Real Time Detection Analyst – San Antonio


The Real-Time Detection Analyst provides around the clock, real-time network security monitoring and analysis of the Air Force network and systems Defensive Cyber Operations (DCO) events.


*Review all Near Real-Time IDS/IPS alerts per AFCERT Operating Instruction (OI)

*Conduct near real-time security monitoring and intrusion detection analysis for all systems

*Monitor security sensors to analyze Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) and review logs to identify intrusions for remediation.

*Analyze traffic/logs/events to determine the necessity for higher level analysis and conduct an initial assessment of type and extent of intruder activities.

*Utilize tools and techniques to perform initial analysis, de-obfuscation, or other manipulation of malware related data.

*Conduct Incident intake and record suspicious events into the operational database for suspicious traffic.

*Perform initial analysis of security events, network traffic.

*Enter event data into mission support systems IAW AFCERT operational procedures and reports.

*Compile suspicious events records and other artifacts as part of its Monthly Operational Report.

*Escalate security incidents using established policies and procedures.

*Generate end-of- reports (MISREPS) and provide pass-on information to subsequent /crews of analysts on duty.

*Provide computer security-related support to AF field units in countering vulnerabilities, minimizing risk, and improving the security posture of AF networks and systems.

*Provide focused DCO tailored analysis and monitoring operations of specified sensor locations during contingency operations and in support of named DCO operations and exercises.

*Provide OJT to other contractor employees, military, and/or civilian personnel, and ensure continuity folders/working aids are updated.

*Create and document metrics for reporting and analysis to improve weapon system processes and mission execution.

*Provide requested information to operational flight commander as it relates to the Host Detection processes and procedures.


Knowledge of adversary behaviors, tactics, techniques, and procedures from cyber knowledge portals such as MITRE ATT&CK, Security Information and Event Management/Security Orchestration Automation and Response (SIEM/SOAR) visual analytics, search, and alerting, Intrusion Detection System/Intrusion Prevention System (IDS/IPS), network security monitoring (NSM), and endpoint protection and detection software currently in use by Department of Defense and Federal Government Agencies; intermediate experience with network communication function standards in the Open Systems Interconnection (OSI) model such as data link layer, network layer, addressing, subnetting, protocols, ports, services, and applications associated with the Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Domain Name Service (DNS), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and the Hypertext Transfer Protocol (HTTP).


*Must meet IAT Level I certification (GSEC, Security +, SSCP, CCNA-Security, or CYSA+)

*Required GIAC certifications:  GCIA, GNFA, or GCDA


*Must have active TS/SCI

*Must be available for shift work