Dispel

Senior Security Operations Engineer

full-time

Location Type: Remote

Location: United States

Salary

💰 $136,000 - $155,000 per year

About the role

  • Own the log ingestion pipeline end-to-end: identify gaps, build feeds, validate parsing, maintain coverage dashboards
  • Close the federal logging gap and stand up commercial logging across AWS, Azure, Entra ID, and SaaS
  • Activate and configure SecOps SOAR capabilities including Domain-Wide Delegation, marketplace integrations, and bidirectional response actions
  • Build and maintain SOAR playbooks for major incident types such as phishing, malware, account compromise, lateral movement, and cloud-specific threats
  • Develop and maintain operational dashboards for SOC metrics, alert volumes, MTTA/MTTR, and coverage status
  • Manage Google SecOps RBAC
  • Build and deploy production detection rules mapped to MITRE ATT&CK within the first year
  • Develop custom parsers for AWS-native security services including GuardDuty, Security Hub, Inspector, WAF, CloudTrail, and VPC Flow Logs
  • Establish a detection lifecycle including proposal, testing, deployment, tuning, and retirement
  • Conduct quarterly detection quality reviews to measure false positive rates, coverage gaps, and rule health
  • Develop alert threshold optimization to reduce noise and analyst fatigue
  • Drive SentinelOne deployment across Azure VMs in commercial environments and all federal endpoints
  • Configure and operationalize Cloud Funnel for log export into Google SecOps
  • Build correlation rules between EDR alerts and SIEM detections
  • Manage SentinelOne RBAC groups and policy configuration
  • Coordinate with IT on agent deployment, health monitoring, and version management
  • Serve as senior escalation point for SOC incidents, ensuring investigations are thorough and reports include root cause, remediation actions, credential rotation plans, and follow-up timelines
  • Improve MTTA and MTTR through process optimization, better tooling, and analyst development
  • Lead quarterly tabletop exercises and after-action reviews
  • Maintain and improve incident response runbooks for all major incident categories
  • Integrate incident response workflows with Jira Service Management for tracking and escalation
  • Operationalize monthly scanning cadence across all environments using tools such as Nessus, AWS Inspector, and Azure Defender
  • Define and enforce remediation SLAs by severity: Critical within 72 hours, High within 7 days, Medium within 30 days
  • Build consolidated vulnerability dashboards in Google SecOps
  • Track SLA compliance and report metrics to the CISO
  • Coordinate remediation with engineering and infrastructure teams
  • Serve as primary technical interface with MSSP partner for 24/7 SOC coverage
  • Define and hold the MSSP accountable to SLAs, alert quality, and escalation procedures
  • Review MSSP deliverables such as dashboards, reports, and playbooks for quality and completeness
  • Manage the transition from the previous MSSP and ensure no coverage gaps
  • Provide day-to-day technical direction to SOC analysts by setting priorities, assigning tasks, and reviewing work products
  • Ensure incident response reports, playbooks, and dashboards meet quality standards before delivery to leadership or external stakeholders
  • Drive OKR execution for SOC-related objectives including logging coverage, detection counts, incident response metrics, and vulnerability SLA compliance
  • Identify skill gaps and development opportunities for junior analysts
  • Establish and enforce SOC processes that are documented, repeatable, and auditable

Requirements

  • 6+ years of experience in security operations, detection engineering, or SIEM/SOAR engineering
  • Hands-on experience with Google SecOps (Chronicle) or equivalent enterprise SIEM such as Splunk, Sentinel, or QRadar, with Chronicle strongly preferred
  • Production experience with SentinelOne, CrowdStrike, or a comparable EDR platform
  • Deep knowledge of AWS security services including GuardDuty, Security Hub, Inspector, CloudTrail, WAF, and Config
  • Experience building detection rules mapped to the MITRE ATT&CK framework
  • SOAR playbook development and automation experience
  • Demonstrated ability to lead without formal authority by setting direction for peers or junior analysts
  • Strong incident response skills with experience writing complete reports for executive and external audiences
  • Understanding of NIST 800-53 controls, particularly Audit, System Integrity, and Incident Response families
  • Excellent written communication skills

Benefits

  • 136K-155K base + equity and performance bonus eligible, depending on experience and location
  • Full medical, vision, and dental insurance
  • Generous PTO
  • Remote-first culture with flexible hours
  • Opportunity to protect critical infrastructure at scale
  • Work with patented, cutting-edge security technology
  • Direct ownership of SOC maturation
  • Collaborative team with military, federal, and private sector expertise

Applicant Tracking System Keywords

Tip: use these terms in your resume and cover letter to boost ATS matches.

Hard Skills & Tools

log ingestion pipeline, SOAR capabilities, detection rules, custom parsers, alert threshold optimization, incident response, vulnerability dashboards, detection engineering, SIEM, cloud security

Soft Skills

leadership, communication, incident response, process optimization, team coordination, technical direction, report writing, training and development, prioritization, problem-solving