PbAbout Keyrockbr/bSince our beginnings in 2017, we’ve grown to be a leading change-maker in the digital asset space, renowned for our partnerships and innovation.brToday, we rock with over 200 team members around the world. Our diverse team hails from 42 nationalities, with backgrounds ranging from DeFi natives to PhDs. Predominantly remote, we have hubs in London, Brussels, Singapore and Paris, and host regular online and offline hangouts to keep the crew tight.brWe are trading on more than 80 exchanges, and working with a wide array of asset issuers. As a well-established market maker, our distinctive expertise led us to expand rapidly. Today, our services span market making, options trading, high-frequency trading, OTC, and DeFi trading desks as well as digital asset management. Keyrock is looking to expand and establish itself as a full-service financial institution through both organic innovation and inorganic growth.brBut we’re more than a service provider. We’re an initiator. We’re pioneers in adopting the Rust Development language for our algorithmic trading systems, and champions of its use in the industry. We support the growth of Web3 startups through our Accelerator Program. We upgrade ecosystems by injecting liquidity into promising DeFi, RWA, and NFT protocols. And we push the industry’s progress with our research and governance initiatives.brAt Keyrock, we’re not just envisioning the future of digital assets. We’re actively building it.brbRole Summarybr/bAs a SOC Analyst (Level 2), you are the escalation point for complex investigations and active incidents. You’ll take ownership of high-severity alerts, lead technical triage through containment, and coordinate with Incident Response, Cloud/Platform, Identity, and Engineering teams. You’ll also improve SOC quality by tuning detections, refining playbooks, mentoring Level 1 analysts, and driving post-incident learnings into better controls.brbWhat You’ll Do (Core Responsibilities)br/bbAdvanced detection and investigationbr/b /pulliTake escalations from L1 and independently investigate complex, multi-signal alerts (identity compromise, cloud control-plane abuse, endpoint persistence, lateral movement, suspicious automation, data exfiltration). /liliPerform deep log/telemetry analysis across SIEM, EDR, cloud logs, IAM signals, network telemetry, email security, and SaaS audit trails. /liliBuild and validate hypotheses, pivot across data sources, and produce clear incident timelines and scope assessments.br/li /ulbIncident response and containmentbr/bulliServe as technical incident lead for defined incident types/severities (or co-lead with IR), driving containment and eradication steps within authorized bounds. /liliExecute and improve response playbooks for key scenarios (phishing/BEC, credential theft, token/key compromise, suspicious API activity, ransomware indicators, insider risk signals). /liliCoordinate evidence collection and preservation to support legal/compliance needs and potential third-party investigations.br/li /ulbThreat intelligence and adversary tradecraftbr/bulliEnrich investigations with threat intel (IOCs, TTPs) and map observed behavior to frameworks (e.g., ATTCK) to improve detection fidelity. /liliMaintain watchlists and detection logic for priority threats relevant to cloud-first financial and digital-asset operations.br/li /ulbDetection engineering and SOC improvementbr/bulliTune SIEM correlation rules, EDR policies, and alert thresholds to reduce false positives and increase signal quality. /liliPropose and implement new detections for emerging techniques (identity + cloud abuse, OAuth/app consent attacks, API key leakage, CI/CD pipeline tampering). /liliImprove runbooks and automate repetitive enrichment steps (SOAR workflows, scripts, queries).br/li /ulbOperational leadershipbr/bulliProvide mentorship and real-time guidance to L1 analysts; improve escalation quality through coaching and feedback. /liliManage shift handovers for active investigations and ensure high-quality case documentation. /liliContribute to SOC metrics (MTTD, MTTR, false-positive rate, escalation accuracy) and continuous improvement efforts.br/li /ulbWhat We’re Looking For (Minimum Qualifications)br/bulli2–5+ years of SOC / incident response / security operations experience (or equivalent hands-on experience in a fast-paced production environment). /liliStrong ability to investigate across cloud security operations, endpoint security, identity, and core network fundamentals. /liliProficiency with at least one SIEM and common SOC tooling (e.g., Splunk/Elastic/Sentinel; CrowdStrike/Defender; Jira/ServiceNow). /liliAbility to write clear incident documentation: timelines, scope, impact, containment actions, and recommended remediations. /liliComfort operating in an on-call or shift environment (depending on coverage model).br/li /ulbNice To Have (Preferred)br/bulliDetection engineering experience: correlation rules, Sigma/KQL/SPL, alert pipelines, SOAR automation. /liliDFIR fundamentals: triage acquisition, volatile vs. non-volatile evidence, endpoint artifact analysis. /liliContainer/Kubernetes logging and runtime security exposure. /liliPractical scripting (Python/Bash) for analysis and automation. /liliDigital-asset ecosystem exposure and 24⁄7 trading operations familiarity. /liliCertifications (optional): GCIH, GCIA, GCED, SC-200, AWS Security Specialty, or equivalent.br/li /ulbWhat Success Looks Like (First 90 Days)br/bulliIndependently lead investigations for high-severity alerts with strong scoping, decisive containment, and clean cross-team coordination. /liliReduce recurrence of common incidents by driving tangible improvements (detections, playbooks, IAM hardening recommendations). /liliImprove L1 escalation quality through coaching and better runbooks. /liliDeliver measurable SOC enhancements (e.g., tuned rules reducing false positives, new detection coverage, automation that reduces triage time).br/li /ulbWorking Style We Valuebr/bulliCalm, structured response under pressure. /liliHigh ownership and strong communication across technical and non-technical stakeholders. /liliA continuous-improvement mindset: every incident becomes better detections, better controls, and better resilience. /li /ul