Lead Consultant – Cyber SOC Operations

Job Title: Lead Consultant - Cyber SOC Operations

Career Level: E

Introduction to role:

Are you ready to lead a high-performing SOC that safeguards the science behind life-changing medicines? Can you turn complex signals into decisive actions that protect our global operations and keep colleagues productive?

In this role, you will set the pace for enterprise-scale threat detection and response, guiding a team that hunts, investigates, and contains advanced attacks while continuously tuning automation to drive faster, more reliable outcomes. Your decisions will ripple across the business: reducing dwell time, minimizing disruption to critical research, and strengthening trust with patients and partners.

Accountabilities:

• Threat Detection and Investigation: Lead investigations using logs, endpoint telemetry, and network traffic to rapidly distinguish signal from noise and surface high-impact threats.

• Rapid Containment and Eradication: Orchestrate decisive containment actions—account isolation, endpoint quarantine, IP blocking—to stop attacker progression and protect business-critical workloads.

• Severity-Based Critical issue: Apply structured triage to intensify incidents by severity, impact, and SLAs, ensuring the right experts engage at the right time.

• IOC and Attack Pattern Analysis: Analyze indicators of compromise and adversary behaviors to anticipate next moves and harden controls against repeat attacks.

• Root Cause and Timeline Reconstruction: Drive root cause analysis and detailed timelines that reveal attack paths, control gaps, and remediation priorities.

• Cross-Tool Correlation: Correlate events across SIEM, EDR, NDR, and other sources to build a unified picture that accelerates decision-making.

• Automated Response via SOAR: Implement response using SOAR playbooks to scale consistent actions and cut time-to-containment.

• Playbook Optimization: Continuously tune playbooks and automation to reduce manual toil, improve precision, and increase coverage of repeatable scenarios.

• Clear Incident Documentation: Document incidents with evidence, actions taken, and outcomes to strengthen learning loops and audit readiness.

• Operational Field and Knowledge Management: Maintain runbooks, SOPs, and response documentation so the team can operate at pace with confidence and clarity.

Essential Skills/Experience:

• Investigate security incidents using logs, endpoint telemetry, and network traffic

• Contain incidents (account isolation, endpoint quarantine, IP blocking, etc.)

• Call out incidents based on severity, impact, and SLAs

• Analyze indicators of compromise (IOCs) and attack patterns

• Perform root cause analysis (RCA) and timeline reconstruction

• Correlate events across multiple tools and data sources

• Implement response actions using SOAR playbooks

• Assist in playbook tuning and automation improvement

• Document incidents clearly with evidence and actions taken

• Maintain runbooks, SOPs, and incident response documentation

Desirable Skills/Experience:

• Leadership experience guiding SOC analysts, setting incident priorities, and improving team performance

• Hands-on expertise with major SIEM/SOAR and EDR platforms (e.g., Splunk, Sentinel, QRadar, Cortex XSOAR, CrowdStrike, Microsoft Defender)

• Proficiency in automation and scripting (e.g., Python, PowerShell) to extend playbooks and streamline workflows

• Cloud incident response experience across AWS, Azure, or GCP, including identity controls and network segmentation

• Threat hunting, purple teaming, and application of frameworks such as MITRE ATT&CK and NIST SP 800-61

• Relevant certifications (e.g., CISSP, GCIH, GCIA, GCFA, CCSP, AWS Security Specialty)

• Good communication under pressure, translating technical risk into clear business impact and action

• Experience operating in a global enterprise environment with follow-the-sun coverage and on-call leadership

When we put unexpected teams in the same room, we unleash bold thinking with the power to inspire life-changing medicines. In-person working gives us the platform we need to connect, work at pace and challenge perceptions. That's why we work, on average, a minimum of three days per week from the office. But that doesn't mean we're not flexible. We balance the expectation of being in the office while respecting individual flexibility. Join us in our unique and ambitious world.

Why AstraZeneca:

Here, your craft in cyber defense directly protects the digital backbone that fuels the discovery and delivery of new medicines. You’ll collaborate with diverse experts across science and technology, experiment with modern tooling and data-driven approaches, and see tangible impact from your decisions at global scale. Backed by meaningful investment and a culture that values kindness alongside ambition, we bring unconventional teams together to spark bold ideas, then move at pace to make them real—so you can grow, shape the future of security, and help safeguard outcomes that matter to patients.

Call to Action:

Step forward to lead a SOC built for speed and impact, and create the resilient defenses that keep breakthrough science moving!

Date Posted

29-Jan-2026

Closing Date

AstraZeneca embraces diversity and equality of opportunity.  We are committed to building an inclusive and diverse team representing all backgrounds, with as wide a range of perspectives as possible, and harnessing industry-leading skills.  We believe that the more inclusive we are, the better our work will be.  We welcome and consider applications to join our team from all qualified candidates, regardless of their characteristics.  We comply with all applicable laws and regulations on non-discrimination in employment (and recruitment), as well as work authorization and employment eligibility verification requirements.