Key skills
CloudAILLMLeadershipCommunication
About this role
Role Overview
- Monitor and triage security alerts across SIEM, EDR, and CSPM platforms covering both corporate and product environments.
- Investigate alerts to determine scope, severity, and whether escalation is warranted.
- Leverage AI-assisted triage and enrichment tools to accelerate analysis and reduce mean time to detect.
- Classify, document, and track alerts through the full lifecycle using ticketing and case management systems.
- Participate in or lead incident response engagements from detection through remediation, including evidence collection, forensic analysis, root cause determination, and stakeholder communication.
- Conduct investigations across SIEM, EDR, CSPM, and cloud-native log sources including identity provider logs, cloud audit trails, and network flow data—spanning both corporate and product infrastructure.
- Execute established IR runbooks across identity, endpoint, cloud, and email investigation workflows.
- Manage or assist with evidence handling, forensic artifact collection, and chain-of-custody procedures.
- Produce clear, decision-ready incident summaries and post-incident reports for both technical and leadership audiences.
- Contribute to the design, implementation, and tuning of detection rules across SIEM and EDR platforms, with a focus on reducing false positives and closing coverage gaps.
- Translate threat intelligence (CVE advisories, CISA alerts, vendor bulletins, open-source feeds) into actionable detection content, with particular attention to threats targeting privileged access tooling and supply chain attack vectors.
- Help maintain and evolve detection coverage mapped to MITRE ATT&CK.
- Partner with threat hunting peers to validate detection logic through hypothesis-driven hunts.
- Use AI-driven tools for alert triage, enrichment, and investigation as a standard part of daily operations.
- Contribute to the evaluation, integration, and optimization of AI and automation capabilities across the team’s workflows.
- Assist in designing prompts, agent workflows, or LLM-based pipelines that augment analyst capabilities and reduce manual effort.
- Partner with engineering teams to improve log ingestion, data quality, and tool integrations.
- Maintain daily operational notes and shift handoff documentation.
- Contribute to and refine IR runbooks, playbooks, and standard operating procedures.
- Participate in on-call rotation for after-hours incident escalation.
- Track and report on operational metrics (MTTD, MTTR, MTTC, false positive rate) and identify improvement opportunities.
- Participate in tabletop exercises, purple team activities, and post-incident reviews.
Requirements
- 2+ years of experience in a SOC, security operations, or incident response role.
- Understanding of common attack frameworks (MITRE ATT&CK), network protocols, and endpoint behavior.
- Experience with at least one SIEM platform and familiarity with writing search or detection queries.
- Familiarity with EDR platforms and cloud environments (IaaS preferred).
- Comfort using AI systems (e.g., LLM-based assistants, copilots, or AI-driven analysis tools) as part of security workflows.
- Strong written communication skills; able to document findings clearly and concisely for both technical and non-technical audiences.
Tech Stack
- Cloud
Benefits
- Health insurance
- 401(k) matching
- Flexible work hours
- Paid time off
- Professional development opportunities