Everforth ECS is seeking a Security Operations Center Analyst to work in the National Capital Region covering the Pentagon, Falls Church, and Fairfax. Please Note: This position is contingent upon contract award.
The War Data Platform (WDP) is a key initiative within the U.S. Department of War's (DoW) AI-First strategy introduced in early 2026. The WDP separates business and financial data from operational warfighting data, aiming to accelerate the deployment of artificial intelligence (AI) on the battlefield. The WDP extends to Unclassified, Secret, and Top Secret environments, and supports collaboration between Combatant Commands, Joint Staff directorates, Senior Executive Service leaders, and operational analysts.
The Security Operations Center Analyst supports WDP's 24/7 continuous monitoring mission by performing structured threat detection, incident investigation, and response operations across NIPRNet, SIPRNet, and JWICS. This role operates within an integrated SOC environment leveraging Splunk SIEM, SOAR-driven automation, and AI-assisted triage capabilities to identify adversary behavior, contain incidents, and sustain cyber defense resilience across WDP's classified and unclassified mission enclaves.
• Executes continuous security monitoring operations across classified and unclassified DoW networks, supporting mission systems operating on NIPRNet, SIPRNet, and JWICS.
• Analyzes security events generated by enterprise Security Information and Event Management platforms including Splunk and Elastic, correlating host, network, and application telemetry to identify anomalous activity and potential adversary behavior.
• Conducts structured incident investigations using established incident response playbooks aligned to DoW Cyber Incident Handling Program guidance, documenting findings within ServiceNow and SharePoint tracking repositories.
• Performs proactive threat hunting activities leveraging MITRE ATT&CK mappings, endpoint telemetry, network flow data, and log analytics to detect previously unidentified threats.
• Coordinates containment and remediation actions with system administrators, ISSOs, and vulnerability management teams, supporting rapid mitigation of malware, unauthorized access, and policy violations.
• Maintains detailed incident records, forensic timelines, and evidentiary artifacts supporting after-action reporting and continuous monitoring requirements under the Risk Management Framework.
• Tunes detection logic, refines correlation rules, and contributes to improvement of SOC use cases to reduce false positives and increase detection fidelity.
• Provides technical mentorship to junior analysts through peer review of investigations and collaborative shift handovers.
• Delivers operational reporting products including incident summaries, alert trend analysis, and threat activity assessments supporting operational readiness, cyber defense resilience, and mission assurance across combat support and intelligence environments.
• Performs other duties as assigned.
• Current Secret security clearance with the ability to obtain and maintain a Top Secret (TS) security clearance.
• A minimum of 3 years of experience in security operations, cyber threat analysis, or incident response within a federal, defense, or intelligence community environment, with demonstrated hands-on proficiency performing continuous monitoring and structured incident investigations using enterprise SIEM platforms such as Splunk or Elastic across multi-enclave network environments.
• Active IAM Level I certification, satisfied by one of the following: CompTIA Security+ CE, ISC² CAP, ISC² SSCP, or GIAC GSLC.
• Strong problem-solving and decision-making capabilities, with a proven ability to weigh the relative costs and benefits of potential actions and identify the most appropriate solution.
• Highly developed interpersonal and oral/written communication skills, with the ability to effectively and professionally interact with a diverse set of stakeholders (from peers to end-users to executive management).
