Position Summary

ECS is seeking a SOC Technician (Shift 3 Lead) - Senior to support the Army National Guard (ARNG) Enterprise Network Operations and Cybersecurity Support (ENOCS) program. In this role, the selected candidate supports Task 3 - Cybersecurity Operations Support by serving as a senior incident analyst within the Security Operations Center (SOC), leading investigation of high-severity alerts, reconstructing telemetry to determine scope and impact, validating containment actions prior to escalation, and mentoring junior analysts. This position contributes directly to ENOCS deliverables for 24x7x365 monitoring and analysis, incident handling, and continuous cyber defense across the DoDIN-Army-NG area of responsibility, while coordinating with broader cybersecurity operations, engineering, and response teams.

This role helps defend ARNG classified and unclassified environments that support more than 120,000 users and approximately 141,000 endpoints across roughly 2,800 sites in 54 states and territories. The SOC Technician (Shift 3 Lead) - Senior operates within a mission environment that supports Title 10 and Title 32 operations, mobilization readiness, domestic emergency response, and classified SIPRNet operations. The position works within the ENOCS cyber defense ecosystem that includes USIEM analytics, EDR, IDS/IPS, DLP, MITRE ATT&CK-based detections, and coordination with NETCOM Global Cyber Center, DISA DCDC, RCC-ARNG, and other operational stakeholders to strengthen ARNG's Defensive Cyberspace Operations - Internal Defensive Measures (DCO-IDM).

Please Note: This position is contingent upon contract award.

Responsibilities

• Lead analysis of high-severity cybersecurity alerts and incidents, performing detailed telemetry reconstruction to determine scope, impact, and recommended next actions.
• Validate containment and response actions before escalation to incident, problem, or change processes to support disciplined SOC operations and reduce operational risk.
• Support ENOCS Task 3 monitoring and analysis activities by helping maintain effective 24x7x365 SOC operations across ARNG classified and unclassified network environments.
• Mentor junior analysts on alert triage, incident documentation, escalation quality, and investigative techniques to improve consistency and execution across the SOC.
• Refine and improve SOC playbooks, workflows, and investigative procedures based on operational findings, lessons learned, and recurring incident trends.
• Contribute to performance quality reviews by assessing analyst outputs, identifying process gaps, and recommending operational improvements to strengthen continuous monitoring execution.
• Correlate and analyze security data from USIEM, EDR, IDS/IPS, and DLP sources to support threat-informed defense and improve detection fidelity.
• Apply MITRE ATT&CK-based analytic thinking during incident investigation and coordinate with SOC leadership, service owners, and supporting teams as required to support enterprise cyber defense.
• Coordinate as needed with NETCOM Global Cyber Center, DISA DCDC, RCC-ARNG, and related cyber operations stakeholders to support incident awareness, escalation, and response alignment.

Required Qualifications

U.S. Citizenship is required

Security Clearance: TS//SCI Eligible

Required Certifications: DCWF Work Role 511-Cyber Defense Analyst - Intermediate proficiency; must hold ONE OR MORE of the following: CEH(P),GMON,GRID,Cloud+,FITSP-O,GCED,GDSA,GSEC,PenTest+,Security+

Experience: 7+ years of experience in cybersecurity

Education: Bachelors degree or higher in Computer Science, Cybersecurity, Data Science, Information Systems, Information Technology, or Software Engineering

• Experience leading or performing investigation of high-severity cybersecurity alerts and incident activity in a SOC or comparable monitoring environment.
• Experience reconstructing event telemetry and analyzing multiple security data sources to determine incident scope, affected assets, and recommended containment actions.
• Experience mentoring junior analysts and improving analyst performance through review, coaching, and operational guidance.
• Experience supporting ticket and incident escalation processes in coordination with incident, problem, and change management workflows.
• Experience producing clear incident documentation, operational findings, and recommendations suitable for leadership review and follow-on action.
• Experience supporting continuous monitoring and analysis for enterprise environments with large user, endpoint, and geographically distributed site populations.
• Experience working with MITRE ATT&CK-based analytics or ATT&CK-informed detection and investigation approaches.
• Experience identifying operational gaps and contributing to updates of SOC playbooks, procedures, or monitoring processes.