The Watch Desk Analyst (focus on Brand & Cyber) is an entry-level role within the GSOC (Global Security Operations Center) to support the Global Security Intelligence function. Its primary focus is Brand Threat Intelligence & Protection — including VIP / executive monitoring — protecting the company’s brand, customers and people from phishing, impersonation, fake apps, fraudulent ads, data-leak claims and reputational attacks. The work is OSINT-led and supported by specialist monitoring vendors that the analyst tasks and triages. The main output is fast Level 1–2 intelligence — Flash Reports and Info Reports — that drives immediate decisions and feeds the GSOC Watch Desk in real time through alert triage and escalation.
As secondary scope, the analyst keeps working-level Cyber Threat Intelligence — connecting leaked credentials, exposed data and phishing infrastructure to customer harm — plus the basics of Security Risk Intelligence when needed. It suits someone with an investigative mindset and solid OSINT/SOCMINT instincts who can separate signal from noise and communicate clearly under pressure.
Tasks and responsibilities
Brand Threat Intelligence & Protection
- Continuously monitor open sources — social media, app stores, paid-ad networks, search results and domains/DNS — and triage alerts from brand-protection / monitoring vendors for abuse of the company's brand, logos, domains and products.
- Detect and triage phishing sites, fake apps, fraudulent ads, impersonation profiles (including executive and customer-support impersonation), spoofed domains and counterfeit or scam campaigns targeting customers.
- Work the detection queue from brand-protection vendors (e.g. AXUR): validate suspicious assets against the company's own assets and brand identity, decide takedown vs. legitimate, and record decisions in the tracking workflow — keeping the queue clean and critical items escalated.
- Own the takedown lifecycle end to end: evidence capture, classification, submission to registrars, hosts, app stores and platforms, follow-up and confirmation — tracking time-to-takedown and recurrence.
- Monitor for and assess brand-reputation threats: coordinated disinformation, smear campaigns, viral complaints with security implications, and narrative attacks against the company or its leadership.
- Track fraud and social-engineering trends affecting customers (e.g. the "fake employee" scam (golpe do falso funcionário), Pix scams, fake support lines) and surface them to fraud, comms and product stakeholders.
- Conduct VIP / executive monitoring: track exposure of executives and high-profile employees through open-source research and vendor feeds — impersonation, doxxing, leaked personal data, threats and hostile chatter — and surface protective intelligence to Executive Protection.
- Maintain watchlists of malicious domains, impersonation accounts, recurring threat actors and abuse patterns targeting the brand and its executives.
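The queue-validation, takedown-tracking and watchlist bullets above describe a small triage loop that is easy to script. The following is an added illustration written for this page, not the company's or any vendor's tooling: it classifies a reported domain as legitimate (on an allow-list of company-owned assets), takedown (brand label embedded or within a small edit distance after undoing common lookalike substitutions) or review, and it computes time-to-takedown and recurrence over a constructed set of tracking records. The brand "examplebank", the allow-list, the substitution table and the sample records are all assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
import unicodedata

# Constructed for this example: the company's own assets (allow-list) and the
# brand label to defend. Not a real company's data.
OWN_DOMAINS = {"examplebank.com", "examplebank.com.br", "ajuda.examplebank.com.br"}
BRAND_LABELS = {"examplebank"}

# Substitutions commonly seen in lookalike registrations; deliberately partial,
# extend it as recurring patterns show up in the queue.
SUBSTITUTIONS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def normalize(label: str) -> str:
    """Fold case, strip diacritics and confusables, undo common substitutions."""
    folded = unicodedata.normalize("NFKD", label.casefold())
    ascii_only = "".join(c for c in folded if not unicodedata.combining(c))
    for src, dst in SUBSTITUTIONS.items():
        ascii_only = ascii_only.replace(src, dst)
    return ascii_only.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), row-by-row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def labels_of(domain: str) -> list[str]:
    """DNS labels left to right, ignoring a leading 'www'."""
    return [l for l in domain.lower().strip(".").split(".") if l and l != "www"]


def classify(domain: str) -> tuple[str, str]:
    """Return (decision, reason): legitimate / takedown / review.
    'review' is the default; a script should never auto-clear as legitimate
    anything that is not on the company's own asset list."""
    d = domain.lower().strip(".")
    if d in OWN_DOMAINS or any(d.endswith("." + own) for own in OWN_DOMAINS):
        return "legitimate", "company-owned asset"
    for label in labels_of(d):
        norm = normalize(label)
        for brand in BRAND_LABELS:
            if brand in norm:
                return "takedown", f"brand label embedded in '{label}'"
            if levenshtein(norm, brand) <= 2:
                return "takedown", f"'{label}' within edit distance 2 of '{brand}'"
    return "review", "no brand match; needs analyst eyes"


@dataclass
class TakedownRecord:
    domain: str
    reported_at: datetime
    taken_down_at: datetime | None = None


def time_to_takedown_hours(rec: TakedownRecord) -> float | None:
    if rec.taken_down_at is None:
        return None
    return (rec.taken_down_at - rec.reported_at).total_seconds() / 3600


def recurrences(records: list[TakedownRecord]) -> list[tuple[str, str]]:
    """Same normalised lookalike label reported again after an earlier
    instance was taken down (typically re-registered under another TLD)."""
    last_seen: dict[str, TakedownRecord] = {}
    repeats = []
    for rec in sorted(records, key=lambda r: r.reported_at):
        key = normalize(labels_of(rec.domain)[0])
        prior = last_seen.get(key)
        if prior and prior.taken_down_at and prior.taken_down_at <= rec.reported_at:
            repeats.append((prior.domain, rec.domain))
        last_seen[key] = rec
    return repeats


# Constructed sample queue and tracking records (not real alerts).
SAMPLE_RECORDS = [
    TakedownRecord("exarnplebank.com", datetime(2024, 3, 1, 9), datetime(2024, 3, 2, 15)),
    TakedownRecord("examplebank-suporte.net", datetime(2024, 3, 3, 11)),
    TakedownRecord("exarnplebank.net", datetime(2024, 3, 5, 10)),
]

if __name__ == "__main__":
    for dom in ["login.examplebank.com.br", "exarnplebank.com", "examp1ebank.com",
                "examplebank.com.evil-host.io", "exampelbank.com", "example.com"]:
        print(dom, "->", classify(dom))
    for rec in SAMPLE_RECORDS:
        print(rec.domain, "time-to-takedown (h):", time_to_takedown_hours(rec))
    print("recurrences:", recurrences(SAMPLE_RECORDS))
```

The substitution table and the edit-distance threshold are heuristics and will produce false positives on unrelated words; the point of the "review" bucket is that the script only pre-sorts the queue, while the takedown-versus-legitimate call stays with the analyst and is recorded in the tracking workflow.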
Cyber Threat Intelligence — supporting literacy
- Triage and act on alerts from threat-intelligence / DRP vendors covering mentions of the company, leaked credentials, exposed data and chatter targeting the company, its customers or its executives — validating, prioritising and enriching vendor findings.
- Recognize common attack vectors and indicators of compromise (phishing kits, malicious domains/IPs, credential dumps, ATO and carding activity) and route them to the relevant SOC / cyber teams with enriched context.
- Correlate cyber signals with brand and physical threats to surface cross-domain risk — e.g. leaked data fuelling targeted phishing, or a credential leak preceding an impersonation wave.
- Maintain working fluency with the threat-intelligence lifecycle and frameworks (e.g. MITRE ATT&CK, the cyber kill chain) to engage credibly with cyber counterparts.
Monitoring, Triage & Reporting
- Perform initial triage of incoming signals: assess relevance and severity, enrich with context, and route or escalate accordingly.
- Keep alert queues clean and route alerts between GS Intelligence (Core) and the Watch Desk, ensuring critical occurrences reach the right stakeholders quickly.
- Primary deliverable — produce Level 1–2 intelligence at speed: Flash Reports and Info Reports (plus FYIs and short-form notes) that enable rapid decision-making, with clear, actionable framing and consistent format.
- Use AI-enabled workflows (LLMs and lightweight automation) to accelerate enrichment, translation, entity extraction, summarization and triage — always with prompt validation, cross-source verification and human judgment retained over the final output.
- Analyse patterns across incidents to identify trends, recurring actors and systemic risks; contribute to threat profiles and scenario assessments.
- Georeference incidents and threats where relevant to evaluate impact on people, operations, travel and executive movements.
Operational Support
- Support crisis and incident response, and draft timely communications to stakeholders.
- Respond to Requests for Information (RFIs) from security leadership, executive protection, fraud, legal, HR, comms and investigative teams.
- Provide intelligence support for executive exposure, high-profile events and corporate communications with brand- or security-sensitive components.
- Provide on-demand coverage for Security Risk Intelligence, maintaining a working knowledge of its basics to keep the function running when needed.
Governance & Continuous Improvement
- Maintain documentation hygiene and structured knowledge transfer to ensure continuity across the 12×36 shift model.
- Contribute to After Action Reports (AARs) and lessons-learned following incidents or drills.
- Help refine SOPs, takedown playbooks, detection rules and source coverage.
Requirements
Minimum Requirements
- Bachelor's degree completed or in progress (Computer Science or International Relations, Social Sciences or related), or equivalent practical experience.
- Genuine interest in security, threat intelligence, brand protection or fraud — internships, academic work, certifications or personal projects all count.
- Strong research and analytical instincts: curious, detail-oriented, and able to separate relevant information from noise. A foundation in OSINT/SOCMINT tradecraft — structured research, source verification, operational-security hygiene — is a strong plus and is where stronger candidates stand out.
- Demonstrated fluency in AI-enabled intelligence workflows, including the use of LLMs and automation for enrichment, translation, entity extraction, summarization and triage acceleration — applied with critical judgment, prompt validation and cross-source verification. Human judgment is retained over all intelligence outputs.
- Comfort designing lightweight automations to reduce analyst toil.
- Working familiarity with cyber signal recognition (threat-actor categories, attack-vector vocabulary, common IOCs) sufficient to flag and correlate across domains.
- Comfortable online and quick to learn new tools and platforms; basic computer/data literacy.
- Clear written communication, with the discipline to document findings consistently.
- Fluency in Portuguese and good working English; Spanish a plus.
- Able to stay calm and prioritise under pressure, and willing to work a 12×36 shift schedule.
- Discretion handling sensitive information and a collaborative, team-first attitude.
Preferred, but not required
- Advanced OSINT/SOCMINT tradecraft — sock-puppet and operational-security practices, cross-source correlation, structured analytic techniques.
- A track record of building AI-assisted or automated workflows (prompt pipelines, scripts, enrichment tooling) that measurably reduced analyst toil.
- Any experience with brand-protection, DRP or threat-intelligence platforms or takedown workflows.
- Working knowledge of frameworks like MITRE ATT&CK or the cyber kill chain.
- Familiarity with the fraud landscape facing fintech in Brazil/LatAm (Pix scams, social engineering, fake support lines).
- Scripting or automation skills (e.g. Python) for collecting and enriching data.