains currency with legal, regulatory, and technological changes and/or advancements that may impact incident response operations; communicates changes to cyber defense leadership and staff.

  • Collaborates with senior cyber defense analyst and cyber threat team to stay informed about the latest threats, vulnerabilities, and attack vectors to enhance the organization's incident response capabilities. Maintains currency with emerging OT security trends, technologies, and compliance requirements. Supports performance analysis of detection and response workflows through KPIs and SLA metrics.

  • Encourages a workplace culture where all employees are valued, value others and have the opportunity to contribute through their ideas, words and actions, in accordance with the USC Code of Ethics.

MINIMUM QUALIFICATIONS

Great candidates for the position of Lead Analyst, Cyber Defense will meet the following qualifications:

  • 5 years in key Cyber Defense areas (e.g., incident response, security monitoring, cyber threat intelligence, attack surface and vulnerability management).

  • Bachelor's degree or combined experience/education as substitute for minimum education.

  • Familiarity with security tools and solutions such as security information and event management (SIEM), intrusion detection/prevention systems (IDS/IPS), as well as endpoint protection solutions, network security zones, and firewall configurations.

  • Significant experience in a SOC analyst or detection engineering role.

  • Experience in a senior incident response role or threat hunting capacity.

  • Ability to coordinate and work efficiently with cybersecurity monitoring and threat intelligence managed service teams.

  • Ability to work closely with other cybersecurity teams (e.g., cyber threat intelligence, cybersecurity monitoring).

  • Familiarity with detection tuning languages and tooling.

  • Ability to develop and maintain incident response OT cybersecurity policies, standards, and related documentation.

  • Knowledge of industrial control systems (ICS).

  • Knowledge of digital forensics and incident response (DFIR), as well as digital forensic investigation processes related to OT/IoT systems.

  • Demonstrated understanding of security threats, vulnerabilities, intrusion techniques, malware capabilities and system diagnostics.

  • Demonstrated understanding of electronic investigation, forensic tools and methodologies (e.g., log correlation and analysis).

  • Experience with computer security investigative processes and malware identification and analysis. Experience with incident response and digital forensics across IT and cloud platforms.

  • Knowledge of network security zones, firewall configurations, and intrusion detection systems (IDS).

  • Familiarity with various log protocols/formats (e.g., syslog, logs, database logs) and the ability to perform forensic traceability.

  • Proficiency in packet capture and analysis, as well as experience with log management or security information management tools.

  • Experience with security assessment tools (e.g., NMAP, Nessus, Metasploit, Netcat).

  • Skill in log source validation and coverage assessment in a decentralized environment.

  • Ability to guide playbook design and SOC process improvement without formal management.

  • Demonstrated organizational, critical thinking and analytical skills; ability to assess cybersecurity risks and make informed decisions.

  • Excellent written and oral communication skills, and an exemplary attention to detail.

  • Ability to analyze complex data sets and logs to identify anomalies and potential threats.

  • In-depth knowledge of industry standards and regulations (e.g., ISO 27001, NIST CSF).

  • Ability to work evenings, weekends and holidays as the schedule dictates.

PREFERRED QUALIFICATIONS

Exceptional candidates for the position of Lead Analyst, Cyber Defense will also bring the following qualifications or more:

  • 7 years of related experience.

  • A bachelor’s degree in information science or computer science or computer engineering or in related field(s).

  • GIAC Certified Incident Handler (GCIH), GIAC Security Essentials (GSEC), or equivalent.

  • Cisco Certified CyberOps Associate or similar.

  • MITRE ATT&CK Defender certifications preferred.

In addition, the successful candidate must also demonstrate, through ideas, words and actions, a strong commitment to USC’s Unifying Values of integrity, excellence, community, well-being, open communication, and accountability.

SALARY AND BENEFITS

The annual base salary range for this position is $164,175.55 to $196,000. When extending an offer of employment, the University of Southern California considers factors such as (but not limited to) the scope and responsibilities of the position, the candidate’s work experience, education/training, key skills, internal peer alignment, federal, state, and local laws, contractual stipulations, grant funding, as well as external market and organizational considerations.

To support the well-being of our faculty and staff, USC provides benefits-eligible employees with a broad range of perks to help protect their and their dependents’ health, wealth, and future. These benefits are available as part of the overall compensation and total rewards package. You can learn more about USC’s comprehensive benefits here.

Join the USC cybersecurity team within an environment of innovation and excellence.


Vacancy posted 4 days ago