Sabio

Security Operations Centre Analyst
Security Operations Centre Analyst at Sabio Group monitoring and responding to security alerts. Joining a team focused on AI-powered customer experience platforms in a hybrid role.

Posted 5/19/2026 · Full-time · 🇿🇦 South Africa · Mid-Level / Senior

Tech Stack

Tools & technologies
AWS, Azure, Cloud, Docker, Go, Google Cloud Platform, JavaScript, Kubernetes, Python, Terraform, TypeScript

About the role

Key responsibilities & impact
  • Monitor, triage and investigate security alerts across our internal estate and customer-operated solutions — covering cloud, identity, endpoint, network, application and AI workloads.
  • Drive incidents end-to-end: scoping, containment, eradication, recovery and post-incident review, working to clearly defined SLAs and rules of engagement.
  • Produce high-quality incident write-ups and lessons-learned for both technical and executive audiences, and feed findings back into detections, runbooks and engineering backlogs.
  • Act as an escalation point for first-line alerts and partner with on-call engineering when an incident crosses into platform reliability or customer impact.
  • Develop and execute hypothesis-driven threat hunts across cloud telemetry, identity signals, endpoint data and application logs — looking for what alerts won’t catch.
  • Map adversary behaviour to frameworks such as MITRE ATT&CK, and turn confirmed findings into durable detections, dashboards and automated playbooks.
  • Track emerging threats, CVEs and threat-actor TTPs relevant to our stack and customer base, and translate them into concrete hunts and detections.
  • Partner with our Red Team and AI Ethics functions on purple-team exercises to validate and improve coverage.
  • Build, tune and maintain detections in our SIEM and XDR tooling (e.g. Microsoft Sentinel, Defender XDR), keeping a tight handle on signal-to-noise.
  • Develop SOAR playbooks and enrichment pipelines that turn one-off investigations into repeatable, measured workflows.
  • Use AI and agentic workflows as a force amplifier on day-to-day SOC work — triage summarisation, log analysis, hypothesis generation, drafting reports and playbooks.
  • Help shape how we monitor and defend the AI services we operate — LLM workloads, RAG pipelines, agent integrations — alongside our AI Ethics and engineering teams.
  • Stay close to evolving guidance on AI security (e.g. OWASP Top 10 for LLMs, NIST AI RMF) and translate it into practical monitoring, detection and response patterns.
  • Operate detections and investigations across cloud workloads — primarily Microsoft 365 and Azure, with meaningful coverage of AWS and GCP and the wider enterprise IT stack.
  • Work closely with platform engineering and SRE teams on misconfiguration, exposure and identity hygiene — not just incidents.
  • Work alongside the Head of Information Security, Red Team, AI Ethics leads, platform engineering and product teams to embed defensive thinking early.
  • Partner with customer-facing teams when incidents or hunts touch the solutions we operate on behalf of customers — with care for production stability, customer data and contractual obligations.
  • Contribute to runbooks, detection libraries, threat-intel notes and post-incident reviews so the whole team gets better with every engagement.
  • Operate within strict rules of engagement and a strong ethical compass around evidence handling, privacy and disclosure.

Requirements

What you’ll need
**Required**
  • Demonstrable hands-on experience in a **SOC, CSIRT, MDR or equivalent defensive security role** — triage, investigation, incident response and threat hunting against modern cloud-based environments.
  • Strong understanding of common attacker techniques (MITRE ATT&CK), modern intrusion patterns, and the telemetry needed to detect and investigate them.
  • Solid grasp of **cloud security and operations** in at least one major provider — ideally Microsoft 365 and Azure — including IAM, networking, logging/telemetry, common misconfigurations and attack paths.
  • Working knowledge of SIEM, EDR/XDR and SOAR tooling (e.g. Microsoft Sentinel, Defender XDR, or equivalents) — writing and tuning detections, building playbooks, managing signal quality.
  • **Coding capability** in at least one of Python, PowerShell, Go, JavaScript/TypeScript or similar — comfortable writing scripts, automations and integrations, not just running other people’s tools.
  • Practical understanding of **AI/LLM systems** — how they work, where they fail, and the new risks they introduce (prompt injection, insecure tool use, training/RAG data exposure) — and an interest in defending them.
  • An **automation-first mindset**: you instinctively look for the repeatable pattern, the script, the playbook — and you measure improvement, not effort.
  • Comfort with **agentic development workflows** — using AI coding assistants and AI co-work / pair-development models (Claude Code, Copilot, Cursor or equivalent) as part of your day-to-day delivery.
  • Awareness of the wider **AI ecosystem** — major model providers, agent frameworks, vector stores, MCP-style tool integrations — and an instinct for where defenders need to pay attention.
  • Clear written and verbal communication in English: able to brief engineers, executives and (where relevant) customers on incidents, hunts and risk.
  • A strong ethical compass and discipline around scope, evidence handling, customer data and responsible disclosure.

**Desirable**
  • Industry certifications such as GCIA, GCIH, GCFA, GCDA, GNFA, BTL1/BTL2, CySA+, AZ-500/SC-200, AWS/Azure/GCP security specialties or equivalent.
  • Hands-on experience defending or monitoring **AI / LLM workloads** in production — detections for prompt injection, tool abuse, data exfiltration via agents, or anomalous model usage.
  • Meaningful exposure to **AWS and/or GCP** security operations alongside Microsoft 365 / Azure.
  • Experience with **identity-centric detections** across Entra ID / Azure AD, Active Directory, OAuth/OIDC and federated environments.
  • Detection engineering experience: writing and maintaining content in KQL, Sigma, YARA or equivalent, with version control and test coverage.
  • Familiarity with **CI/CD, containers and IaC** (Docker, Kubernetes, Terraform or equivalent) and how to monitor and defend them.
  • Purple-teaming experience: working with offensive colleagues to validate and improve detections from real attacker behaviour.
  • Familiarity with regulatory and standards contexts relevant to enterprise customers — ISO 27001, SOC 2, PCI DSS, GDPR, POPIA.
  • Threat-intel experience: consuming, producing or operationalising CTI in a way that actually changes what the SOC does day-to-day.

Benefits

Comp & perks
This is your chance to join a friendly and passionate team that will motivate you to learn and develop your career in the company.

**Benefits may include:**
  • Remote/Flexible work
  • Discovery Medical Aid
  • Connectivity Allowance
  • 15 days paid holiday a year (this includes three Sabio days)
  • Momentum EAP

**The Small Print**

Strictly No Agencies; any submission of resumes without prior request from Sabio Group will not be deemed as an introduction and therefore will not warrant an introduction fee. All applicants must have the right to work in the territory to which the role relates (UK & EU). Sabio Group are unable to offer sponsorship on any roles advertised.

ATS Keywords

Hard Skills & Tools: incident response, threat hunting, cloud security, SIEM, EDR, XDR, SOAR, Python, PowerShell, KQL

Soft Skills: communication, ethical compass, automation mindset, collaboration, analytical thinking, problem-solving, attention to detail, report writing, incident management, teamwork

Certifications: GCIA, GCIH, GCFA, GCDA, GNFA, BTL1, BTL2, CySA+, AZ-500, SC-200