IT Security Analyst II

An IT Security Analyst II is a mid-level cybersecurity professional responsible for monitoring, detecting, and responding to security threats across enterprise networks and systems. Operating above entry-level triage and below senior architecture roles, they own incident response investigations, conduct vulnerability assessments, tune SIEM rules, and translate technical findings into actionable remediation guidance for engineering and IT teams.

Role at a glance

Typical education: Bachelor's degree in cybersecurity, CS, or related field; or equivalent experience/certifications
Typical experience: 2–4 years
Key certifications: CompTIA Security+, CISSP, GIAC GCIH, Microsoft SC-200
Top employer types: Financial services, healthcare, critical infrastructure, defense contractors
Growth outlook: Strong, sustained demand driven by increasing breaches, ransomware, and regulatory requirements
AI impact (through 2030): Mixed — AI is compressing entry-level triage functions, driving a shift toward mid-level analysts who can oversee automated systems and handle complex escalations.

Duties and responsibilities

  • Monitor SIEM dashboards and alert queues using tools like Splunk, Microsoft Sentinel, or IBM QRadar for indicators of compromise
  • Lead Tier 2 incident response investigations — scope, contain, eradicate, and document security events from initial triage to closure
  • Conduct recurring vulnerability scans using Tenable Nessus or Qualys and prioritize findings by CVSS score and business risk
  • Write and tune SIEM correlation rules, detection logic, and alert thresholds to reduce false positives and close detection gaps
  • Perform phishing analysis and email threat investigations, including header inspection, sandbox detonation, and IOC extraction
  • Collaborate with IT engineering teams to validate patch deployment and track remediation timelines for critical vulnerabilities
  • Develop and maintain incident response runbooks and playbooks covering ransomware, credential theft, and DDoS scenarios
  • Review firewall rule sets, access control lists, and cloud security group configurations for policy violations or unnecessary exposure
  • Analyze endpoint telemetry from CrowdStrike, SentinelOne, or Microsoft Defender for suspicious process chains and lateral movement
  • Prepare written incident reports and executive summaries that communicate technical findings and business impact to non-technical stakeholders

Overview

An IT Security Analyst II sits at the operational core of an enterprise security program. They're past the entry-level phase of learning what normal traffic looks like and executing someone else's playbook — and not yet in the senior-level role of designing the detection architecture. The II designation means they own the investigation, not just the triage.

A typical day in a corporate SOC starts with a queue review: which overnight alerts were closed by the Analyst I crew, which were escalated, and which have aged without resolution. From there, the Analyst II takes ownership of anything that requires judgment — a suspicious OAuth token refresh chain that looks like credential theft, a user account exfiltrating data to an unusual cloud storage endpoint, or an EDR alert on a PowerShell invocation that the automated triage didn't close with confidence.

Vulnerability management is the other major workload thread. Scan results from Nessus or Qualys land weekly, and someone has to turn a CSV of 4,000 findings into a prioritized remediation list with business context. That's the Analyst II's job — matching CVE severity to what actually matters in this environment, talking to the Windows team about why a critical patch has been sitting open for 45 days, and escalating to management when remediation SLAs are being missed.
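As an added illustration (not from the original page), this is the kind of script an Analyst II writes to turn a raw scan export into the prioritized, SLA-aware list described above. The CSV rows, the placeholder CVE ids, the criticality and exposure weights and the SLA day counts are all constructed assumptions, not real scanner output or any vendor's scoring.

```python
import csv
import io
from datetime import date

# Constructed sample export (not real scanner output). The first five columns mirror a
# Nessus/Qualys CSV; asset_criticality and internet_facing are assumed CMDB enrichment.
SCAN_CSV = """host,plugin,cve,cvss,first_seen,asset_criticality,internet_facing
web-01,Apache httpd RCE,CVE-0000-0001,9.8,2024-01-02,high,yes
hr-db-03,SQL Server cumulative update,CVE-0000-0002,7.5,2024-02-10,high,no
kiosk-11,Adobe Reader update,CVE-0000-0003,7.8,2023-11-01,low,no
jump-02,OpenSSH info disclosure,CVE-0000-0004,5.3,2024-02-20,medium,yes
"""

# Assumed remediation policy (days allowed per severity band) and assumed business
# weights; a real program would pull both from its policy documents and the CMDB.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}
CRITICALITY_WEIGHT = {"high": 1.5, "medium": 1.0, "low": 0.6}
EXPOSURE_WEIGHT = {"yes": 1.3, "no": 1.0}

def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    return "medium" if cvss >= 4.0 else "low"

def prioritize(csv_text: str, as_of: str) -> list[dict]:
    """Order findings by business risk (CVSS x criticality x exposure) and flag
    SLA breaches separately, so a low-priority item can still show as overdue."""
    today = date.fromisoformat(as_of)
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        cvss = float(r["cvss"])
        sev = severity(cvss)
        days_open = (today - date.fromisoformat(r["first_seen"])).days
        rows.append({
            "host": r["host"], "cve": r["cve"], "severity": sev,
            "priority": round(cvss * CRITICALITY_WEIGHT[r["asset_criticality"]]
                              * EXPOSURE_WEIGHT[r["internet_facing"]], 2),
            "days_open": days_open,
            "sla_breached": days_open > SLA_DAYS[sev],
        })
    return sorted(rows, key=lambda x: x["priority"], reverse=True)

if __name__ == "__main__":
    for item in prioritize(SCAN_CSV, "2024-03-01"):
        flag = "OVERDUE" if item["sla_breached"] else "within SLA"
        print(f"{item['priority']:6.2f} {item['host']:9} {item['cve']} {item['severity']:8} {item['days_open']:>4}d {flag}")
```

Note that the kiosk finding has a higher CVSS than the jump host's but lands last on priority because of its low asset criticality, while still being flagged as overdue against the 30-day SLA; that separation is what lets the analyst report both risk and process failures to management.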

Rule tuning is less visible but equally important. A SIEM that generates 800 alerts per shift teaches analysts to ignore the queue. The Analyst II is expected to identify noisy, low-fidelity rules, propose threshold adjustments, and work with the security engineering team to get them into production. Over time, this kind of systematic tuning is what makes a SOC function rather than just exist.

The writing requirement is real and underestimated by candidates. After a significant incident, someone has to produce a document explaining what happened, how the attacker moved, what data was exposed, and what the organization is doing about it — in language that a CFO or general counsel can read. Analysts who write clearly move up; analysts who communicate only in technical shorthand plateau.

Qualifications

Education:

  • Bachelor's degree in cybersecurity, computer science, information systems, or a related technical field is the standard expectation at most employers
  • Candidates without a degree who hold CISSP, GIAC certifications, or equivalent demonstrated experience are increasingly competitive, particularly at security-focused firms
  • Military cyber (17C, 25D, Navy CTN) backgrounds translate well and are actively recruited by defense contractors

Experience:

  • 2–4 years of hands-on security operations experience, including at least one year performing Tier 2 or higher incident investigations
  • Prior exposure to SIEM platforms — Splunk, Microsoft Sentinel, QRadar, or LogRhythm — at an investigation level (not just viewing dashboards)
  • Demonstrated experience with at least one EDR platform: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint

Certifications (in priority order for most employers):

  • CompTIA Security+ (entry baseline, often required)
  • CISSP (strongly preferred for roles with compliance and program scope)
  • GIAC GCIH or GCFE (incident handling and forensics — highly valued in investigation-heavy roles)
  • OSCP or CEH (valued where penetration testing mindset is part of the analyst's scope)
  • Cloud security certs (AWS Security Specialty, Microsoft SC-200) are increasingly relevant as workloads shift

Technical skills:

  • SIEM query languages: Splunk SPL, KQL for Sentinel, AQL for QRadar
  • Network traffic analysis: Wireshark, Zeek, NetFlow interpretation
  • Threat intelligence platforms: MISP, OpenCTI, VirusTotal Enterprise, Recorded Future
  • MITRE ATT&CK framework — mapping detections and incidents to tactics and techniques
  • Scripting for automation: Python or PowerShell at a functional level (not software engineering, but enough to automate IOC lookups or log parsing)
  • Cloud security fundamentals: AWS CloudTrail and GuardDuty, Azure Defender, GCP Security Command Center

Soft skills that matter:

  • Clear written and verbal communication — the ability to explain a complex attack chain to a non-technical audience without losing accuracy
  • Calm, methodical decision-making during active incidents when pressure to act fast competes with the need to act correctly
  • Intellectual curiosity about attacker behavior — analysts who read threat intel and track adversary campaigns outperform those who only react to alerts

Career outlook

Demand for cybersecurity analysts has been growing for a decade and shows no credible sign of reversing. The number of publicly disclosed breaches, ransomware incidents, and regulatory enforcement actions keeps security budget prioritized even in economic downturns when other IT headcount gets frozen.

The Analyst II level specifically is where supply is tightest. Entry-level candidates are plentiful — bootcamp graduates and Security+ holders apply in volume. Senior analysts and architects are expensive and selective. The mid-level practitioner who can independently run an investigation, tune a SIEM, and communicate findings to leadership is genuinely scarce, and employers know it.

Sector-specific demand: Financial services firms under DORA, GLBA, and SEC cybersecurity disclosure rules are expanding SOC headcount to meet documentation and response-time requirements. Healthcare organizations facing HIPAA breach notification timelines need analysts who can scope incidents quickly. Critical infrastructure operators — utilities, water systems, transportation — are hiring under TSA and CISA directives that now mandate 24-hour incident reporting.

AI and automation impact: The honest picture is that AI is compressing the lower end of the analyst function. Alert triage that once consumed 60% of an Analyst I's shift is increasingly handled by automated playbooks and AI-assisted prioritization. This is accelerating the bifurcation of the role: organizations that were staffing three Analyst Is now want one Analyst II who can oversee the automated system and handle what it escalates. For people currently at the Analyst I level, the path to II needs to accelerate.

Remote work: Cybersecurity is one of the more remote-friendly IT disciplines. Many organizations run fully distributed SOC operations with analysts working from home on secured workstations. The exception is cleared work — roles requiring TS/SCI or work with classified systems require on-site presence at SCIFs, which limits geographic flexibility but significantly increases compensation.

Compensation trajectory: An Analyst II who progresses to senior analyst or SOC lead within 3–4 years can expect to push past $130K in most major markets. Threat hunting specialists and cloud security engineers with a SOC foundation consistently land in the $120K–$150K range. The CISO career path from the analyst track is a longer road but remains one of the better-compensated executive trajectories in technology.

Sample cover letter

Dear Hiring Manager,

I'm applying for the IT Security Analyst II position at [Company]. I've spent three years in the security operations center at [Current Employer], starting as an Analyst I handling Tier 1 triage and advancing to Tier 2 investigation ownership over the past 18 months.

My day-to-day work centers on Splunk-based investigation and incident response. I own roughly 15–20 escalated cases per week — credential-based intrusion attempts, endpoint anomalies from our CrowdStrike deployment, and the occasional confirmed incident that requires a formal post-incident report. Last quarter I led the investigation and response to a business email compromise attempt that had bypassed our email gateway; I traced the OAuth token abuse back to a phishing kit hosted on a compromised vendor domain, coordinated with IT to revoke the affected sessions, and produced the executive summary for the CISO within six hours of initial detection.

On the detection engineering side, I've been responsible for tuning our Splunk correlation rules over the past year. When I took over that responsibility, our SOC was averaging 340 alerts per analyst per shift — most of them low-fidelity noise. I systematically worked through the top 20 rules by alert volume, adjusted thresholds using 90-day baseline data, and retired four rules entirely that had never produced a true positive. Alert volume dropped 38% within 60 days without a single missed incident in the following quarter.

I hold CompTIA Security+ and GIAC GCIH, and I'm currently preparing for the Splunk Core Certified Power User exam. I'm looking for a role with more cloud security exposure — specifically AWS GuardDuty and CloudTrail investigation — and your team's AWS-heavy environment looks like the right fit.

I'd welcome the opportunity to discuss what you're working on.

[Your Name]

Frequently asked questions

What separates an Analyst II from an Analyst I in practice?

An Analyst I primarily executes playbooks — triaging alerts, escalating tickets, and following documented procedures. An Analyst II owns the investigation from detection through closure, writes or modifies the playbooks, and is expected to handle novel incidents without step-by-step guidance. They're also typically responsible for mentoring Analyst I staff and presenting findings to IT management.

Which certifications matter most for an IT Security Analyst II role?

CompTIA Security+ is the floor for most employers — it demonstrates baseline knowledge but rarely differentiates candidates at this level. CISSP signals broad security program knowledge and is heavily weighted by large enterprises and government contractors. For hands-on technical credibility, OSCP (offensive) or GCIH/GCFE (incident handling/forensics) from GIAC carry the most weight with hiring managers who care about actual investigation skill.

How is AI changing the day-to-day work of a Security Analyst II?

AI-assisted triage in tools like Microsoft Copilot for Security and Splunk AI is absorbing much of the routine alert correlation that Analyst I and II roles handled manually. This shifts the Analyst II's value toward judgment calls — determining whether an AI-surfaced finding is a true positive, understanding attacker TTPs that automated tools miss, and designing detection logic that catches what the models don't. Analysts who can work with AI tooling rather than around it are advancing faster.

Do IT Security Analyst II roles require on-call availability?

Most enterprise security operations centers run 24/7, and Analyst II staff are frequently included in on-call rotations for Severity 1 incidents outside business hours. SOC-model organizations typically compensate this through shift differentials or on-call pay. In-house corporate security teams with smaller headcount often have a heavier on-call burden per analyst than larger SOC operations.

What is a realistic career path from Security Analyst II?

The two most common trajectories are deeper technical specialization — moving into threat hunting, digital forensics, penetration testing, or cloud security architecture — or a shift toward security management, including SOC lead, security engineering manager, or eventually CISO track roles. Analysts who develop strong written communication and business fluency alongside their technical skills tend to advance faster in larger organizations.