About the Role
We are seeking a Security Operations Engineer with a builder’s mindset to join our team. In this role, you will bridge the gap between Security and Engineering, partnering with our engineering teams to consolidate our logging and build a unified observability platform (logs, metrics, synthetics).
You will be the primary architect of our detection logic, responsible for implementing our new SIEM and transforming raw data into high-fidelity alerts. While you will not be the sole monitor of our environment, you will serve as the technical escalation point for our MDR provider (Sophos) and the primary owner of our incident response framework: building the runbooks, playbooks, and triage guides that define how we respond to threats. This is a unique opportunity for an experienced professional to step up from day-to-day analysis and own the design and implementation of a modern detection and response program.
WHAT YOU'LL DO:
SIEM Implementation & Detection Engineering
- Serve as the primary implementer for the new SIEM solution, configuring data ingestion, parsing, and retention, and tuning the platform for query performance and ingest cost.
- Own the security observability platform on Grafana (Loki/LogQL, Prometheus/PromQL, Grafana Alerting; OTel for collection), including onboarding sources, parsing, enrichment, and alert routing.
- Own the "Content Engineering" lifecycle: Write, test, and tune detection rules and queries (LogQL, PromQL, SPL, KQL, SQL, etc.) to identify malicious activity with low false-positive rates.
- Partner with the Engineering team to ensure the new observability platform captures the right security telemetry and logs.
- Serve as the primary internal operator for security monitoring and initial incident triage, working alongside the MDR provider and participating in the on-call rotation.
Telemetry Engineering & Observability (Security)
- Define logging standards and required security telemetry for product and infrastructure.
- Own log onboarding, parsing, enrichment, normalization, retention, and cost controls.
- Build dashboards and SLOs for security telemetry health (coverage, latency, drop rate).
Incident Response & Process Development
- Develop and maintain the library of Incident Response documents, including Triage Books, Runbooks, and Playbooks that the on-call rotation will execute.
- Act as the primary technical liaison for our MDR provider (Sophos), ensuring they have the context needed to monitor effectively.
- Lead deeper analysis and threat hunting investigations for complex alerts escalated by the MDR or internal teams.
- Own alert routing and incident tracking integration (PagerDuty + Jira/Slack), including severity model, escalation paths, and reporting.
- Lead incident coordination, write post-incident reviews, and drive corrective actions with Engineering.
- Own phishing detection/response workflows and playbooks (user reports, triage, containment).
Operational Health & Optimization
- Continuously evaluate the efficacy of alerts and automations; refine logic to reduce alert fatigue.
- Assist in defining log schemas to ensure data is parsed correctly for both security and engineering use cases.
- Evaluate and implement AI-assisted tools to streamline query generation and dashboard creation.
- Own the integration and correlation between MDR alerts and internal SIEM/incident tracking.
- Implement least-privilege access to security telemetry and ensure logging pipelines avoid sensitive data leakage.
WHAT YOU'LL BRING:
- 5-7 years of total experience in Information Security or Security Operations.
- Proven experience transitioning from a "consumer" of alerts (Analyst) to a "builder" of detections (Engineer).
- Demonstrated experience working with SIEM/observability platforms (Grafana/Loki preferred; Splunk/Elastic/Sentinel/Datadog acceptable), specifically in creating dashboards, reports, and writing complex queries.
- Experience working with Managed Detection and Response (MDR) providers or MSSPs is highly preferred.
- Background in partnering with DevOps or Engineering teams on logging or observability initiatives is a plus.
- Bachelor’s degree in Computer Science, Information Security, or a related field, or equivalent work experience.
- Industry certifications such as GCIH, GCIA, GCED, GMON, Security+, CySA+ or related are highly desirable.
YOUR TECHNICAL TOOLKIT:
- Query Languages: Strong proficiency in query languages (e.g., LogQL, PromQL, KQL, SPL, SQL) to interrogate data and build dashboards.
- Detection Logic: Ability to translate threat intelligence and MITRE ATT&CK techniques into actionable detection rules.
- Response Frameworks: Deep understanding of the incident response lifecycle (NIST SP 800-61 or the SANS model) and experience writing clear, executable runbooks.
- Light Scripting: Familiarity with Python or similar scripting languages for automation or API integration is beneficial (though not a primary coding role).
WHAT SETS YOU APART:
- Operator-to-Builder Mindset: The ability to understand the "pain" of a bad alert and the drive to engineer a better solution.
- Cross-Functional Collaboration: Ability to work effectively with Engineering teams to align on data formatting and ingestion without friction.
- Autonomy: Capable of prioritizing work and driving the SIEM implementation forward with minimal oversight.
Salary
$130,000 - $150,000 a year