Senior Security Operations Engineer
TLDR
Lead security operations capabilities at Field Nation, focusing on detection engineering, incident response, and threat hunting to protect customer data and empower engineers.
Serve as the final escalation point for complex security incidents — leading containment, eradication, recovery, and post-incident review, and coordinating response across engineering, IT, legal, and leadership.
Perform digital forensics (disk, memory, network, and cloud) to determine root cause, support evidence preservation, and produce clear findings for technical and non-technical stakeholders.
Participate in a formal on-call rotation, serving as the primary responder for critical security incidents outside of business hours.
Own detection engineering: write and maintain SIEM correlation rules, develop behavioral analytics, and manage detection-as-code pipelines that keep pace with an evolving threat landscape.
Monitor and tune EDR, SIEM, and cloud-native security tooling (SentinelOne, Wiz Defend, AWS GuardDuty, DataDog) to maintain high-confidence detections and reduce alert fatigue.
Conduct proactive, hypothesis-driven threat hunts using MITRE ATT&CK, threat intelligence feeds, and behavioral analytics across endpoints, network, and cloud environments.
Build and maintain SOAR playbooks that automate high-volume, repetitive response workflows — reducing analyst toil and improving response consistency.
Identify and implement agentic workflows that accelerate security operations — building LLM-powered automation for alert triage, attack chain summarization, detection logic generation, and runbook drafting, with appropriate human-in-the-loop controls and output validation before any AI-generated security content is acted on.
Own detection and response coverage for AI-specific threats — building detection rules for AI application anomalies, prompt injection attempts, excessive agent permission use, and RAG pipeline abuse, mapped against the OWASP LLM Top 10 and MITRE ATLAS framework to identify and close detection coverage gaps.
Use AI coding assistants (Claude Code and GitHub Copilot) as force-multipliers in your daily workflow — drafting automation scripts, detection rules, and infrastructure code, while applying the same critical review to AI-generated output as you would to any peer pull request.
Maintain clear, rigorous documentation — incident reports, threat hunt findings, detection rationale, and runbooks — that builds organizational knowledge and supports audit readiness.
Bachelor’s Degree in Computer Science, Cybersecurity, Information Systems, or related discipline, or equivalent experience.
Minimum of 5 years of experience in cybersecurity, with at least 3 years focused on security operations, incident response, or a SOC environment.
Hands-on depth with SIEM platforms — Splunk (SPL), Microsoft Sentinel (KQL), or equivalent — including building and tuning complex correlation rules, not just running queries.
Practical experience with EDR platforms (SentinelOne strongly preferred) and a solid understanding of endpoint telemetry, memory processes, and detection tuning across Windows, macOS, and Linux.
Proficiency in Python for scripting detection logic, automation workflows, and investigation tooling. PowerShell and Bash proficiency a plus.
Working knowledge of SOAR platforms (Splunk SOAR/Phantom, Cortex XSOAR, or similar) and demonstrated ability to build — not just execute — automated playbooks.
Solid grounding in AWS security services (GuardDuty, Security Hub, CloudTrail, IAM) and experience conducting investigations in cloud-native environments.
Deep familiarity with MITRE ATT&CK as a practical framework for threat hunting, detection coverage mapping, and adversary emulation — not just as a reference.
Experience performing digital forensics, including evidence collection, memory analysis, log correlation, and articulating findings in written and verbal post-incident reviews.
Relevant certifications valued: CISSP, GCIH, GCFA, GREM, OSCP, or cloud security credentials (AWS Security Specialty). Preferred but not required.
Creative problem solver who questions inherited processes and redesigns them for scale. You see alert fatigue as an engineering problem, not an analyst problem.
Proven ability to operate with urgency and clarity under pressure, lead cross-functional response without direct authority, and keep stakeholders informed without overwhelming them.
Familiarity with AI coding assistants (Claude Code, GitHub Copilot, or equivalent) as active workflow tools — directing them for complex tasks like automation scripting, detection drafting, and technical documentation, with the judgment to know when to trust the output and when to rewrite it.
Working familiarity with the OWASP LLM Top 10 and MITRE ATLAS framework as practical tools for threat modeling LLM-backed systems and identifying detection coverage gaps. Curiosity about agentic SOC automation valued over deep prior expertise.
Strong written and verbal communicator who translates complex threat scenarios into language that resonates with engineers, executives, and board members alike. You elevate the team around you through coaching and knowledge sharing.
At Field Nation, we believe great work deserves great support. Here’s a snapshot of the benefits designed to reward performance, support well-being and create an enjoyable workplace experience.
1. Compensation & Financial Rewards
Because hard work should feel like winning.
Field Nation LLC Performance Reward – Because every citizen of Field Nation deserves a stake in the win!
Festival Bonus – Celebrate the big festivals with some extra cheer (and cash!).
Referral Bonus – Incentives for successful employee referrals.
Gratuity – Honoring your long-term dedication.
Leave Encashment – Opportunity to encash unused annual leave balance at year-end.
2. Health & Wellness
Your body, mind, and family matter.
Medical Insurance – Comprehensive health coverage for employees and their immediate family (spouse and children).
Gym Membership – Stay fit, active, and energized.
3. Daily Operations & Office Perks
Complimentary Lunch / Dinner – Because good work needs good food.
Unlimited Tea & Coffee – Keep the energy flowing.
Transportation – Helping you get to work hassle-free.
Mobile Data Allowance – Allowances to ensure connectivity.
4. Professional Development
Career Development Budget – Dedicated funds for professional learning and growth.
5. Culture, Events & Time Off
Fostering work-life balance and strong team connections.
Remote-Friendly
Weekly 2 days in-office, 3 days remote (Hybrid)
Field Nation is a tech company that provides a web-based marketplace connecting businesses with service professionals in the gig economy. Our platform empowers technicians to leverage their skills and enables companies to expand their service offerings efficiently.
- Founded: 2008
- Employees: 51-200
- Industry: Internet Software & Services
- Total raised: $30M