Senior Security Operations Engineer

Key Responsibilities

SIEM/SOAR Operations (Google SecOps)

• Own the log ingestion pipeline end-to-end: identify gaps, build feeds, validate parsing, maintain coverage dashboards
• Close the federal logging gap and stand up commercial logging across AWS, Azure, Entra ID, and SaaS
• Activate and configure SecOps SOAR capabilities including Domain-Wide Delegation, marketplace integrations, and bidirectional response actions
• Build and maintain SOAR playbooks for major incident types such as phishing, malware, account compromise, lateral movement, and cloud-specific threats
• Develop and maintain operational dashboards for SOC metrics, alert volumes, MTTA/MTTR, and coverage status
• Manage Google SecOps RBAC

Detection Engineering

• Build and deploy production detection rules mapped to MITRE ATT&CK within the first year
• Develop custom parsers for AWS-native security services including GuardDuty, Security Hub, Inspector, WAF, CloudTrail, and VPC Flow Logs
• Establish a detection lifecycle including proposal, testing, deployment, tuning, and retirement
• Conduct quarterly detection quality reviews to measure false positive rates, coverage gaps, and rule health
• Develop alert threshold optimization to reduce noise and analyst fatigue

Endpoint Detection and Response (SentinelOne)

• Drive SentinelOne deployment across Azure VMs in commercial environments and all federal endpoints
• Configure and operationalize Cloud Funnel for log export into Google SecOps
• Build correlation rules between EDR alerts and SIEM detections
• Manage SentinelOne RBAC groups and policy configuration
• Coordinate with IT on agent deployment, health monitoring, and version management

Incident Response

• Serve as senior escalation point for SOC incidents, ensuring investigations are thorough and reports include root cause, remediation actions, credential rotation plans, and follow-up timelines
• Improve MTTA and MTTR through process optimization, better tooling, and analyst development
• Lead quarterly tabletop exercises and after-action reviews
• Maintain and improve incident response runbooks for all major incident categories
• Integrate incident response workflows with Jira Service Management for tracking and escalation

Vulnerability Management

• Operationalize monthly scanning cadence across all environments using tools such as Nessus, AWS Inspector, and Azure Defender
• Define and enforce remediation SLAs by severity: Critical within 72 hours, High within 7 days, Medium within 30 days
• Build consolidated vulnerability dashboards in Google SecOps
• Track SLA compliance and report metrics to the CISO
• Coordinate remediation with engineering and infrastructure teams

MSSP Oversight

• Serve as primary technical interface with MSSP partner for 24/7 SOC coverage
• Define and hold the MSSP accountable to SLAs, alert quality, and escalation procedures
• Review MSSP deliverables such as dashboards, reports, and playbooks for quality and completeness
• Manage the transition from the previous MSSP and ensure no coverage gaps

SOC Team Technical Leadership

• Provide day-to-day technical direction to SOC analysts by setting priorities, assigning tasks, and reviewing work products
• Ensure incident response reports, playbooks, and dashboards meet quality standards before delivery to leadership or external stakeholders
• Drive OKR execution for SOC-related objectives including logging coverage, detection counts, incident response metrics, and vulnerability SLA compliance
• Identify skill gaps and development opportunities for junior analysts
• Establish and enforce SOC processes that are documented, repeatable, and auditable

Required Qualifications

• 6+ years of experience in security operations, detection engineering, or SIEM/SOAR engineering
• Hands-on experience with Google SecOps (Chronicle) or equivalent enterprise SIEM such as Splunk, Sentinel, or QRadar, with Chronicle strongly preferred
• Production experience with SentinelOne, CrowdStrike, or a comparable EDR platform
• Deep knowledge of AWS security services including GuardDuty, Security Hub, Inspector, CloudTrail, WAF, and Config
• Experience building detection rules mapped to the MITRE ATT&CK framework
• SOAR playbook development and automation experience
• Demonstrated ability to lead without formal authority by setting direction for peers or junior analysts
• Strong incident response skills with experience writing complete reports for executive and external audiences
• Understanding of NIST 800-53 controls, particularly Audit, System Integrity, and Incident Response families
• Excellent written communication skills

Preferred Qualifications

• Experience with Google SecOps (Chronicle), SentinelOne, or similar SIEM/SOAR platforms; certifications are a plus
• Experience working in a FedRAMP High environment such as AWS GovCloud
• Azure security experience including Defender for Cloud, Entra ID, Log Analytics, and Event Hubs
• Experience managing MSSP relationships and enforcing SLAs
• Background in OT/ICS security monitoring
• Experience with vulnerability management tools such as Nessus, Inspector, or Defender
• Previous experience in a startup or high-growth environment building SOC capabilities from early stages

Certifications (Preferred, not required)

• GCIA, GCIH, GSOM, or other GIAC blue team certifications
• Google Chronicle or SecOps certifications
• AWS Security Specialty
• CISSP or CISM
• Detection engineering certifications such as SANS SEC555 or SEC511

Benefits

• 136K-155K base + equity and performance bonus eligible, depending on experience and location
• Full medical, vision, and dental insurance
• Generous PTO
• Remote-first culture with flexible hours
• Opportunity to protect critical infrastructure at scale
• Work with patented, cutting-edge security technology
• Direct ownership of SOC maturation
• Collaborative team with military, federal, and private sector expertise