L1 Expert Security Engineer

About the role

The Incident & Change Management Expert works as an advanced technical layer between the Service Desk/L1 and L2 SOC teams. The role focuses on mid‑to‑advanced technical triage, firewall and network security analysis, policy validation, and secure change implementation within customer environments. You will help improve SLA performance, reduce escalations, and increase technical ownership across network security operations.

Key responsibilities

• Perform advanced validation and analysis of firewall, VPN, proxy and network security alerts.
• Analyze network traffic flows, NAT rules, routing behavior and firewall policy impacts to determine root causes of security events.
• Own end‑to‑end resolution of network security incidents, including investigation, containment and remediation.
• Troubleshoot firewall drops, IPS blocks, VPN tunnel failures and routing issues affecting security operations.
• Implement pre‑approved firewall rule changes following risk validation and change‑management procedures.
• Validate rollback procedures and conduct post‑change verification to ensure service stability.
• Identify risky, unused or redundant firewall rules and recommend optimization.
• Document incidents, investigations and change activities in ServiceNow.
• Support audit, compliance and governance by providing technical evidence when required.
• Act as escalation point for Level 1 engineers, mentor them during investigations and deliver knowledge‑sharing sessions.
• Contribute to SOC runbooks, knowledge‑base articles and drive operational improvements.

Required profile

• Proven experience operating as an advanced technical layer between Service Desk/L1 and L2 SOC experts.
• Ability to mentor and guide Level 1 engineers during incident investigations.
• Strong analytical mindset for root‑cause analysis of complex security events.

Required skills

• Firewall technologies (e.g., Palo Alto, Cisco ASA)
• VPN and proxy configuration and troubleshooting
• Network traffic analysis, NAT and routing
• Intrusion Prevention System (IPS) handling
• Security incident response and containment
• Change‑management processes and risk validation
• ServiceNow for incident and change documentation
• SOC procedures, runbooks and knowledge‑base maintenance