{"id":72737,"date":"2026-04-13T03:52:39","date_gmt":"2026-04-13T03:52:39","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/senior-detection-analyst-role-blueprint-responsibilities-skills-kpis-and-career-path\/"},"modified":"2026-04-13T03:52:39","modified_gmt":"2026-04-13T03:52:39","slug":"senior-detection-analyst-role-blueprint-responsibilities-skills-kpis-and-career-path","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/senior-detection-analyst-role-blueprint-responsibilities-skills-kpis-and-career-path\/","title":{"rendered":"Senior Detection Analyst: Role Blueprint, Responsibilities, Skills, KPIs, and Career Path"},"content":{"rendered":"\n

1) Role Summary<\/h2>\n\n\n\n

The Senior Detection Analyst<\/strong> designs, validates, and continuously improves security detections that identify malicious behavior across endpoints, identities, networks, cloud platforms, and applications. This role sits at the intersection of SOC operations, threat intelligence, incident response, and security engineering\u2014turning real-world attacker behaviors into high-fidelity alerts, investigations, and automated response playbooks.<\/p>\n\n\n\n

In a software company or IT organization, this role exists because modern environments generate vast telemetry and attackers change tactics quickly; without dedicated detection capability, the organization experiences delayed detection, high false-positive alert fatigue, and inconsistent investigative quality. The Senior Detection Analyst creates business value by reducing time-to-detect, increasing confidence in alerts, improving incident outcomes, and enabling scalable operations through detection-as-code and workflow automation.<\/p>\n\n\n\n

This is a Current<\/strong> (not speculative) role commonly found in SOCs, Detection & Response teams, and Security Operations Engineering functions. Typical interaction points include: SOC analysts, incident responders, threat intel, security engineers, cloud platform teams, IT operations, IAM, application engineering, and compliance\/risk teams.<\/p>\n\n\n\n

\n\n\n\n

2) Role Mission<\/h2>\n\n\n\n

Core mission:<\/strong>\nBuild and maintain a detection capability that reliably identifies high-risk attacker behaviors with minimal noise, enabling fast, consistent, and evidence-based response across the enterprise.<\/p>\n\n\n\n

Strategic importance:<\/strong>\nSecurity programs increasingly succeed or fail based on detection quality\u2014how quickly and accurately the organization can recognize compromise, contain it, and learn from it. The Senior Detection Analyst operationalizes threat knowledge into defensible, measurable detection coverage aligned to business-critical assets and current adversary behaviors.<\/p>\n\n\n\n

Primary business outcomes expected:<\/strong>\n– Reduce exposure time by improving mean time to detect (MTTD)<\/strong> and time-to-triage<\/strong>.\n– Improve SOC efficiency by reducing false positives<\/strong>, duplicate alerts, and unclear investigations.\n– Increase enterprise resilience by ensuring detections cover prioritized threats (mapped to MITRE ATT&CK<\/strong> or equivalent).\n– Improve incident outcomes by feeding back post-incident learnings into detection content and response workflows.\n– Enable audit-ready security operations through documented logic, change control, and measurable coverage.<\/p>\n\n\n\n

\n\n\n\n

3) Core Responsibilities<\/h2>\n\n\n\n

Strategic responsibilities<\/h3>\n\n\n\n
    \n
  1. Detection strategy and coverage planning:<\/strong> Define a detection roadmap aligned to business risks, crown jewels, and current threat landscape; prioritize based on likelihood, impact, and telemetry availability.<\/li>\n
  2. Threat-informed defense mapping:<\/strong> Maintain detection coverage mapped to ATT&CK techniques, identity attack paths, cloud threats, and software supply chain risks relevant to the organization.<\/li>\n
  3. Detection lifecycle ownership (content program):<\/strong> Establish and run a lifecycle for detection ideation, development, testing, deployment, tuning, deprecation, and documentation.<\/li>\n
  4. Telemetry readiness and gaps:<\/strong> Partner with engineering and platform teams to identify logging\/telemetry gaps and define requirements for new data sources and retention.<\/li>\n<\/ol>\n\n\n\n

    Operational responsibilities<\/h3>\n\n\n\n
      \n
    1. Alert triage escalation quality:<\/strong> Act as a senior escalation point for ambiguous or high-impact alerts; ensure investigations are consistent, evidence-based, and defensible.<\/li>\n
    2. Tuning and noise reduction:<\/strong> Continuously refine detections to reduce false positives and improve precision without sacrificing meaningful coverage.<\/li>\n
    3. Threat hunting support:<\/strong> Lead or significantly contribute to hunts based on hypotheses, intel, and anomalous patterns; convert hunt findings into detections.<\/li>\n
    4. Post-incident detection improvements:<\/strong> Perform detection retrospectives after incidents and near misses; implement detection and response improvements with measurable outcomes.<\/li>\n<\/ol>\n\n\n\n

      Technical responsibilities<\/h3>\n\n\n\n
        \n
      1. Detection engineering (query development):<\/strong> Write and maintain detection logic in SIEM\/EDR query languages (e.g., SPL\/KQL), Sigma-like abstractions, and rule formats for relevant platforms.<\/li>\n
      2. Behavior analytics and correlation:<\/strong> Develop multi-signal detections that correlate identity, endpoint, network, and cloud telemetry to reduce false positives and increase confidence.<\/li>\n
      3. SOAR\/workflow enhancement:<\/strong> Collaborate on automation steps (enrichment, containment suggestions, ticket creation) and ensure playbooks support consistent investigations.<\/li>\n
      4. Data validation and QA:<\/strong> Test detection logic against representative datasets; validate fields, parsing, normalization, and edge cases before production deployment.<\/li>\n
      5. Detection documentation and runbooks:<\/strong> Create investigation steps, expected evidence, triage criteria, containment suggestions, and response handoffs for each detection.<\/li>\n<\/ol>\n\n\n\n

        Cross-functional or stakeholder responsibilities<\/h3>\n\n\n\n
          \n
        1. Collaboration with Incident Response (IR):<\/strong> Ensure detections align with IR needs, support rapid scoping, and generate actionable artifacts (queries, timelines, IoCs, affected assets).<\/li>\n
        2. Partnership with platform\/app teams:<\/strong> Coordinate logging changes, agent deployments, cloud audit enablement, and parser\/normalization improvements.<\/li>\n
        3. Threat intelligence operationalization:<\/strong> Turn strategic and tactical intel (campaigns, TTPs, actor profiles) into concrete detection content and hunt plans.<\/li>\n
        4. Security awareness and IT operations alignment:<\/strong> Provide feedback loops for recurring issues (e.g., misconfigurations causing alerts, risky admin behaviors) and help remediate root causes.<\/li>\n<\/ol>\n\n\n\n

          Governance, compliance, or quality responsibilities<\/h3>\n\n\n\n
            \n
          1. Change control and auditability:<\/strong> Maintain versioning, approvals, and documentation for detection content; support evidence requests for audits (SOC2\/ISO 27001 or similar where applicable).<\/li>\n
          2. Metrics and reporting:<\/strong> Produce regular reporting on detection efficacy, coverage, alert quality, and operational impact.<\/li>\n<\/ol>\n\n\n\n

            Leadership responsibilities (Senior IC scope)<\/h3>\n\n\n\n
              \n
            1. Mentorship and standards:<\/strong> Mentor analysts and junior detection engineers on investigation quality, query writing, ATT&CK mapping, and documentation standards; drive consistent best practices across the program.<\/li>\n<\/ol>\n\n\n\n
              \n\n\n\n

              4) Day-to-Day Activities<\/h2>\n\n\n\n

              Daily activities<\/h3>\n\n\n\n
                \n
              • Review high-severity alerts and escalations; validate whether detections behaved as intended.<\/li>\n
              • Perform alert tuning: adjust thresholds, add allowlists\/suppressions with justification, refine correlation logic.<\/li>\n
              • Write or refine SIEM\/EDR queries; validate parsing\/field extraction; confirm expected results.<\/li>\n
              • Investigate emerging threat intel items and assess detection opportunities (e.g., new credential theft or cloud persistence methods).<\/li>\n
              • Respond to SOC questions on alert meaning, triage steps, and evidence collection.<\/li>\n<\/ul>\n\n\n\n

                Weekly activities<\/h3>\n\n\n\n
                  \n
                • Conduct detection backlog grooming and prioritization with SOC\/IR leadership.<\/li>\n
                • Run one or more focused threat hunts aligned to current risks (identity abuse, cloud control plane, endpoint persistence).<\/li>\n
                • Hold working sessions with engineering\/platform teams to address logging gaps or telemetry quality issues.<\/li>\n
                • Review false-positive\/false-negative examples; incorporate learnings into detection improvements.<\/li>\n
                • Publish detection program updates (new detections, tuned detections, deprecations, and impact metrics).<\/li>\n<\/ul>\n\n\n\n

                  Monthly or quarterly activities<\/h3>\n\n\n\n
                    \n
                  • Complete a formal detection coverage review mapped to ATT&CK and top risks; identify gaps and create initiatives.<\/li>\n
                  • Execute tabletop or purple-team exercises; validate detections against simulated attacker behaviors.<\/li>\n
                  • Conduct quarterly detection rule audits (ownership, documentation completeness, performance, cost impact, and efficacy).<\/li>\n
                  • Refresh runbooks and playbooks based on recent incidents and operational feedback.<\/li>\n
                  • Deliver a metrics review to security leadership (coverage, alert quality, MTTD trends, improvement ROI).<\/li>\n<\/ul>\n\n\n\n

                    Recurring meetings or rituals<\/h3>\n\n\n\n
                      \n
                    • SOC daily\/shift handoff (as an escalation resource rather than primary owner).<\/li>\n
                    • Weekly Detection Program Standup (priorities, blockers, deployments).<\/li>\n
                    • Incident Review \/ Postmortem (focus on detection and telemetry learnings).<\/li>\n
                    • Threat Intel Sync (translate intel into action items).<\/li>\n
                    • Platform Logging Council (data onboarding, schema\/normalization decisions).<\/li>\n<\/ul>\n\n\n\n

                      Incident, escalation, or emergency work<\/h3>\n\n\n\n
                        \n
                      • Participate in major incident bridges as the detection\/telemetry subject matter expert:<\/li>\n
                      • Provide scoping queries, pivot paths, and event timelines.<\/li>\n
                      • Rapidly create \u201chotfix\u201d detections for active threats (with controlled risk and follow-up QA).<\/li>\n
                      • Support emergency telemetry enablement (e.g., cloud audit log activation, EDR policy pushes) coordinated with platform owners.<\/li>\n<\/ul>\n\n\n\n
                        \n\n\n\n

                        5) Key Deliverables<\/h2>\n\n\n\n

                        Concrete outputs expected from a Senior Detection Analyst include:<\/p>\n\n\n\n

                          \n
                        • Detection Catalog \/ Library<\/strong><\/li>\n
                        • Inventory of detections with IDs, owners, severity, data sources, ATT&CK mapping, and last-reviewed date.<\/li>\n
                        • Detection Rules and Queries<\/strong><\/li>\n
                        • SIEM correlation searches, scheduled analytics, EDR detections, cloud-native detections.<\/li>\n
                        • Detection-as-Code Artifacts (where applicable)<\/strong><\/li>\n
                        • Version-controlled rule definitions, tests, CI checks, release notes (common in mature orgs).<\/li>\n
                        • Alert Runbooks<\/strong><\/li>\n
                        • Step-by-step investigation guides, evidence collection, pivot queries, and escalation criteria.<\/li>\n
                        • SOAR Playbook Requirements and Enhancements<\/strong><\/li>\n
                        • Enrichment steps, ticket routing, auto-tagging, and response recommendations.<\/li>\n
                        • Tuning Reports<\/strong><\/li>\n
                        • False-positive analysis, suppressions with rationale, threshold changes, and measured outcomes.<\/li>\n
                        • Telemetry Gap Assessments<\/strong><\/li>\n
                        • Requirements for new logs, schema changes, parsing improvements, and retention adjustments.<\/li>\n
                        • Hunt Plans and Hunt Reports<\/strong><\/li>\n
                        • Hypotheses, data sources, queries used, findings, and follow-up detection actions.<\/li>\n
                        • Post-Incident Detection Improvement Plans<\/strong><\/li>\n
                        • Action items from incidents: new detections, modifications, additional logging, and verification steps.<\/li>\n
                        • Dashboards and Metrics Packs<\/strong><\/li>\n
                        • Coverage metrics, efficacy trends, alert volumes, triage times, and high-noise sources.<\/li>\n
                        • Knowledge Base Articles<\/strong><\/li>\n
                        • Common investigation patterns, attacker tradecraft notes, and internal detection standards.<\/li>\n
                        • Training Artifacts<\/strong><\/li>\n
                        • Query-writing guides, ATT&CK mapping patterns, investigation walkthroughs for SOC analysts.<\/li>\n<\/ul>\n\n\n\n
                          \n\n\n\n

                          6) Goals, Objectives, and Milestones<\/h2>\n\n\n\n

                          30-day goals (initial immersion and baseline)<\/h3>\n\n\n\n
                            \n
                          • Understand business context: core products\/services, crown-jewel systems, and most critical threat scenarios.<\/li>\n
                          • Gain access to SIEM\/EDR\/cloud logging platforms; validate working knowledge of data schemas and key log sources.<\/li>\n
                          • Review top 20 noisy alerts and top 20 highest-impact alerts; propose initial tuning plan.<\/li>\n
                          • Establish relationships with SOC, IR, threat intel, IAM, cloud\/platform teams.<\/li>\n
                          • Deliver a \u201ccurrent state\u201d assessment:<\/li>\n
                          • Detection lifecycle maturity<\/li>\n
                          • Coverage gaps (high-level)<\/li>\n
                          • Top telemetry quality issues<\/li>\n<\/ul>\n\n\n\n

                            60-day goals (measurable improvements and program traction)<\/h3>\n\n\n\n
                              \n
                            • Deploy improvements to high-noise detections with documented before\/after metrics.<\/li>\n
                            • Deliver 3\u20136 new or significantly improved detections aligned to current risks (identity abuse, cloud persistence, endpoint credential theft\u2014tailored to the org).<\/li>\n
                            • Produce standardized runbook templates and update documentation for priority detections.<\/li>\n
                            • Implement a basic QA\/checklist process for new detection deployments (testing, peer review, approval, rollback plan).<\/li>\n<\/ul>\n\n\n\n

                              90-day goals (repeatable operating model)<\/h3>\n\n\n\n
                                \n
                              • Establish a functioning detection lifecycle with:<\/li>\n
                              • intake \u2192 prioritization \u2192 development \u2192 testing \u2192 deployment \u2192 tuning \u2192 review cadence<\/li>\n
                              • Demonstrate coverage mapping to ATT&CK for top threat scenarios and create a prioritized gap-remediation backlog.<\/li>\n
                              • Reduce measurable noise in the SOC (example: reduce top-5 alert sources by 20\u201340% without loss of true positives).<\/li>\n
                              • Deliver a quarterly detection effectiveness report with trends and recommendations.<\/li>\n<\/ul>\n\n\n\n

                                6-month milestones (scale and resilience)<\/h3>\n\n\n\n
                                  \n
                                • Mature detection engineering practices:<\/li>\n
                                • version control for detections (where feasible)<\/li>\n
                                • consistent naming, tagging, and ownership<\/li>\n
                                • minimum documentation standards met for \u226590% of high\/critical detections<\/li>\n
                                • Implement correlation detections combining identity + endpoint + cloud signals for top attack paths.<\/li>\n
                                • Establish purple-team validation for a recurring subset of detections (e.g., monthly simulations).<\/li>\n
                                • Improve response readiness by integrating SOAR enrichments for high-volume alerts.<\/li>\n<\/ul>\n\n\n\n

                                  12-month objectives (program-level outcomes)<\/h3>\n\n\n\n
                                    \n
                                  • Demonstrably improve detection efficacy and operational outcomes:<\/li>\n
                                  • Reduced MTTD for key incident types<\/li>\n
                                  • Improved true-positive rate for critical detections<\/li>\n
                                  • Reduced repeat incidents due to \u201clessons learned\u201d being codified into detections and telemetry<\/li>\n
                                  • Build a sustained detection roadmap aligned to evolving threats and business changes (new cloud migrations, new products, acquisitions).<\/li>\n
                                  • Enable audit-ready detection governance (ownership, review cycles, change history) for regulated or customer-assured contexts.<\/li>\n<\/ul>\n\n\n\n

                                    Long-term impact goals (enterprise value creation)<\/h3>\n\n\n\n
                                      \n
                                    • Create a detection capability that is:<\/li>\n
                                    • Threat-informed<\/strong> (grounded in real attacker behaviors)<\/li>\n
                                    • Measurable<\/strong> (coverage and efficacy tracked)<\/li>\n
                                    • Scalable<\/strong> (automation and documentation reduce reliance on heroics)<\/li>\n
                                    • Adaptive<\/strong> (fast iteration during active threats)<\/li>\n<\/ul>\n\n\n\n

                                      Role success definition<\/h3>\n\n\n\n

                                      Success is measured by the organization\u2019s ability to detect and respond to threats quickly and confidently, with fewer wasted cycles. The Senior Detection Analyst is successful when detections are trusted, well-documented, validated, and continuously improved based on evidence.<\/p>\n\n\n\n

                                      What high performance looks like<\/h3>\n\n\n\n
                                        \n
                                      • Produces high-signal detections that materially reduce risk and improve response outcomes.<\/li>\n
                                      • Creates clarity and repeatability: runbooks, standardized logic, and measurable performance.<\/li>\n
                                      • Acts as a force multiplier: mentoring others, improving telemetry quality, and improving cross-team collaboration.<\/li>\n
                                      • Balances speed with rigor: can ship emergency detections responsibly and follow up with robust testing and tuning.<\/li>\n<\/ul>\n\n\n\n
                                        \n\n\n\n

                                        7) KPIs and Productivity Metrics<\/h2>\n\n\n\n

                                        The metrics below are designed to be measurable, operationally meaningful, and adaptable across SIEM\/EDR\/SOAR implementations.<\/p>\n\n\n\n

                                        \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
                                        Metric name<\/th>\nWhat it measures<\/th>\nWhy it matters<\/th>\nExample target \/ benchmark<\/th>\nFrequency<\/th>\n<\/tr>\n<\/thead>\n
                                        Detection True Positive Rate (TPR)<\/td>\n% of alerts that represent confirmed malicious or policy-violating activity<\/td>\nIndicates detection precision and SOC trust<\/td>\nVaries by use case; critical detections often target >30\u201360% confirmed signal (context-dependent)<\/td>\nMonthly<\/td>\n<\/tr>\n
                                        False Positive Rate (FPR)<\/td>\n% of alerts closed as benign\/no action<\/td>\nQuantifies noise and wasted effort<\/td>\nReduce top noisy detections by 20\u201340% in 90 days; long-term stable downward trend<\/td>\nWeekly\/Monthly<\/td>\n<\/tr>\n
                                        Alert-to-Incident Conversion Rate<\/td>\n% of alerts that become incidents<\/td>\nHelps calibrate severity and triage quality<\/td>\nNot \u201cmaximize\u201d; aim for consistent mapping and appropriate severity<\/td>\nMonthly<\/td>\n<\/tr>\n
                                        Mean Time to Triage (MTTT)<\/td>\nTime from alert firing to initial analyst disposition<\/td>\nIndicates SOC responsiveness and clarity of alert\/runbook<\/td>\nCritical alerts: minutes to <1 hour (org-dependent)<\/td>\nWeekly<\/td>\n<\/tr>\n
                                        Mean Time to Detect (MTTD) by incident type<\/td>\nTime from attacker activity start (estimated) to detection<\/td>\nCore security outcome metric<\/td>\nContinuous improvement; target reductions quarter over quarter<\/td>\nQuarterly<\/td>\n<\/tr>\n
                                        Detection Coverage (ATT&CK mapped)<\/td>\n% of prioritized techniques with at least one validated detection<\/td>\nMeasures completeness against threat model<\/td>\nExample: 70% coverage for prioritized technique set within 12 months<\/td>\nQuarterly<\/td>\n<\/tr>\n
                                        Detection Validation Rate<\/td>\n% of critical\/high detections tested via simulation\/purple-team in a period<\/td>\nEnsures detections actually work<\/td>\nExample: validate top 25 detections quarterly<\/td>\nMonthly\/Quarterly<\/td>\n<\/tr>\n
                                        Rule Review Compliance<\/td>\n% of detections reviewed within defined SLA (e.g., 180 days)<\/td>\nPrevents stale detections and documentation drift<\/td>\n\u226590% on-time reviews<\/td>\nMonthly<\/td>\n<\/tr>\n
                                        Detection Deployment Lead Time<\/td>\nTime from request\/idea to production deployment<\/td>\nMeasures agility of detection program<\/td>\nExample: <2\u20134 weeks for standard detections; <24\u201372 hours for urgent threats<\/td>\nMonthly<\/td>\n<\/tr>\n
                                        Detection Rollback \/ Defect Rate<\/td>\n% of detection releases needing rollback or major fix<\/td>\nMeasures quality of testing and change control<\/td>\nKeep low; e.g., <5% needing rollback<\/td>\nMonthly<\/td>\n<\/tr>\n
                                        SOC Analyst Satisfaction (Detection Content)<\/td>\nAnalyst feedback on usefulness\/clarity of alerts and runbooks<\/td>\nEnsures deliverables are usable<\/td>\nExample: >4\/5 average satisfaction for priority detections<\/td>\nQuarterly<\/td>\n<\/tr>\n
                                        Investigation Consistency Score<\/td>\n% of sampled cases meeting documentation\/evidence standards<\/td>\nImproves defensibility and learning<\/td>\nExample: \u226585% for sampled critical alerts<\/td>\nMonthly<\/td>\n<\/tr>\n
                                        Telemetry Completeness for Priority Sources<\/td>\nCoverage\/availability of key logs (identity, cloud audit, endpoint)<\/td>\nDetections fail without reliable data<\/td>\nExample: \u226599% ingestion health for critical sources<\/td>\nWeekly<\/td>\n<\/tr>\n
                                        Cost Efficiency (SIEM query cost \/ ingestion impact)<\/td>\nImpact of detections on platform performance\/cost<\/td>\nPrevents \u201cexpensive detections\u201d from harming operations<\/td>\nOptimize top costly queries quarterly<\/td>\nQuarterly<\/td>\n<\/tr>\n
                                        Automation Enablement Rate<\/td>\n% of priority alerts with enrichment\/automation steps defined<\/td>\nImproves speed and reduces toil<\/td>\nExample: 60% of high-volume alerts enriched via SOAR<\/td>\nQuarterly<\/td>\n<\/tr>\n
                                        Knowledge Artifact Velocity<\/td>\nNumber\/quality of runbooks, docs, and reusable queries created<\/td>\nMeasures scalable enablement<\/td>\nTarget: steady pipeline; quality > quantity<\/td>\nMonthly<\/td>\n<\/tr>\n
                                        Cross-team Delivery Reliability<\/td>\nOn-time completion of detection roadmap commitments<\/td>\nDemonstrates program predictability<\/td>\nExample: 80\u201390% of committed items delivered per quarter<\/td>\nQuarterly<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n

                                        Notes on variability:<\/strong> Targets vary significantly by maturity, industry, alert volumes, and telemetry. For example, early-stage SOCs prioritize foundational telemetry and triage; mature SOCs prioritize validation coverage, correlation detections, and automation.<\/p>\n\n\n\n

                                        \n\n\n\n

                                        8) Technical Skills Required<\/h2>\n\n\n\n

                                        Must-have technical skills<\/h3>\n\n\n\n
                                          \n
                                        • SIEM query development (Critical)<\/strong> <\/li>\n
                                        • Description: Write, optimize, and troubleshoot detection logic in at least one major SIEM query language (e.g., Splunk SPL, Microsoft Sentinel KQL). <\/li>\n
                                        • Use: Building detections, scoping incidents, building dashboards, tuning. <\/li>\n
                                        • Endpoint and identity telemetry interpretation (Critical)<\/strong> <\/li>\n
                                        • Description: Understand process trees, authentication flows, token usage, privilege escalation indicators. <\/li>\n
                                        • Use: Detecting credential theft, lateral movement, persistence, and admin abuse. <\/li>\n
                                        • Detection tuning and alert quality management (Critical)<\/strong> <\/li>\n
                                        • Description: Reduce false positives through thresholds, context enrichment, allowlisting strategy, and improved logic. <\/li>\n
                                        • Use: Keeping SOC workable and alerts trustworthy. <\/li>\n
                                        • MITRE ATT&CK mapping and threat behavior understanding (Critical)<\/strong> <\/li>\n
                                        • Description: Translate adversary techniques into detection hypotheses and coverage metrics. <\/li>\n
                                        • Use: Roadmapping and communicating detection gaps. <\/li>\n
                                        • Incident investigation fundamentals (Important)<\/strong> <\/li>\n
                                        • Description: Evidence collection, timeline creation, scoping, and containment recommendations. <\/li>\n
                                        • Use: Supporting IR and validating detection outcomes. <\/li>\n
                                        • Log source knowledge and data quality validation (Important)<\/strong> <\/li>\n
                                        • Description: Understand common log sources (EDR, IdP, cloud audit, DNS, proxy) and typical failure modes. <\/li>\n
                                        • Use: Ensuring detections rely on reliable data.<\/li>\n<\/ul>\n\n\n\n

                                          Good-to-have technical skills<\/h3>\n\n\n\n
                                            \n
                                          • SOAR concepts and playbook design (Important)<\/strong> <\/li>\n
                                          • Use: Enrichment, routing, and standardized responses for repeatable operations. <\/li>\n
                                          • Cloud security telemetry (AWS\/Azure\/GCP) (Important)<\/strong> <\/li>\n
                                          • Use: Detecting cloud control plane abuse, risky IAM changes, and suspicious workload behavior. <\/li>\n
                                          • Network security analytics basics (Optional to Important depending on org)<\/strong> <\/li>\n
                                          • Use: Lateral movement detection, DNS anomalies, proxy patterns, C2 indicators. <\/li>\n
                                          • Threat intelligence operationalization (Important)<\/strong> <\/li>\n
                                          • Use: Turning intel into detections\/hunts and validating relevance to environment. <\/li>\n
                                          • Basic scripting (Python\/PowerShell) (Optional to Important)<\/strong> <\/li>\n
                                          • Use: Parsing artifacts, enrichment, testing, small automation helpers.<\/li>\n<\/ul>\n\n\n\n

                                            Advanced or expert-level technical skills<\/h3>\n\n\n\n
                                              \n
                                            • Behavioral detections and multi-signal correlation (Critical for senior performance)<\/strong> <\/li>\n
                                            • Description: Combine identity + endpoint + cloud + network signals to reduce noise and improve confidence. <\/li>\n
                                            • Use: Building durable detections resilient to simple IoC evasion. <\/li>\n
                                            • Detection-as-code and version control workflows (Important in mature orgs)<\/strong> <\/li>\n
                                            • Description: PR-based changes, code review, unit tests, CI checks for detection content. <\/li>\n
                                            • Use: Scaling detection development with quality and auditability. <\/li>\n
                                            • Adversary emulation \/ purple-team validation (Important)<\/strong> <\/li>\n
                                            • Description: Use simulation frameworks and controlled testing to validate detections. <\/li>\n
                                            • Use: Ensuring detections work and are not theoretical. <\/li>\n
                                            • Data modeling and normalization (Optional to Important)<\/strong> <\/li>\n
                                            • Description: Common Information Model (CIM), ASIM, ECS patterns; field mapping. <\/li>\n
                                            • Use: Making detections portable and reliable across sources. <\/li>\n
                                            • Advanced hunting and anomaly detection methods (Optional)<\/strong> <\/li>\n
                                            • Description: Statistical baselines, peer-group analysis, outlier detection. <\/li>\n
                                            • Use: Detecting novel behaviors when signatures fail.<\/li>\n<\/ul>\n\n\n\n

                                              Emerging future skills for this role (next 2\u20135 years)<\/h3>\n\n\n\n
                                                \n
                                              • LLM-assisted detection development and triage augmentation (Important)<\/strong> <\/li>\n
                                              • Use: Faster hypothesis generation, query drafting, runbook summarization\u2014paired with strong validation. <\/li>\n
                                              • Security data lake analytics (Important)<\/strong> <\/li>\n
                                              • Use: Detection across high-volume telemetry with flexible schemas and scalable compute. <\/li>\n
                                              • Continuous validation engineering (Important)<\/strong> <\/li>\n
                                              • Use: Automated attack simulation and detection tests tied to CI\/CD-like pipelines. <\/li>\n
                                              • Identity-centric detection specialization (Important)<\/strong> <\/li>\n
                                              • Use: As identity becomes the control plane, detections increasingly focus on token theft, MFA fatigue, OAuth abuse, and privilege pathways.<\/li>\n<\/ul>\n\n\n\n
                                                \n\n\n\n

                                                9) Soft Skills and Behavioral Capabilities<\/h2>\n\n\n\n
                                                  \n
                                                • Analytical rigor and hypothesis-driven thinking<\/strong> <\/li>\n
                                                • Why it matters: Detection quality depends on precise reasoning under uncertainty and noisy data. <\/li>\n
                                                • On the job: Formulates hypotheses, tests against telemetry, and adjusts logic based on evidence. <\/li>\n
                                                • \n

                                                  Strong performance: Produces defensible conclusions and avoids \u201cintuition-only\u201d detections.<\/p>\n<\/li>\n

                                                • \n

                                                  Operational judgment (balancing speed vs. risk)<\/strong> <\/p>\n<\/li>\n

                                                • Why it matters: Emergency detections may be needed during active threats, but sloppy rules can overwhelm SOC or miss real attacks. <\/li>\n
                                                • On the job: Ships pragmatic improvements fast, with rollback plans and follow-up QA. <\/li>\n
                                                • \n

                                                  Strong performance: Maintains stability while improving security outcomes.<\/p>\n<\/li>\n

                                                • \n

                                                  Technical communication (clarity for analysts and leaders)<\/strong> <\/p>\n<\/li>\n

                                                • Why it matters: Alerts and runbooks are only effective if others can act on them quickly. <\/li>\n
                                                • On the job: Writes concise runbooks, explains tradeoffs, and communicates detection intent. <\/li>\n
                                                • \n

                                                  Strong performance: Others can operate the detection confidently without the author present.<\/p>\n<\/li>\n

                                                • \n

                                                  Stakeholder management and influence without authority<\/strong> <\/p>\n<\/li>\n

                                                • Why it matters: Detection depends on telemetry controlled by other teams (cloud, IAM, endpoints). <\/li>\n
                                                • On the job: Negotiates logging changes, prioritizes requests, and aligns on shared outcomes. <\/li>\n
                                                • \n

                                                  Strong performance: Gains commitments and delivers improvements without escalation-heavy approaches.<\/p>\n<\/li>\n

                                                • \n

                                                  Curiosity and continuous learning<\/strong> <\/p>\n<\/li>\n

                                                • Why it matters: Adversary tradecraft evolves; detections must evolve too. <\/li>\n
                                                • On the job: Tracks emerging techniques, tests assumptions, and refreshes content. <\/li>\n
                                                • \n

                                                  Strong performance: Keeps detection coverage relevant and avoids stagnation.<\/p>\n<\/li>\n

                                                • \n

                                                  Coaching and mentorship mindset (Senior IC)<\/strong> <\/p>\n<\/li>\n

                                                • Why it matters: A strong detection program scales through shared standards and improved analyst capability. <\/li>\n
                                                • On the job: Reviews queries, provides constructive feedback, and creates reusable templates. <\/li>\n
                                                • \n

                                                  Strong performance: The broader team improves measurably (quality, speed, consistency).<\/p>\n<\/li>\n

                                                • \n

                                                  Bias for documentation and repeatability<\/strong> <\/p>\n<\/li>\n

                                                • Why it matters: Institutional knowledge must survive staff changes and high-pressure incidents. <\/li>\n
                                                • On the job: Documents logic, assumptions, and expected evidence; keeps artifacts current. <\/li>\n
                                                • \n

                                                  Strong performance: Reduced single points of failure and improved audit readiness.<\/p>\n<\/li>\n

                                                • \n

                                                  Resilience under pressure<\/strong> <\/p>\n<\/li>\n

                                                • Why it matters: Detection work often spikes during incidents and high-profile vulnerabilities. <\/li>\n
                                                • On the job: Maintains focus and prioritization during ambiguous or urgent situations. <\/li>\n
                                                • Strong performance: Calm execution with clear next steps and transparent communication.<\/li>\n<\/ul>\n\n\n\n
                                                  \n\n\n\n

                                                  10) Tools, Platforms, and Software<\/h2>\n\n\n\n
                                                  \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
                                                  Category<\/th>\nTool \/ platform<\/th>\nPrimary use<\/th>\nCommon \/ Optional \/ Context-specific<\/th>\n<\/tr>\n<\/thead>\n
                                                  SIEM<\/td>\nSplunk Enterprise Security<\/td>\nDetection queries, correlation, dashboards, investigations<\/td>\nCommon<\/td>\n<\/tr>\n
                                                  SIEM<\/td>\nMicrosoft Sentinel<\/td>\nAnalytics rules (KQL), incidents, workbooks<\/td>\nCommon<\/td>\n<\/tr>\n
                                                  SIEM<\/td>\nGoogle Chronicle \/ SecOps<\/td>\nLarge-scale detection and search<\/td>\nContext-specific<\/td>\n<\/tr>\n
                                                  EDR\/XDR<\/td>\nCrowdStrike Falcon<\/td>\nEndpoint telemetry, detections, response actions<\/td>\nCommon<\/td>\n<\/tr>\n
                                                  EDR\/XDR<\/td>\nMicrosoft Defender for Endpoint<\/td>\nEndpoint detection\/response and telemetry<\/td>\nCommon<\/td>\n<\/tr>\n
                                                  EDR\/XDR<\/td>\nSentinelOne<\/td>\nEndpoint detection and response<\/td>\nContext-specific<\/td>\n<\/tr>\n
                                                  Cloud platforms<\/td>\nAWS (CloudTrail, GuardDuty)<\/td>\nCloud audit telemetry and findings<\/td>\nCommon<\/td>\n<\/tr>\n
                                                  Cloud platforms<\/td>\nAzure (Activity Logs, Entra ID logs)<\/td>\nIdentity and cloud control-plane telemetry<\/td>\nCommon<\/td>\n<\/tr>\n
                                                  Cloud platforms<\/td>\nGCP (Cloud Audit Logs)<\/td>\nCloud audit telemetry<\/td>\nContext-specific<\/td>\n<\/tr>\n
                                                  Identity<\/td>\nOkta<\/td>\nAuth logs, MFA events, risk signals<\/td>\nCommon<\/td>\n<\/tr>\n
                                                  Identity<\/td>\nMicrosoft Entra ID (Azure AD)<\/td>\nIdentity telemetry, sign-ins, risky users<\/td>\nCommon<\/td>\n<\/tr>\n
                                                  SOAR<\/td>\nPalo Alto Cortex XSOAR<\/td>\nPlaybooks, enrichment, case management<\/td>\nContext-specific<\/td>\n<\/tr>\n
                                                  SOAR<\/td>\nSplunk SOAR<\/td>\nAutomation and case workflows<\/td>\nContext-specific<\/td>\n<\/tr>\n
                                                  ITSM<\/td>\nServiceNow<\/td>\nIncident\/ticket workflow, escalations, audit trail<\/td>\nCommon<\/td>\n<\/tr>\n
                                                  Threat intel<\/td>\nMISP<\/td>\nIoC management and sharing<\/td>\nOptional<\/td>\n<\/tr>\n
                                                  Threat intel<\/td>\nRecorded Future \/ CrowdStrike Intel<\/td>\nIntel feeds and reports<\/td>\nOptional<\/td>\n<\/tr>\n
                                                  Knowledge base<\/td>\nConfluence<\/td>\nRunbooks, documentation, standards<\/td>\nCommon<\/td>\n<\/tr>\n
                                                  Collaboration<\/td>\nSlack \/ Microsoft Teams<\/td>\nOperational communications, incident channels<\/td>\nCommon<\/td>\n<\/tr>\n
                                                  Source control<\/td>\nGitHub \/ GitLab<\/td>\nDetection-as-code, reviews, versioning<\/td>\nCommon (in mature programs)<\/td>\n<\/tr>\n
                                                  Data analytics<\/td>\nElasticsearch \/ OpenSearch<\/td>\nLog analytics and search<\/td>\nContext-specific<\/td>\n<\/tr>\n
                                                  Data analytics<\/td>\nDatabricks \/ data lake<\/td>\nLarge-scale analytics, hunting datasets<\/td>\nContext-specific<\/td>\n<\/tr>\n
                                                  Observability<\/td>\nDatadog \/ New Relic<\/td>\nSupporting app telemetry correlations<\/td>\nOptional<\/td>\n<\/tr>\n
                                                  Scripting<\/td>\nPython<\/td>\nEnrichment scripts, parsing, testing<\/td>\nOptional (often useful)<\/td>\n<\/tr>\n
                                                  Scripting<\/td>\nPowerShell<\/td>\nWindows investigation, artifact gathering<\/td>\nOptional<\/td>\n<\/tr>\n
                                                  Adversary simulation<\/td>\nAtomic Red Team<\/td>\nValidating detections against techniques<\/td>\nOptional (maturity-dependent)<\/td>\n<\/tr>\n
                                                  Adversary simulation<\/td>\nCaldera \/ Prelude \/ AttackIQ<\/td>\nContinuous validation and purple teaming<\/td>\nContext-specific<\/td>\n<\/tr>\n
                                                  Rule abstraction<\/td>\nSigma<\/td>\nPortable detection logic patterns<\/td>\nOptional<\/td>\n<\/tr>\n
                                                  Vulnerability context<\/td>\nTenable \/ Qualys<\/td>\nEnrichment for asset risk context<\/td>\nOptional<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                  \n\n\n\n

                                                  11) Typical Tech Stack \/ Environment<\/h2>\n\n\n\n

                                                  Infrastructure environment<\/strong>\n– Hybrid environments are common: cloud-first with remaining on-prem components.\n– Cloud workloads in AWS\/Azure (common), sometimes GCP; use of VPC\/VNet flow logs, cloud audit logs, and managed services.\n– Corporate IT endpoints: Windows\/macOS fleets; mobile device management (MDM) in many organizations.<\/p>\n\n\n\n

                                                  Application environment<\/strong>\n– SaaS\/software company context typically includes:\n – Microservices and APIs\n – Containerized workloads (Docker) and orchestration (Kubernetes) in many orgs\n – CI\/CD pipelines and infrastructure-as-code (Terraform\/CloudFormation) owned by platform engineering\n– The detection program consumes application logs selectively (auth events, admin actions, sensitive operations) rather than all observability data.<\/p>\n\n\n\n

                                                  Data environment<\/strong>\n– Centralized logging platform (SIEM) plus specialized telemetry stores (EDR consoles, cloud-native findings).\n– Normalization frameworks may exist (CIM\/ASIM\/ECS) or be partially implemented.\n– Retention varies by cost and compliance; Senior Detection Analyst helps define detection-relevant retention requirements.<\/p>\n\n\n\n

                                                  Security environment<\/strong>\n– SOC operations with tiered triage and IR escalation.\n– Tooling includes SIEM + EDR; often includes IdP logs and cloud audit logs.\n– Mature orgs run SOAR for enrichment and standardized response workflows.\n– Threat intel and vulnerability context may be integrated for alert enrichment.<\/p>\n\n\n\n

                                                  Delivery model<\/strong>\n– Detection content releases often follow a lightweight SDLC:\n – backlog \u2192 development \u2192 peer review \u2192 testing \u2192 release \u2192 monitoring\n– Mature teams implement detection-as-code with pull requests, automated tests, and change approval.<\/p>\n\n\n\n

                                                  Agile \/ SDLC context<\/strong>\n– Many teams operate in Kanban (continuous flow) due to interrupt-driven nature.\n– Some operate with Scrum-like sprints for planned detection work and reserve capacity for incidents and urgent threats.<\/p>\n\n\n\n

                                                  Scale or complexity context<\/strong>\n– Telemetry volume and SIEM cost constraints are often a major design consideration.\n– Multi-region cloud footprints and numerous SaaS services create a complex identity and access threat surface.<\/p>\n\n\n\n

                                                  Team topology<\/strong>\n– Common placements:\n – SOC \/ Security Operations Center (with a detection specialization)\n – Detection Engineering \/ Detection & Response team (preferred for mature programs)\n – Security Operations Engineering (bridging tools and content)\n– The Senior Detection Analyst is typically an IC with program influence and mentorship responsibilities.<\/p>\n\n\n\n

                                                  \n\n\n\n

                                                  12) Stakeholders and Collaboration Map<\/h2>\n\n\n\n

                                                  Internal stakeholders<\/h3>\n\n\n\n
                                                    \n
                                                  • SOC Analysts (Tier 1\/2\/3):<\/strong> Primary consumers of alerts and runbooks; provide feedback on noise and usability.<\/li>\n
                                                  • Incident Response (IR) \/ DFIR:<\/strong> Partners for scoping queries, evidence standards, and post-incident improvements.<\/li>\n
                                                  • Threat Intelligence:<\/strong> Inputs for prioritization and technique selection; validates relevance of actor\/campaign intel.<\/li>\n
                                                  • Security Engineering:<\/strong> Works jointly on integrations, parsers, schemas, and SOAR automation.<\/li>\n
                                                  • Cloud Platform Engineering \/ SRE:<\/strong> Enables logging, cloud security controls, and operational access for investigations.<\/li>\n
                                                  • Identity & Access Management (IAM):<\/strong> Critical partner for identity detections, sign-in logs, MFA policies, and privileged access.<\/li>\n
                                                  • IT Operations \/ Endpoint Engineering:<\/strong> EDR deployment and endpoint logging; helps remediate systemic issues.<\/li>\n
                                                  • Application Engineering (selected teams):<\/strong> Provides app telemetry and implements security logging for key events.<\/li>\n
                                                  • GRC \/ Compliance \/ Risk:<\/strong> Ensures detection governance and evidence readiness for audits and customer assurance.<\/li>\n<\/ul>\n\n\n\n

                                                    External stakeholders (as applicable)<\/h3>\n\n\n\n
                                                      \n
                                                    • Managed Detection & Response (MDR) provider:<\/strong> If co-managed SOC exists; coordination on alert ownership and rule changes.<\/li>\n
                                                    • Vendors (SIEM\/EDR\/SOAR):<\/strong> Support cases, product features, tuning guidance.<\/li>\n
                                                    • Auditors \/ customer security assessors:<\/strong> Evidence requests about monitoring and detection coverage (indirect interaction).<\/li>\n<\/ul>\n\n\n\n

                                                      Peer roles<\/h3>\n\n\n\n
                                                        \n
                                                      • Detection Engineer, SOC Engineer, Incident Responder, Threat Hunter, Security Data Analyst, Security Architect (operations).<\/li>\n<\/ul>\n\n\n\n

                                                        Upstream dependencies<\/h3>\n\n\n\n
                                                          \n
                                                        • Reliable telemetry ingestion and normalization (EDR, IdP, cloud audit, DNS\/proxy).<\/li>\n
                                                        • Asset inventory and ownership data (CMDB or asset DB).<\/li>\n
                                                        • Identity governance context (privileged groups, admin roles, service principals).<\/li>\n<\/ul>\n\n\n\n

                                                          Downstream consumers<\/h3>\n\n\n\n
                                                            \n
                                                          • SOC and IR (actions, escalations, case notes).<\/li>\n
                                                          • Security leadership (risk and program metrics).<\/li>\n
                                                          • Engineering teams (remediation tasks and logging changes).<\/li>\n
                                                          • Compliance (evidence and control mapping).<\/li>\n<\/ul>\n\n\n\n

                                                            Nature of collaboration<\/h3>\n\n\n\n
                                                              \n
                                                            • High-frequency operational collaboration with SOC\/IR.<\/li>\n
                                                            • Structured collaboration with platform\/engineering via intake processes and logging councils.<\/li>\n
                                                            • Consultative collaboration with leadership through quarterly reporting and risk alignment.<\/li>\n<\/ul>\n\n\n\n

                                                              Typical decision-making authority and escalation points<\/h3>\n\n\n\n
                                                                \n
                                                              • The Senior Detection Analyst can generally decide on detection logic and tuning within defined guardrails.<\/li>\n
                                                              • Escalate to Detection & Response Manager \/ SOC Manager<\/strong> for:<\/li>\n
                                                              • Major detection changes affecting operations broadly<\/li>\n
                                                              • High-risk suppressions<\/li>\n
                                                              • Conflicts over logging priorities or access<\/li>\n
                                                              • Escalate to Director of Security Operations<\/strong> (or equivalent) for:<\/li>\n
                                                              • Budget\/capacity constraints that materially impact detection outcomes<\/li>\n
                                                              • Cross-org mandates for telemetry enablement<\/li>\n<\/ul>\n\n\n\n
                                                                \n\n\n\n

                                                                13) Decision Rights and Scope of Authority<\/h2>\n\n\n\n

                                                                Can decide independently<\/h3>\n\n\n\n
                                                                  \n
                                                                • Detection query logic changes and tuning for owned detections, within documented standards.<\/li>\n
                                                                • Severity adjustments and triage guidance for alerts, based on evidence and stakeholder input.<\/li>\n
                                                                • Runbook content, investigation steps, and recommended pivot queries.<\/li>\n
                                                                • Prioritization within assigned detection backlog (day-to-day), balancing incidents and planned work.<\/li>\n
                                                                • Recommendations for telemetry improvements and new data sources (proposal ownership).<\/li>\n<\/ul>\n\n\n\n

                                                                  Requires team approval (peer review \/ change control)<\/h3>\n\n\n\n
                                                                    \n
                                                                  • New high-severity detections that may materially increase paging\/escalations.<\/li>\n
                                                                  • Suppressions or allowlists that reduce coverage for critical techniques (requires documented justification).<\/li>\n
                                                                  • Correlation rules affecting multiple data sources and multiple teams\u2019 workflows.<\/li>\n
                                                                  • Detection-as-code merges (PR approvals) where that operating model exists.<\/li>\n<\/ul>\n\n\n\n

                                                                    Requires manager\/director\/executive approval<\/h3>\n\n\n\n
                                                                      \n
                                                                    • Tooling changes (new SIEM add-ons, major SOAR changes, new data lake adoption).<\/li>\n
                                                                    • Budget-impacting changes (large ingestion increases, significant retention changes).<\/li>\n
                                                                    • Organization-wide monitoring policy changes (e.g., expanding endpoint logging, enabling additional audit logs).<\/li>\n
                                                                    • Hiring decisions, vendor procurement, and contract renewals (role provides input and requirements).<\/li>\n<\/ul>\n\n\n\n

                                                                      Budget, architecture, vendor, delivery, hiring, compliance authority<\/h3>\n\n\n\n
                                                                        \n
                                                                      • Budget:<\/strong> Typically no direct budget ownership; provides cost\/benefit analysis and requirements.<\/li>\n
                                                                      • Architecture:<\/strong> Influences detection architecture and telemetry design; final decisions typically sit with Security Architecture\/SecEng leadership.<\/li>\n
                                                                      • Vendor:<\/strong> Provides evaluation input and technical requirements; procurement owned elsewhere.<\/li>\n
                                                                      • Delivery:<\/strong> Owns delivery for detection content; coordinates delivery dependencies with other teams.<\/li>\n
                                                                      • Hiring:<\/strong> Participates in interviews and skills calibration; may help design exercises.<\/li>\n
                                                                      • Compliance:<\/strong> Supports evidence and control mapping; does not \u201cown\u201d compliance decisions but ensures operational readiness.<\/li>\n<\/ul>\n\n\n\n
                                                                        \n\n\n\n

                                                                        14) Required Experience and Qualifications<\/h2>\n\n\n\n

                                                                        Typical years of experience<\/h3>\n\n\n\n
                                                                          \n
                                                                        • 5\u20138+ years<\/strong> in security operations, detection engineering\/analytics, incident response, or threat hunting.<\/li>\n
                                                                        • Demonstrated senior-level capability: owning detection improvements end-to-end and influencing how others investigate and respond.<\/li>\n<\/ul>\n\n\n\n

                                                                          Education expectations<\/h3>\n\n\n\n
                                                                            \n
                                                                          • Bachelor\u2019s degree in Computer Science, Information Systems, Cybersecurity, or equivalent experience is common.<\/li>\n
                                                                          • Equivalent experience (military, apprenticeships, hands-on SOC\/IR history) is often acceptable in software\/IT organizations.<\/li>\n<\/ul>\n\n\n\n

                                                                            Certifications (Common \/ Optional \/ Context-specific)<\/h3>\n\n\n\n
                                                                              \n
                                                                            • Common \/ valued (optional but helpful):<\/strong><\/li>\n
                                                                            • GIAC (e.g., GCIA, GCIH, GCED, GMON, GCFA) \u2013 choose based on role emphasis<\/li>\n
                                                                            • Splunk certifications (Power User\/Admin\/ES) if Splunk-heavy environment<\/li>\n
                                                                            • Microsoft security certifications (for Sentinel\/Defender-heavy environments)<\/li>\n
                                                                            • Context-specific:<\/strong><\/li>\n
                                                                            • Cloud certifications (AWS\/Azure\/GCP security) if cloud-heavy detection scope<\/li>\n
                                                                            • SANS purple-team or threat hunting oriented credentials in mature validation programs<\/li>\n<\/ul>\n\n\n\n

                                                                              Prior role backgrounds commonly seen<\/h3>\n\n\n\n
                                                                                \n
                                                                              • SOC Analyst (Tier 2\/3)<\/li>\n
                                                                              • Incident Responder \/ DFIR Analyst<\/li>\n
                                                                              • Threat Hunter<\/li>\n
                                                                              • Security Engineer (operations-oriented)<\/li>\n
                                                                              • Security Monitoring Analyst \/ SIEM Content Developer<\/li>\n<\/ul>\n\n\n\n

                                                                                Domain knowledge expectations<\/h3>\n\n\n\n
                                                                                  \n
                                                                                • Strong understanding of:<\/li>\n
                                                                                • Endpoint attack patterns (credential theft, persistence, execution)<\/li>\n
                                                                                • Identity attacks (MFA bypass, token theft, OAuth abuse, privilege escalation)<\/li>\n
                                                                                • Cloud control plane threats (IAM changes, suspicious API usage, persistence)<\/li>\n
                                                                                • Common attacker tradecraft and how it appears in logs<\/li>\n
                                                                                • Familiarity with secure operations and evidence standards (chain of reasoning, reproducibility of findings).<\/li>\n<\/ul>\n\n\n\n

                                                                                  Leadership experience expectations (Senior IC)<\/h3>\n\n\n\n
                                                                                    \n
                                                                                  • Not necessarily people management.<\/li>\n
                                                                                  • Expected to mentor others, lead initiatives, and operate as an escalation resource.<\/li>\n
                                                                                  • Should demonstrate ownership, accountability, and ability to drive cross-team outcomes.<\/li>\n<\/ul>\n\n\n\n
                                                                                    \n\n\n\n

                                                                                    15) Career Path and Progression<\/h2>\n\n\n\n

                                                                                    Common feeder roles into this role<\/h3>\n\n\n\n
                                                                                      \n
                                                                                    • SOC Analyst (Tier 2\/3) with strong investigation and query skills<\/li>\n
                                                                                    • Threat Hunter with proven conversion of findings into detections<\/li>\n
                                                                                    • DFIR analyst who wants to shift left into prevention\/detection content<\/li>\n
                                                                                    • Security Engineer who wants to specialize in monitoring and analytics<\/li>\n<\/ul>\n\n\n\n

                                                                                      Next likely roles after this role<\/h3>\n\n\n\n
                                                                                        \n
                                                                                      • Lead Detection Analyst \/ Detection Engineering Lead<\/strong> (IC lead or small-team lead)<\/li>\n
                                                                                      • Detection Engineer (Senior\/Staff)<\/strong> (more engineering-heavy, detection-as-code, platform work)<\/li>\n
                                                                                      • Staff Security Analyst (Detection & Response)<\/strong> (broader scope across programs, strategy, validation)<\/li>\n
                                                                                      • Security Operations Manager \/ SOC Manager<\/strong> (people leadership track)<\/li>\n
                                                                                      • Threat Hunting Lead<\/strong> (specialized hunting program leadership)<\/li>\n
                                                                                      • Security Data Engineer (Security Analytics)<\/strong> (data pipeline and schema specialization)<\/li>\n<\/ul>\n\n\n\n

                                                                                        Adjacent career paths<\/h3>\n\n\n\n
                                                                                          \n
                                                                                        • Cloud Security Engineer<\/strong> (if cloud detections become primary focus)<\/li>\n
                                                                                        • Product Security \/ Application Security<\/strong> (if the analyst becomes focused on app telemetry and abuse detection)<\/li>\n
                                                                                        • Security Architecture<\/strong> (if the analyst shifts toward governance and design across toolchain and telemetry)<\/li>\n
                                                                                        • Fraud\/Abuse Detection (for SaaS products)<\/strong> (behavioral analytics applied to customer-facing misuse; context-specific)<\/li>\n<\/ul>\n\n\n\n

                                                                                          Skills needed for promotion (to Staff\/Lead)<\/h3>\n\n\n\n
                                                                                            \n
                                                                                          • Demonstrated ownership of a detection program area (identity, cloud, endpoint) with measurable outcome improvements.<\/li>\n
                                                                                          • Consistent delivery of validated detections and reduction of noise at scale.<\/li>\n
                                                                                          • Ability to define standards (documentation, testing, tuning) adopted by the team.<\/li>\n
                                                                                          • Influence across teams to improve telemetry and operational workflows.<\/li>\n
                                                                                          • Strategic planning: roadmap creation tied to risk and measurable coverage.<\/li>\n<\/ul>\n\n\n\n

                                                                                            How this role evolves over time<\/h3>\n\n\n\n
                                                                                              \n
                                                                                            • Early phase: heavy focus on tuning and improving existing detections, stabilizing signal quality.<\/li>\n
                                                                                            • Mid phase: build correlation and behavior-based detections; formalize validation and governance.<\/li>\n
                                                                                            • Mature phase: detection-as-code, continuous validation, and strong alignment with threat models and business risk metrics.<\/li>\n<\/ul>\n\n\n\n
                                                                                              \n\n\n\n

                                                                                              16) Risks, Challenges, and Failure Modes<\/h2>\n\n\n\n

                                                                                              Common role challenges<\/h3>\n\n\n\n
                                                                                                \n
                                                                                              • Telemetry gaps and inconsistency:<\/strong> Missing or unreliable logs, schema drift, incomplete endpoint coverage, or insufficient retention.<\/li>\n
                                                                                              • Alert fatigue pressure:<\/strong> Stakeholders demand \u201cmore detections,\u201d but SOC capacity and noise limits require careful design.<\/li>\n
                                                                                              • Ambiguous ground truth:<\/strong> Confirming true positives can be difficult; may require IR support and better enrichment.<\/li>\n
                                                                                              • Tool constraints and cost:<\/strong> SIEM cost\/performance limitations can restrict detection complexity or data onboarding.<\/li>\n
                                                                                              • Cross-team dependency friction:<\/strong> Logging changes require other teams\u2019 time; prioritization can be contentious.<\/li>\n
                                                                                              • Rapidly changing threat landscape:<\/strong> New techniques and platform features can invalidate existing detection assumptions.<\/li>\n<\/ul>\n\n\n\n

                                                                                                Bottlenecks<\/h3>\n\n\n\n
                                                                                                  \n
                                                                                                • Limited IR bandwidth for validation and feedback.<\/li>\n
                                                                                                • Lack of a testing environment or safe simulation tooling.<\/li>\n
                                                                                                • No standardized data model, making detections brittle.<\/li>\n
                                                                                                • Slow change management for logging and agent deployments.<\/li>\n
                                                                                                • Unclear ownership of detections and runbooks.<\/li>\n<\/ul>\n\n\n\n

                                                                                                  Anti-patterns<\/h3>\n\n\n\n
                                                                                                    \n
                                                                                                  • Writing detections without clear intent, threat model alignment, or defined response actions.<\/li>\n
                                                                                                  • Over-reliance on IoCs without behavior-based logic (fragile and quickly evaded).<\/li>\n
                                                                                                  • Excessive suppressions\/allowlists without review, silently reducing coverage.<\/li>\n
                                                                                                  • Shipping detections without documentation, leaving SOC unable to act consistently.<\/li>\n
                                                                                                  • Measuring only \u201cnumber of alerts\u201d or \u201cnumber of rules\u201d rather than outcomes and efficacy.<\/li>\n<\/ul>\n\n\n\n

                                                                                                    Common reasons for underperformance<\/h3>\n\n\n\n
                                                                                                      \n
                                                                                                    • Weak query skills leading to inefficient, noisy, or incorrect detections.<\/li>\n
                                                                                                    • Poor stakeholder communication causing low adoption and recurring operational friction.<\/li>\n
                                                                                                    • Lack of follow-through on tuning and lifecycle hygiene.<\/li>\n
                                                                                                    • Inability to prioritize effectively; chasing low-value detections while critical gaps remain.<\/li>\n<\/ul>\n\n\n\n

                                                                                                      Business risks if this role is ineffective<\/h3>\n\n\n\n
                                                                                                        \n
                                                                                                      • Increased dwell time and larger breach impact due to late detection.<\/li>\n
                                                                                                      • Higher operational costs from alert fatigue and inefficient triage.<\/li>\n
                                                                                                      • Missed detections for identity or cloud control-plane compromise (often high impact).<\/li>\n
                                                                                                      • Reduced customer trust and increased audit risk if monitoring controls are weak or undocumented.<\/li>\n
                                                                                                      • Repeated incidents due to failure to convert lessons learned into detection and telemetry improvements.<\/li>\n<\/ul>\n\n\n\n
                                                                                                        \n\n\n\n

                                                                                                        17) Role Variants<\/h2>\n\n\n\n

                                                                                                        By company size<\/h3>\n\n\n\n
                                                                                                          \n
                                                                                                        • Small company \/ early-stage SOC:<\/strong> <\/li>\n
                                                                                                        • More generalist; combines triage, hunts, and detection building. <\/li>\n
                                                                                                        • Focus: establish baseline telemetry, implement high-impact detections quickly, reduce noise.<\/li>\n
                                                                                                        • Mid-size SaaS \/ scaling security org:<\/strong> <\/li>\n
                                                                                                        • Balanced role: tuning + correlation + lifecycle governance. <\/li>\n
                                                                                                        • Focus: detection roadmap, ATT&CK mapping, SOAR enrichment, cross-team logging projects.<\/li>\n
                                                                                                        • Large enterprise:<\/strong> <\/li>\n
                                                                                                        • Specialized domain ownership (identity\/cloud\/endpoint). <\/li>\n
                                                                                                        • Focus: detection-as-code, continuous validation, metrics maturity, integration across many tools and business units.<\/li>\n<\/ul>\n\n\n\n

                                                                                                          By industry<\/h3>\n\n\n\n
                                                                                                            \n
                                                                                                          • Highly regulated (finance\/health\/public sector):<\/strong> <\/li>\n
                                                                                                          • Heavier governance, evidence collection, retention requirements, formal change control.<\/li>\n
                                                                                                          • Consumer SaaS:<\/strong> <\/li>\n
                                                                                                          • More identity and SaaS admin abuse focus; may integrate product telemetry for account takeover signals.<\/li>\n
                                                                                                          • B2B enterprise software:<\/strong> <\/li>\n
                                                                                                          • Greater emphasis on protecting internal engineering systems (CI\/CD, source control, secrets) and cloud infrastructure.<\/li>\n<\/ul>\n\n\n\n

                                                                                                            By geography<\/h3>\n\n\n\n
                                                                                                              \n
                                                                                                            • Core competencies are globally consistent. Variations mainly include:<\/li>\n
                                                                                                            • Data residency constraints affecting telemetry centralization.<\/li>\n
                                                                                                            • Regional compliance expectations affecting retention, monitoring policies, and access.<\/li>\n<\/ul>\n\n\n\n

                                                                                                              Product-led vs service-led company<\/h3>\n\n\n\n
                                                                                                                \n
                                                                                                              • Product-led (SaaS):<\/strong> <\/li>\n
                                                                                                              • Detections often include SaaS configuration risks, admin actions, identity, and cloud platform activity.<\/li>\n
                                                                                                              • Service-led \/ IT org:<\/strong> <\/li>\n
                                                                                                              • More traditional enterprise telemetry: network, endpoints, identity, and IT service management workflows.<\/li>\n<\/ul>\n\n\n\n

                                                                                                                Startup vs enterprise<\/h3>\n\n\n\n
                                                                                                                  \n
                                                                                                                • Startup:<\/strong> speed, pragmatic detections, fewer tools, heavier reliance on cloud-native logs and managed services.<\/li>\n
                                                                                                                • Enterprise:<\/strong> complexity, formal governance, multiple SIEM tenants\/business units, higher emphasis on standardization and auditability.<\/li>\n<\/ul>\n\n\n\n

                                                                                                                  Regulated vs non-regulated environment<\/h3>\n\n\n\n
                                                                                                                    \n
                                                                                                                  • Regulated:<\/strong> formal review cycles, documented control mapping, strict access controls for security data.<\/li>\n
                                                                                                                  • Non-regulated:<\/strong> more flexibility; still benefits from lifecycle discipline to prevent detection drift.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                    \n\n\n\n

                                                                                                                    18) AI \/ Automation Impact on the Role<\/h2>\n\n\n\n

                                                                                                                    Tasks that can be automated (increasingly)<\/h3>\n\n\n\n
                                                                                                                      \n
                                                                                                                    • Drafting initial query logic from natural language requirements (requires validation).<\/li>\n
                                                                                                                    • Summarizing alert context and related events into an investigation narrative.<\/li>\n
                                                                                                                    • Enrichment steps: asset context, user context, geolocation, reputation checks, sandbox detonation (where applicable).<\/li>\n
                                                                                                                    • Clustering\/duplicate detection of similar alerts and incident grouping suggestions.<\/li>\n
                                                                                                                    • Baseline modeling for common entities (users, hosts, service principals) to flag anomalies.<\/li>\n<\/ul>\n\n\n\n

                                                                                                                      Tasks that remain human-critical<\/h3>\n\n\n\n
                                                                                                                        \n
                                                                                                                      • Determining detection intent and aligning it to business risk and threat models.<\/li>\n
                                                                                                                      • Making tradeoffs between precision and recall in operational context.<\/li>\n
                                                                                                                      • Validating detections against realistic attacker behavior and environment-specific noise sources.<\/li>\n
                                                                                                                      • Root cause analysis of false positives\/false negatives and designing durable fixes.<\/li>\n
                                                                                                                      • Cross-team influence: negotiating telemetry changes, access, and operational ownership.<\/li>\n
                                                                                                                      • Judgement calls during incidents: what to page, what to suppress, what to escalate.<\/li>\n<\/ul>\n\n\n\n

                                                                                                                        How AI changes the role over the next 2\u20135 years<\/h3>\n\n\n\n
                                                                                                                          \n
                                                                                                                        • The Senior Detection Analyst becomes more of a detection product owner<\/strong>:<\/li>\n
                                                                                                                        • defining high-quality requirements<\/li>\n
                                                                                                                        • validating AI-assisted detections<\/li>\n
                                                                                                                        • ensuring documentation and governance keep up with faster content production<\/li>\n
                                                                                                                        • Increased expectations for:<\/li>\n
                                                                                                                        • testing and continuous validation<\/strong> (to prevent AI-generated but incorrect logic)<\/li>\n
                                                                                                                        • data literacy<\/strong> (understanding data pipelines and model limitations)<\/li>\n
                                                                                                                        • prompting and review discipline<\/strong> (repeatable patterns, bias awareness, correctness checks)<\/li>\n
                                                                                                                        • AI will likely increase detection throughput; the differentiator will be quality, validation, and operational outcomes<\/strong>, not volume of rules.<\/li>\n<\/ul>\n\n\n\n

                                                                                                                          New expectations caused by AI, automation, or platform shifts<\/h3>\n\n\n\n
                                                                                                                            \n
                                                                                                                          • Standardized evaluation of detection performance (precision\/recall proxies, sampling, validation exercises).<\/li>\n
                                                                                                                          • Faster iteration cycles and tighter integration with CI\/CD-like workflows for detection content.<\/li>\n
                                                                                                                          • Greater emphasis on explainability: detections must be explainable to analysts, auditors, and leadership.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                            \n\n\n\n

                                                                                                                            19) Hiring Evaluation Criteria<\/h2>\n\n\n\n

                                                                                                                            What to assess in interviews<\/h3>\n\n\n\n
                                                                                                                              \n
                                                                                                                            • Detection thinking:<\/strong> Ability to translate threat behaviors into detection hypotheses and concrete logic.<\/li>\n
                                                                                                                            • Query proficiency:<\/strong> Comfort writing and explaining SIEM queries, including performance considerations.<\/li>\n
                                                                                                                            • Telemetry literacy:<\/strong> Understanding what specific logs can\/can\u2019t prove; awareness of common gaps and pitfalls.<\/li>\n
                                                                                                                            • Tuning strategy:<\/strong> Practical methods to reduce noise without blinding the organization.<\/li>\n
                                                                                                                            • Investigation depth:<\/strong> Ability to scope, pivot, and create a coherent narrative from data.<\/li>\n
                                                                                                                            • Documentation mindset:<\/strong> Producing runbooks and clear triage instructions.<\/li>\n
                                                                                                                            • Collaboration:<\/strong> Ability to drive telemetry changes and adopt feedback loops with SOC\/IR.<\/li>\n<\/ul>\n\n\n\n

                                                                                                                              Practical exercises or case studies (recommended)<\/h3>\n\n\n\n
                                                                                                                                \n
                                                                                                                              1. Detection build exercise (60\u201390 minutes)<\/strong>\n – Input: a short scenario (e.g., suspicious OAuth consent grant; unusual PowerShell execution; AWS access key misuse).\n – Task: write a detection query (SPL\/KQL or pseudo-query), define required fields\/log sources, map to ATT&CK, propose severity, and draft a short runbook.<\/li>\n
                                                                                                                              2. Tuning and triage exercise (45\u201360 minutes)<\/strong>\n – Input: sample alert results showing false positives and true positives.\n – Task: identify noise causes, propose logic refinements, and explain tradeoffs.<\/li>\n
                                                                                                                              3. Incident scoping drill (30\u201345 minutes)<\/strong>\n – Input: initial alert and limited telemetry context.\n – Task: provide 5\u201310 pivot queries\/questions to scope impact and recommend next steps.<\/li>\n
                                                                                                                              4. Detection lifecycle design discussion (30 minutes)<\/strong>\n – Task: describe how they would implement review cycles, QA, ownership, and metrics.<\/li>\n<\/ol>\n\n\n\n

                                                                                                                                Strong candidate signals<\/h3>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                • Explains detections in terms of attacker behavior and evidence, not just \u201cthis looks suspicious.\u201d<\/li>\n
                                                                                                                                • Comfortable discussing precision\/recall tradeoffs, suppression risk, and validation approaches.<\/li>\n
                                                                                                                                • Demonstrates structured thinking: hypothesis \u2192 data sources \u2192 detection logic \u2192 expected results \u2192 response actions.<\/li>\n
                                                                                                                                • Writes readable, efficient queries and can explain performance considerations.<\/li>\n
                                                                                                                                • Prior experience improving a detection program with measurable impact (noise reduction, faster triage, better coverage).<\/li>\n
                                                                                                                                • Clear documentation examples (runbooks, investigation guides, detection rationale).<\/li>\n<\/ul>\n\n\n\n

                                                                                                                                  Weak candidate signals<\/h3>\n\n\n\n
                                                                                                                                    \n
                                                                                                                                  • Focuses on tool names without demonstrating investigative or detection reasoning.<\/li>\n
                                                                                                                                  • Writes detections that are purely IoC-based with no resilience strategy.<\/li>\n
                                                                                                                                  • Cannot articulate how to validate a detection or measure whether it works.<\/li>\n
                                                                                                                                  • Proposes blanket allowlists without governance or review plans.<\/li>\n
                                                                                                                                  • Struggles to explain what telemetry is required and what assumptions are being made.<\/li>\n<\/ul>\n\n\n\n

                                                                                                                                    Red flags<\/h3>\n\n\n\n
                                                                                                                                      \n
                                                                                                                                    • Casual attitude toward suppressing alerts that could hide true compromise, without risk assessment.<\/li>\n
                                                                                                                                    • Inability to distinguish \u201canomalous\u201d from \u201cmalicious\u201d and propose next steps accordingly.<\/li>\n
                                                                                                                                    • Lack of respect for change control, documentation, and operational impact on SOC.<\/li>\n
                                                                                                                                    • Overconfidence in AI-generated detections without validation discipline.<\/li>\n
                                                                                                                                    • Poor collaboration posture (blaming other teams for telemetry gaps without proposing workable solutions).<\/li>\n<\/ul>\n\n\n\n

                                                                                                                                      Scorecard dimensions (example)<\/h3>\n\n\n\n
                                                                                                                                      \n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                      Dimension<\/th>\nWhat \u201cmeets bar\u201d looks like<\/th>\nWhat \u201cexcellent\u201d looks like<\/th>\nWeight<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                      Detection design & threat alignment<\/td>\nMaps behaviors to detections and response actions<\/td>\nProduces durable, behavior-based detections with clear scope and assumptions<\/td>\n20%<\/td>\n<\/tr>\n
                                                                                                                                      SIEM\/Query skill<\/td>\nWrites correct queries with basic optimization<\/td>\nWrites efficient, readable queries; explains performance\/cost tradeoffs<\/td>\n20%<\/td>\n<\/tr>\n
                                                                                                                                      Investigation & IR partnership<\/td>\nCan scope and pivot from initial signal<\/td>\nBuilds strong investigation paths and artifacts that speed IR<\/td>\n15%<\/td>\n<\/tr>\n
                                                                                                                                      Tuning & operational judgment<\/td>\nReduces noise responsibly<\/td>\nDemonstrates a systematic tuning program with metrics and governance<\/td>\n15%<\/td>\n<\/tr>\n
                                                                                                                                      Telemetry\/data literacy<\/td>\nUnderstands key log sources and limits<\/td>\nAnticipates gaps; proposes schema\/normalization improvements<\/td>\n10%<\/td>\n<\/tr>\n
                                                                                                                                      Documentation & enablement<\/td>\nWrites usable runbooks<\/td>\nCreates templates\/standards that scale across team<\/td>\n10%<\/td>\n<\/tr>\n
                                                                                                                                      Collaboration & influence<\/td>\nWorks well with SOC\/IR\/engineering<\/td>\nDrives cross-team telemetry improvements and adoption<\/td>\n10%<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                      \n\n\n\n

                                                                                                                                      20) Final Role Scorecard Summary<\/h2>\n\n\n\n
                                                                                                                                      \n\n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                      Category<\/th>\nSummary<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                      Role title<\/td>\nSenior Detection Analyst<\/td>\n<\/tr>\n
                                                                                                                                      Role purpose<\/td>\nBuild, validate, and continuously improve security detections that identify attacker behaviors across endpoint, identity, cloud, and network telemetry\u2014improving MTTD, reducing noise, and enabling consistent response.<\/td>\n<\/tr>\n
                                                                                                                                      Top 10 responsibilities<\/td>\n1) Own detection lifecycle for assigned domains 2) Write and tune SIEM\/EDR detections 3) Reduce false positives and improve alert fidelity 4) Map coverage to MITRE ATT&CK 5) Partner with IR for scoping and post-incident improvements 6) Lead\/support threat hunts and convert findings into detections 7) Validate detections via testing\/purple-team methods 8) Define and improve runbooks\/playbooks 9) Identify telemetry gaps and drive onboarding\/quality improvements 10) Mentor analysts and set detection standards<\/td>\n<\/tr>\n
                                                                                                                                      Top 10 technical skills<\/td>\n1) SPL\/KQL (SIEM query mastery) 2) Endpoint telemetry analysis 3) Identity attack detection (IdP\/Entra\/Okta logs) 4) MITRE ATT&CK mapping 5) Detection tuning methods 6) Incident scoping and investigation pivots 7) Correlation\/behavior analytics 8) Cloud audit log analytics (CloudTrail\/Activity Logs) 9) SOAR concepts and enrichment design 10) Detection-as-code practices (Git, review, testing)<\/td>\n<\/tr>\n
                                                                                                                                      Top 10 soft skills<\/td>\n1) Analytical rigor 2) Operational judgment 3) Clear technical writing 4) Influence without authority 5) Collaboration under pressure 6) Mentorship mindset 7) Curiosity\/learning agility 8) Prioritization and backlog management 9) Stakeholder communication 10) Documentation discipline<\/td>\n<\/tr>\n
                                                                                                                                      Top tools or platforms<\/td>\nSplunk ES or Microsoft Sentinel; CrowdStrike or Defender for Endpoint; Okta\/Entra ID logs; AWS\/Azure audit logs; ServiceNow; GitHub\/GitLab; Confluence; SOAR tooling (XSOAR\/Splunk SOAR) as applicable<\/td>\n<\/tr>\n
                                                                                                                                      Top KPIs<\/td>\nTrue positive rate; false positive rate; MTTT; MTTD (by incident type); ATT&CK coverage for prioritized techniques; validation rate; rule review compliance; deployment lead time; defect\/rollback rate; SOC analyst satisfaction<\/td>\n<\/tr>\n
                                                                                                                                      Main deliverables<\/td>\nDetection catalog; detection rules\/queries; runbooks; tuning reports; hunt reports; post-incident detection improvements; dashboards\/metrics packs; telemetry gap assessments; SOAR enrichment requirements; standards\/templates<\/td>\n<\/tr>\n
                                                                                                                                      Main goals<\/td>\nFirst 90 days: reduce top noise sources, ship priority detections, establish QA and lifecycle hygiene. First 12 months: measurable improvements in MTTD and alert quality, validated coverage mapping, scalable documentation and governance.<\/td>\n<\/tr>\n
                                                                                                                                      Career progression options<\/td>\nLead Detection Analyst; Senior\/Staff Detection Engineer; Staff Security Analyst (Detection & Response); Threat Hunting Lead; SOC Manager (management track); Security Data Engineer (security analytics)<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"

                                                                                                                                      The **Senior Detection Analyst** designs, validates, and continuously improves security detections that identify malicious behavior across endpoints, identities, networks, cloud platforms, and applications. This role sits at the intersection of SOC operations, threat intelligence, incident response, and security engineering\u2014turning real-world attacker behaviors into high-fidelity alerts, investigations, and automated response playbooks.<\/p>\n","protected":false},"author":61,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[24453,24460],"tags":[],"class_list":["post-72737","post","type-post","status-publish","format-standard","hentry","category-analyst","category-security"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/72737","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/61"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=72737"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/72737\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=72737"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=72737"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=72737"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}