SOC Analyst - Lv2

Methods is a £100M+ IT Services Consultancy who has partnered with a range of central government departments and agencies to transform the way the public sector operates in the UK. Established over 30 years ago and UK-based, we apply our skills in transformation, delivery, and collaboration from across the Methods Group, to create end-to-end business and technical solutions that are people-centred, safe, and designed for the future.

Our human touch sets us apart from other consultancies, system integrators and software houses - with people, technology, and data at the heart of who we are, we believe in creating value and sustainability through everything we do for our clients, staff, communities, and the planet.

We support our clients in the success of their projects while working collaboratively to share skill sets and solve problems. At Methods we have fun while working hard; we are not afraid of making mistakes and learning from them.

Predominantly focused on the public-sector, Methods is now building a significant private sector client portfolio.

Methods was acquired by the Alten Group in early 2022. Alten is a global engineering firm with approximately 57,000 employees specializing in engineering and IT services.

Role summary

As a Level 2 SOC Analyst, you are the senior technical responder within the secure operations team, responsible for owning security incidents end-to-end using the Microsoft security platform.

You will act as the escalation point for Level 1 analysts and as the technical lead during active incidents, conducting deep investigations across Microsoft Sentinel, Microsoft Defender XDR, and Entra ID to validate threats, contain attackers, and coordinate remediation.

Alongside incident response, you will drive continuous improvement of detection quality, playbooks, automation, and analyst capability to ensure the SOC operates at a consistently high standard. You also act as a senior technical leader within the SOC, contributing to the maturity, evolution, and operational effectiveness of SOC, MDR, and XDR services.

Key responsibilities Incident investigation & response (primary focus)

• Act as a escalation point for all security alerts raised by Level 1 analysts.
• Validate incidents and determine severity, scope, root cause, and business impact.
• Lead technical investigations using:
  • Microsoft Sentinel (KQL, analytics rules, workbooks, hunting)
  • Microsoft Defender XDR (Endpoint, Identity, Office 365, Cloud Apps)
  • Entra ID (Azure AD) sign-in and audit logs
• Correlate identity, endpoint, email, and cloud activity to reconstruct attack chains and timelines.
• Own incidents through:
  • Identification
  • Containment
  • Eradication coordination
  • Recovery validation
  • Post-incident review and documentation
• Execute or coordinate containment actions including:
  • Device isolation via Defender for Endpoint
  • Account disablement and credential resets
  • Revocation of tokens and sessions
  • Blocking malicious indicators
  • Email purge/quarantine via Defender for Office 365
  • Conditional Access policy enforcement
• Produce high-quality incident records including:
  • Evidence and KQL queries used
  • Actions taken
  • Root cause analysis
  • MITRE ATT&CK mapping
  • Lessons learned and improvement actions

SOC operations & stakeholder communication

• Serve as technical incident lead during major security events.
• Provide accurate, timely updates to IT, security leadership, and affected teams.
• Maintain clear case management, documentation, and shift handovers within Sentinel/ITSM tooling.
• Contribute to operational reporting:
  • Incident volumes
  • Time to detect / contain
  • Alert fidelity
  • Repeat incident drivers
• Participate in a business-hours operating model with an on-call rotation for out-of-hours incidents.
• Act as a trusted technical point of contact for SOC service discussions, supporting leadership in understanding risk, response options, and technical trade offs during live incidents.

Detection engineering & continuous improvement (Microsoft-focused)

• Tune Sentinel analytics rules to reduce false positives and missed threats.
• Improve correlation logic, entity mapping, and severity scoring.
• Develop and maintain:
  • Sentinel investigation playbooks
  • Incident response runbooks
  • Triage guides for Defender alerts
• Build and refine SOAR workflows using Logic Apps / Sentinel automation rules.
• Perform quality assurance on Level 1 investigations and provide structured coaching feedback.
• Introduce threat-informed detection improvements based on real incidents and Microsoft threat intelligence.
• Take ownership of defined components of the SOC, MDR, or XDR service, ensuring they are operationally effective, well documented, and aligned to current threat and platform capabilities.
• Identify gaps in detection coverage, tooling, or process maturity and propose practical, Microsoft aligned improvements.
• Support service innovation by evaluating and piloting new Microsoft security features, detection approaches, and automation capabilities, assessing their operational value before wider adoption.
• Translate incident learnings into service improvements, updated playbooks, enhanced automation, and refined escalation models.

Leadership, Collaboration & Platform Maturity

• Provide informal technical leadership to Level 1 analysts through mentoring, coaching, and example, raising investigation quality and analyst confidence.
• Set and reinforce expectations for investigative rigour, documentation quality, and decision making within the SOC.
• Work closely with:
  • Microsoft 365 administrators
  • Identity and access management teams
  • Endpoint engineering
  • Cloud platform teams
• Support onboarding of new Microsoft data connectors and Defender features.
• Advise on security telemetry requirements for new services or architectural changes.

What success looks like

• Incidents are accurately classified and contained quickly.
• Sentinel alert quality continuously improves.
• Stakeholders trust SOC technical judgement and communication.
• Level 1 analysts steadily increase investigation quality and independence.
• Playbooks and automation remain current and operationally useful.
• The service is viewed as proactive, technically credible, and continuously improving.

Required experience & skills

• 2+ years' experience in a SOC or security operations role with ownership of complex investigations.
• Strong hands on experience with:
  • Microsoft Sentinel (KQL querying, investigations, analytics rules)
  • Microsoft Defender for Endpoint
  • Defender for Office 365
  • Defender for Identity
  • Defender for Cloud Apps
  • Entra ID (Azure AD) logs and Conditional Access
• Solid understanding of:
  • Windows internals and endpoint telemetry
  • Identity-based attacks and token abuse
  • Email threat techniques
  • Common attacker TTPs and kill chains
• Confident writing technical incident reports and stakeholder updates.
• Demonstrated ability to influence service quality and operational maturity without formal line management responsibility.

Certifications (desirable)

• Microsoft SC-200 (Security Operations Analyst)
• Microsoft SC-100 / SC-300
• CompTIA CySA+ / Security+
• GIAC certifications (GCIH, GCIA, GMON)
• Security Blue Team Level 2

Working pattern

• Monday to Friday, business hours
• Participation in a rotating on call schedule for evenings/weekends to support major security incidents

Methods is passionate about its people; we want our colleagues to develop the things they are good at and enjoy.

By joining us you can expect

• Autonomy to develop and grow your skills and experience
• Be part of exciting project work that is making a difference in society
• Strong, inspiring and thought provoking leadership
• A supportive and collaborative environment

Development - access to LinkedIn Learning, a management development programme, and training

Wellness - 24/7 confidential employee assistance programme

Flexible Working - including home working and part time

Social - office parties, breakfast Tuesdays, monthly pizza Thursdays, Thirsty Thursdays, and commitment to charitable causes

Time Off - 25 days of annual leave a year, plus bank holidays, with the option to buy 5 extra days each year

Volunteering - 2 paid days per year to volunteer in our local communities or within a charity organisation

Pension - Salary Exchange Scheme with 4% employer contribution and 5% employee contribution

Life Assurance - of 4 times base salary

Private Medical Insurance - which is non contributory (spouse and dependants included)

Worldwide Travel Insurance - which is non contributory (spouse and dependants included)

Enhanced Maternity and Paternity Pay

Travel - season ticket loan, cycle to work scheme

For a full list of benefits please visit our website