Entry-Level SOC Analyst (Night Shift) — with Level 1 M365

HancoCyber
1 position
Verified listing

The text of this listing has been verified by the eJobs team to remove possible errors or discriminatory content.

Ideal Candidate

  • Level 1 Microsoft 365 capability with a primary focus on client-initiated support and remediation (user lifecycle, groups/roles, MFA/SSPR, mailbox and basic SharePoint/Teams/OneDrive assistance).
  • Secondary, ad hoc M365 evidence collection when triggered by detections from XDR/SIEM/Dark Web tooling (Unified Audit Log, Entra ID/Azure AD Sign-in and Audit logs, Exchange Online message trace, mailbox-rule reviews), following chain-of-custody-aware practices.
  • Practical familiarity with XDR (multi-signal correlation across identity/mail/device), SIEM/SOAR (alert triage, enrichment, playbooks), and Dark Web monitoring (credential exposure validation, brand/domain checks, takedown/reset triggers).
  • Solid understanding of cyber security principles (threat analysis, vulnerability management, network protocols).
  • Strong analytical and problem-solving skills with high attention to detail.
  • Good conversational English (clear, concise ticketing and responsive client communications); Romanian is an advantage. Comfortable taking ad hoc phone conversations during major incidents.
  • Relevant certifications appreciated (e.g., Microsoft 365 Fundamentals/Administrator/Security, CompTIA Security+, CISSP, CEH, OSCP, Google Cybersecurity Certificate).

Job Description

Location
Remote-only (Romania). Transport costs are covered for in-person team meetings in Bucharest, held up to once per quarter.

Shift & Hours
12-hour night shifts. Fixed 2-week pattern: Mon – Wed – Fri – Sat – Sun – Tue – Thu (12h each), averaging ~42 hours per week.

Selection Criteria (Essential)

  • Good conversational English for clear ticket writing and client enquiries; able to handle occasional phone conversations during major incidents.
  • Over one year of relevant experience (security operations, helpdesk, or adjacent IT role).
  • Level 1 Microsoft 365 administration focused on client-initiated support and remediation (user lifecycle, access & group updates, password/MFA resets, mailbox and basic SharePoint/Teams/OneDrive assistance).
  • Ability to perform ad hoc M365 investigative work when alerts/incidents from other platforms require it (Unified Audit Log searches, Entra ID/Azure AD Sign-in & Audit logs, Exchange Online message trace, mailbox-rule audits); competent evidence export and annotation under playbooks.
  • Familiarity with at least one of: XDR operations, SIEM/SOAR triage, or Dark Web exposure monitoring (foundational level).

Job Description

  • Training for platforms and role responsibilities is delivered via HancoCyber Academy (structured courses with certificates and digital badges).
  • Primary M365 remit: handle client-initiated requests and routine daily usage support/remediation.
  • Broader platform suite: HancoCyber XDR, SIEM/SOAR, Dark Web monitoring, vulnerability management and network telemetry for detection and response.
  • M365 forensic activity is secondary and ad hoc, performed only when alerts/incidents from other platforms require targeted M365 investigation.

Key Responsibilities

  • Client-initiated M365 support & remediation: action requests via HancoSupport (and, if required, by phone during major incidents): user lifecycle, access/group changes, password/MFA resets, mailbox and basic SharePoint/Teams/OneDrive troubleshooting; maintain clear client communications.
  • Maintain ticket quality and SLAs: triage, prioritise, keep timelines current, and produce clean handover notes.
  • Operate SIEM/SOAR playbooks for common alerts (identity anomalies, suspicious inbox rules, geo-impossible sign-ins); propose tuning/improvements.
  • Monitor and triage detections in HancoCyber XDR; enrich/document incident timelines across identity, mail and device signals.
  • Run Dark Web monitoring checks for credential/brand exposure; validate hits against identity telemetry; raise takedown or reset workflows per runbooks.
  • Support patching initiatives and basic vulnerability remediation tasks under playbooks.
  • Collaborate on MDR solution operations to maintain optimal client environment performance.
  • Execute basic penetration-testing activities and vulnerability assessments (under guidance).
  • Produce clear, actionable incident reports with support from HancoGPT; contribute to runbooks/playbooks.
  • Participate in shift handovers and periodic incident drills to ensure 24/7 coverage continuity.

Ad hoc M365 Investigations (triggered by other platforms)

  • When XDR/SIEM/Dark Web alerts indicate risk, perform targeted M365 user-activity evidence collection: run UAL searches, review Entra ID Sign-in/Audit logs, inspect mailbox rules/risky sign-ins, and pull Exchange Online message traces.
  • Export artefacts (CSV/JSON where available) with accurate timestamps (incl. time zone) and case references; follow chain-of-custody guidance.

Required (Must-Have)

  • Key requirement: Level 1 M365 administration focused on client-initiated support & remediation, plus competent ad hoc user-activity log inspection (UAL, Entra ID Sign-in/Audit, Exchange message trace, mailbox-rule audits) when investigations require it; clean evidence handling.
  • Strong written and spoken English for tickets, handovers and client responses; able to join incident bridge/phone calls when required.
  • Basic grasp of authentication concepts (MFA, SSO), mailbox fundamentals and M365 admin portals.
  • Some exposure to a SIEM or alerting tool (e.g., Microsoft Sentinel, Splunk, or equivalent).
  • Basic scripting (PowerShell preferred) to run/adapt small scripts for user/account tasks and log collection.
  • Attention to detail and reliable ticket hygiene.
  • Willingness to work the fixed 2-week night pattern above (12-hour shifts; ~42 hrs/week average).
  • Right to work in Romania and ability to work the 8pm-8am night shift.

Preferred (Nice-to-Have)

  • Microsoft 365 Certified: Modern Desktop Administrator / Security Administrator or similar.
  • CompTIA Security+ or equivalent foundational security certification.
  • Experience with XDR platforms and EDR agents (e.g., Defender for Endpoint, CrowdStrike, SentinelOne) as signal sources within XDR/SIEM workflows.
  • Familiarity with SOAR playbooks and basic incident-response steps.
  • Previous security operations or helpdesk experience.

Company Description

  • HancoCyber Unit: A service of Hanco Global, delivering the next-generation Hanco CyberShield solution for a changing threat landscape.
  • Global Presence: HQ in the UK, office in Bucharest, and operations in India and the Americas; AnyShore 24/7 support model.
  • SOC Team in Romania: Based in Bucharest with technicians across other major cities; regular professional training and team-building.
  • Support for Bilingual Speakers: Friendly workplace for English- and Romanian-speaking professionals, enabling effective collaboration across the global team.

Published 31 Oct. 2025; updated 31 Oct. 2025; expires 30 Nov. 2025