Senior Incident Response Engineer

Location: Remote within USA

About The Role

The Senior Detection, Automation, and Incident Response Engineer is a critical technical role responsible for driving the organization's defensive security capabilities across detection engineering, security orchestration, automation, and response (SOAR), and co-leading the organization's threat hunting program. This role is crucial for integrating new threat intelligence into high-fidelity detections and automating incident response processes to maximize team efficiency and response speed.

You'll work directly with the Director of Security Monitoring, Detection and Response and collaborate closely with the SOC Manager to co-lead threat hunting initiatives, while partnering with cross-functional security teams to build and scale our security operations capabilities.

About Our Security Team

You'll be joining a fast-paced security organization that emphasizes automation, engineering-driven approaches, and systematic problem-solving. Our team operates at the intersection of security operations, detection engineering, incident response, and infrastructure security. We value practical solutions, measurable outcomes, and continuous improvement.

What You’ll Do:

1. Detection Engineering & Platform Leadership (40%)

• Design, implement, and maintain advanced detection rules and correlation logic across SIEM , EDR, and Cloud platforms (AWS, GCP)
• Lead detection strategy and architecture aligned with the Detection Quality frameworks
• Write high-fidelity detection rules using languages like SIGMA and YARA-L
• Conduct deep log source analysis, perform threat modeling, adversary emulation, and maintain MITRE ATT&CK mapping coverage
• Conduct detection gap analysis to identify coverage opportunities across the kill chain
• Create and maintain detection playbooks, runbooks, and comprehensive documentation
• Perform detection quality assessments and continuous improvement initiatives

2. Security Automation (SOAR) & Response Leadership (40%)

• Develop complex automated response playbooks for multi-stage incidents spanning multiple security tools
• Integrate security tools via APIs (SIEM, EDR, MDM, CASB, ITSM, threat intelligence platforms)
• Create automated enrichment pipelines incorporating threat intelligence, asset context, and user behavior analytics
• Develop automated containment actions (account disable, host isolation, firewall rule updates)
• Measure and report automation ROI, tracking metrics like time saved and incident handling efficiency
• Handle Incident Response processes and procedures as needed

3. Threat Hunting Co-Leadership & Execution (20%)

• Co-lead the organization's threat hunting program with the SOC Manager, defining strategy, methodology, and campaign planning
• Execute proactive threat hunting campaigns by conducting hunt queries across SIEM and EDR platforms
• Analyze large datasets to identify anomalous behavior patterns including user behavior, process execution, network traffic, and cloud activity
• Develop hunting automation and tooling using custom Python scripts, Jupyter Notebooks, Osquery, and Velociraptor
• Collaborate with threat intelligence sources to incorporate latest TTPs into hunting campaigns

What We Are Looking For: 

• 7+ years in security operations with 3+ years in detection engineering, including deep expertise in creating high-fidelity rules (SIGMA, YARA-L, KQL, SPL).
• Proven track record of building detection strategies across SIEM, EDR, and Cloud platforms, grounded in the MITRE ATT&CK framework.
• Expert knowledge of SOAR platforms (e.g., Tines, Splunk SOAR, Cortex XSOAR), architecture, and complex playbook development.
• Proven experience designing and implementing SOAR platform architecture from concept to production.
• Advanced scripting and automation development skills in Python (required) for API integrations and security tool orchestration.
• Strong background in threat hunting methodology, hypothesis development, and campaign execution, with experience leading or co-leading hunting programs.
• Proficiency with data analysis, anomaly detection, and hands-on experience with hunting tools like Jupyter Notebooks, Osquery, and Velociraptor.
• Deep understanding of attack techniques, lateral movement, persistence mechanisms, and post-exploitation TTPs across Windows, Linux, and macOS.
• Familiarity with security frameworks including MITRE ATT&CK, PICERL, NIST CSF, and Detection Maturity Models, and incident response best practices.
• Proven ability to lead technical initiatives, mentor team members, and communicate complex technical concepts to diverse audiences.

Preferred Qualifications

• Experience with YARA-L.
• Deep familiarity with Detection Frameworks and detection engineering quality frameworks.
• Proven track record implementing SOAR platforms from architecture through operationalization, with experience evaluating multiple platforms.
• Advanced knowledge of CrowdStrike Falcon platform including custom IOA rules.
• Background in purple team activities, adversary emulation, or red teaming.
• Experience with CI/CD practices for detection-as-code and automation-as-code.
• Contributions to open-source security projects or security certifications (GCDA, GCIH, GCIA, GCFA, OSCP, or equivalent).
• Knowledge of security data lakes (Snowflake, BigQuery) and experience with threat intelligence platforms (TIP).
• Published research, blog posts, or conference presentations on detection engineering, automation, or threat hunting topics.

Behavior: 

• Strategic Thinker: You design solutions that scale, anticipate future needs, and align with organizational security strategy
• Builder & Architect: You design and build complex systems from the ground up, with focus on maintainability and scalability
• Quality & Precision Focused: You care deeply about detection accuracy, automation reliability, and operational excellence
• Proactive Hunter: You don't wait for alerts—you actively seek threats and continuously question assumptions
• Data-Driven: You use metrics and data analysis to drive decisions, measure impact, and communicate value

Why Join AlphaSense Security

• High-Impact Leadership Role: Own critical security capabilities (detection, automation, hunting) with direct organizational impact
• Greenfield Opportunities: Architect and build SOAR platform from the ground up and lead major SIEM migration efforts
• Technical Depth: Solve complex problems at scale with Modern security stack
• Scale & Complexity: Protect a critical platform serving enterprise customers with sophisticated threats
• Autonomy & Influence: Shape security architecture decisions, tool evaluations, and team direction
• Growing Team: Join a growing team with clear structure, specialized roles, and growth trajectory
• Balance & Variety: Split time between strategic architecture (detection, SOAR) and hands-on execution (hunting, investigation)
• Innovation Culture: Implement detection-as-code, automation-as-code, and data-driven security practices

Important notice: We are an AI-driven company and actively use AI tools in our day-to-day work. However, the use of AI tools during the interview process is not permitted. Interviews are designed to assess your individual skills and thinking. If we determine that a candidate is using AI assistance to answer interview questions, this may result in disqualification from the hiring process.