SC2023-002717 Cyber Security Analyst 2 (NS) - WED 1 Mar

Deadline Date: Wednesday 1 March 2023

Requirement: Cyber Security Analyst 2

Location: Mons, BE

Full time on-site: Yes

NATO Grade: A/97

Total Scope of the request (hours): 1254

Required Start Date: 3 April 2023

End Contract Date: 31 December 2023

Required Security Clearance: NATO SECRET

Specific Working Conditions: The service provider will work as part of a team to provide 24/7

year round coverage in a safe and secure environment on a shift rota basis.

Duties & Role:

As a Cyber Security Analyst, the service provider will work on shifts to perform initial triage and analysis of security alerts. The CSA will collate information about both logs and network traffic in a clear, structured format, providing remediation recommendations and first response actions where applicable. The successful candidate should be capable of working without supervision to assess alert severity and escalate when required.

2.1 Duties

The main duties as CSA will focus on:

  • Triaging and investigating security alerts in Splunk Enterprise Security.
  • Providing in-depth analysis of firewall, IDS, anti-virus and other network sensor events to report findings clearly.
  • Enhancing investigations by leveraging the comprehensive extended toolset (e.g. Splunk, NIDS, FPC and SOAR).
  • Providing analyst expertise in response to ongoing cyber security incidents.
  • Supporting the end-to-end incident handling process.
  • Assisting in the management of internal block lists.
  • Proposing security content optimisations and enhancements that help maintain and improve NATO's Cyber Security posture.
  • Assisting in on boarding and training of new team members.
  • Assuming the role of security analyst shift lead, assisting with team management and prioritisation of analyst workload.

2.2 Deliverables

The main deliverables as CSA will be to:

  • Provide an average of 139 hours/month working in office as part of a predetermined 24/7 shift rota.
  • Triage, analyse and respond to alerts. On average 300 – 500 alerts per day are expected. All critical alerts will be responded to within three hours.
  • Deliver analysis and reports in response to tasks associated with ongoing investigations and incidents.
  • Propose no fewer than five security content optimisations and enhancements per week.
  • Oversee the production and release of bulletins for internal block lists, on average, three times per week.
  • Review existing block lists and add new indicators of compromise to block lists, on average 20 per day.
  • Create an average of two MISP events per week based on provided intelligence reports.
  • Respond to ad-hoc tasks given by the service delivery manager and cell head.
  • The service provider is expected to provide accurate and complete deliverables in accordance with internal processes.
  • The service provider shall be responsible for complying will all applicable local employment laws, in addition to following all SHAPE & NCIA on-boarding procedures. Delivery of the service cannot begin until these requirements are fulfilled.
  • Each provider of this service must pass an assessment to demonstrate proficiency before being approved to provide the service. The assessment will follow a brief familiarisation period.
  • For each individual delivering the service, the provider shall allocate 10 working days to the initial NCSC Ops familiarization and assessment process. Delivery of the service cannot begin until this is complete.


Skill, Knowledge & Experience:

  • The candidate must have a currently active NATO SECRET security clearance
  • Comprehensive knowledge of the principles of computer and communications security including knowledge of TCP/IP networking, Windows and Linux operating systems.
  • Broad understanding of common network security threats and mitigation techniques.
  • Experience in Security information and event management products (SIEM) – e.g. Splunk.
  • Experience in Analysis of network based intrusion detection systems (NIDS) events– e.g. FirePower, Palo Alto Network Threat Prevention.
  • Experience in Analysis of logs from a variety of sources (e.g. firewalls, proxies, routers, DNS and other security appliances).
  • Experience in Network traffic capture analysis using Wireshark.
  • Logical approach to analysis and ability to perform structured security investigations using large, complex datasets.
  • Knowledge of endpoint detection and analysis techniques.
  • Strong written and spoken communication skills.
  • Ability to work independently and as part of a team.


  • Holding industry leading certifications in the area of cyber security such as GCIA, GNFA, GCIH.
  • Experience working in a security operations centre (SOC), Computer Incident Response Team (CIRT) or Computer Emergency Response Team (CERT).
  • Hands on experience with Splunk Enterprise Security and/or Splunk SOAR.
  • Experience in Full packet capture systems – e.g. Niksun, RSA/NetWitness.
  • Experience in Host based intrusion detection systems (HIDS).

Cyber Security Jobs by Category

Cyber Security Salaries