About AgileBlue
AgileBlue is an AI-native Security Operations platform that detects, investigates, and auto-responds to cyber threats across cloud, network, and endpoint environments. Our platform combines Sapphire AI for automated detection with 24/7 human-led investigation, built for mid-market organizations and the MSPs that serve them.
Position Overview
AgileBlue is hiring L2 SOC Analysts to handle high severity investigations that go beyond standard playbook scope. You will build incident timelines from raw logs, write your own queries to follow an investigation wherever it leads, and handle complex cases that need a real investigative approach.
You will work alongside L1 analysts on shift, pick up cases they cannot resolve, and hand off the most complex situations to the senior analyst. The job requires independent judgment. Playbooks are a starting point, not a ceiling.
What You Will Do
• Handle cases that exceed L1 scope, including complex and high-severity cases requiring open-ended investigation.
• Build incident timelines from raw logs without relying on a prescriptive playbook. Use playbooks as a reference, not a dependency.
• Investigate suspicious activity by forming hypotheses about attacker behavior based on TTPs, then testing them against available telemetry.
• Write security queries to explore beyond what the alert surface shows. Contain and disrupt threats where the situation calls for it.
• Analyze security breaches to identify root cause. Prioritize and document findings with enough detail for incident reporting and client communication.
• Communicate findings to clients through established channels with clear, accurate documentation. Surface vulnerabilities and patterns identified through daily case review.
• Execute pre-scoped threat hunts assigned by the senior analyst on shift. Document findings and escalate hits.
• Follow customer-specific playbooks and internal SOC procedures. Identify gaps and report them to senior analysts.
What We Are Looking For
• 2 to 4+ years of SOC or security operations experience, or a strong L1 analyst with a demonstrated investigative track record.
• Hands-on experience building incident timelines from raw log sources without being handed a template.
• Active experience writing KQL, EQL, or equivalent query language in a real investigation context.
• Working knowledge of attacker TTPs across the MITRE ATT&CK framework.
• Familiarity with endpoint, network, identity, and cloud log sources and what normal looks like for each.
• Clear written communication under pressure. Clients read your case notes.
Position Details
Job Type:
Full-Time Employment
Shift:
Multiple shifts available across our 24/7 operation
Location:
Cleveland, OH OR remote within the United States
Reporting To:
SOC Manager
Benefits:
Competitive base salary | 401k with company match | Unlimited PTO | Paid training and certification support | Clear, measurable path to advancement
To Apply
Submit your resume and a brief cover letter to HR@agileblue.com with 'SOC Analyst L2' as the subject line. Describe a specific investigation where you had to go beyond the playbook. Tell us what you found and how you found it.
