Cybersecurity Senior Analyst

Durham, NC

Full Time

Mid Level

JOB DESCRIPTION OVERVIEW

The Cybersecurity Senior Analyst supports the delivery of cybersecurity consulting services, with a primary focus on Microsoft security technologies (Microsoft 365, Azure, Microsoft Defender, and Microsoft Sentinel). This role is hands-on in client environments and works closely with consulting leads who manage most client communications. The Senior Analyst executes assigned technical tasks, performs analysis, and produces high-quality documentation and deliverables that consultants use in client presentations and recommendations.

This position is ideal for someone who is comfortable operating independently on defined workstreams (e.g., vulnerability management, security monitoring support, identity reviews, configuration assessments) while still collaborating closely with senior consultants/architects for direction and quality assurance.

POSITION RESPONSIBILITIES

1. Engagement Delivery Support (Consultant-led execution)

Execute scoped technical tasks in client environments under direction of the engagement Consultant/Lead (e.g., configuration exports, evidence capture, running approved scripts/queries, validating settings).

Track assigned tasks, dependencies, and blockers; escalate issues early with proposed options.

Coordinate primarily with internal consulting staff; join select client meetings as needed for technical context or note-taking (client communication typically routed through the Consultant/Lead).

2. Microsoft Identity & Access Management Support (Entra ID / Azure AD)

Perform identity posture reviews: privileged role assignments, admin hygiene, MFA coverage, legacy authentication exposure, risky sign-ins context gathering, and guest/external access posture.

Support Conditional Access initiatives by documenting policy intent, performing impact analysis (who/what is affected), validating implementation results, and capturing evidence.

Assist with access governance activities (e.g., access reviews status, group/role hygiene, application registration/service principal inventory support).

3. Microsoft 365 Email & Collaboration Security Support

Support validation of key M365 security controls such as anti-phishing/anti-spam policy posture, Safe Links/Safe Attachments configuration evidence, and tenant security settings.

Assist with basic domain/email authentication, posture checks (SPF/DKIM/DMARC status documentation and recommendations).

Support evidence gathering and documentation for collaboration/data controls (e.g., SharePoint/OneDrive sharing posture, baseline checks) as scoped by the engagement lead.

4. Endpoint & Device Security Support (Defender, SentinelOne, Intune, JAMF)

Validate endpoint security onboarding coverage and basic posture (e.g., sensor health, policy application status, and tamper protection evidence).

Support collection of endpoint investigation context (alert/device timeline exports, event/log context gathering) as permitted by client procedures.

Assist with documenting endpoint hardening gaps and recommended next steps for Consultant review.

5. Security Monitoring Support (Microsoft Sentinel / Microsoft Defender)

Support monitoring operations: incident queue review support, connector health checks, data onboarding validation, and log source verification.

Write, adapt, and run KQL queries to support investigations, reporting, and validation of detections (within defined scope and review processes).

Assist with documentation of analytics rules, triage guidance, escalation criteria, and operational runbooks; propose tuning recommendations based on alert quality/noise.

6. Vulnerability Management & Exposure Support

Coordinate vulnerability scanning (e.g., Tenable/Qualys): scheduling, scope validation, credentialed scan setup (where applicable), and scan quality troubleshooting.

Normalize results, validate false positives, and organize findings into actionable themes for remediation planning.

Maintain remediation trackers, support retesting/closure evidence, and produce executive summaries of metrics and trends.

7. Azure Security Support

Support Azure posture reviews through evidence collection and validation of secure configuration items (e.g., RBAC review inputs, logging/diagnostics settings, resource inventory exports).

Assist with triage/documentation of Microsoft Defender for Cloud recommendations and improvement plans.

Support collection of evidence aligned to secure landing zone principles.

8. Incident Response Support

Support investigations by gathering artifacts/logs, building basic timelines, and documenting actions taken.

Follow defined playbooks and escalation criteria; assist with containment actions only when directed and approved.

Support tabletop exercises and post-incident documentation (lessons learned, playbook updates).

9. Reporting, Deliverables, and Quality Control

Draft findings, evidence narratives, and remediation recommendations for Consultant review.

Build and maintain engagement artifacts (spreadsheets, trackers, diagrams, working papers, dashboards) used in client-ready deliverables.

Perform QA on deliverables and evidence; accuracy checks, consistency, completeness, and professional presentation.

REQUIRED QUALIFICATIONS, SKILLS, AND EXPERIENCE

3-5 years in cybersecurity.

Microsoft 365 administration and security configuration experience.

Experience with PowerShell scripting (module development, Graph API, REST), automation runbooks, and CLI tooling.

Hands-on IAM engineering: Conditional Access, MFA/passwordless, PIM/JIT, RBAC, access reviews, and user lifecycle (joiner/mover/leaver).

Azure and Microsoft security engineering: Sentinel, Defender for Cloud, Microsoft 365 Defender, secure landing zones, logging/monitoring.

Strong analytical and communication skills.

Bachelor’s degree in a relevant field or equivalent experience.

CERTIFICATIONS (Current or within 6 months)

Microsoft Certified: Identity and Access Administrator Associate (SC-300).

Microsoft Certified: Azure Security Engineer Associate (AZ-500).

Strongly preferred: Cybersecurity Architect Expert (SC-100); Security Operations Analyst Associate (SC-200); CompTIA Security+.

ADDITIONAL DESIRED, BUT NOT REQUIRED

Experience integrating CrowdStrike Falcon with Microsoft security tools.

Experience with Infrastructure-as-Code (Bicep/Terraform) and policy (Azure Policy, Defender for Cloud).

Scripting beyond PowerShell (e.g., Python) for data analysis and automation.

Experience with data protection and compliance controls (DLP, Purview).

Priority

This role is open to remote candidates; however, preference will be given to those located in the Durham, NC area

Please note: This application may be reviewed in part by automated systems to help identify qualified candidates.

Apply for this position

Required*

First Name*

Last Name*

Email Address*

Phone*

Address*

Resume*

We've received your resume. Click here to update it.

Attach resume or Paste resume

Attach resume as .pdf, .doc, .docx, .odt, .txt, or .rtf (limit 5MB) or Paste resume

Paste your resume here or Attach resume file

Who referred you to this position? Enter their first and last name here.

LinkedIn Profile URL:*

Desired salary*

Please consider CREO's Core Values which can be viewed here: https://creoconsulting.com/about-us/ . Please pick a Core Value that resonates most with you. Describe how you live this value and how you have applied this value to how you work.*

Are you authorized to work for any employer in the US?*

Will you now or in the future require sponsorship for employment visa status (e.g., H-1B visa status)?*

Investigating security alerts and incidents using Microsoft Defender and Sentinel (Rank 0-10) 0 = Little to no knowledge
10 = Deep expertise or author-level proficiency*

How confident are you in designing and implementing identity architectures using Microsoft Entra ID (Azure AD), including PIM, JIT, and RBAC? (Rank 0-10) 0 = Little to no knowledge
10 = Deep expertise or author-level proficiency*

Writing KQL queries to support threat hunting and alert tuning (Rank 0-10) 0 = Little to no knowledge
10 = Deep expertise or author-level proficiency*

Assessing email and collaboration security controls (anti-phishing/spam posture, safe link/attachment-style protections, and tenant collaboration/sharing settings) (Rank 0-10) 0 = Little to no knowledge
10 = Deep expertise or author-level proficiency*

Developing robust PowerShell tooling and modules to automate Entra ID, Exchange Online, Defender, Intune, and Graph API workflows. (Rank 0-10) 0 = Little to no knowledge 10 = Deep expertise or author-level proficiency*

Managing Microsoft 365 Defender and Defender for Endpoint policies (Rank 0-10) 0 = Little to no knowledge
10 = Deep expertise or author-level proficiency*

Security monitoring operations support (incident/alert queue review, log source onboarding validation, data ingestion/connector health, and escalation criteria) (Rank 0-10) 0 = Little to no knowledge
10 = Deep expertise or author-level proficiency*

Knowledge of data privacy and security standards (HIPAA, GDPR, etc.) (Rank 0-10) 0 = Little to no knowledge
10 = Deep expertise or author-level proficiency*

Managing multiple client environments as part of a service delivery team (Rank 0-10) 0 = Little to no knowledge
10 = Deep expertise or author-level proficiency*

Use of ticketing systems (e.g., ServiceNow, Jira, etc.) for case management (Rank 0-10) 0 = Little to no knowledge
10 = Deep expertise or author-level proficiency*

Vulnerability scanning coordination and scan operations (scheduling, scope validation, credentialed scans, and troubleshooting scan quality) (Rank 0-10) 0 = Little to no knowledge 10 = Deep expertise or author-level proficiency.*

Producing client-ready security documentation and deliverables (evidence narratives, findings, remediation recommendations, and quality assurance) (Rank 0-10) 0 = Little to no knowledge 10 = Deep expertise or author-level proficiency.*

Performing identity posture reviews (privileged role assignments, admin hygiene, MFA coverage, legacy authentication exposure, risky sign-ins, and guest/external access posture) (Rank 0-10) 0 = Little to no knowledge 10 = Deep expertise or author-level proficiency.*

Developing and maintaining operational runbooks and detection documentation (triage guidance, escalation paths, and tuning recommendations to reduce noise) (Rank 0-10) 0 = Little to no knowledge 10 = Deep expertise or author-level proficiency.*

Human Check*

Submit Application