Cyber Security Operations Centre (CSOC) Analyst – Critical National Infrastructure (CNI)
These roles require Security Clearance (SC) and sole British citizenship due to security constraints.
We are seeking specialist, high-calibre Cyber Security Operations Centre (CSOC) Analysts to support essential energy operations within a Critical National Infrastructure (CNI) environment. This role is responsible for real-time security monitoring, alert triage, investigation, and early-stage incident response.
You will work with industry-standard security monitoring and incident/event management platforms to identify suspicious activity, validate alerts, and escalate confirmed incidents. This is a highly operational position requiring strong technical judgement, excellent written communication, and the ability to remain calm and effective under time pressure.
You will also contribute to continuous improvement by capturing lessons learned from incidents, helping tune detections, and strengthening operational procedures and documentation.
Key Responsibilities
Monitoring and Triage
- Monitor security events and alerts using industry-standard SIEM and incident/event management platforms (e.g., Elastic, Microsoft Sentinel, Splunk).
- Perform rapid triage to determine alert validity, severity, scope, and potential business or operational impact.
- Correlate related events and identify patterns across multiple alerts to reduce duplication and improve incident clarity.
Investigation and Evidence-led Analysis
- Conduct investigations across endpoint, identity, network, and log telemetry, building timelines and hypotheses grounded in evidence.
- Maintain high-quality investigation records, including key evidence and the queries/search logic used to reach conclusions, supporting peer review, auditability, and reliable handover.
- Apply foundational host-based forensic concepts, including process ancestry, persistence artefacts, lateral movement indicators, and log integrity considerations.
Incident Response and Escalation
- Manage security incidents from initial identification through to handover to incident management / incident response teams, ensuring escalations are timely, complete, and actionable.
- Support containment and mitigation activities where authorised, including coordinating response actions with relevant teams and tooling.
Continuous Improvement and PIR Learnings
- Develop and fine-tune detection rules and alerts to identify malicious activity, validating effectiveness and reducing false positives.
- Identify and implement lessons learned from incidents and post-incident reviews (PIRs) to improve processes, runbooks, and detection logic.
- Contribute to a culture of quality and standardisation by improving documentation and operational practices.
Skills and Experience Required
- Strong technical communication skills in time-pressured environments, with excellent written communication (clear, structured incident notes and stakeholder updates).
- Strong foundational knowledge of incident and event management / SIEM platforms (e.g., Elastic, Sentinel, Splunk), including query languages used for investigations and detections such as:
- Kusto Query Language (KQL)
- ES|QL
- Kibana Query Language
- Strong understanding of attacker tactics, techniques, and procedures (TTPs), including detecting indicators of compromise (IOCs) and knowing how to locate them in logs or telemetry.
- Evidence of keeping up to date with industry-specific threat trends, attacker tradecraft, and emerging defensive techniques.
- Experience across the complete lifecycle of security incidents, including initial detection, triage, escalation to incident response teams, response, remediation, and PIR learnings.
Desirable
- Deep understanding of one or more SIEM technologies, with Elastic knowledge considered a strong advantage.
- GIAC / SANS certifications highly desired, or equivalent credible industry certifications aligned to SOC operations, incident handling, threat detection, or forensic fundamentals.