Job Specifications
Methods is a £100M+ IT Services Consultancy who has partnered with a range of central government departments and agencies to transform the way the public sector operates in the UK. Established over 30 years ago and UK-based, we apply our skills in transformation, delivery, and collaboration from across the Methods Group, to create end-to-end business and technical solutions that are people-centred, safe, and designed for the future.
Our human touch sets us apart from other consultancies, system integrators and software houses - with people, technology, and data at the heart of who we are, we believe in creating value and sustainability through everything we do for our clients, staff, communities, and the planet.
We support our clients in the success of their projects while working collaboratively to share skill sets and solve problems. At Methods we have fun while working hard; we are not afraid of making mistakes and learning from them.
Predominantly focused on the public-sector, Methods is now building a significant private sector client portfolio.
Methods was acquired by the Alten Group in early 2022. Alten is a global engineering firm with approximately 57,000 employees specializing in engineering and IT services.
Role summary
As a Level 2 SOC Analyst, you are the senior technical responder within the secure operations team, responsible for owning security incidents end-to-end using the Microsoft security platform.
You will act as the escalation point for Level 1 analysts and as the technical lead during active incidents, conducting deep investigations across Microsoft Sentinel, Microsoft Defender XDR, and Entra ID to validate threats, contain attackers, and coordinate remediation.
Alongside incident response, you will drive continuous improvement of detection quality, playbooks, automation, and analyst capability to ensure the SOC operates at a consistently high standard. You also act as a senior technical leader within the SOC, contributing to the maturity, evolution, and operational effectiveness of SOC, MDR, and XDR services.
Key Responsibilities
Incident investigation & response (primary focus)
Act as a escalation point for all security alerts raised by Level 1 analysts
Validate incidents and determine severity, scope, root cause, and business impact
Lead technical investigations using:
Microsoft Sentinel (KQL, analytics rules, workbooks, hunting)
Microsoft Defender XDR (Endpoint, Identity, Office 365, Cloud Apps)
Entra ID (Azure AD) sign-in and audit logs
Correlate identity, endpoint, email, and cloud activity to reconstruct attack chains and timelines
Own incidents through:
Identification
Containment
Eradication coordination
Recovery validation
Post-incident review and documentation
Execute or coordinate containment actions including:
Device isolation via Defender for Endpoint
Account disablement and credential resets
Revocation of tokens and sessions
Blocking malicious indicators
Email purge/quarantine via Defender for Office 365
Conditional Access policy enforcement
Produce high-quality incident records including:
Evidence and KQL queries used
Actions taken
Root cause analysis
MITRE ATT&CK mapping
Lessons learned and improvement actions
SOC operations & stakeholder communication
Serve as technical incident lead during major security events
Provide accurate, timely updates to IT, security leadership, and affected teams
Maintain clear case management, documentation, and shift handovers within Sentinel/ITSM tooling
Contribute to operational reporting:
Incident volumes
Time to detect / contain
Alert fidelity
Repeat incident drivers
Participate in a business-hours operating model with an on-call rotation for out-of-hours incidents
Act as a trusted technical point of contact for SOC service discussions, supporting leadership in understanding risk, response options, and technical trade offs during live incidents
Detection engineering & continuous improvement (Microsoft-focused)
Tune Sentinel analytics rules to reduce false positives and missed threats
Improve correlation logic, entity mapping, and severity scoring
Develop and maintain:
Sentinel investigation playbooks
Incident response runbooks
Triage guides for Defender alerts
Build and refine SOAR workflows using Logic Apps / Sentinel automation rules
Perform quality assurance on Level 1 investigations and provide structured coaching feedback
Introduce threat-informed detection improvements based on real incidents and Microsoft threat intelligence
Take ownership of defined components of the SOC, MDR, or XDR service, ensuring they are operationally effective, well documented, and aligned to current threat and platform capabilities
Identify gaps in detection coverage, tooling, or process maturity and propose practical, Microsoft aligned improvements
Support service innovation by evaluating and piloting new Microsoft security features, detection approaches, and automation capabilities, assessing their operational value before wider adopt