# GSOC Watch Desk Analyst

**Company:** [Control Risks](http://jobs.workable.com/companies/1eXXHxeg9VjpNhhwFSwcCW.md)
**Location:** São Paulo, Brazil
**Workplace:** on site
**Employment type:** Contract
**Department:** Operational Security

## Description

The Watch Desk Analyst (focus on Brand & Cyber) is an entry-level role within the GSOC (Global Security Operations Center) to support the Global Security Intelligence function. Its primary focus is Brand Threat Intelligence & Protection — including VIP / executive monitoring — protecting the company’s brand, customers and people from phishing, impersonation, fake apps, fraudulent ads, data-leak claims and reputational attacks. The work is OSINT-led and supported by specialist monitoring vendors that the analyst tasks and triages. The main output is fast Level 1–2 intelligence — Flash Reports and Info Reports — that drives immediate decisions and feeds the GSOC Watch Desk in real time through alert triage and escalation.

As secondary scope, the analyst keeps working-level Cyber Threat Intelligence — connecting leaked credentials, exposed data and phishing infrastructure to customer harm — plus the basics of Security Risk Intelligence when needed. It suits someone with an investigative mindset and solid OSINT/SOCMINT instincts who can separate signal from noise and communicate clearly under pressure.

**Tasks and responsibilities**

Brand Threat Intelligence & Protection

-   Continuously monitor open sources — social media, app stores, paid-ad networks, search results and domains/DNS — and triage alerts from brand-protection / monitoring vendors for abuse of the company's brand, logos, domains and products.
-   Detect and triage phishing sites, fake apps, fraudulent ads, impersonation profiles (including executive and customer-support impersonation), spoofed domains and counterfeit or scam campaigns targeting customers.
-   Work the detection queue from brand-protection vendors (e.g. AXUR): validate suspicious assets using the company's identity, decide takedown vs. legitimate, and record decisions in the tracking workflow — keeping the queue clean and critical items escalated.
-   Own the takedown lifecycle end to end: evidence capture, classification, submission to registrars, hosts, app stores and platforms, follow-up and confirmation — tracking time-to-takedown and recurrence.
-   Monitor for and assess brand-reputation threats: coordinated disinformation, smear campaigns, viral complaints with security implications, and narrative attacks against the company or its leadership.
-   Track fraud and social-engineering trends affecting customers (e.g. golpe do falso funcionário, Pix scams, fake support lines) and surface them to fraud, comms and product stakeholders.
-   Conduct VIP / executive monitoring: track exposure of executives and high-profile employees through open-source research and vendor feeds — impersonation, doxxing, leaked personal data, threats and hostile chatter — and surface protective intelligence to Executive Protection.
-   Maintain watchlists of malicious domains, impersonation accounts, recurring threat actors and abuse patterns targeting the brand and its executives.

Cyber Threat Intelligence — supporting literacy

-   Triage and act on alerts from threat-intelligence / DRP vendors covering mentions of the company, leaked credentials, exposed data and chatter targeting the company, its customers or its executives — validating, prioritising and enriching vendor findings.
-   Recognize common attack vectors and indicators of compromise (phishing kits, malicious domains/IPs, credential dumps, ATO and carding activity) and route them to the relevant SOC / cyber teams with enriched context.
-   Correlate cyber signals with brand and physical threats to surface cross-domain risk — e.g. leaked data fuelling targeted phishing, or a credential leak preceding an impersonation wave.
-   Maintain working fluency with the threat-intelligence lifecycle and frameworks (e.g. MITRE ATT&CK, the cyber kill chain) to engage credibly with cyber counterparts.

Monitoring, Triage & Reporting

-   Perform initial triage of incoming signals: assess relevance and severity, enrich with context, and route or escalate accordingly.
-   Keep alert queues clean and route alerts between GS Intelligence (Core) and the Watch Desk, ensuring critical occurrences reach the right stakeholders quickly.
-   Primary deliverable — produce Level 1–2 intelligence at speed: Flash Reports and Info Reports (plus FYIs and short-form notes) that enable rapid decision-making, with clear, actionable framing and consistent format.
-   Use AI-enabled workflows (LLMs and lightweight automation) to accelerate enrichment, translation, entity extraction, summarization and triage — always with prompt validation, cross-source verification and human judgment retained over the final output.
-   Analyse patterns across incidents to identify trends, recurring actors and systemic risks; contribute to threat profiles and scenario assessments.
-   Georeference incidents and threats where relevant to evaluate impact on people, operations, travel and executive movements.

Operational Support

-   Support crisis and incident response, and draft timely communications to stakeholders.
-   Respond to Requests for Information (RFIs) from security leadership, executive protection, fraud, legal, HR, comms and investigative teams.
-   Provide intelligence support for executive exposure, high-profile events and corporate communications with brand- or security-sensitive components.
-   Provide on-demand coverage for Security Risk Intelligence, maintaining a working knowledge of its basics to keep the function running when needed.

Governance & Continuous Improvement

-   Maintain documentation hygiene and structured knowledge transfer to ensure continuity across the 12×36 shift model.
-   Contribute to After Action Reports (AARs) and lessons-learned following incidents or drills.
-   Help refine SOPs, takedown playbooks, detection rules and source coverage.

## Requirements

Minimum Requirements

-   Bachelor's degree completed or in progress (Computer Science, International Relations, Social Sciences or a related field), or equivalent practical experience.
-   Genuine interest in security, threat intelligence, brand protection or fraud — internships, academic work, certifications or personal projects all count.
-   Strong research and analytical instincts: curious, detail-oriented, and able to separate relevant information from noise. A foundation in OSINT/SOCMINT tradecraft — structured research, source verification, operational-security hygiene — is a strong plus and is where stronger candidates stand out.
-   Demonstrated fluency in AI-enabled intelligence workflows, including the use of LLMs and automation for enrichment, translation, entity extraction, summarization and triage acceleration — applied with critical judgment, prompt validation and cross-source verification. Human judgment is retained over all intelligence outputs.
-   Comfort designing lightweight automations to reduce analyst toil.
-   Working familiarity with cyber signal recognition (threat-actor categories, attack-vector vocabulary, common IOCs) sufficient to flag and correlate across domains.
-   Comfortable online and quick to learn new tools and platforms; basic computer/data literacy.
-   Clear written communication, with the discipline to document findings consistently.
-   Fluency in Portuguese and good working English; Spanish a plus.
-   Able to stay calm and prioritise under pressure, and willing to work a 12×36 shift schedule.
-   Discretion handling sensitive information and a collaborative, team-first attitude.

Preferred, but not required

-   Advanced OSINT/SOCMINT tradecraft — sock-puppet and operational-security practices, cross-source correlation, structured analytic techniques.
-   A track record of building AI-assisted or automated workflows (prompt pipelines, scripts, enrichment tooling) that measurably reduced analyst toil.
-   Any experience with brand-protection, DRP or threat-intelligence platforms or takedown workflows.
-   Working knowledge of frameworks like MITRE ATT&CK or the cyber kill chain.
-   Familiarity with the fraud landscape facing fintech in Brazil/LatAm (Pix scams, social engineering, fake support lines).
-   Scripting or automation skills (e.g. Python) for collecting and enriching data.
