WorkWave is seeking a Security Operations Engineer with a builder’s mindset to join their team. This role involves bridging the gap between Security and Engineering, implementing a new SIEM, and transforming raw data into high-fidelity alerts while serving as the technical escalation point for incident response.
Responsibilities:
- Serve as the primary implementer for the new SIEM solution, configuring data ingestion and tuning the platform for optimal performance
- Own the security observability platform on Grafana (Loki/LogQL, Prometheus/PromQL, Grafana Alerting; OTel for collection), including onboarding sources, parsing, enrichment, and alert routing
- Own the "Content Engineering" lifecycle: write, test, and tune detection rules and queries (LogQL, PromQL, SPL, KQL, SQL, etc.) to identify malicious activity with low false-positive rates
- Partner with the Engineering team to ensure the new observability platform captures the right security telemetry and logs
- Serve as the primary operator for security monitoring and initial incident triage, participating in the on-call rotation
- Define logging standards and required security telemetry for product and infrastructure
- Own log onboarding, parsing, enrichment, normalization, retention, and cost controls
- Build dashboards and SLOs for security telemetry health (coverage, latency, drop rate)
- Develop and maintain the library of Incident Response documents, including Triage Books, Runbooks, and Playbooks for the future on-call rotation
- Act as the primary technical liaison for our MDR provider (Sophos), ensuring they have the context needed to monitor effectively
- Lead deeper analysis and threat hunting investigations for complex alerts escalated by the MDR or internal teams
- Own alert routing and incident tracking integration (PagerDuty + Jira/Slack), including severity model, escalation paths, and reporting
- Lead incident coordination, write post-incident reviews, and drive corrective actions with Engineering
- Own phishing detection/response workflows and playbooks (user reports, triage, containment)
- Continuously evaluate the efficacy of alerts and automations; refine logic to reduce alert fatigue
- Assist in defining log schemas to ensure data is parsed correctly for both security and engineering use cases
- Evaluate and implement AI-assisted tools to streamline query generation and dashboard creation
- Own the integration and correlation between MDR alerts and internal SIEM/incident tracking
- Implement least-privilege access to security telemetry and ensure logging pipelines avoid sensitive data leakage
Requirements:
- 5-7 years of total experience in Information Security or Security Operations
- Proven experience transitioning from a 'consumer' of alerts (Analyst) to a 'builder' of detections (Engineer)
- Demonstrated experience working with SIEM/observability platforms (Grafana/Loki preferred; Splunk/Elastic/Sentinel/Datadog acceptable), specifically in creating dashboards, reports, and writing complex queries
- Experience working with Managed Detection and Response (MDR) providers or MSSPs is highly preferred
- Background in partnering with DevOps or Engineering teams on logging or observability initiatives is a plus
- Bachelor's degree in Computer Science, Information Security, or a related field, or equivalent work experience
- Industry certifications such as GCIH, GCIA, GCED, GMON, Security+, CySA+, or related are highly desirable
- Strong proficiency in query languages (e.g., LogQL, PromQL, KQL, SPL, SQL) to interrogate data and build dashboards
- Ability to translate threat intelligence and MITRE ATT&CK techniques into actionable detection rules
- Deep understanding of the Incident Response Lifecycle (NIST or SANS) and experience writing clear, executable runbooks
- Familiarity with Python or similar scripting languages for automation or API integration is beneficial (though not a primary coding role)