Insider Threat Operations Center; ITOC Analyst
Listed on 2026-03-13
IT/Tech
Cybersecurity, Data Security
Sentar is an employee‑owned company fostering a culture of empowerment, collaboration, and innovation.
Insider Threat Operations Center (ITOC) Analyst
Sentar is seeking an Insider Threat Operations Center (ITOC) Analyst!
Role Description
The Insider Threat Operations Center (ITOC) Analyst / Technical Lead supports enterprise Insider Threat programs by conducting technical analysis of user activity data and alerts to identify indicators of malicious, negligent, or risky insider behavior. This role supports civil, workplace, counterintelligence, and law enforcement inquiries and investigations while ensuring protection of legal rights, civil liberties, and privacy. At the Analyst level, the role focuses on alert triage, behavioral analysis, reporting, and investigative support.
At the Technical Lead level, the role provides operational leadership, quality control, prioritization, stakeholder coordination, and strategic oversight of Insider Threat operations. This position works closely with Defensive Cyber Operations (DCO) teams, Operations Watch Officers, subscriber Insider Threat Program Managers, and U.S. Government partners to ensure effective, compliant, and mission‑aligned Insider Threat detection and response.
Common Responsibilities (All Levels)
- Conduct technical analysis of user activity data and alerts to identify potential insider threat indicators
- Triage alerts by correlating insider threat data with additional data sources to assess risk and intent
- Develop hypotheses and perform behavioral analysis using available tools and datasets
- Support directed requests in support of civil, workplace, counterintelligence, or law enforcement investigations
- Incorporate complex data flows and contextual information into analysis and investigative assessments
- Produce concise, accurate, and timely analytical reports for Insider Threat stakeholders and leadership
- Present analytical findings to team members and management in a clear, actionable manner
- Refine alerts based on triage results, current threat activity, and operational feedback
- Contribute to development and improvement of Insider Threat processes, procedures, and documentation
- Collaborate with Operations Watch Officers and analysts to support investigations, campaigns, and events
- Strong understanding of insider threat analysis and user activity monitoring
- Experience analyzing host‑based data and behavioral indicators
- Ability to synthesize complex data into clear analytical conclusions
- Strong written and verbal communication skills
- Ability to operate with discretion and sound judgment in sensitive investigative environments
- Ability to work independently and collaboratively in a team environment
- Bachelor’s degree from an accredited institution
- One (1) or more years of scripting or programming experience within the last three (3) years, including languages such as PowerShell, Python, Ruby, Shell/Bash, Java, C/C++, C#, Perl, or PL/SQL
- Knowledge of data science techniques such as anomaly detection and machine learning
- Expert‑level understanding of insider threat indicators, user activity data, and behavioral analysis
- Familiarity with foreign intelligence entity tactics, techniques, and procedures
- Experience working in multi‑tenant or service provider environments
- Experience supporting Department of Defense or Intelligence Community Insider Threat programs
- Minimum of a Secret Clearance, with ability to obtain Top Secret/Sensitive Compartmented Information (TS/SCI)
- Analyst: Minimum of three (3) years of experience supporting Department of Defense or Intelligence Community Insider Threat programs
- Subject‑matter expertise with Executive Order 13587, Director of National Intelligence National Counterintelligence and Security Center Insider Threat Task Force standards, and Department of Defense Insider Threat regulations and guidance (Technical Lead level)
- Department of Defense (DoD) 8570 Information Assurance Technical Level II
- Demonstrated experience leading or overseeing insider threat operations.
- Knowledge of user activity monitoring, host‑based data analysis, and…