Cybersecurity Analyst Resume Summary Examples

Tier 1 SOC analyst with 14 months at a managed-services provider, triaging 40-60 daily alerts/shift in Splunk Enterprise Security and CrowdStrike Falcon for two financial-services clients. Investigated and escalated 20+ confirmed incidents in the last quarter (phishing, credential abuse mapped to MITRE T1078, lateral-movement attempts via T1021), authored 6 runbook updates that cut median triage time on the Windows logon-anomaly playbook from 9 to 4 minutes. Security+ and CySA+ certified, currently working on GCIH. Looking for a Tier 1-to-Tier 2 SOC role on an internal team where I can move from triage into investigation ownership.

IT support analyst pivoting into security operations after 4 years at a 600-employee SaaS company, where I owned the helpdesk security-flagged ticket queue (phishing reports, suspicious logins, lost-device IR) and worked alongside the SOC on 30+ confirmed incidents. Authored a Splunk dashboard that surfaced anomalous OAuth grants (mapped to MITRE T1098.001) which the SOC adopted as a standing detection. Security+ certified, completed the TryHackMe SOC Level 1 path and the Blue Team Level 1 (BTL1) cert in 2025. Looking for a Tier 1 SOC analyst role where the helpdesk triage discipline I have already done in a security context can keep growing.

Cybersecurity graduate (BS in Cybersecurity, 2025) with two completed internships at regional MSSPs and a documented home lab running Security Onion + Wazuh on Proxmox, where I have authored 14 custom Sigma rules covering MITRE T1059.001 (PowerShell), T1547.001 (registry run keys), and T1003 (credential dumping) and validated each against Atomic Red Team. Triaged 200+ alerts during my last internship using QRadar and SentinelOne; co-authored the team intern-onboarding runbook. Security+ certified, top-1.5% on TryHackMe with completed SOC Level 1 path. Looking for a Tier 1 SOC analyst role on a team that still does some manual hunting alongside automation.

Junior systems administrator pivoting into security after 3 years managing Active Directory, Windows Server, and Microsoft 365 for a 1,400-employee manufacturing org. Owned the post-incident remediation work after our 2024 ransomware attempt — rebuilt 80+ endpoints, rotated 1,200 service-account credentials, and partnered with the IR firm on the timeline reconstruction (later mapped to MITRE T1486 for impact and T1003.001 for credential access). Security+ certified, in-progress GCIH; comfortable in KQL for Sentinel queries from Defender for Endpoint. Looking for a Tier 1 SOC analyst role at an org where the sysadmin context (AD, Entra ID, M365) is the threat surface I already understand best.

US Army Signal Corps veteran (E-5, 6 years active) transitioning into civilian SOC analyst work after running a tactical network operations center supporting 800 users in deployed environments. Trained on cyber-defense fundamentals through the DoD 8570 baseline (Security+) and the SkillBridge cybersecurity track; completed a 14-week internship at a defense-contractor SOC where I triaged alerts in Splunk, mapped 40+ alerts to MITRE ATT&CK (most often T1110.001 password-guessing and T1190 public-facing exploit), and contributed to the daily threat-intel brief. Active Secret clearance. Looking for a Tier 1 SOC analyst role at a federal contractor or financial-services SOC.

Senior cybersecurity analyst with 8 years across MSSP and internal SOC roles; current Tier 3 / lead analyst at a 6,000-employee fintech with 24x7 coverage. Own the on-call rotation health, the alert-tuning program (cut top-10 alert false-positive rate from 71% to 22% in 14 months), and the relationship with the detection-engineering and IR teams. Authored the SOC MITRE ATT&CK coverage report — currently 64% Enterprise technique coverage with documented justifications for the 36% we deliberately do not cover. Speaker at BSides Charlotte 2024 on "Tuning the noisy DCSync rule before it eats your shift." GCIH, GCFA, GCDA. Looking for a senior or lead SOC analyst role at a similar-scale org.

Senior cybersecurity analyst with 7 years across detection engineering, IR, and threat hunting; team eliminated in late-2025 reduction at a former unicorn after acquisition. Most recently led the Sentinel migration from a previous QRadar deployment, authoring 90+ analytics rules in KQL covering identity (T1078, T1556), execution (T1059.001, T1059.003), and impact (T1486, T1490) techniques. Built the team first SOAR program on Tines — 22 production playbooks reducing analyst-hours on Tier 1 work by an estimated 31%. Comfortable with the modern SOC stack (Sentinel, Defender XDR, Tines, Chronicle for one client) and the detection-engineering-as-code discipline (PRs, code review, test cases on every rule). GCIH and GCDA. Looking for a senior detection or SOC engineering role.

Lead SOC analyst with 9 years; last 4 years setting the technical direction for a 14-person SOC at a top-25 US bank. Authored the SOC detection-engineering charter (governs which alerts fire, what severity, and the FP-rate threshold for tuning vs. retiring), led the Sentinel + Defender XDR consolidation that retired three legacy SIEM contracts and reduced annual platform cost by $1.4M, and chair the cross-functional alert review board where SOC, IR, threat intel, and detection engineering negotiate the active rule set quarterly. Mentored two analysts from Tier 1 to Tier 2 in the past year. GCIH, GCFA, GCDA, GIAC GSE in progress. Looking for a principal or lead SOC role at a regulated-industry org of similar scale.

Senior cybersecurity analyst with 8 years and 2 years of acting team-lead experience covering the swing-shift rotation (8 analysts, no direct reports — they reported to the SOC manager who delegated coverage scheduling to me). Owned the shift handoff documentation, the new-analyst onboarding runbook (cut time-to-first-solo-shift from 9 weeks to 5), and the relationship with on-call IR. Last year led the response on a confirmed business-email-compromise incident across two subsidiaries (mapped to T1566.001 and T1078.004), coordinated communication with finance and legal, and authored the postmortem. GCIH, GCFA. Looking for a SOC team-lead role with a path to manager — explicit about wanting the people-leadership track.

Senior cybersecurity analyst and digital forensics specialist with 7 years; last 4 years as the SOC go-to for host and memory forensics on confirmed incidents. Performed full forensic timeline reconstruction on 30+ compromised endpoints in the last 24 months — Velociraptor for live response, Volatility for memory analysis, Plaso/log2timeline for super-timelines, and Aurora for endpoint-side detection. Authored the SOC forensic-readiness procedure (image acquisition standards, chain-of-custody documentation, retention policy) which is now in use across two affiliated business units. GCFA, GCIH, and GREM certified. Looking for a senior DFIR or forensics-leaning SOC analyst role at an org with real IR volume.

Senior cybersecurity analyst with 7 years; 3 years on cloud-native detection at a SaaS company operating in AWS, GCP, and Azure. Authored 60+ Sentinel analytics rules and Chronicle YARA-L detections covering AWS GuardDuty findings, GCP SCC alerts, and Azure Defender for Cloud signals. Built the alert-routing logic that decides whether a detection goes to SOC-on-call, the cloud-engineering team, or a Slack notification — cut after-hours pages by 44% over 9 months without missing an actual incident. Comfortable with Terraform-deployed detections (detection-as-code on GitHub Actions), KQL, YARA-L, and the trade-off vocabulary of cloud detection (logs cost vs. coverage, false-positive rate vs. severity floor). GCDA and CCSP. Looking for a senior cloud-detection-engineering role.

Senior detection engineer with 6 years; last 3 years as the lead detection author on a 9-person detection-and-response team at a fintech. Authored 200+ production detections across Sentinel, Splunk, and Sigma with measurable FP discipline (median FP rate 8% across the active rule set). Two of my detections were adopted into the upstream SigmaHQ open-source repository (T1574.002 DLL side-loading variant and T1027.005 indicator removal); presented "Detection-as-code at scale: lessons from 18 months of FP-rate budgeting" at SANS DFIR Summit 2025. Comfortable in the engineering practice (Git, CI, test cases) and the analyst practice (alert review, hunt collaboration, IR partnership). GCDA, GCIH, GCFA. Looking for a principal-track detection engineering role.

Principal cybersecurity engineer (analyst-track / detection-and-response architect) with 12 years across SOC, detection engineering, and IR program leadership. Built the detection-and-response function from 3 to 18 engineers/analysts over the last 5 years at a global e-commerce org; set the detection charter (governs alert lifecycle, FP-rate budgets, and ATT&CK coverage targets), authored the cross-team incident-command runbook now in use during all P0/P1 incidents, and chair the quarterly detection review board with SOC, IR, threat intel, and product-security stakeholders. Strongest in the program-vs-platform interface (when do we author a detection vs. push the control upstream into the product), the staffing/hiring side, and the calm communication that incident command requires. GCIH, GCFA, GCDA, GIAC GSE. Looking for a principal-track detection-and-response leadership role at a sufficiently complex security org.