Key skills
AWSAzureCloudSplunkEntra IDSaaSJiraLeadershipCommunicationWAF
About this role
Role Overview
- Own the log ingestion pipeline end-to-end: identify gaps, build feeds, validate parsing, maintain coverage dashboards
- Close the federal logging gap and stand up commercial logging across AWS, Azure, Entra ID, and SaaS
- Activate and configure SecOps SOAR capabilities including Domain-Wide Delegation, marketplace integrations, and bidirectional response actions
- Build and maintain SOAR playbooks for major incident types such as phishing, malware, account compromise, lateral movement, and cloud-specific threats
- Develop and maintain operational dashboards for SOC metrics, alert volumes, MTTA/MTTR, and coverage status
- Manage Google SecOps RBAC
- Build and deploy production detection rules mapped to MITRE ATT&CK within the first year
- Develop custom parsers for AWS-native security services including GuardDuty, Security Hub, Inspector, WAF, CloudTrail, and VPC Flow Logs
- Establish a detection lifecycle including proposal, testing, deployment, tuning, and retirement
- Conduct quarterly detection quality reviews to measure false positive rates, coverage gaps, and rule health
- Develop alert threshold optimization to reduce noise and analyst fatigue
- Drive SentinelOne deployment across Azure VMs in commercial environments and all federal endpoints
- Configure and operationalize Cloud Funnel for log export into Google SecOps
- Build correlation rules between EDR alerts and SIEM detections
- Manage SentinelOne RBAC groups and policy configuration
- Coordinate with IT on agent deployment, health monitoring, and version management
- Serve as senior escalation point for SOC incidents, ensuring investigations are thorough and reports include root cause, remediation actions, credential rotation plans, and follow-up timelines
- Improve MTTA and MTTR through process optimization, better tooling, and analyst development
- Lead quarterly tabletop exercises and after-action reviews
- Maintain and improve incident response runbooks for all major incident categories
- Integrate incident response workflows with Jira Service Management for tracking and escalation
- Operationalize monthly scanning cadence across all environments using tools such as Nessus, AWS Inspector, and Azure Defender
- Define and enforce remediation SLAs by severity: Critical within 72 hours, High within 7 days, Medium within 30 days
- Build consolidated vulnerability dashboards in Google SecOps
- Track SLA compliance and report metrics to the CISO
- Coordinate remediation with engineering and infrastructure teams
- Serve as primary technical interface with MSSP partner for 24/7 SOC coverage
- Define and hold the MSSP accountable to SLAs, alert quality, and escalation procedures
- Review MSSP deliverables such as dashboards, reports, and playbooks for quality and completeness
- Manage the transition from the previous MSSP and ensure no coverage gaps
- Provide day-to-day technical direction to SOC analysts by setting priorities, assigning tasks, and reviewing work products
- Ensure incident response reports, playbooks, and dashboards meet quality standards before delivery to leadership or external stakeholders
- Drive OKR execution for SOC-related objectives including logging coverage, detection counts, incident response metrics, and vulnerability SLA compliance
- Identify skill gaps and development opportunities for junior analysts
- Establish and enforce SOC processes that are documented, repeatable, and auditable
Requirements
- 6+ years of experience in security operations, detection engineering, or SIEM/SOAR engineering
- Hands-on experience with Google SecOps (Chronicle) or equivalent enterprise SIEM such as Splunk, Sentinel, or QRadar, with Chronicle strongly preferred
- Production experience with SentinelOne, CrowdStrike, or a comparable EDR platform
- Deep knowledge of AWS security services including GuardDuty, Security Hub, Inspector, CloudTrail, WAF, and Config
- Experience building detection rules mapped to the MITRE ATT&CK framework
- SOAR playbook development and automation experience
- Demonstrated ability to lead without formal authority by setting direction for peers or junior analysts
- Strong incident response skills with experience writing complete reports for executive and external audiences
- Understanding of NIST 800-53 controls, particularly Audit, System Integrity, and Incident Response families
- Excellent written communication skills
Tech Stack
- AWS
- Azure
- Cloud
- Splunk
Benefits
- 136K-155K base + equity and performance bonus eligible, depending on experience and location
- Full medical, vision, and dental insurance
- Generous PTO
- Remote-first culture with flexible hours
- Opportunity to protect critical infrastructure at scale
- Work with patented, cutting-edge security technology
- Direct ownership of SOC maturation
- Collaborative team with military, federal, and private sector expertise