Analytic Developer/Insider Threat Analyst - Journeyman

Position Summary

ECS is seeking an Analytic Developer/Insider Threat Analyst - Journeyman to support the Army National Guard (ARNG) Enterprise Network Operations and Cybersecurity Support (ENOCS) program. In this role, the candidate supports Task 3 — Cybersecurity Operations Support by developing, implementing, and refining analytic rules and detection logic used to identify anomalous user behavior, insider threat indicators, and other high-risk activity across ARNG enterprise environments. The position contributes directly to Defensive Cyberspace Operations – Internal Defensive Measures (DCO-IDM) by correlating security and user activity data, triaging alerts, documenting findings, and coordinating with SOC, CIRT, cyber intelligence, defensive cyber, and security engineering teams to strengthen enterprise detection and response.

Please Note: This position is contingent upon contract award.

This role operates within a mission environment that delivers DoDIN services and cyber defense for more than 120,000 users and approximately 141,000 endpoints across about 2,800 sites in 54 states and territories. ENOCS supports both Title 10 and Title 32 missions, including mobilization readiness, domestic emergency response, and classified as well as unclassified operations across ARNG network environments. The Analytic Developer/Insider Threat Analyst helps improve visibility and threat-informed detection in a technical ecosystem that includes USIEM analytics, EDR, C2C/DLP-integrated monitoring, MITRE ATT&CK-based analytics, Sysmon-informed analysis, and coordination with organizations such as the NETCOM Global Cyber Center and DISA DCDC to help preserve cyber freedom of action for ARNG forces while denying it to adversaries.

Responsibilities

• Develop, implement, and tune analytic rules and detection content to identify anomalous user activity, insider threat behaviors, and high-risk patterns across ARNG enterprise environments.
• Correlate data from multiple security and user activity sources to support alert triage, investigative analysis, and evidence-based findings.
• Perform in-depth analysis of alerts and suspicious activity, document investigative results, and maintain supporting artifacts for case development and reporting.
• Support Task 3 Cybersecurity Operations Support deliverables by contributing analytic content and investigative outputs used in 24x7x365 monitoring, threat detection, and DCO-IDM activities across the DoDIN-A(NG) area of responsibility.
• Coordinate with SOC and CIRT personnel to validate analytic findings, escalate actionable incidents, and improve detection logic based on operational feedback and post-incident analysis.
• Build and refine MITRE ATT&CK-based analytics and support correlation activities aligned with USIEM detection engineering and broader ARNG monitoring and analysis objectives.
• Leverage integrated SIEM/C2C/DLP analytics and available enterprise data sources to improve centralized visibility and machine-speed response for insider threat and anomalous behavior detection.
• Coordinate with cyber intelligence, defensive cyber, and security engineering teams to align analytic development with threat-informed defense priorities and evolving enterprise risk.
• Ensure analytic activities, reporting, and evidence handling align with DoD and ARNG cybersecurity policy, insider threat program requirements, RMF controls, and continuous monitoring objectives.
• Support coordination and information sharing with Task 3 stakeholders and operational partners, including alignment with cybersecurity operations performed in conjunction with the NETCOM Global Cyber Center and DISA DCDC.