Security Operations Engineer

Team: Cybersecurity

Location: Remote, US

Commitment: Full-time

Workplace Type: remote

Salary:

SIEM Implementation & Detection Engineering

• Serve as the primary implementer for the new SIEM solution, configuring data ingestion and tuning the platform for optimal performance.
• Own the security observability platform on Grafana (Loki/LogQL, Prometheus/PromQL, Grafana Alerting; OTel for collection), including onboarding sources, parsing, enrichment, and alert routing.
• Own the "Content Engineering" lifecycle: Write, test, and tune detection rules and queries (LogQL, PromQL, SPL, KQL, SQL, etc.) to identify malicious activity with low false-positive rates.
• Partner with the Engineering team to ensure the new observability platform captures the right security telemetry and logs.
• Serve as the primary operator for security monitoring and initial incident triage, participating in the on-call rotation.

Telemetry Engineering & Observability (Security)

• Define logging standards and required security telemetry for product and infrastructure.
• Own log onboarding, parsing, enrichment, normalization, retention, and cost controls.
• Build dashboards and SLOs for security telemetry health (coverage, latency, drop rate).

Incident Response & Process Development

• Develop and maintain the library of Incident Response documents, including Triage Books, Runbooks, and Playbooks for future on-call rotation.
• Act as the primary technical liaison for our MDR provider (Sophos), ensuring they have the context needed to monitor effectively.
• Lead deeper analysis and threat hunting investigations for complex alerts escalated by the MDR or internal teams.
• Own alert routing and incident tracking integration (PagerDuty + Jira/Slack), including severity model, escalation paths, and reporting.
• Lead incident coordination, write post-incident reviews, and drive corrective actions with Engineering.
• Own phishing detection/response workflows and playbooks (user reports, triage, containment).

Operational Health & Optimization

• Continuously evaluate the efficacy of alerts and automations; refine logic to reduce alert fatigue.
• Assist in defining log schemas to ensure data is parsed correctly for both security and engineering use cases.
• Evaluate and implement AI-assisted tools to streamline query generation and dashboard creation.
• Own the integration and correlation between MDR alerts and internal SIEM/incident tracking.
• Implement least-privilege access to security telemetry and ensure logging pipelines avoid sensitive data leakage.

WHAT YOU'LL BRING:

• 5-7 years of total experience in Information Security or Security Operations.
• Proven experience transitioning from a "consumer" of alerts (Analyst) to a "builder" of detections (Engineer).
• Demonstrated experience working with SIEM/observability platforms (Grafana/Loki preferred; Splunk/Elastic/Sentinel/Datadog acceptable), specifically in creating dashboards, reports, and writing complex queries.
• Experience working with Managed Detection and Response (MDR) providers or MSSPs is highly preferred.
• Background in partnering with DevOps or Engineering teams on logging or observability initiatives is a plus.
• Bachelor’s degree in Computer Science, Information Security, or a related field or equivalent work experience.
• Industry certifications such as GCIH, GCIA, GCED, GMON, Security+, CySA+ or related are highly desirable.

YOUR TECHNICAL TOOLKIT:

• Query Languages: Strong proficiency in query languages (e.g., LogQL, PromQL, KQL, SPL, SQL) to interrogate data and build dashboards.
• Detection Logic: Ability to translate threat intelligence and MITRE ATT&CK techniques into actionable detection rules.
• Response Frameworks: Deep understanding of the Incident Response Lifecycle (NIST or SANS) and experience writing clear, executable runbooks.
• Light Scripting: Familiarity with Python or similar scripting languages for automation or API integration is beneficial (though not a primary coding role).

WHAT SETS YOU APART:

• Operator-to-Builder Mindset: The ability to understand the "pain" of a bad alert and the drive to engineer a better solution.
• Cross-Functional Collaboration: Ability to work effectively with Engineering teams to align on data formatting and ingestion without friction.
• Autonomy: Capable of prioritizing work and driving the SIEM implementation forward with minimal oversight.