ECS

Cybersecurity Analyst (CDAP) - Journeyman

$80K — $110K *
Aerospace & Defense
Less than 5 years of experience
Job Overview by Ladders

Qualifications

  • U.S. Citizenship required
  • Secret security clearance eligibility
  • 3+ years of cybersecurity experience
  • Proficiency in detection logic for behavioral indicators and insider threat use cases
  • Experience in data correlation from security or user activity sources
  • Ability to create clear investigative documentation
  • Familiarity with continuous monitoring and RMF security operations

Responsibilities

  • Develop and tune analytic rules to detect anomalous user activity and insider threats
  • Correlate data for alert triage and investigative analysis
  • Document findings and support case development activities
  • Coordinate with various teams for validation and escalations
  • Create MITRE ATT&CK-based analytics for threat detection
  • Integrate detections using enterprise data sources in ENOCS
  • Enhance analytic effectiveness across classified and unclassified environments
  • Support cybersecurity policy compliance and governance activities

Benefits

  • Opportunity to support the Army National Guard's cybersecurity mission
  • Access to a large, diverse user base across multiple states and territories
  • Collaboration with leading cybersecurity teams and technologies
  • Participation in a 24/7 cybersecurity operations environment
  • Opportunity for professional development in a critical national security space

Full Job Description

Position Summary

ECS is seeking a Cybersecurity Analyst (CDAP) - Journeyman to support the Army National Guard (ARNG) Enterprise Network Operations and Cybersecurity Support (ENOCS) program. In this Task 3 role supporting Cybersecurity Operations Support, the Analytic Developer/Insider Threat Analyst develops, implements, and tunes analytic rules and detection logic to identify anomalous user activity, insider threat indicators, and high-risk behavioral patterns across ARNG enterprise environments. The position correlates data from multiple security and user activity sources, performs alert triage and investigative analysis, documents findings with supporting evidence, and supports case development and reporting in coordination with SOC/CIRT, CTIC, defensive cyber, and security engineering teams to strengthen Defensive Cyberspace Operations - Internal Defensive Measures (DCO-IDM) across the DoDIN-Army-NG area of responsibility.

Please Note: This position is contingent upon contract award.

This role directly supports the ARNG mission to deliver and defend DoDIN services for more than 120,000 users and approximately 141,000 endpoints across roughly 2,800 sites in 54 states and territories, including Title 10 and Title 32 missions, mobilization readiness, domestic emergency response, and classified SIPRNet operations. The analyst contributes to a 24x7x365 cybersecurity operations environment that coordinates with the NETCOM Global Cyber Center and DISA DCDC and leverages ARNG's Unified Security Information & Event Management (USIEM) analytics ecosystem, integrated SIEM/C2C/DLP analytics, MITRE ATT&CK-based detections, Zeek metadata, Sysmon-informed monitoring, EDR, SOAR, and continuous monitoring processes to improve visibility, detection fidelity, and response across classified and unclassified network environments.

Responsibilities

  • Develop, implement, and tune analytic rules, correlation logic, and behavioral detections to identify anomalous user activity, insider threat indicators, and high-risk patterns across ARNG enterprise environments.
  • Correlate data from multiple security and user activity sources to support triage, investigation, and evidence-based analysis of alerts, suspicious behaviors, and potential insider threat activity.
  • Perform in-depth alert analysis and document investigative findings, recommended actions, and supporting artifacts for case development, reporting, and follow-on response activities.
  • Coordinate with SOC, CIRT, CTIC, defensive cyber, and security engineering personnel to validate findings, refine detection content, and support escalation through Tier 2 incident, problem, and change processes as appropriate.
  • Create and improve MITRE ATT&CK-based analytics within the ARNG USIEM environment to enhance threat-informed detection and centralized visibility.
  • Support integration and refinement of detections using relevant enterprise data sources identified in ENOCS operations, including SIEM/C2C/DLP analytics, Zeek metadata, Sysmon-based monitoring, EDR telemetry, and baseline/trend analysis.
  • Coordinate with USIEM engineers and AESS-aligned endpoint security stakeholders to improve enabling data sources, detection coverage, and analytic effectiveness across classified and unclassified enclaves.
  • Ensure analytic development and investigative activities align with DoD and ARNG cybersecurity policy, insider threat program requirements, RMF controls, eMASS evidence expectations, and continuous monitoring objectives.
  • Contribute to reporting and governance activities that strengthen cyber defense across the DoDIN-Army-NG AOR and support coordination with NETCOM, ARCYBER, USCYBERCOM, and RCC stakeholders when required.


Required Qualifications

U.S. Citizenship is required

Security Clearance: Secret Eligible

Required Certifications: DCWF Work Role 462-Control Systems Security Specialist - Basic proficiency; must hold ONE OR MORE of the following: DAF 462 (Basic) (ICS)

Experience: 3+ years of experience in cybersecurity
  • Experience developing and tuning detection logic or analytic content for anomalous activity, behavioral indicators, or insider threat use cases.
  • Experience correlating data from multiple security or user activity sources to support alert triage, investigative analysis, and documented findings.
  • Ability to produce clear investigative documentation, supporting evidence, and reporting suitable for case development and stakeholder review.
  • Experience coordinating with incident response, security operations, cyber intelligence, or security engineering teams to validate findings and improve detection outcomes.
  • Familiarity with continuous monitoring objectives, RMF-aligned security operations, and documenting artifacts that support ongoing cybersecurity compliance.
  • Experience working within enterprise cybersecurity operations supporting classified and unclassified environments.

About ECS

ECS is a leading provider of digital solutions and services to the federal government. The company was founded in 2001 by Roy Kapani and has since grown to become a trusted partner to a wide range of government agencies. ECS offers a broad range of services, including cloud computing, cybersecurity, and artificial intelligence. The company has been recognized for its innovative solutions and has won numerous awards, including the AWS Public Sector Partner of the Year award.
Size: 2,000 employees