SC2023-002718 Senior Incident Detection Analyst Cloud Security (NS) - WED 1 Mar

Deadline Date: Wednesday 1 March 2023

Requirement: Senior Incident Detection Analyst - Cloud Security

Location: Mons, BE

Full time on-site: Yes

NATO Grade: A/106

Total Scope of the request (hours): 1254

Required Start Date: 3 April 2023

End Contract Date: 31 December 2023

Required Security Clearance: NATO SECRET

Specific Working Conditions: Secure environment with standard working hours, with the exception of working in non-standard working hours up to 360 hours annually.

In addition it may exceptionally be required to work non-standard hours in support of a major Cyber Incident, or on a shift system for a limited period of time due to urgent operational needs.

Duties & Role:

As a Senior Incident Detection Analyst (Cloud Security), the service provider will provide detailed analysis of logs and network traffic with a focus on cloud infrastructure. The successful candidate will be responsible for managing and maintaining the organisation's cloud security operations, including monitoring for and responding to security incidents.


  • Provide subject matter expertise in the area of cyber security monitoring and detection within cloud infrastructure environments.
  • Triage, analyse and respond to alerts originating from complex cloud infrastructure deployments and on-premise networks and security devices.
  • Identify security gaps in NATO cloud security infrastructure, in addition to developing and maintaining new and existing use cases, using our on-premise SIEM solution (i.e., Splunk Enterprise Security).
  • Develop processes for cloud security monitoring, including documentation of all use cases.
  • Review current log collection state for NATO cloud environments, identify gaps and suggest improvements.
  • Analyse threat intelligence pertinent to cloud environments to identify any new and developing security risks.
  • Propose and work towards automating repetitive tasks related to cloud security monitoring and detection.
  • Provide training and support to other members of the organisation on the subject of cloud security best practices and incident response procedures.
  • Be flexible and support your colleagues in securing NATO networks through ad hoc tasks.
  • Ensure that the organisation's cloud infrastructure and security practices comply with applicable laws, regulations, and industry standards.


  • Provide an average of 139 hours/month working on-site, embedded in the NCSC Ops Branch located in SHAPE, Casteau, Belgium.
  • Develop new alerts, searches, reports and dashboards for security monitoring and detection specific to cloud environments. Each use case must reference the MITRE attack framework.
  • Triage, analyse and respond to alerts. All critical alerts will be responded to within three hours.
  • The service provider is expected to take the initiative to identify detection gaps, monitor the latest threats and offer suggestions for new content to the management team. Where possible full coverage of the MITRE attack framework is required. In some cases, it may be necessary to leverage solutions provided within the cloud environment itself.
  • Provide and maintain full documentation for all cloud use cases, detailing the purpose of the use cases, how the logic functions and the actions that should be taken during an investigation.
  • Develop dashboards that can provide situational awareness related to the security of the organisation's cloud security infrastructure. Including service KPIs and incident response metrics.
  • Respond to ad hoc tasks given by the service delivery manager and cell head.
  • Propose at least five security content optimisations and enhancements per week within cloud environment.
  • The service provider is expected to provide accurate and complete deliverables in accordance with internal processes.
  • The service provider shall be responsible for complying will all applicable local employment laws, in addition to following all SHAPE & NCIA on-boarding procedures. Delivery of the service cannot begin until these requirements are fulfilled.
  • Each provider of this service must pass an assessment to demonstrate proficiency before being approved to provide the service. The assessment will follow a brief familiarisation period.
  • For each individual delivering the service, the provider shall allocate 10 working days to the initial NCSC Ops familiarization and assessment process. Delivery of the service cannot begin until this is complete.


Skill, Knowledge & Experience:

  • The candidate must have a currently active NATO SECRET security clearance
  • Comprehensive knowledge of the principles of computer and communications security including knowledge of TCP/IP networking, Windows and Linux operating systems.
  • Broad understanding of common network security threats and mitigation techniques.
  • Experience in Security information and event management products (SIEM) – e.g. Splunk.
  • Experience in Analysis of network based intrusion detection systems (NIDS) events– e.g. FirePower, Palo Alto Network Threat Prevention.
  • Experience in Analysis of logs from a variety of sources (e.g. firewalls, proxies, routers, DNS and other security appliances).
  • Experience in Network traffic capture analysis using Wireshark.
  • Logical approach to analysis and ability to perform structured security investigations using large, complex datasets.
  • Knowledge of endpoint detection and analysis techniques.
  • Strong written and spoken communication skills.
  • Ability to work independently and as part of a team.


  • Holding industry leading certifications in the area of cyber security such as GCIA, GNFA, GCIH.
  • Experience working in a security operations centre (SOC), Computer Incident Response Team (CIRT) or Computer Emergency Response Team (CERT).
  • Hands on experience with Splunk Enterprise Security and/or Splunk SOAR.
  • Experience in Full packet capture systems – e.g. Niksun, RSA/NetWitness.
  • Experience in Host based intrusion detection systems (HIDS).

Cyber Security Jobs by Category

Cyber Security Salaries