As a senior member of the SOC team supporting the Virginia Information Technology Agency (VITA), the Tier III analyst serves as the primary escalation authority for high-severity security incidents and owns the full escalation chain from initial triage through containment, remediation, and post-incident review. A core function of this role is building and maintaining operational Splunk dashboards, automated detection workflows, and correlation searches that improve SOC efficiency and threat visibility. The Tier III analyst brings deep hands-on experience working in Splunk at an advanced level and provides threat hunting and incident response expertise across the team. The role may also require mentoring junior analysts and operating third-party toolsets within the client environment.

RESPONSIBILITIES:

A day in the life of a Cyber Security Analyst Tier III:

Incident Response & Threat Operations

• Lead complex investigations and incident response (Tier III ownership): pivoting across identity, endpoint, network, email, cloud, and SaaS telemetry to drive containment and remediation
• Provide expertise with Indicators of Compromise (IOCs), Tactics, Techniques, and Procedures (TTPs), threat hunting, and threat intelligence; own customer-facing escalation and remediation activities
• Recognize successful and unsuccessful intrusion attempts; triage security events and accurately prioritize and escalate incidents per established runbooks
• Detect the full spectrum of known cyberattacks (DDoS, malware, phishing, ransomware, and others) and correlate events across capabilities to identify attacks and breaches
• Examine malware analysis reports to correlate similar events across incidents; document and report actions taken by malicious actors in customer networks
• Recommend appropriate methods of system remediation and threat mitigation; prepare incident reports detailing analysis methodology and results

Splunk Operations & Automation

• Build, maintain, and optimize Splunk dashboards and reports that provide operational visibility into threat activity, SOC performance metrics, and incident trends for analysts and leadership
• Develop and maintain automated detection workflows, correlation searches, and alert actions in Splunk to reduce analyst workload, minimize false positives, and accelerate response to high-priority threats
• Write and maintain SPL searches, scheduled reports, and lookup-driven workflows; leverage scripting (Python, PowerShell) to extend Splunk capabilities and support security automation where needed
• Conduct log and system analysis for network and security devices; create and update detection rules and signatures in security tools and applications
• Document emerging threat intelligence and reported IOCs for security tool integrations

Detection Tuning & Compliance Alignment

• Align detections and logging with frameworks and controls: NIST 800-53, NIST CSF, PCI DSS, HIPAA, and SOX as applicable to the customer environment
• Develop and tune detection content including use cases, correlation rules, and alert logic to improve fidelity and reduce noise across the SOC environment
• Analyze and act on intelligence information to secure customer networks and devices

Automation & Scripting

• Working knowledge of scripting (Python, PowerShell, or Bash) for security automation, log parsing, and workflow integration; ability to read and modify scripts to support SOC operations
• Support automation efforts that reduce manual analyst burden, improve detection fidelity, and accelerate incident response timelines.

Leadership & Mentorship

• Document and maintain runbooks and playbooks; mentor Tier I/II analysts as needed and contribute to post-incident retrospectives and continuous detection improvements
• Develop lessons learned documentation, reporting, and SOPs for incident response
• Serve as team/task lead as required; coach less-experienced analysts and model best practices across the escalation chain
• Maintain current understanding of cybersecurity best practices and motivate team members to expand knowledge and capabilities

REQUIRED QUALIFICATIONS:

• Technical Training, Certification(s), or Degree
• 8 or more years of experience in cybersecurity operations
• Splunk experience advanced SPL, dashboard development, automated alerting, and correlation search creation in an operational SOC environment
• CyberArk experience privileged access management in a government or enterprise SOC environment
• Qualifying certification to meet DoW 8140/DCWF CSSP Analyst requirements within 6 months of start: CEH, CFR, CCNA Cyber Ops, CCNA-Security, CySA+, GCIA, GCIH, GICSP, Cloud+, SCYBER, or PenTest+

Location: On-site at GDIT's Integrated Technology Center in Bossier City, LA

GDIT IS YOUR PLACE
At GDIT, the mission is our purpose, and our people are at the center of everything we do.

Growth: AI-powered career tool that identifies career steps and learning opportunities
Support: An internal mobility team focused on helping you achieve your career goals
Rewards: Comprehensive benefits and wellness packages, 401K with company match, and competitive pay and paid time off
Flexibility: Full-flex work week to own your priorities at work and at home
Community: Award-winning culture of innovation and a military-friendly workplace