Cloud Security Analyst II

Cloud Security Analyst II is the mid-career inflection point in cloud security operations — the level where practitioners transition from working through defined procedures to handling novel situations independently and contributing to the team's collective capability.

At the core, the Analyst II is still doing threat detection and incident response. They monitor alerts, investigate events, and contain threats. The difference is the complexity of what they're expected to handle independently. A Level II analyst leads the investigation on a sophisticated incident — an IAM credential compromise that spans multiple accounts and involves lateral movement across cloud services — rather than handing it off when the playbook runs out. They make containment decisions under time pressure, manage the stakeholder communication, and produce the post-incident report.

Threat hunting is where Analyst II practitioners distinguish themselves. Automated detection catches known attack patterns; hunters look for attacker behavior that doesn't match existing rules. At this level, analysts should be able to form hypotheses about what attacker activity might look like in their environment, translate those hypotheses into log queries, and pursue findings that are ambiguous enough that a junior analyst wouldn't know whether they were significant. The ability to find things that weren't being looked for is what advances practitioners from mid-level to senior.

Detection engineering is the other growth area. Writing detection rules — not just deploying ones that came with the SIEM — requires understanding both the attack technique being detected and the characteristics of normal behavior that the rule needs to avoid flagging. Tuning an existing rule to reduce false positives without reducing true positive coverage is harder than it looks and represents a skill that Analyst II practitioners are expected to develop.

Mentorship rounds out the role. Level II analysts are typically a resource for Level I analysts on difficult investigations, and the experience of explaining security concepts and investigative approaches to less experienced colleagues deepens the Analyst II's own understanding.

Education:

• Bachelor's degree in computer science, information security, or related field
• Equivalent experience accepted at most employers if certifications and portfolio of work are strong

Certifications:

• AWS Certified Security Specialty — standard expectation at this level for AWS environments
• Azure Security Engineer Associate (AZ-500) — equivalent for Azure-focused roles
• SANS GIAC GCIH or GCIA — respected in the incident response community
• CompTIA CySA+ — useful if still working toward GIAC or cloud-specific certs

Experience:

• 3–6 years in security operations or cloud security roles
• Demonstrated independent incident response — cases where the analyst led the investigation without a playbook
• Evidence of detection engineering work: custom rules written, false positive rates improved, new detection categories built

Technical skills:

• Log analysis: CloudTrail, Azure Activity Logs, GCP Audit Logs — complex multi-hop query patterns
• SIEM proficiency: Splunk SPL, KQL for Sentinel, or equivalent — intermediate to advanced query construction
• Cloud attack techniques: MITRE ATT&CK for Cloud — at least 20–30 techniques at working knowledge level
• Forensic skills: container snapshot analysis, log-based timeline reconstruction, IAM policy path analysis
• Detection rule development: Sigma, KQL, Splunk SPL, YARA-L — writes and validates new rules
• Programming: Python for log processing, custom detections, and tooling automation at intermediate level

Soft skills:

• Clear incident communication to technical and non-technical stakeholders under pressure
• Patience and structure for mentoring less experienced analysts
• Ability to write clear, evidence-based investigation reports

The Cloud Security Analyst II level is the first rung where practitioners have enough specialized knowledge to command meaningful compensation premiums and enough independence to be genuinely productive without close supervision. It's also the level where retention becomes a challenge for employers — Analyst II practitioners are experienced enough to be attractive to competing organizations, and turnover at this level is expensive.

Demand at the mid-level is strong. Organizations that are investing in cloud security programs need analysts who can operate independently and who don't require months of development before contributing. The pipeline from Analyst I to Analyst II is long — 3–4 years of development — which constrains supply and keeps compensation above what the title alone might suggest.

Specialization is becoming more valuable at this career stage. Cloud security is broad enough that practitioners who develop deep expertise in a specific area — IAM security, container security, detection engineering, cloud forensics — command higher compensation than generalists. The specialization also differentiates candidates in competitive hiring processes.

The threat landscape continues to evolve, which keeps the work technically challenging. Cloud credential theft, supply chain attacks on cloud-deployed applications, and AI model abuse are all emerging attack categories that require analysts to continuously develop new skills. Practitioners who approach this requirement as an opportunity rather than a burden tend to advance faster.

From Analyst II, the typical progressions are Senior Cloud Security Analyst, Detection Engineer, Threat Hunter, or Cloud Security Architect. Management tracks open at the senior level for those who develop the organizational skills to complement their technical depth. At large financial services and technology companies, senior and principal individual contributors reach $160K–$190K before accounting for bonuses — making the technical track financially competitive with management alternatives.

Dear Hiring Manager,

I'm applying for the Cloud Security Analyst II position at [Company]. I've been a cloud security analyst at [Current Company] for three and a half years — the first year focused on getting comfortable with the environment and our tooling, and the last two and a half years taking ownership of our more complex investigations and contributing to our detection improvement program.

The investigation I'm most proud of was a credential compromise that started as a single GuardDuty finding and expanded into a two-week investigation across four AWS accounts. I traced the initial credential exposure to an overly permissive CI/CD pipeline permission, followed the lateral movement through CloudTrail across three accounts, identified two instances where the attacker had staged data for exfiltration without actually exfiltrating it, and documented the full attack path in a 15-page investigation report. The CISO presented the report to the board's audit committee as an example of our security program's detection capability.

On the detection side, I've written 11 custom detection rules over the last year — eight for CloudTrail anomaly patterns and three for container runtime behavior. The most impactful was a rule that detects IMDS credential access followed within 60 seconds by cross-account STS assume-role calls — a pattern that indicates automated exploitation rather than legitimate infrastructure behavior. It caught two incidents in its first three months.

I'm looking for a role where I can deepen my Azure security skills — currently about 80% of my experience is AWS — and work alongside senior practitioners who are doing advanced threat hunting work.

I'd welcome a conversation.

[Your Name]