Security Analyst – Tier 2

Cape Town, SA
Business Systems

“Can you investigate, contain, and respond to cyber threats with precision – using the Microsoft Security stack, automation, and AI to protect both our business and the customers who trust us?” 

As a frontier partner, we grow through great people, smart tech, and teamwork between humans and AI.

Cloud Direct is building a modern, AI-enabled Security team to defend our organisation from evolving cyber threats. As a Tier 2 Security Analyst based in our Cape Town Centre of Excellence, you will be at the operational heart of this capability: investigating and responding to security alerts, developing detection content, and helping improve security outcomes through automation, insight, and disciplined response.

Working alongside the Senior Security Lead and the wider Security team, you will support detection and response using Microsoft Sentinel, Microsoft Defender, and adjacent Microsoft Security capabilities. As the function matures, you will also contribute to the development of repeatable customer-facing security services grounded in the Microsoft ecosystem.

What You’ll Do:

Alert Triage & Incident Management:

  • Perform in-depth analysis of escalated alerts to confirm, classify, and prioritise security incidents. 
  • Investigate suspicious activity across endpoints (Defender for Endpoint), identity (Entra ID), email (Defender for Office 365), and cloud workloads (Azure/M365). 
  • Correlate data from multiple sources using KQL queries in Microsoft Sentinel to determine scope and impact. 
  • Escalate confirmed P1/P2 incidents to the Senior Security Lead with clear, evidence-based assessments. 

Incident Response & Containment

  • Execute containment and remediation actions following established runbooks: isolating hosts, revoking credentials, and blocking indicators of compromise.
  • Coordinate with IT operations and service desk teams to ensure rapid recovery from security events. 
  • Document all investigation steps and outcomes within ServiceNow for case management and post-incident review. 
  • Contribute to post-incident reports with root-cause analysis, lessons learned, and improvement recommendations. 

Detection Content & Runbook Development

  • Develop and refine Sentinel analytics rules, hunting queries, and automated playbooks under the guidance of the Senior Security Lead. 
  • Author and maintain investigation runbooks and standard operating procedures for common alert types. 
  • Assist with the deployment, configuration, and optimisation of Microsoft Security capabilities across the estate. 
  • Tune alert thresholds and suppression rules to reduce false positives and improve signal-to-noise ratio. 

Mentoring & Knowledge Sharing

  • Provide day-to-day guidance and mentoring to the Level 1 engineer on triage techniques, investigation methodology, and tool usage. 
  • Contribute to internal knowledge-base articles, detection-engineering documentation, and training materials. 
  • Participate in tabletop exercises, purple-team drills, and continuous-improvement initiatives. 

Operational Reporting

  • Contribute to regular security performance reporting, tracking operational trends, incident themes, and opportunities for improvement. 
  • Maintain accurate and up-to-date records in ServiceNow and Sentinel workbooks. 

What We’re Looking For:

  • Experience within a security operations, incident response, detection-focused, or security engineering role. 
  • Solid working knowledge of Microsoft Sentinel, including KQL query writing and analytics rule configuration. 
  • Hands-on experience with Microsoft Defender for Endpoint, Defender for Office 365, and Entra ID. 
  • Understanding of common attack techniques (credential theft, lateral movement, ransomware, BEC) and the MITRE ATT&CK framework. 
  • Excellent analytical and problem-solving skills with the ability to investigate complex, multi-stage incidents. 
  • Strong written and verbal communication skills for documentation and cross-team collaboration. 
  • Relevant certification: CompTIA CySA+, Microsoft SC-200, or Blue Team Level 1 (BTLO).

Highly Desirable:

  • Experience working within an MSP, MSSP, or multi-tenant security environment. 
  • Familiarity with Microsoft’s extended detection, response, automation, and investigation capabilities. 
  • Working knowledge of ServiceNow (incident/case management) and Intune for endpoint management. 
  • Exposure to SOAR playbook development and automation (Logic Apps, Power Automate). 
  • Additional certifications: GIAC GCIH, CompTIA Security+, SC-100, or equivalent. 
  • Understanding of UK GDPR and South Africa POPIA regulatory requirements. 

What We Offer:

  • Responsible Time Off (uncapped annual leave)
  • Group Life Cover / Disability Income Cover / Trauma Insurance Cover (Injury / Disability)
  • Fitness Cash Contribution
  • Pension Fund Contribution
  • Medical Insurance Contribution
  • Employee Assistance Programme
  • Enhanced Maternity & Paternity Leave
  • Endless Growth Opportunities: We provide ample opportunities for professional development, mentoring, and advancement.
  • Culture of Excellence: We foster a high-performance culture that recognises and rewards exceptional talent.

At Cloud Direct, we believe that diversity, equity, and inclusion are essential to our success. We are committed to creating a workplace where everyone feels valued, respected, and empowered. We welcome applicants from all backgrounds and strive to build a team that reflects the diverse communities we serve. We encourage candidates of all races, ethnicities, genders, sexual orientations, ages, abilities, and socioeconomic statuses to apply.
