IT Security Analyst – Incident Response & Vulnerability Management

Operations Resources
Cardiff, Cymru / Wales, CF10 2AF, United Kingdom
Job Type: Permanent
Work Pattern: Full-time
Work Location: Hybrid
Seniority: Senior
Education: Degree
Posted: 30 Apr 2026 (Last month)

Benefits

Participation in on-call rota

Job Title: Level 3 Security Analyst – Incident Response & Vulnerability Management

Department: Service Delivery / Security

Reporting To: Security Lead / Service Delivery Manager

Operates under the direction of the Incident Manager during security incidents.

Location: UK (Hybrid). Office in Cardiff 1-2 days per week, with regular client site travel.

Working Pattern: Monday to Friday, with participation in the on-call Security and Major Incident rota as required.

Role Purpose

The Level 3 Security Analyst is responsible for the technical investigation, containment, remediation, and resolution of IT security incidents and vulnerabilities across a complex, multi-site customer estate supported by “the MSP”.

The role acts as a senior technical authority for security incidents, working alongside Incident Management, Infrastructure, Network, and Application teams to ensure security issues are resolved end-to-end, correctly documented, and do not reoccur.

Key Accountabilities – Security Incident Investigation & Response

Act as the technical lead for the investigation of security incidents across supported platforms.

Investigate malware, ransomware, account compromise, unauthorised access, suspicious activity, and security misconfiguration.

Perform detailed root cause analysis across endpoint, identity, network, and application layers.

Advise the Incident Manager on incident scope, impact, containment, eradication strategy, and recovery validation.

Drive incidents through to full technical resolution, not temporary mitigation.

Key Accountabilities – Vulnerability Management

Investigate vulnerabilities identified via scanning platforms, endpoint and cloud tooling, supplier disclosures, and audit activity.

Assess risk based on exploitability, exposure, and operational impact.

Own remediation actions end-to-end, coordinating with Infrastructure, Network, and third-party suppliers.

Validate remediation and ensure appropriate evidence is captured for assurance and audit.

Platforms & Technology Scope

End-user devices including Windows, macOS, tablets, and peripherals.

Microsoft 365 including Entra ID, Exchange, SharePoint, Defender, and endpoint protection.

Identity and Access Management including privileged and service accounts.

On-premises and cloud-hosted servers.

Network infrastructure including firewalls, switches, wireless, and WAN connectivity.

Cloud-hosted and supplier-managed applications.

Documentation, Audit & Continuous Improvement

Produce clear, technically accurate documentation covering incidents, root cause analysis, and corrective actions.

Support governance, customer assurance, and audit requirements.

Contribute to post-incident reviews and lessons learned.

Identify recurring issues and recommend long-term improvements.

Ensure incidents and vulnerabilities are correctly logged and tracked within ITSM systems.

Collaboration & Escalation

Work closely with Incident Managers, Security specialists, and Level 3 Infrastructure and Network teams.

Act as a senior escalation point for Level 1 and Level 2 teams.

Engage third-party suppliers to progress investigation and remediation.

Participate in out-of-hours response as required.

Knowledge, Skills & Experience – Essential

Proven experience in a Level 3 or Senior Security Analyst or Incident Response role.

Hands-on experience investigating and resolving incidents across endpoints, identity platforms, networks, and cloud services.

Strong understanding of malware and ransomware response, identity compromise, and vulnerability remediation.

Experience working within formal Security Incident and Major Incident processes.

Strong written documentation and stakeholder communication skills.

Knowledge, Skills & Experience – Desirable

Experience supporting multi-site or operationally sensitive environments.

Familiarity with Defender, SIEM, EDR, and vulnerability management tools.

Understanding of regulated or PCI-adjacent environments.

Relevant security certifications or equivalent experience.

Behavioural Competencies

Takes ownership from detection through to resolution.

Investigates thoroughly and challenges incomplete fixes.

Calm, methodical, and decisive during live incidents.

Understands operational and business impact.

Professional and confident when engaging customers and suppliers.

Decision Making & Authority

Makes technical decisions relating to investigation, containment, and remediation of security incidents.

Escalates risk and decision points appropriately to Incident Management and Service Delivery leadership.

Key Interfaces

Incident Management

Security Operations

Infrastructure and Network Services

Third-party suppliers

Customer stakeholders via structured incident communications


Cyber Security Jobs UK 2026: roles, salaries and the threat intelligence, cloud security and zero-trust hiring trends shaping UK cyber careers. Cyber security is one of the few sectors where demand for talent has never once dipped. Every major technological shift of the past decade — cloud migration, remote working, AI adoption, the proliferation of connected devices — has expanded the attack surface that security professionals are expected to defend. And every expansion of that attack surface has generated more jobs. But the cyber security jobs market of 2026 is not simply a larger version of what it was three years ago. It is a structurally different market. The threats have evolved, the technologies used to combat them have changed, the regulatory environment has tightened considerably, and the roles being created reflect all of that. A job seeker who understands only the cyber security landscape of 2023 is already working with an outdated map. The candidates who will thrive over the next three years are those who understand where the sector is heading — which specialisms are attracting the most investment, which technologies are reshaping defensive and offensive security practice, and how the definition of a cyber security professional is broadening well beyond the traditional image of a network defender in a SOC. This article breaks down what the UK cyber security jobs market is likely to look like through to 2028 — covering the titles emerging right now, the technologies driving employer demand, the skills that will matter most, and how to position your career ahead of the curve.