State of Maryland

DoIT Cyber Defense Analyst I (#004721)

- Hourly / - BiWeekly /
- Monthly / $64,828.00-$108,780.00 Yearly


STD 0018




A Department of Information Technology (DoIT) Cyber Defense Analyst I is the intermediate level of work in the Office of Security Management (OSM) and is tasked with first contact handling of security logs, incidents, and events. Additional responsibilities include the monitoring of the infrastructure that supports service delivery and replacing failed components, making system configuration changes, and applying patches and other updates. Employees in this classification do not supervise lower-level positions. Employees may be required to work evenings, weekends and holidays and may be subject to call-in.

Employees in this classification receive moderate supervision from an Information Systems Security Manager or other designated administrator. This position does not supervise.

Position placement in this classification is determined by the Classification Job Evaluation Methodology. The use of this method involves comparing the assigned duties and responsibilities of a position to the job criteria found in the Nature of Work and Examples of Work sections of a classification specification.

The DoIT Cyber Defense Analyst I and DoIT Cyber Defense Analyst II and are differentiated on the basis of degree of supervisory control exercised by the supervisor over these employees. The DoIT Cyber Defense Analyst I performs duties under close supervision at times and under general supervision at other times depending on the complexity of the specific duty being performed, and the DoIT Cyber Defense Analyst II performs the full range of duties under general supervision. The DoIT Cyber Defense Analyst II differs from the DoIT Cyber Defense Analyst Ld/Adv in that the DoIT Cyber Defense Analyst Ld/Adv handles cases of a more complex nature or leads lower-level DoIT Cyber Defense Analysts.


Develops content for cyber defense tools;

Characterizes and analyzes network traffic to identify anomalous activity and potential threats to network resources;

Coordinates with enterprise-wide cyber defense staff to validate network alerts;

Ensures that cybersecurity-enabled products or other compensating security control technologies reduce identified risk to an acceptable level;

Documents and escalates incidents (including event's history, status, and potential impact for further action) that may cause ongoing and immediate impact to the environment;

Performs cyber defense trend analysis and reporting;

Performs event correlation using information gathered from a variety of sources within the enterprise to gain situational awareness and determine the effectiveness of an observed attack;

Performs security reviews and identifies security gaps in security architecture resulting in recommendations for inclusion in the risk mitigation strategy;

Plans and recommends modifications or adjustments based on exercise results or system environment;

Provide daily summary reports of network events and activity relevant to cyber defense practices;

Receives and analyzes network alerts from various sources within the enterprise and determine possible causes of such alerts;

Provides timely detection, identification, and alerting of possible attacks/intrusions, anomalous activities, and misuse activities and distinguish these incidents and events from benign activities;

Uses cyber defense tools for continual monitoring and analysis of system activity to identify malicious activity;

Analyzes identified malicious activity to determine weaknesses exploited, exploitation methods, effects on system and information;

Determines tactics, techniques, and procedures (TTPs) for intrusion sets;

Examines network topologies to understand data flows through the network;

Recommends computing environment vulnerability corrections;

Identifies and analyzes anomalies in network traffic using metadata (e.g., CENTAUR);

Conducts research, analysis, and correlation across a wide variety of all source data sets (indications and warnings);

Validates intrusion detection system (IDS) alerts against network traffic using packet analysis tools;

Isolates and removes malware;

Identifies applications and operating systems of a network device based on network traffic;

Reconstructs a malicious attack or activity based off network traffic;

Identifies network mapping and operating system (OS) fingerprinting activities;

Assist in the construction of signatures which can be implemented on cyber defense network tools in response to new or observed threats within the network environment or enclave;

Notifies designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulate the event's history, status, and potential impact for further action in accordance with the organization's cyber incident response plan;

Analyzes and reports organizational security posture trends;

Analyzes and reports system security posture trends;

Assesses adequate access controls based on principles of least privilege and need-to-know;

Monitors external data sources (e.g., cyber defense vendor sites, Computer Emergency Response Teams, Security Focus) to maintain currency of cyber defense threat condition and determines which security issues may have an impact on the enterprise;

Assesses and monitors cybersecurity related to system implementation and testing practices;

Provides cybersecurity recommendations to leadership based on significant threats and vulnerabilities;

Works with stakeholders to resolve computer security incidents and vulnerability compliance;

Provides advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans;

Performs other related duties.


Knowledge of computer networking concepts and protocols, and network security methodologies; 

Knowledge of risk management processes (e.g., methods for assessing and mitigating risk); 

Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy; 

Knowledge of cybersecurity and privacy principles; Knowledge of cyber threats and vulnerabilities;

 Knowledge of specific operational impacts of cybersecurity lapses; 

Knowledge of authentication, authorization, and access control methods; 

Knowledge of cyber defense and vulnerability assessment tools and their capabilities; Knowledge of computer algorithms; 

Knowledge of encryption algorithms; 

Knowledge of cryptography and cryptographic key management concepts; 

Knowledge of database systems;

Knowledge of host/network access control mechanisms (e.g., access control list, capabilities lists);

Knowledge of vulnerability information dissemination sources (e.g., alerts, advisories, errata, and bulletins);

 Knowledge of incident response and handling methodologies; 

Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation); 

Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions; 

Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption); 

Knowledge of network access, identity, and access management (e.g., public key infrastructure, Oauth, OpenID, SAML, SPML); 

Knowledge of network traffic analysis methods; 

Knowledge of new and emerging information technology (IT) and cybersecurity technologies; 

Knowledge of operating systems; 

Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]); Knowledge of policy-based and risk adaptive access controls; Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code); Knowledge of key concepts in security management (e.g., Release Management, Patch Management); Knowledge of security system design tools, methods, and techniques; Knowledge of telecommunications concepts (e.g., Communications channel, Systems Link Budgeting, Spectral efficiency, Multiplexing); Knowledge of the cyber defense Service Provider reporting structure and processes within one’s own organization; Knowledge of Virtual Private Network (VPN) security; Knowledge of what constitutes a network attack and a network attack’s relationship to both threats and vulnerabilities; Knowledge of Insider Threat investigations, reporting, investigative tools and laws/regulations; Knowledge of adversarial tactics, techniques, and procedures; Knowledge of network tools (e.g., ping, traceroute, nslookup); Knowledge of defense-in-depth principles and network security architecture; Knowledge of different types of network communication (e.g., LAN, WAN, MAN, WLAN, WWAN); Knowledge of file extensions (e.g., .dll, .bat, .zip, .pcap, .gzip); Knowledge of interpreted and compiled computer languages; Knowledge of collection management processes, capabilities, and limitations; Knowledge of front-end collection systems, including traffic collection, filtering, and selection; Knowledge of cyber defense and information security policies, procedures, and regulations; Knowledge of the common attack vectors on the network layer; Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution attacks); Knowledge of cyber attackers (e.g., script kiddies, insider threat, non-nation state sponsored, and nation sponsored); Knowledge of system administration, network, and operating system hardening techniques; Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures; Knowledge of cyber-attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks); Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth); Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools; Knowledge of encryption methodologies; Knowledge of signature implementation impact for viruses, malware, and attacks; Knowledge of Windows/Unix ports and services; Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model); Knowledge of OSI model and underlying network protocols (e.g., TCP/IP); Knowledge of relevant laws, legal authorities, restrictions, and regulations pertaining to cyber defense activities; Knowledge of Personally Identifiable Information (PII) data security standards; Knowledge of Payment Card Industry (PCI) data security standards; Knowledge of Personal Health Information (PHI) data security standards; Knowledge of systems security testing and evaluation methods; Knowledge of countermeasure design for identified security risks; Knowledge of network mapping and recreating network topologies; Knowledge of packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump); Knowledge of the use of sub-netting tools; Knowledge of operating system command-line tools; Knowledge of embedded systems; Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications; Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services; Knowledge of how to use network analysis tools to identify vulnerabilities; Knowledge of penetration testing principles, tools, and techniques; Knowledge of Application Security Risks (e.g. Open Web Application Security Project Top 10 list).

Skill in developing and deploying signatures; Skill in detecting host and network-based intrusions via intrusion detection technologies (e.g., Snort); Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes; Skill in evaluating the adequacy of security designs; Skill in using incident handling methodologies; Skill in using protocol analyzers; Skill in collecting data from a variety of cyber defense resources; Skill in recognizing and categorizing types of vulnerabilities and associated attacks; Skill in reading and interpreting signatures (e.g., snort); Skill in assessing security controls based on cybersecurity principles and tenets. (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework, etc.); Skill in performing packet-level analysis; Skill in recognizing vulnerabilities in security systems. (e.g., vulnerability and compliance scanning); Skill in conducting trend analysis; Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation); Skill in using cyber defense Service Provider reporting structure and processes within one’s own organization.

Ability to analyze malware; Ability to conduct vulnerability scans and recognize vulnerabilities in security systems; Ability to accurately and completely source all data used in intelligence, assessment and/or planning products; Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation); Ability to apply techniques for detecting host and network-based intrusions using intrusion detection technologies; Ability to interpret the information collected by network tools (e.g. Nslookup, Ping, and Traceroute).


Experience:  Six years of experience in threat hunting network security analysis, network traffic analysis, information security, information systems, information assurance, trouble shooting, security operations, cryptography, and cyber threat modeling. 


1. Candidates may substitute a bachelor’s degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field for up to four years of the required experience.

2. Candidates may substitute the “Education” requirement listed above, for a High School Diploma or possession of a High School Equivalency certificate and two additional years of experience as described above.

2. Candidates may substitute the “Experience” requirement listed above for a graduate level degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field from an accredited college or university.



1. Employees in this classification may be subject to call-in 24 hours a day and, therefore, may be required to provide the employing agency with a telephone number where the employee can be reached. Employees may be furnished with a pager or cell phone.

2. Applicants for this classification may handle sensitive data.  This will require a full scope background investigation prior to appointment.  A criminal conviction may be grounds for rejection of the applicant.

3.  Employees may occasionally be required to travel to field locations and must have access to an automobile in the event a state vehicle cannot be provided. Standard mileage allowance will be paid for use of a privately owned vehicle.


Class Descriptions are broad descriptions covering groups of positions used by various State departments and agencies.  Position descriptions maintained by the using department or agency specifically address the essential job functions of each position. 

This is a Skilled Service classification in the State Personnel Management System. All positions in this classification are Skilled Service positions. Some positions in Skilled Service classifications may be designated Special Appointment in accordance with the State Personnel and Pensions Article, Section 6-405, Annotated Code of Maryland.

This classification is assigned to Bargaining Unit G, Engineering, Scientific and Administrative Professionals classes. As provided by the State Personnel and Pensions Article, Section 3-102, special appointment, temporary, contractual, supervisory, managerial and confidential employees are excluded from collective bargaining. Additionally, certain executive branch agencies are exempt from collective bargaining and all positions in those agencies are excluded from collective bargaining.


This classification is one level in a Non-Competitive Promotion (NCP) series.  NCP promotions are promotions by which employees may advance in grade and class level from trainee to full performance level in a classification series.  In order to be non-competitively promoted to the next level in a NCP series, an employee must: 1) perform the main purpose of the class, as defined by the Nature of Work section of the class specification; 2) receive the type of supervision defined in the class specification and 3) meet the minimum qualifications of the classification.

Date Established

July 1, 2021

Approved By

Director, Division of Classification and Salary

CLASS: 004721; EST: 7/1/2021; REV: 1/3/2022;

Powered by JobAps