Skip to content
ReplitReplitFoster City, CA

Security Operations Lead

Lead and scale Replit's 24/7 global SOC, owning SIEM, detection engineering, AI-powered triage/automation, and threat response across multi-cloud, Kubernetes, SaaS, endpoints, and AI workloads. Requires 7+ years in security operations with 3+ years leading SOC functions, deep cloud/SIEM expertise, and hands-on detection engineering.

295k – 385k
Hybrid7+ YOESecurity Engineering

About the role

What You’ll Do

SOC Leadership & 24/7 Monitoring

  • Lead, mentor, and scale a global SOC team responsible for 24/7 monitoring, alert intake, triage, correlation, and escalation.
  • Build operational rigor: processes, runbooks, SLAs, metrics, and quality standards for high-scale environments.
  • Cover monitoring across:
    • Cloud infrastructure (GCP, AWS, Azure)
    • Kubernetes/GKE/EKS/AKS clusters
    • SaaS platforms (Google Workspace, GitHub, Slack, Okta, etc.)
    • Endpoints (macOS, Linux, Windows) including EDR/XDR telemetry
    • Developer platforms + CI/CD pipelines
    • AI/ML systems and model-serving workflows

AI-Based SOC Integration & Innovation

  • Evaluate, adopt, and integrate AI-native SOC technologies for triaging, detection, and correlation.
  • Identify opportunities to automate triage, investigations, enrichment, and reporting.
  • Serve as the internal expert on the capabilities and limitations of AI-based SOC tooling.

SIEM & Telemetry Ownership

  • Own the entire SIEM ecosystem—ingestion, normalization, correlation, enrichment, tuning, dashboards, and metrics.
  • Expand telemetry across:
    • Cloud logs, API logs, system events
    • SaaS audit logs and admin events
    • Identity providers (Okta, Google, Azure AD)
    • Endpoint EDR/XDR event streams
  • Standardize data schemas and improve detection signal quality across sources.

Detection Engineering

  • Develop high-fidelity detections for:
    • Cloud-native attacks
    • Identity threats and lateral movement
    • SaaS misconfigurations and privilege abuse
    • Endpoint malware/behavior anomalies
    • Insider threats and account takeover patterns
  • Use MITRE ATT&CK, MITRE Cloud Matrix, and threat intel to drive detection coverage.
  • Collaborate with Engineering, Cloud Security, and SRE to ensure telemetry supports detection use cases.

Triage, Threat Analysis & Escalation

  • Lead day-to-day triage and threat analysis activities, ensuring accurate categorization and prioritization.
  • Drive complex investigations involving correlated events across cloud, SaaS, endpoints, and developer platforms.
  • Guide root cause analysis and work with owners to drive remediation and architectural improvements.
  • Continuously refine logic, reduce false positives, and improve signal quality.

Cross-Functional Collaboration

  • Partner with Cloud Security on cloud posture and preventative controls.
  • Work with Compliance/GRC to support SOC 2, ISO 27001, and audit readiness.
  • Collaborate with SRE and Engineering to instrument new services with structured logs and detection hooks.
  • Coordinate with IT / Endpoint teams to ensure full endpoint telemetry and EDR response readiness.
  • Communicate threats, gaps, and trends to leadership and engineering stakeholders.

Required Skills & Experience

  • 7+ years of experience in Security Operations, with 3+ years in a senior or lead capacity.
  • Experience leading or collaborating with 24/7 SOC environments (internal, hybrid, or MSSP).
  • Strong experience with SIEM platforms (Chronicle, Splunk, Elastic, Sentinel, Panther, etc.).
  • Deep understanding of:
    • Cloud security monitoring (GCP required; AWS/Azure preferred)
    • SaaS security monitoring (Okta, Google Workspace, GitHub, Slack, etc.)
    • Endpoint security telemetry (EDR/XDR tools such as CrowdStrike, SentinelOne, or Defender)
    • Kubernetes and container detection
  • Hands-on detection engineering skills, event correlation, threat hunting, and log analysis.
  • Familiarity with AI-based SOC platforms and LLM-driven detection/triage tools.
  • Strong understanding of identity security, OAuth/OIDC, and API telemetry patterns.
  • Experience with SOAR and scripting (Python, Go, Bash).
  • Knowledge of MITRE ATT&CK, cloud kill chains, behavioral detections, and detection lifecycle management.

Preferred Qualifications

  • Experience with UBA/UEBA, ML-driven anomaly detection, or autonomous remediation systems.
  • Previous experience at a high-growth tech company.
  • Security certifications (GCIH, GCIA, GCTI, GCDA, GCFA, etc.).

What We Value

  • Operational excellence: Building reliable, scalable SOC systems.
  • Analytical rigor: Capable of making sense of large, complex, multi-source telemetry.
  • Leadership: Mentorship and guidance of analysts and engineers.
  • Adaptability: Comfortable evaluating and integrating next-gen AI-based SOC tools.
  • Clear communication: Able to articulate risk, incidents, and recommendations to both technical and executive audiences.
  • Automation mindset: Focused on reducing manual toil via SOAR, scripting, and AI augmentation.
  • Curiosity: Passion for learning, experimenting, and staying ahead of evolving threats—especially those targeting cloud-native and AI systems.

Skills

SIEMChronicleSplunkElasticSentinelPantherGCPAWSAzureKubernetesEdrXdrCrowdstrikeSentineloneMicrosoft Defender
OpenAI

Security Preparedness Lead, Coding Agents

OpenAISan Francisco, CA

Lead security efforts to protect OpenAI's internal AI coding agents from advanced cyber threats including APTs and insider risks. Requires strong hands-on technical skills in threat modeling, prototyping defenses, and coordinating cross-team security initiatives.

293k – 405k
HybridSecurity Engineering
Fluidstack

Manager, Incident Response

FluidstackSan Francisco, CA +1

Lead incident response as senior commander and escalation lead for AI compute infrastructure. Build and manage 24/7 IR team and on-call program from scratch, handling cross-domain (cyber/physical/OT) incidents with executive, legal, and regulatory communications.

300k – 400k
On-site7+ YOESecurity Engineering
Fluidstack

Regional Site Security Lead, Deployment & Ops

FluidstackSan Francisco, CA +2

Lead physical security operations and teams across multiple regional sites including data centers. Own incident response, vendor management, audits, and standardization of security procedures.

300k – 400k
On-site8+ YOESecurity Engineering
OpenAI

Secure Manufacturing & Stealth Investigator

OpenAISan Francisco, CA

Lead complex investigations into leaks, insider risks, supply chain compromises, and adversarial activity affecting OpenAI's secure manufacturing, stealth programs, unreleased hardware, and prototypes. Requires 8+ years investigative experience across cyber, physical, and operational domains.

288k – 425k
Hybrid8+ YOESecurity Engineering
Fluidstack

Security Lead, Deployment & Ops

FluidstackNew York, NY +2

Own physical security end-to-end for greenfield hyperscale data center builds from groundbreaking through steady-state operations, managing guard forces, security systems deployment, and critical asset protection. Requires 10+ years data center security experience and deep ESS knowledge.

280k – 300k
On-site10+ YOESecurity Engineering