Security Operations Centre Analyst
Job Location:
Cape Town - South Africa
Monthly Salary:
Not Disclosed
Posted on:
30+ days ago
Vacancies:
1 Vacancy
Job Summary
At Sabio Group we build and operate AI-powered customer experience platforms for some of the worlds most demanding enterprise brands. Our environment spans our own internal corporate estate the SaaS products we build and the live production solutions we run on behalf of customers across multiple clouds identity domains and AI services. Keeping that surface safe is a 24/7 discipline and were investing in the people and automation to do it well.
Were hiring a Security Operations Centre (SOC) Analyst to join our Information Security & Cyber Security team in South Africa. Youll be the defensive heartbeat of our operation triaging alerts hunting for threats running incidents to ground and partnering with platform and engineering teams to make sure the same issue doesnt bite us twice. Youll work across both our internal platforms and the customer environments we operate with visibility across cloud identity endpoint application and AI workloads.
This is a hands-on role for someone who is genuinely curious about how attackers operate comfortable writing code and scripts to amplify their own impact and excited about using AI as a force multiplier not just another tool in the stack. We dont need you to be a contact centre expert; we do need you to be a strong defender who can learn our environments quickly and automate relentlessly.
Key Responsibilities
Reactive Event Handling & Incident Response
- Monitor triage and investigate security alerts across our internal estate and customer-operated solutions covering cloud identity endpoint network application and AI workloads.
- Drive incidents end-to-end: scoping containment eradication recovery and post-incident review working to clearly defined SLAs and rules of engagement.
- Produce high-quality incident write-ups and lessons-learned for both technical and executive audiences and feed findings back into detections runbooks and engineering backlogs.
- Act as an escalation point for first-line alerts and partner with on-call engineering when an incident crosses into platform reliability or customer impact.
Proactive Threat Hunting
- Develop and execute hypothesis-driven threat hunts across cloud telemetry identity signals endpoint data and application logs looking for what alerts wont catch.
- Map adversary behaviour to frameworks such as MITRE ATT&CK and turn confirmed findings into durable detections dashboards and automated playbooks.
- Track emerging threats CVEs and threat-actor TTPs relevant to our stack and customer base and translate them into concrete hunts and detections.
- Partner with our Red Team and AI Ethics functions on purple-team exercises to validate and improve coverage.
Detection Engineering & Automation
- Treat automation as a core part of the role use code scripts and AI to remove repetitive toil and free up time for the work only humans should do.
- Build tune and maintain detections in our SIEM and XDR tooling (e.g. Microsoft Sentinel Defender XDR) keeping a tight handle on signal-to-noise.
- Develop SOAR playbooks and enrichment pipelines that turn one-off investigations into repeatable measured workflows.
- Contribute to internal tooling log normalisation alert enrichment case-management integrations threat-intel feeds in Python or similar.
AI-Augmented Operations
- Use AI and agentic workflows as a force amplifier on day-to-day SOC work triage summarisation log analysis hypothesis generation drafting reports and playbooks.
- Help shape how we monitor and defend the AI services we operate LLM workloads RAG pipelines agent integrations alongside our AI Ethics and engineering teams.
- Stay close to evolving guidance on AI security (e.g. OWASP Top 10 for LLMs NIST AI RMF) and translate it into practical monitoring detection and response patterns.
Cloud & Platform Security Monitoring
- Operate detections and investigations across cloud workloads primarily Microsoft 365 and Azure with meaningful coverage of AWS and GCP and the wider enterprise IT stack.
- Understand the security signals that matter in IAM network container serverless and data-layer services and how attackers actually move through them.
- Work closely with platform engineering and SRE teams on misconfiguration exposure and identity hygiene not just incidents.
Collaboration & Continuous Improvement
- Work alongside the Head of Information Security Red Team AI Ethics leads platform engineering and product teams to embed defensive thinking early.
- Partner with customer-facing teams when incidents or hunts touch the solutions we operate on behalf of customers with care for production stability customer data and contractual obligations.
- Contribute to runbooks detection libraries threat-intel notes and post-incident reviews so the whole team gets better with every engagement.
- Operate within strict rules of engagement and a strong ethical compass around evidence handling privacy and disclosure.
Skills Knowledge and Expertise
Required
- Demonstrable hands-on experience in a SOC CSIRT MDR or equivalent defensive security role triage investigation incident response and threat hunting against modern cloud-based environments.
- Strong understanding of common attacker techniques (MITRE ATT&CK) modern intrusion patterns and the telemetry needed to detect and investigate them.
- Solid grasp of cloud security and operations in at least one major provider ideally Microsoft 365 and Azure including IAM networking logging/telemetry common misconfigurations and attack paths.
- Working knowledge of SIEM EDR/XDR and SOAR tooling (e.g. Microsoft Sentinel Defender XDR or equivalents) writing and tuning detections building playbooks managing signal quality.
- Coding capability in at least one of Python PowerShell Go JavaScript/TypeScript or similar comfortable writing scripts automations and integrations not just running other peoples tools.
- Practical understanding of AI/LLM systems how they work where they fail and the new risks they introduce (prompt injection insecure tool use training/RAG data exposure) and an interest in defending them.
- An automation-first mindset: you instinctively look for the repeatable pattern the script the playbook and you measure improvement not effort.
- Comfort with agentic development workflows using AI coding assistants and AI co-work / pair-development models (Claude Code Copilot Cursor or equivalent) as part of your day-to-day delivery.
- Awareness of the wider AI ecosystem major model providers agent frameworks vector stores MCP-style tool integrations and an instinct for where defenders need to pay attention.
- Clear written and verbal communication in English: able to brief engineers executives and (where relevant) customers on incidents hunts and risk.
- A strong ethical compass and discipline around scope evidence handling customer data and responsible disclosure.
Desirable
- Industry certifications such as GCIA GCIH GCFA GCDA GNFA BTL1/BTL2 CySA AZ-500/SC-200 AWS/Azure/GCP security specialties or equivalent.
- Hands-on experience defending or monitoring AI / LLM workloads in production detections for prompt injection tool abuse data exfiltration via agents or anomalous model usage.
- Meaningful exposure to AWS and/or GCP security operations alongside Microsoft 365 / Azure.
- Experience with identity-centric detections across Entra ID / Azure AD Active Directory OAuth/OIDC and federated environments.
- Detection engineering experience: writing and maintaining content in KQL Sigma YARA or equivalent with version control and test coverage.
- Familiarity with CI/CD containers and IaC (Docker Kubernetes Terraform or equivalent) and how to monitor and defend them.
- Purple-teaming experience: working with offensive colleagues to validate and improve detections from real attacker behaviour.
- Familiarity with regulatory and standards contexts relevant to enterprise customers ISO 27001 SOC 2 PCI DSS GDPR POPIA.
- Threat-intel experience: consuming producing or operationalising CTI in a way that actually changes what the SOC does day-to-day.
Nice to Have
- Prior experience in a SaaS cloud platform or AI/ML company where production systems were the thing being defended useful context but not required.
- Public research conference talks blog posts or community contributions in detection engineering threat hunting or AI security.
- Experience contributing to or running CTFs blue-team exercises or open-source defensive tooling.
- Exposure to emerging agent interoperability and security standards (e.g. MCP A2A) and their defensive implications.
Benefits
This is your chance to join and friendly and passionate team that will motivate you to learn and develop your career in the company.
Benefits may include:
Benefits may include:
- Remote/Flexible work
- Discovery Medical Aid
- Connectivity Allowance
- 15 days paid holiday a year- (this includes three Sabio days)
- Momentum EAP
The Small Print
Strictly No Agencies; any submission of resumes without prior request from Sabio Group will not be deemed as an introduction and therefore will not warrant an introduction fee. All applicants must have the right to work in the territory to which the role relates (UK & EU). Sabio Group are unable to offer sponsorship on any roles advertised.
Required Experience:
IC
About Company
Flexible customer experience solutions through innovative technology that enables businesses to build relationships that last.