Ondo Finance is building institutional-grade financial infrastructure for tokenized real-world assets. They are seeking a Senior Security Engineer for Operations / Incident Response to lead the defense of their systems, focusing on detection engineering, incident response, and security automation.
Responsibilities:
- Detection engineering lifecycle in our SIEM (e.g., Splunk, Panther, or equivalent) — write detections, tune for noise, version them in code, and measure their performance
- EDR (e.g., CrowdStrike, SentinelOne) deployment, policy tuning, exclusions hygiene, and response playbooks across macOS-heavy and Linux fleets
- Email security stack: tune detections, investigate phish, run takedowns, and drive user reporting workflows
- Build and operate SOAR / response automation to take repetitive analyst work to zero
- Participate in and lead incident response: triage, contain, eradicate, recover, and write the post-mortem. Run tabletop exercises with engineering and exec stakeholders
- Build and maintain the on-call rotation, runbooks, and severity definitions for the SIRT
- Integrate identity telemetry and SaaS audit logs into detection coverage; close the gap between IT signals and security signals
- Partner with Infrastructure Security on cloud detection coverage and with Product Security on application-layer signals
- Build, deploy, and operate AI-native workflows in our SecOps stack — LLM-assisted triage, alert summarization, evidence collection, draft IR comms, and analyst copilots — with the guardrails to keep them safe and auditable
- Define how we monitor internal AI usage (sanctioned LLMs, MCP servers, browser-based agents) and how we detect AI-driven attacks against our employees and customers (deepfake voice/video, AI phishing, prompt injection in shared tooling)
- Help us decide where AI belongs in critical workflows (incident comms drafting, log search, detection tuning) and where it does not (signing actions, irreversible response, anything touching customer funds)
Requirements:
- 3-5+ years in security operations, detection engineering, or incident response, including time as a senior IC at a fast-moving company
- Deep, hands-on experience with at least one SIEM (Splunk, Panther, Elastic, Sentinel, Chronicle)
- Production experience with EDR tuning and IR (CrowdStrike, SentinelOne, Defender, or equivalent)
- Solid working knowledge of email security tooling and modern phishing TTPs (BEC, OAuth consent phishing, vendor impersonation, callback phishing)
- SOAR / automation experience
- Strong scripting skills (Python preferred); comfortable working in Git and treating detections as code
- Operational maturity: you can lead an incident, write a clean post-mortem, and push organizational changes that come out of it
- Working fluency with cloud security telemetry in at least one of AWS, GCP, or Azure
- Practical experience integrating AI/LLMs into security workflows, or a track record of evaluating new tooling rigorously and shipping it into production
- Background defending crypto, fintech, or other high-value-target environments
- Experience with on-chain monitoring tools and blockchain-aware incident response
- Threat hunting against identity-based attacks (OAuth abuse, session token theft, IdP compromise)
- Public detection-engineering, IR, or research output (blogs, talks, open-source)