SOC analyst re-positioning from generalist alert-handler to detection engineering specialist
A SOC analyst with three years of Tier 1/2 work re-wrote a generic 'security' resume into one that surfaces detection authoring, MITRE technique fluency, and operational tier specificity.
Candidate
Security analyst · 3 years SOC · Splunk/CrowdStrike
Positioning outcome
Resume re-positioned from generic 'security analyst' framing to detection-engineering specialist, with named tooling, specific MITRE techniques, and tier-specific operational language.
1. Original resume challenges
The candidate had real SOC depth (a 24/7 rotation, hands-on incident response, custom detections), but the resume framed all of it as generic 'cybersecurity experience'. Cyber hiring managers are technically deep and discount surface-level resumes instantly; generic language reads as junior even when the underlying work is senior.
- 'Cybersecurity' listed as a skill with no tooling depth behind it
- No specific SIEM or EDR platform named
- Incident response described generically, with no MTTR/MTTD (mean time to respond / mean time to detect) metrics
- MITRE ATT&CK referenced as a concept, with no specific technique IDs
- SOC tier (1 vs 2 vs 3) never made explicit
2. Recruiter simulation findings
Three of the six simulated reviewer reads of the same resume
Technical Hiring Manager
Signal caught: 'Familiar with Splunk' and 'familiar with MITRE ATT&CK' read as surface-level. No evidence that the candidate authors detection content rather than consuming it.
What it means: Cybersecurity hiring managers screen for who actually writes detection content versus who only works the alerts it produces. 'Familiar with' is an instant discount signal.
ATS Scan
Signal caught: Generic security terms present; specific tooling and detection languages (Splunk SPL, KQL, Sigma) and platform versions absent.
What it means: Security ATS pipelines weight named tooling and detection languages heavily. Generic terms alone don't qualify a resume for the next stage.
Hiring Manager
Signal caught: No incident metrics. Tier of operational maturity unclear.
What it means: SOC teams run on metrics: MTTR, MTTD, dwell time, alerts per shift. Their absence signals that the candidate hasn't owned operational outcomes.
3. ATS intelligence findings
What the ATS analysis surfaced
Tooling specificity
Finding: No SIEM, EDR, or detection language named explicitly.
Recommendation: Name your SIEM (Splunk, Sentinel, Elastic), EDR (CrowdStrike, SentinelOne), and detection languages (SPL, KQL, Sigma, YARA).
MITRE ATT&CK technique IDs
Finding: MITRE ATT&CK named as a framework only, no specific technique IDs.
Recommendation: Cite the specific techniques you've engineered detections for, by ID (for example T1078 Valid Accounts, T1110 Brute Force, T1055 Process Injection). Technique IDs prove operational fluency that generic candidates can't fake, and a technical reviewer will expect you to explain the detection logic behind each one you list.
Operational metrics
Finding: No MTTR, MTTD, alerts-per-shift, or false-positive rate metrics.
Recommendation: Add operational metrics for the most recent role. SOC work is judged on these specifically.
Tier specificity
Finding: SOC tier never made explicit. Reads as generic SOC.
Recommendation: State the tier (1, 2, 3, or shift lead). Promotion path between tiers is a strong signal of trajectory.
4. Resume transformations
Before / after rewrites with recruiter signal analysis
Context
Most recent SOC role, adding operational specificity
Before
Worked in the SOC monitoring alerts and responding to incidents. Familiar with Splunk and MITRE ATT&CK.
After
Operated as a Tier 2 SOC analyst on a 24/7 rotation. Triaged 80+ alerts/shift in Splunk; authored 14 detection rules mapped to MITRE ATT&CK techniques (T1078, T1055, T1110); reduced the false-positive rate on critical detections by 38%.
Why this is stronger
Replaces 'familiar with' (instantly discounted) with operational specifics: tier, alert volume, rule count, a tuning outcome. Specific MITRE technique IDs prove depth that generic candidates can't fake.
Recruiter signals added
- Specific tier (Tier 2)
- Operational scale (80+ alerts/shift)
- Detection authoring (14 rules)
- Specific MITRE techniques (T1078, T1055, T1110)
- Tuning outcome (38% FP reduction)
Context
Incident response framing
Before
Responded to security incidents and worked with the IR team to remediate.
After
Led containment for 6 SEV-2 incidents and supported 2 SEV-1 investigations as Tier 2 lead. Averaged 47 minutes MTTR on SEV-2 incidents; co-authored 3 post-incident reports delivered to the CISO.
Why this is stronger
Reframes generic IR work into measured operational ownership. Severity tier + MTTR + audience seniority hit three primary cyber screening signals.
Recruiter signals added
- Specific incident counts and severity tiers
- Tier 2 lead role on containment
- Quantified MTTR
- Audience seniority (CISO)
5. Startup vs enterprise insights
Cybersecurity startup hiring and enterprise hiring overlap on tooling but diverge on scope expectations. Startups screen for generalist depth: the ability to own detection, IR, and architecture in one head. Enterprises screen for specific tooling depth and operational tier maturity. The candidate built a startup-flavored variant emphasizing breadth (cloud security architecture, IR runbook authoring, compliance navigation) and an enterprise variant emphasizing depth (Tier 2 → Tier 3 progression, specific platform fluency, MITRE technique-mapped detection authoring).
- Startup variant: 'owned detection, IR, and cloud security architecture for the seed-stage security function'
- Enterprise variant: 'Tier 2 SOC analyst on the 24/7 rotation, authored 14 detection rules across MITRE techniques T1078, T1110, T1055'
- Same underlying experience; different framing for different reviewer expectations
6. Final positioning improvements
After the transformation pass, the resume read at the seniority the candidate had actually operated at. Generic security language was replaced with specific tooling, technique IDs, and operational metrics, so the candidate now read as a detection engineer or Tier 2/3 SOC specialist rather than a generic analyst. The startup and enterprise variants kept the same underlying experience while matching the reviewer-specific expectations of each environment.
- Named SIEM, EDR, and detection languages throughout
- Specific MITRE technique IDs cited for detection authoring
- Operational metrics (MTTR, alerts/shift, FP rate) on every SOC bullet
- Tier specificity established for trajectory signal
“Once I started naming the specific techniques I'd written detections for, technical reviewers started treating me like the detection engineer I actually was.”
Security analyst · 3 years SOC · Splunk/CrowdStrike (illustrative)
This case study is illustrative, written to show the TalentFit AI workflow against the kind of resume challenges the product is designed to address. No claims of guaranteed interviews, offers, or hires.