Level 2 Cybersecurity Analyst (JHB)

  • Full-time
  • Johannesburg
  • South Africa

Summary of Role

As cyber threats continue to grow in sophistication and scale, Level 2 Cybersecurity Analysts act as elite responders and investigators, leading tactical responses to incidents, shaping detection strategies, and mentoring frontline analysts. You are not only a digital detective but also a strategic defender, ensuring that both internal and client systems remain resilient against evolving attack vectors.

Working closely with SIEM, EDR, and threat intelligence tools, you proactively hunt for threats, lead containment efforts, and perform in-depth root cause analyses. This role demands a strong analytical mindset, hands-on technical ability, and the confidence to make decisions that mitigate business and operational risk.

Why this role matters

While Level 1 Cybersecurity Analysts serve as the initial barrier to threats, it’s the Level 2 Cybersecurity Analyst who steps in when the stakes are highest, handling complex incidents, advanced persistent threats, and gaps in detection coverage. You provide depth to the team’s expertise, guide investigations, fine-tune tooling, and ensure incidents are not just resolved but understood. Without Level 2 expertise, response efforts may falter in high-pressure scenarios, and critical vulnerabilities may go unpatched, leaving systems exposed.

Key Responsibilities

Advanced Threat Monitoring and Detection

  • Proactively monitor security events across multiple data sources, including SIEM platforms, EDR systems, firewall logs, VPNs, authentication platforms, and email gateways.
  • Detect and validate emerging threats by analyzing behavioral patterns, anomalous logins, endpoint activity, and unusual file access or data movements.
  • Identify subtle threat signals (low-and-slow attacks, living-off-the-land techniques) that are typically missed by automated detection mechanisms.
  • Develop and fine-tune detection rules, alert thresholds, and dashboards in SIEM to improve precision and reduce false positives.

Incident Response and Management

  • Lead the end-to-end response to high-priority or complex security incidents, including containment, eradication, recovery, and post-incident analysis.
  • Coordinate incident triage efforts by validating alerts, correlating data, and assigning severity ratings based on impact and scope.
  • Manage incident communications with internal stakeholders, clients, and external vendors as needed during active threats.
  • Ensure each incident is fully documented in a standardized and compliant manner, with lessons learned captured in post-mortem reviews.
  • Drive continuous improvements to incident response procedures by updating playbooks, automating common tasks, and integrating new threat intelligence.

Root Cause Analysis and Forensics

  • Conduct in-depth investigations to uncover the source and method of attacks, including user behavior, malicious scripts, or third-party tool compromise.
  • Perform forensic analysis on infected systems, memory dumps, and file systems to extract IOCs, persistence mechanisms, and attacker footprints.
  • Determine how threats entered the environment (e.g., phishing, credential stuffing, RDP exploitation), and identify lateral movement techniques used.
  • Recommend compensating controls to prevent recurrence, including hardening, patching, or segmentation strategies.

Threat Hunting and Intelligence Application

  • Initiate threat hunting campaigns using hypotheses based on threat intelligence, environmental changes, or behavioral baselining.
  • Leverage frameworks like MITRE ATT&CK to guide detection coverage assessments and hunting exercises.
  • Enrich investigations using open-source and commercial threat intelligence platforms to correlate observed IOCs with global campaigns.
  • Translate global threat data into actionable alerts, detection rules, or preventive recommendations tailored to client environments.

Endpoint and Network Defense

  • Monitor and respond to endpoint security alerts generated by EDR and other EPP solutions.
  • Identify and stop active malware infections, command-and-control connections, ransomware execution, or policy violations in real-time.
  • Configure and manage endpoint protection policies (e.g., blocking known TTPs, applying tamper protection, enabling rollback features).
  • Collaborate with network teams to block malicious IPs/domains, isolate infected segments, and monitor traffic for exfiltration attempts.

Security Technology Optimization

  • Administer and continuously improve the security stack, including SIEM, EDR, SOAR, phishing platforms, and log pipelines.
  • Tune existing detection rules and build new ones based on observed trends, attack surface changes, or client-specific risks.
  • Evaluate and test new security technologies (sandboxing, DLP, DNS filtering, deception tools) for potential integration into the SOC stack.
  • Identify and fix telemetry gaps by improving agent deployment, log forwarding coverage, and data normalization.

Email Security and Social Engineering Defense

  • Investigate advanced email-based threats such as BEC (Business Email Compromise), spear-phishing, and payload-less campaigns.
  • Correlate email IOCs with endpoint or authentication anomalies to identify credential theft or initial access.
  • Work with users to gather additional context about suspicious communications and provide tailored security education.
  • Drive phishing simulation programs for clients and internal teams, analyzing results to improve resilience and training content.

Case Management and Escalation Handling

  • Own and manage cases through their full lifecycle, ensuring SLA adherence, proper documentation, and timely resolution.
  • Serve as the escalation point for Level 1 Cybersecurity Analysts, validating their findings, providing guidance, and ensuring accurate classification.
  • Write and review detailed case notes, including timelines, TTP mapping, evidence attachments, and resolution paths.
  • Ensure all escalations are based on objective criteria and accompanied by sufficient context and triage data.

Collaboration and Communication

  • Liaise with infrastructure, networking, application, and compliance teams to ensure coordinated responses to cross-domain incidents.
  • Serve as a cybersecurity representative in change control boards and architecture planning where risk assessments are needed.
  • Communicate investigative findings clearly in both technical and executive formats, tailoring language to audience expertise.
  • Participate in client meetings to explain incident impact, threat posture, and long-term security strategy recommendations.

Training, Mentorship, and Knowledge Sharing

  • Mentor junior analysts on investigative techniques, threat modeling, and tool usage through regular shadowing, walkthroughs, and feedback loops.
  • Contribute to the development and refinement of internal knowledge bases, response templates, and decision trees.
  • Deliver internal briefings on significant incidents, emerging threats, or new tooling integrations.
  • Support upskilling by designing or facilitating training sessions and lab simulations for the SOC team.

Process Development and Continuous Improvement

  • Identify process gaps in the SOC’s detection, response, and escalation workflows and propose remediation.
  • Lead initiatives to automate repetitive tasks using scripting, playbooks, or SOAR integrations.
  • Track and report on key SOC metrics (MTTD, MTTR, false positive rates, escalation rates) and use them to refine team performance.
  • Contribute to tabletop exercises and red/blue team exercises to validate processes and readiness.

Compliance, Audit, and Documentation

  • Ensure security events and responses are documented in alignment with client requirements and regulatory standards (e.g., GDPR, ISO 27001, POPIA).
  • Support audit efforts by collecting relevant evidence, preparing compliance artifacts, and contributing to policy updates.
  • Maintain documentation on detection rules, escalation thresholds, and tool configurations for SOC transparency and continuity.

Knowledge Requirements

  • Understanding of attacker TTPs, digital forensics, threat intelligence, and lateral movement detection.
  • Skilled in building correlation rules, dashboards, and custom alert logic within tools like Splunk.
  • Ability to dissect malware behavior, persistence techniques, and network traffic patterns.
  • Skilled in hypothesis-driven investigation and behavior-based detection models.
  • Understanding of CVE/CVSS scoring, patch cycles, and prioritization of risk mitigation.
  • Knowledge of secure network design, segmentation, and access control strategies.
  • Familiarity with securing Microsoft 365, Azure, and common SaaS platforms.
  • Working knowledge of GDPR, ISO 27001, NIST CSF, and other relevant standards.

Skills Requirements

  • Strong analytical skills with the ability to correlate events and distinguish noise from true threats.
  • Proficiency in scripting (e.g., Python, PowerShell) for automation, data parsing, or IOC enrichment.
  • Ability to build threat models and advise on security control enhancements.
  • Excellent written and verbal communication—able to explain complex issues clearly to both technical and non-technical audiences.
  • Strong decision-making under pressure, especially in critical response scenarios.
  • Skilled in ticket and incident lifecycle management in platforms such as Jira, ServiceNow, or ConnectWise.

Experience Level Required

  • 3–5 years in a security operations, SOC, or cybersecurity-focused role.
  • Prior experience leading investigations and handling high-priority incidents independently.
  • Demonstrated experience working with SIEM and EDR tools in production environments.
  • Experience working with managed services clients (MSP/MSSP experience is highly advantageous).

Competency Requirements

  • Ability to think like an attacker, understanding how threat actors infiltrate, persist, and evade detection.
  • Demonstrated ability to collaborate cross-functionally under tight timelines.
  • Deep knowledge of MITRE ATT&CK, threat intelligence platforms, and security automation practices.
  • Strong sense of ownership and accountability for decisions, escalations, and remediation outcomes.

Behavioural Requirements

  • Capable of mentoring junior analysts and leading incident response teams.
  • Maintains calm and objectivity in high-pressure environments.
  • Maintains confidentiality and ethical handling of sensitive data.
  • Constantly learning and staying ahead of evolving threats.
  • Perseveres through complex investigations and uncertain threat scenarios.

Qualifications / Certifications

Required or Equivalent Experience:

  • CompTIA Security+
  • CompTIA CySA+
  • Microsoft SC-200 or SC-900

Advantageous:

  • GIAC Certified Incident Handler (GCIH)
  • Certified SOC Analyst (CSA)
  • CompTIA CASP+
  • Azure Security Engineer Associate (AZ-500)
  • Any practical threat hunting or malware analysis training

Our value to you

At Numata, we’re not just a global IT services company: we are the #1 Business Technology Strategists for SMEs, and a people-first business that believes in the power of growth, support, and shared success. Our mission is to create a dynamic, empowering workplace where innovation meets integrity, and where every individual can thrive personally and professionally.

We believe your growth is our growth. That’s why we fund training and development programs, helping you gain certifications and build new skills without the financial burden. With career pathways and opportunities to promote from within, your potential at Numata knows no limits. As part of a globally recognized and rapidly scaling business, you’ll gain exposure to cutting-edge experiences. This isn’t just a job; it’s your gateway to a world of opportunity.

We equip our team with world-class tools and infrastructure, whether you're working remotely or from our offices. With premium IT support and the latest tech, we make it easy for you to do your best work, every day. Our offices are more than just places to work; they’re environments designed to energize and inspire. Enjoy fresh fruit, premium coffee, popcorn, a vending machine, secure parking, and a space built around people’s needs and comfort. It’s truly a home away from home!

At Numata, integrity, honesty, respect, and trust are more than just words; they’re values we live by. We foster a collaborative, team-first environment with open-door leadership and real opportunities to connect, including regular initiatives like Lunch with the CEO. Got ideas? We’re listening. Innovation is everyone’s responsibility here. You’ll be empowered to share your voice, drive change, and shape the future of our business, no matter your role.

We care for our people beyond the workplace. Enjoy comprehensive benefits including fair compensation structures, medical insurance, disability cover, annual bonuses, and access to a dedicated counselling psychologist through our Employee Assistance Programme. From a healthy social calendar, monthly team meetings, and celebrations of birthdays and milestones to leadership coaching and recognition programs, we make it a priority to celebrate achievements, big and small.

We’re growing the next generation of leaders. With access to mentorship, leadership development programs, and executive coaching, we help you step confidently into every stage of your professional journey.

Why Join, and Stay, with Numata?

Because at Numata, you’re not just doing a job. You’re building a career, doing whatever it takes, making an impact, and becoming part of a supportive, ambitious community that grows together.

Numata is where your potential meets purpose. Let’s grow together!

Visit our website for more information about us:

Business Technology Strategists for SMEs | Numata

Interested?

We’re excited to meet passionate individuals who are ready to make a real impact and grow with us. If this sounds like the opportunity you’ve been looking for, we’d love to hear from you! Apply today and let’s start the conversation!