AWS, Cloud, Cyber Security, Google Cloud Platform, Python, Splunk, Go, Bash, AI, ML, LLM, Agentic, GCP, Google Cloud, Mentoring, Collaboration, Remote Work
About this role
Role Overview
Set the strategy and technical direction for Sword’s Security Operations Center — defining the operating model, SIEM and detection architecture, incident response capability, and the roadmap to scale them as the company grows.
Drive an AI- and automation-first transformation of security operations: design SOAR playbooks, agentic and LLM-assisted triage workflows, and ML-driven detection to reduce MTTD/MTTR, expand coverage, and let a lean team operate at enterprise scale.
Lead the SOC/CSIRT team technically — mentoring detection and response engineers, raising the bar on investigations, running on-call and escalation models, and acting as commander for major incidents.
Own the SIEM end-to-end (architecture, data sources, normalization, retention, cost, and tuning) and evolve detection-as-code content aligned to MITRE ATT&CK and Sword’s threat model.
Lead high-severity incident response from detection through containment, eradication, recovery, and post-incident review, partnering with engineering, IT, legal, and executive stakeholders during critical events.
Run the threat intelligence and threat hunting programs, converting emerging TTPs into new detections, proactive hardening, and informed risk decisions.
Define and report on SOC performance — MTTD, MTTR, coverage, automation rate, false-positive rate, on-call health — and use those metrics to drive measurable, continuous improvement.
Influence security architecture and engineering decisions across the company, ensuring detection, response, and recovery are built into new products, platforms, and infrastructure from day one.
Establish and continuously improve incident response playbooks, runbooks, and tabletop exercises to ensure organizational readiness.
Requirements
Bachelor’s degree in Computer Science, Cybersecurity, or equivalent professional experience.
Proven experience scaling a SOC through automation and AI — SOAR, hyperautomation, LLM-assisted triage, agentic workflows, or ML-driven detection — with measurable impact on MTTR, coverage, or analyst leverage.
Hands-on experience structuring a SOC, either building one from the ground up or maturing one through significant transformation — SIEM selection, implementation or migration, detection engineering practice, runbook libraries, on-call rotations, and operating metrics.
Deep SIEM expertise (Splunk, Sentinel, Chronicle, Elastic, or similar) — ingestion architecture, detection-as-code, query optimization, and coverage-versus-cost tradeoffs.
Prior experience as the technical lead of a SOC or CSIRT team — owning the full incident response lifecycle, mentoring analysts and engineers, and acting as on-call/incident commander during major incidents.
Strong incident response track record — leading high-severity investigations, root cause analysis, digital forensics, and post-incident reviews that produced durable improvements.
Solid experience in cloud environments (AWS and/or GCP), with strong understanding of cloud-native threats and controls.
Strong scripting and development skills (Python, Go, Bash, or similar) for building automation, integrations, and internal tooling.
Working knowledge of EDR/XDR, identity, and network detection telemetry, and how to combine signals into high-fidelity detections.
Fluency with security frameworks and standards (NIST 800-61, CIS Controls, MITRE ATT&CK, ISO 27001) and the judgment to apply them pragmatically.
Background in threat modeling, adversary emulation, and risk-based alert tuning.
Excellent communicator — able to brief executives during a Sev1, write a clear post-mortem, and translate technical risk into business language for non-technical audiences.
Proven track record of leading cross-functional efforts in high-pressure situations and fostering collaboration across InfoSec, IT, and engineering.
Forensics experience, investigating incidents and preserving digital evidence.