SOC Investigation Specialist Talent Network

Mercor is hiring SOC Investigation Specialist on behalf of high-growth technology and enterprise partners building next-generation SOC automation and AI-driven investigation systems. This role is ideal for experienced SOC analysts who can apply real-world investigative judgment to review, validate, and construct high-quality security investigations across SIEM, endpoint, cloud, and identity environments.

Review, monitor, and evaluate SOC alerts and investigation outputs based on predefined scenarios and criteria.

Location Requirements

Mercor is hiring SOC Investigation Specialist

Responsibilities

Requirements

Splunk

Nice to Have

Why Join

Mercor is hiring SOC Investigation Specialist on behalf of high-growth technology and enterprise partners building next-generation SOC automation and AI-driven investigation systems. This role is ideal for experienced SOC analysts who can apply real-world investigative judgment to review, validate, and construct high-quality security investigations across SIEM, endpoint, cloud, and identity environments. Review, monitor, and evaluate SOC alerts and investigation outputs based on predefined scenarios and criteria. Distinguish true positives from false positives by validating investigative evidence and alert context. Perform end-to-end security investigations when required, including log analysis, entity pivoting, timeline reconstruction, and evidence correlation. Assess the correctness, completeness, and quality of SOC investigations produced by automated or human workflows. Apply consistent investigative judgment while recognizing that multiple valid investigation paths may exist for the same alert. Make clear binary determinations (e.g., ACCEPT / PASS) while also producing detailed ground-truth investigations when required. Use Splunk extensively to pivot across logs, entities, and timelines, including reading and reasoning about SPL queries. Maintain clear and accurate documentation of investigative steps, assumptions, evidence, and conclusions. Collaborate with program leads and other expert annotators to uphold high-quality investigation and annotation standards. Mentor or support other analysts where applicable, particularly in long-term or lead annotator roles. 3+ years of hands-on experience as a SOC analyst in a production SOC environment (Tier 2 or above strongly preferred). Strong understanding of alert triage, incident investigation workflows, and evidence-based decision-making under time constraints. Mandatory hands-on experience with Splunk, including: Conducting investigations using Splunk Reading, understanding, and reasoning about SPL queries Pivoting between logs, entities, and timelines Proven ability to evaluate SOC investigations and determine whether conclusions are valid, incomplete, or incorrect. Strong investigative judgment and comfort making decisive evaluations. Fluent English (written and spoken) with strong documentation and communication skills. Experience with Endpoint Detection & Response (EDR) tools such as CrowdStrike Falcon, Microsoft Defender for Endpoint, or SentinelOne. Experience analyzing cloud security logs and signals: AWS (CloudTrail, GuardDuty) Azure (Activity Log, Defender for Cloud) GCP (Cloud Audit Logs) Familiarity with Identity & Access Management platforms such as Okta Identity Cloud or Microsoft Entra ID (Azure AD). Experience with email security tools like Proofpoint or Mimecast. SOC leadership or mentoring experience. Basic scripting experience (Python or similar). Security certifications (optional): GCIA, GCIH, GCED, Splunk certifications, Security+, CCNA, or cloud security certifications. Work on cutting-edge SOC automation and AI-driven investigation systems. Apply real-world SOC expertise to shape how future security teams investigate and respond to threats. Take ownership of high-impact investigative evaluations and ground-truth security cases. Collaborate with experienced SOC practitioners, security engineers, and AI teams. Join Mercor’s global network of vetted security professionals. We consider all qualified applicants without regard to legally protected characteristics and provide reasonable accommodations upon request.

• Review, monitor, and evaluate SOC alerts and investigation outputs based on predefined scenarios and criteria.
• Distinguish true positives from false positives by validating investigative evidence and alert context.
• Perform end-to-end security investigations when required, including log analysis, entity pivoting, timeline reconstruction, and evidence correlation.
• Assess the correctness, completeness, and quality of SOC investigations produced by automated or human workflows.
• Apply consistent investigative judgment while recognizing that multiple valid investigation paths may exist for the same alert.
• Make clear binary determinations (e.g., ACCEPT / PASS) while also producing detailed ground-truth investigations when required.
• Use Splunk extensively to pivot across logs, entities, and timelines, including reading and reasoning about SPL queries.
• Maintain clear and accurate documentation of investigative steps, assumptions, evidence, and conclusions.
• Collaborate with program leads and other expert annotators to uphold high-quality investigation and annotation standards.
• Mentor or support other analysts where applicable, particularly in long-term or lead annotator roles.
• 3+ years of hands-on experience as a SOC analyst in a production SOC environment (Tier 2 or above strongly preferred).
• Strong understanding of alert triage, incident investigation workflows, and evidence-based decision-making under time constraints.
• Mandatory hands-on experience with Splunk, including:

Conducting investigations using Splunk

Reading, understanding, and reasoning about SPL queries

Pivoting between logs, entities, and timelines

• Conducting investigations using Splunk
• Reading, understanding, and reasoning about SPL queries
• Pivoting between logs, entities, and timelines
• Proven ability to evaluate SOC investigations and determine whether conclusions are valid, incomplete, or incorrect.
• Strong investigative judgment and comfort making decisive evaluations.
• Fluent English (written and spoken) with strong documentation and communication skills.
• Conducting investigations using Splunk
• Reading, understanding, and reasoning about SPL queries
• Pivoting between logs, entities, and timelines
• Experience with Endpoint Detection & Response (EDR) tools such as CrowdStrike Falcon, Microsoft Defender for Endpoint, or SentinelOne.
• Experience analyzing cloud security logs and signals:

AWS (CloudTrail, GuardDuty)

Azure (Activity Log, Defender for Cloud)

GCP (Cloud Audit Logs)

• AWS (CloudTrail, GuardDuty)
• Azure (Activity Log, Defender for Cloud)
• GCP (Cloud Audit Logs)
• Familiarity with Identity & Access Management platforms such as Okta Identity Cloud or Microsoft Entra ID (Azure AD).
• Experience with email security tools like Proofpoint or Mimecast.
• SOC leadership or mentoring experience.
• Basic scripting experience (Python or similar).
• Security certifications (optional): GCIA, GCIH, GCED, Splunk certifications, Security+, CCNA, or cloud security certifications.
• AWS (CloudTrail, GuardDuty)
• Azure (Activity Log, Defender for Cloud)
• GCP (Cloud Audit Logs)
• Work on cutting-edge SOC automation and AI-driven investigation systems.
• Apply real-world SOC expertise to shape how future security teams investigate and respond to threats.
• Take ownership of high-impact investigative evaluations and ground-truth security cases.
• Collaborate with experienced SOC practitioners, security engineers, and AI teams.
• Join Mercor’s global network of vetted security professionals.