Lead detection development: achieve full MITRE coverage, maintain low false-positive and false-negative rates. Work closely with alerts consumers (20+ teams) to keep noise low and signal high, ensuring they can act quickly without missing genuine threats.
Architect and operate detection coverage across our cloud and bare-metal environments.
Build and extend our internal D&R tools and pipelines
onboard new logs, build and automate response runbooks.
Integrate threat intelligence into detection logic and IR playbooks, tracking adversary TTPs relevant to Cloud infrastructure.
Lead incident response end-to-end: scoping, containment, root cause analysis, post-incident reviews and controlling critical action items are closed to prevent future possible incidents.
Partner with Compliance and Engineering teams to detect real threats while meeting the needs of both engineers and regulators.
Define and report on D&R metrics: MTTD, MTTR, detection coverage, false positive rates, etc.
Build and maintain Security Incident Response program: people, processes, tools.
Build tools, runbooks, and on-call processes that scale as the company grows.
Requirements
6+ years in security operations, detection engineering, or incident response — with at least 1–2 years leading or mentoring a team.
Deep hands-on experience with cloud-native environments (Kubernetes, Linux workloads, container-based infrastructure).
Strong detection engineering skills: writing and tuning rules/detections in SIEM platforms (e.g., Chronicle, Splunk, Elastic) and SQL.
Experience building or operating SOAR workflows and automating response at scale (ideally with Golang and Temporal).
Working knowledge of threat intelligence frameworks (MITRE ATT&CK, Pyramid of Pain, Kill Chain) and how to operationalize them in detections.
Solid IR fundamentals: memory forensics, log analysis, network traffic analysis, and post-incident reporting.
Stakeholder management: able to coordinate across engineers, compliance, legal, executives during active incident phase. Serve as the primary owner and driver for complex changes, as a result of incidents post-mortem.