Job description

The SOC Lead (Security Operations Center & Incident Response) is responsible for leading advanced cybersecurity monitoring, detection, and response operations within a Security Operations Center environment in Riyadh, Saudi Arabia. The role involves overseeing security monitoring across SIEM platforms such as Splunk, QRadar, and ArcSight, as well as EDR, Firewalls, Azure environments, Proxy, IPS, DLP, and cloud-native security tools. The position requires developing and fine-tuning detection use cases, correlation rules, and dashboards, and conducting proactive threat hunting using MITRE ATT&CK and threat intelligence sources. The SOC Lead performs deep-dive incident investigations across endpoints, networks, Linux and Windows servers, including malware analysis, digital forensics, reverse engineering, and root cause analysis (RCA) to identify vulnerabilities and recommend remediation actions. The role includes leading containment, eradication, and recovery efforts for high-severity incidents, as well as conducting forensic analysis of compromised systems. Responsibilities extend to correlating threat intelligence with telemetry, producing intelligence reports, and strengthening detection and response capabilities. The SOC Lead mentors SOC analysts (L1/L2), develops playbooks, runbooks, and escalation procedures, and collaborates with IT, Cloud, and GRC teams to ensure compliance with regulatory frameworks such as GDPR, PCI-DSS, HIPAA, and NCA. The role requires expertise in frameworks including MITRE ATT&CK, Cyber Kill Chain, and Diamond Model, as well as scripting and automation using Python, PowerShell, and Bash. The position also supports audit, compliance, and reporting activities while ensuring SOC processes align with industry best practices and regulatory requirements.