Control Risks
GSOC Watch Desk Analyst

Role

GSOC Watch Desk Analyst

Job type

Contract

Found on Mokaru

14 hours ago

Salary

Not disclosed by employer

Job description

The Watch Desk Analyst (focus on Brand & Cyber) is an entry-level role within the GSOC (Global Security Operations Center) to support the Global Security Intelligence function. Its primary focus is Brand Threat Intelligence & Protection — including VIP / executive monitoring — protecting the company’s brand, customers and people from phishing, impersonation, fake apps, fraudulent ads, data-leak claims and reputational attacks. The work is OSINT-led and supported by specialist monitoring vendors that the analyst tasks and triages. The main output is fast Level 1–2 intelligence — Flash Reports and Info Reports — that drives immediate decisions and feeds the GSOC Watch Desk in real time through alert triage and escalation.

As secondary scope, the analyst keeps working-level Cyber Threat Intelligence — connecting leaked credentials, exposed data and phishing infrastructure to customer harm — plus the basics of Security Risk Intelligence when needed. It suits someone with an investigative mindset and solid OSINT/SOCMINT instincts who can separate signal from noise and communicate clearly under pressure.

Tasks and responsibilities

Brand Threat Intelligence & Protection

  • Continuously monitor open sources — social media, app stores, paid-ad networks, search results and domains/DNS — and triage alerts from brand-protection / monitoring vendors for abuse of the company's brand, logos, domains and products.
  • Detect and triage phishing sites, fake apps, fraudulent ads, impersonation profiles (including executive and customer-support impersonation), spoofed domains and counterfeit or scam campaigns targeting customers.
  • Work the detection queue from brand-protection vendors (e.g. AXUR): validate suspicious assets against the company's official brand assets (domains, logos, apps, support channels), decide takedown vs. legitimate, and record decisions in the tracking workflow — keeping the queue clean and critical items escalated.
  • Own the takedown lifecycle end to end: evidence capture, classification, submission to registrars, hosts, app stores and platforms, follow-up and confirmation — tracking time-to-takedown and recurrence.
  • Monitor for and assess brand-reputation threats: coordinated disinformation, smear campaigns, viral complaints with security implications, and narrative attacks against the company or its leadership.
  • Track fraud and social-engineering trends affecting customers (e.g. the fake-employee scam known in Brazil as golpe do falso funcionário, Pix scams, fake support lines) and surface them to fraud, comms and product stakeholders.
  • Conduct VIP / executive monitoring: track exposure of executives and high-profile employees through open-source research and vendor feeds — impersonation, doxxing, leaked personal data, threats and hostile chatter — and surface protective intelligence to Executive Protection.
  • Maintain watchlists of malicious domains, impersonation accounts, recurring threat actors and abuse patterns targeting the brand and its executives.
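Triaging spoofed-domain alerts and keeping a watchlist of malicious domains (the monitoring, detection and watchlist bullets above) come down to a few repeatable checks before an analyst looks at the content. The following is an added example written for this page, not the employer's or any vendor's tooling: it strips accents, folds common homoglyph and digit-for-letter substitutions, extracts the registrable labels, and compares them with protected brand names by keyword containment and edit distance. The brand names, approved domains and candidate queue are constructed and hypothetical.

```python
"""Lookalike-domain triage against a brand watchlist.

Added example for this page; it is not Control Risks' or the employer's
tooling. Brand names, approved domains and the candidate queue below are
constructed for illustration (hypothetical 'examplebank' / 'examplepay').
"""
import unicodedata
from dataclasses import dataclass, field

# Constructed watchlist inputs (hypothetical).
PROTECTED_BRANDS = ("examplebank", "examplepay")
APPROVED_DOMAINS = frozenset({"examplebank.com", "examplebank.com.br", "examplepay.com"})

# Single characters that pass for letters at a glance: 0->o, 1->l, 3->e, ...
CHAR_MAP = str.maketrans("01345789", "oleastbg")
# Letter pairs that read as one letter in most fonts.
PAIR_MAP = (("rn", "m"), ("vv", "w"))
# Generic second-level labels under two-letter ccTLDs (com.br, co.uk, ...).
GENERIC_SLDS = frozenset({"com", "net", "org", "gov", "edu", "co"})


def normalize_label(label: str) -> str:
    """Fold a label to the reading a human eye takes: strip accents, map look-alikes."""
    decomposed = unicodedata.normalize("NFKD", label)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    folded = ascii_only.lower().translate(CHAR_MAP)
    for pair, single in PAIR_MAP:
        folded = folded.replace(pair, single)
    return folded


def registrable_labels(domain: str) -> list[str]:
    """Labels worth inspecting: everything left of the (approximated) public suffix."""
    parts = domain.lower().rstrip(".").split(".")
    tld = parts[-1]
    parts = parts[:-1]
    if len(parts) >= 2 and len(tld) == 2 and parts[-1] in GENERIC_SLDS:
        parts = parts[:-1]          # drop 'com' in 'brand.com.br'
    return [p for p in parts if p]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


@dataclass
class Finding:
    domain: str
    verdict: str                 # "legitimate" | "takedown-candidate" | "no-match"
    reasons: list[str] = field(default_factory=list)


def is_approved(domain: str) -> bool:
    """True for an approved domain or any subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in APPROVED_DOMAINS)


def triage_domain(domain: str) -> Finding:
    """Classify one candidate domain from a monitoring feed."""
    domain = domain.lower().rstrip(".")
    if is_approved(domain):
        return Finding(domain, "legitimate", ["on approved-domain list"])
    reasons: list[str] = []
    for label in registrable_labels(domain):
        folded = normalize_label(label)
        for brand in PROTECTED_BRANDS:
            if folded == brand:
                kind = "homoglyph of" if label != brand else "unapproved use of"
                reasons.append(f"{kind} {brand}: {label}")
            elif brand in folded:
                reasons.append(f"brand keyword {brand} embedded in: {label}")
            else:
                budget = 2 if len(brand) >= 8 else 1   # edits tolerated before calling it a typo
                distance = levenshtein(folded, brand)
                if distance <= budget:
                    reasons.append(f"typosquat of {brand} (edit distance {distance}): {label}")
    return Finding(domain, "takedown-candidate" if reasons else "no-match", reasons)


def triage_queue(domains) -> dict[str, Finding]:
    """Run a whole vendor/monitoring queue; keyed by normalized domain."""
    findings = (triage_domain(d) for d in domains)
    return {f.domain: f for f in findings}


# Constructed sample queue, as a DRP feed might deliver it (not real observations).
SAMPLE_QUEUE = [
    "examplebank.com", "www.examplebank.com.br",      # legitimate
    "exarnplebank.com", "examp1ebank-login.com",       # homoglyph, embedded keyword
    "examplebnak.net", "secure-examplepay.com.br",     # typosquat, embedded keyword
    "google.com",                                      # noise
]

if __name__ == "__main__":
    for f in triage_queue(SAMPLE_QUEUE).values():
        print(f"{f.verdict:18} {f.domain:28} {'; '.join(f.reasons)}")
```

The output is a first-pass sort of the queue, not a takedown decision: the analyst still confirms the content (login form, logo use, ad landing page) and captures evidence before filing with the registrar or host, and the approved-domain list should come from the registrar inventory rather than from memory. Edit distance catches transpositions and single-letter typos; the containment check covers the "brand-login" pattern that distance alone misses.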

Cyber Threat Intelligence — supporting literacy

  • Triage and act on alerts from threat-intelligence / DRP vendors covering mentions of the company, leaked credentials, exposed data and chatter targeting the company, its customers or its executives — validating, prioritising and enriching vendor findings.
  • Recognize common attack vectors and indicators of compromise (phishing kits, malicious domains/IPs, credential dumps, ATO and carding activity) and route them to the relevant SOC / cyber teams with enriched context.
  • Correlate cyber signals with brand and physical threats to surface cross-domain risk — e.g. leaked data fuelling targeted phishing, or a credential leak preceding an impersonation wave.
  • Maintain working fluency with the threat-intelligence lifecycle and frameworks (e.g. MITRE ATT&CK, the cyber kill chain) to engage credibly with cyber counterparts.

Monitoring, Triage & Reporting

  • Perform initial triage of incoming signals: assess relevance and severity, enrich with context, and route or escalate accordingly.
  • Keep alert queues clean and route alerts between GS Intelligence (Core) and the Watch Desk, ensuring critical occurrences reach the right stakeholders quickly.
  • Primary deliverable — produce Level 1–2 intelligence at speed: Flash Reports and Info Reports (plus FYIs and short-form notes) that enable rapid decision-making, with clear, actionable framing and consistent format.
  • Use AI-enabled workflows (LLMs and lightweight automation) to accelerate enrichment, translation, entity extraction, summarization and triage — always with prompt validation, cross-source verification and human judgment retained over the final output.
  • Analyse patterns across incidents to identify trends, recurring actors and systemic risks; contribute to threat profiles and scenario assessments.
  • Georeference incidents and threats where relevant to evaluate impact on people, operations, travel and executive movements.

Operational Support

  • Support crisis and incident response, and draft timely communications to stakeholders.
  • Respond to Requests for Information (RFIs) from security leadership, executive protection, fraud, legal, HR, comms and investigative teams.
  • Provide intelligence support for executive exposure, high-profile events and corporate communications with brand- or security-sensitive components.
  • Provide on-demand coverage for Security Risk Intelligence, maintaining a working knowledge of its basics to keep the function running when needed.

Governance & Continuous Improvement

  • Maintain documentation hygiene and structured knowledge transfer to ensure continuity across the 12×36 shift model.
  • Contribute to After Action Reports (AARs) and lessons-learned following incidents or drills.
  • Help refine SOPs, takedown playbooks, detection rules and source coverage.

Minimum Requirements

  • Bachelor's degree completed or in progress (Computer Science, International Relations, Social Sciences or a related field), or equivalent practical experience.
  • Genuine interest in security, threat intelligence, brand protection or fraud — internships, academic work, certifications or personal projects all count.
  • Strong research and analytical instincts: curious, detail-oriented, and able to separate relevant information from noise. A foundation in OSINT/SOCMINT tradecraft — structured research, source verification, operational-security hygiene — is a strong plus and is where stronger candidates stand out.
  • Demonstrated fluency in AI-enabled intelligence workflows, including the use of LLMs and automation for enrichment, translation, entity extraction, summarization and triage acceleration — applied with critical judgment, prompt validation and cross-source verification. Human judgment is retained over all intelligence outputs.
  • Comfort designing lightweight automations to reduce analyst toil.
  • Working familiarity with cyber signal recognition (threat-actor categories, attack-vector vocabulary, common IOCs) sufficient to flag and correlate across domains.
  • Comfortable online and quick to learn new tools and platforms; basic computer/data literacy.
  • Clear written communication, with the discipline to document findings consistently.
  • Fluency in Portuguese and good working English; Spanish a plus.
  • Able to stay calm and prioritise under pressure, and willing to work a 12×36 shift schedule.
  • Discretion handling sensitive information and a collaborative, team-first attitude.

Preferred, but not required

  • Advanced OSINT/SOCMINT tradecraft — sock-puppet and operational-security practices, cross-source correlation, structured analytic techniques.
  • A track record of building AI-assisted or automated workflows (prompt pipelines, scripts, enrichment tooling) that measurably reduced analyst toil.
  • Any experience with brand-protection, DRP or threat-intelligence platforms or takedown workflows.
  • Working knowledge of frameworks like MITRE ATT&CK or the cyber kill chain.
  • Familiarity with the fraud landscape facing fintech in Brazil/LatAm (Pix scams, social engineering, fake support lines).
  • Scripting or automation skills (e.g. Python) for collecting and enriching data.