Submitting more applications increases your chances of landing a job.

Here’s how busy the average job seeker was last month:

Opportunities viewed

Applications submitted

Keep exploring and applying to maximize your chances!

Looking for employers with a proven track record of hiring women?

Click here to explore opportunities now!
We Value Your Feedback

You are invited to participate in a survey designed to help researchers understand how best to match workers to the types of jobs they are searching for

Would You Be Likely to Participate?

If selected, we will contact you via email with further instructions and details about your participation.

You will receive a $7 payout for answering the survey.


User unblocked successfully
Youssef Kharoufi, SOC Analyst

Youssef Kharoufi

SOC Analyst·RTL Belgium,

Qatar

Master's degree, Cybersecurity

Work experience

Total years of experience: 6 years, 4 months

SOC Analyst

June 2024 - April 2026

RTL Belgium,

Brussels, Belgium Hybrid

June 2024 - April 2026

• Investigated a high-severity alert in Splunk related to abnormal file activity on a user workstation, identifying patterns consistent with ransomware behavior.
• Analyzed Sysmon logs to detect a high volume of file modifications and renaming within a short timeframe, indicating potential mass encryption activity.
• Correlated process creation events to identify a suspicious process responsible for modifying multiple files and generating new file extensions.
• Cross-analyzed alerts from CrowdStrike EDR, identifying a malicious process chain initiated from a user-downloaded file leading to file encryption.
• Detected defense evasion techniques, including attempts to disable security tools and delete shadow copies, commonly associated with ransomware attacks.
• Isolated the compromised endpoint via CrowdStrike to prevent lateral movement and further impact across the network.
• Collected and analyzed indicators of compromise (IOCs) to support incident response and containment efforts.
• Contributed to improving detection capabilities by implementing SIEM rules based on abnormal file modification rates and execution from suspicious paths.

Company industry:
Media Production
Job role:
Information Technology

SOC Analyst

January 2022 - January 2024

Amexio (client Pratt & Whiteney)

Montreal, Canada Hybrid

January 2022 - January 2024

• Performed a SOC investigation using Sysmon logs ingested into Splunk to detect and reconstruct a system compromise.
• Leveraged Sysmon EventCodes to analyze malicious activity, including file creation events (EventCode 11), process execution in memory (EventCode 1), outbound network connections (EventCode 3), and process termination events (EventCode 5).
• Correlated multiple log sources to identify the malicious process responsible for the infection, analyze command-line execution, process paths, parent-child relationships, and cryptographic hashes.
• Validated file hashes using VirusTotal to confirm malicious behavior and identified the cloud-based distribution method.
• Analyzed defense evasion techniques such as timestomping, tracked dropped files on disk, and identified network activity related to an UltraVNC backdoor.

Company industry:
Aviation Support Services
Job role:
Mechanical Engineering

Cybersecurity Analyst

September 2020 - April 2021

Planning and Statistics Authority : PSA

Doha, Qatar

September 2020 - April 2021

Mission 1 :
• Analysis and investigation of alerts generated by Splunk based on Windows Security logs within a critical environment.
• Detection of suspicious activity characterized by multiple failed authentication attempts (Event ID 4625) followed by a successful logon (Event ID 4624 - Logon Type 3) on a sensitive internal server.
• Review of assigned privileges via Event ID 4672 to identify potential privilege escalation.
• Examination of process creation events (Event ID 4688) to detect abnormal behavior.
• Correlation with Sysmon logs enabling the detection of wmic.exe execution followed by remote execution of cmd.exe.
• Analysis of parent-child process relationships revealing unusual PowerShell-initiated execution.
• Identification of a lateral movement pattern originating from a user workstation previously involved in a security alert.
• Performed MITRE ATT&CK mapping.
• Escalated the incident, disabled the compromised account, and contributed to improving SIEM correlation rules.
Mission 2 :
• Performed browser forensic analysis as part of incident response and digital investigations to reconstruct user activity. Analyzed Google Chrome artifacts located in AppData\Local\Google\Chrome\User Data\Default, including browsing history, downloads, extensions, and user preferences.
• Examined Chrome SQLite databases using DB Browser for SQLite, focusing on the urls and visits tables.
• Analyzed visited URLs, visit frequency, timestamps, and page titles to identify browsing behavior.
• Interpreted the transition field to determine how websites were accessed (link clicks, manual URL entry, searches, redirects) and leveraged the visit_duration field to assess time spent on webpages, enabling detailed reconstruction of user navigation during investigations.
• Supported threat hunting activities by identifying attacker techniques that bypassed existing SIEM rules and proposing new detection logic.
• Documented attack scenarios, detection gaps, and recommendations to improve SOC alerting and incident response workflows.

Company industry:
Non-profit Organization
Job role:
Information Technology

SOC Analyst (School Final Project)

February 2020 - August 2020

La Banque Postale,

Toulouse, France

February 2020 - August 2020

• Conducted Windows forensic investigations following simulated attacks using Atomic Red Team (ART) to assess system impact and attacker activity.
• Executed controlled attack scenarios using scripts and executables, then collected forensic artifacts with KAPE (Kroll Artifact Parser and Extractor).
• Configured Target Options for artifact acquisition (file system, registry hives, event logs, execution artifacts) and used Modules for parsing and analysis.
• Performed in-depth NTFS analysis focusing on $MFT (Master File Table) and USN Journal ($J) artifacts to reconstruct event timelines using MACB timestamps (Modified, Accessed, Changed, Birth).
• Leveraged MFTECmd and Timeline Explorer (Eric Zimmerman) to identify file creation, modification, deletion events, and file overwriting behavior linked to ART attack activity.
• Supported threat hunting activities by identifying attacker techniques that bypassed existing SIEM rules and proposing new detection logic.
• Documented attack scenarios, detection gaps, and recommendations to improve SOC alerting and incident response workflows.

Company industry:
Banking
Job role:
Banking

Cybersecurity Analyst Intern

January 2017 - January 2018

National Telecommunications Regulatory Agency (ANRT),

Rabat, Morocco

January 2017 - January 2018

• Conducted in-depth Windows Registry forensic analysis to identify user
activity, persistence mechanisms, and evidence of execution.
• Loaded and analyzed primary registry hives (SAM, SECURITY, SOFTWARE,
SYSTEM, NTUSER.dat, UsrClass.dat) collected via KAPE using Registry
Explorer.
• Used RegRipper to automate the extraction and parsing of registry
artifacts, performing targeted keyword-based analysis (TaskCache, Run
keys, Services). Investigated persistence keys such as Run Keys, Windows
Services, and Scheduled Tasks to detect automatic execution of malicious
scripts or programs.
• Analyzed additional artifacts including Prefetch, UserAssist, RecentDocs,
ShellBags, BAM (Background Activity Monitor), and ShimCache to
reconstruct execution history, user activity, and interactions with the file
system and external devices.
• Correlated forensic findings with SIEM alerts and endpoint telemetry to
validate indicators of compromise (IOCs).
• Contributed to threat hunting activities by identifying persistence
techniques often missed by automated detections.

Company industry:
Corporate Management Office

Cybersecurity Analyst Intern

January 2017 - January 2017

Libération Journal,

Casablanca, Morocco

January 2017 - January 2017

• Performed comprehensive analysis of suspicious emails to identify
phishing campaigns and impersonation attempts. Conducted detailed
examination of email headers (.eml) to trace message routing via SMTP,
IMAP, and POP3 protocols, and analyzed interactions between MUA and
MTA.
• Verified SPF, DKIM, and DMARC authentication mechanisms using DNS
queries (nslookup) to detect inconsistencies, spoofed domains,
unauthorized IP addresses, and invalid DKIM signatures.
• Identified advanced techniques such as domain spoofing, lookalike
domains, and compromised accounts. Analyzed malicious attachments by
calculating SHA-256 hashes and submitting them to threat intelligence
platforms such as VirusTotal, ANY.RUN, and tri.age to assess file behavior
and risk level.
• Cybersecurity awareness initiatives:
◦ Implemented a cybersecurity awareness platform
◦ Conducted phishing simulation campaigns
◦ Performed USB drop attack simulations

Company industry:
Journalism

Education

IMT Nord Europe

August 2020

August 2020

Master's degree, Cybersecurity

France

Lycée René Descartes

July 2014

July 2014

Bachelor's degree, Applied Mathematics

Morocco

Skills

SOAR
Expert
SOAR
Expert
Crowdstrike
Expert
Crowdstrike
Expert
Incident response
Expert
Incident response
Expert
CYBER THREAT HUNTING
Expert
CYBER THREAT HUNTING
Expert
SECURITY INFORMATION AND EVENT MANAGEMENT SIEM
Expert
SECURITY INFORMATION AND EVENT MANAGEMENT SIEM
Expert
SNORT INTRUSION DETECTION SYSTEM
Expert
SNORT INTRUSION DETECTION SYSTEM
Expert
SPLUNK
Expert
SPLUNK
Expert
Microsoft Defender for Endpoint
Intermediate
Microsoft Defender for Endpoint
Intermediate

Languages

French

Native Speaker

English

Expert

Spanish

Intermediate

Arabic

Native Speaker

Training and Certifications

Certifications
CompTIA Security

Hobbies and interests

One Piece…
Attack On Titan,
Mangas and animés from Japan (Naruto, Dragon Ball,
Drawing.
Soccer (Real Madrid, Toulouse FC).
Karting.