SOC Tier 1 Analyst

SOC Tier 1 Analyst

Everforth ECS is seeking a SOC Tier 1 Analyst to work in our Portland, OR office. The SOC Analyst 1 supports the organization's security operations by monitoring security events, performing first-level alert triage, validating suspicious activity, documenting tickets, and escalating confirmed or higher-risk events using approved runbooks and procedures. This role is the initial monitoring and triage tier within the SOC Analyst role family.

The ideal candidate has foundational cybersecurity or IT operations experience, understands basic security concepts and defensive technologies, and can follow established procedures while communicating clearly with SOC Analyst 2, SOC Analyst 3, incident response, engineering, and other program stakeholders.

This role involves shift work schedule to support our 24/7 operation, including weekends and holidays. Candidates must be flexible in their availability. While we make every effort to accommodate individual preferences, it's essential to understand that specific shift requests are not guaranteed and are assigned based on operational needs.

Key Responsibilities

Security Monitoring & Initial Alert Triage

• Monitor security events and alerts across SIEM, EDR, IDS/IPS, cloud, network, identity, case management, and other approved security platforms.
• Perform first-level alert validation to determine whether activity is benign, suspicious, policy-related, or requires escalation.
• Assign initial severity, scope, affected assets, affected accounts, and potential impact using approved triage criteria and runbooks.
• Escalate confirmed, ambiguous, high-risk, or complex alerts to SOC Analyst 2, SOC Analyst 3, or SOC leadership according to established procedures.

Ticketing, Documentation & Shift Handoff

• Create and update incident tickets with clear descriptions, timestamps, evidence references, preliminary findings, and actions taken.
• Document investigation steps, alert context, decisions, and escalation rationale clearly and accurately.
• Prepare shift handoff notes and status updates to ensure continuity of monitoring and incident follow-up.
• Maintain case management hygiene, including accurate categorization, status tracking, and closure documentation for routine alerts.

Incident Response Support

• Support standard incident response activities under direction of SOC Analyst 2, SOC Analyst 3, incident responders, or SOC leadership.
• Collect readily available logs, alert details, endpoint information, user information, and other operational evidence needed for escalation.
• Coordinate basic information requests with system owners, security engineers, and other technical teams as directed.
• Track escalations and provide status updates until ownership is accepted by the appropriate SOC or specialized role.

Tool Use & Procedure Adherence

• Use SOC tools such as SIEM, SOAR, EDR, threat intelligence portals, case management systems, and vulnerability platforms in accordance with approved procedures.
• Follow playbooks, standard operating procedures, evidence-handling expectations, and escalation thresholds consistently.
• Report suspected data quality issues, missing telemetry, dashboard problems, or tool availability concerns to SOC Analyst 2/3, Splunk engineering, or security engineering teams.
• Participate in training, drills, tabletop exercises, and lessons-learned activities to improve monitoring and triage performance.

Continuous Learning

• Stay current with common cyber threats, phishing techniques, malware trends, vulnerabilities, user behavior risks, and security operations best practices.
• Apply feedback from senior analysts to improve alert validation, documentation quality, and escalation accuracy.
• Contribute operational observations and recurring alert patterns to process improvement discussions.

U.S. Citizenship with ability to obtain and maintain a DOE "L" clearance after start. 1-3 years of experience in cybersecurity, IT operations, help desk, networking, systems administration, or SOC monitoring. Basic experience using SIEM, EDR, ticketing, case management, or log-search tools to review security events or operational alerts. Foundational knowledge of Windows, Linux, networking, cloud, identity, endpoint, and common cyber threat concepts. Ability to follow runbooks, validate alerts, document findings, and escalate issues accurately and promptly. Familiarity with incident escalation procedures, shift handoff practices, and basic evidence-handling expectations. Strong attention to detail, written documentation skills, and ability to communicate clearly with technical teams.