Senior Threat Detection and Response Engineer - 🔵 Blue Team

Responsibilities

• Threat Detection & Security Tool Management
• Platform Ownership (Operational Focus): Act as the primary internal operations owner and subject matter expert for key security platforms, including Endpoint Detection and Response (EDR), Cloud Detection and Response (CDR), Cloud-Native Application Protection Platform (CNAPP), Security Information and Event Management (SIEM), and Network Detection and Response (NDR). Triage findings from tools like Shodan, Horizon3.ai, and ZeroFox.
• Operational Optimization: Continuously monitor, tune, and optimize security tool configurations to ensure maximum detection efficacy and minimize false positives, focusing on the strategic direction of the platforms.
• Signal Integrity: Proactively monitor and implement solutions to detect sensor and logging signal loss across all security platforms to ensure complete visibility.
• Use Case Development: Collaborate with internal and vSOC teams to develop, test, and implement new detection use cases and correlated alerts within the SIEM and other platforms.
• Shared Engineering: Partner closely with the Infrastructure Security Engineer role regarding the foundational engineering, deployment, and infrastructure health of these security platform
• Proactive Threat Hunting: Regularly execute threat hunting exercises based on current threat intelligence, internal knowledge, and platform capabilities to identify stealthy, pre-execution, or undetected threats across the environment.
• Vulnerability Triage & Prioritization: Immediately triage, prioritize, and drive remediation for critical security vulnerabilities and security findings (e.g., from CNAPP or vulnerability scanners) that warrant treatment as a high-severity security incident.


• Incident Response (IR) and Digital Forensics (DFIR)
• Triage and Initial Handling: Serve as the internal escalation point for critical alerts from the vSOC. Perform rapid triage, scoping, and initial handling/containment for security incidents.
• Small-Scale Forensics: Handle end-to-end incident response and digital forensics for small-scale, routine incidents (e.g., minor malware infections, policy violations).
• Outsourced IR Coordination: Act as the technical lead and liaison for larger, complex security incidents, coordinating activities and providing necessary data and context to retained external incident response firms.
• Process Improvement: Develop, refine, and maintain internal runbooks, playbooks, and Standard Operating Procedures (SOPs) for incident response and threat hunting.


•  vSOC Oversight and Partnership
• Liaison: Serve as the primary technical point of contact between our internal teams and the external vSOC/MSSP partner.
• Performance Monitoring: Oversee the vSOC's performance, ensuring adherence to established SLAs and quality standards for alert handling, monitoring, and reporting.
• Strategic Direction: Guide the vSOC's focus by communicating organizational risks, strategic priorities, and desired operational outcomes.
• Reporting: Generate and present regular reports on operational security metrics, incident trends, and vSOC performance to internal stakeholders.


•  Security Awareness and Communication
• Monthly Security Newsletter: Produce and distribute a mandatory monthly security newsletter covering threat intelligence, tool adoption, compliance/best practices, and internal case studies.
• Annual Security Awareness Training: Develop, update, and manage the mandatory annual security awareness training for all personnel, focusing on relevance, engagement, and high-risk behaviors.

Qualifications

• Experience: 5+ years of experience in Security Operations, Threat Hunting, Incident Response, or a closely related field.
• Tooling Expertise: Expert-level hands-on operational and tuning experience with one or more major platforms across EDR (e.g., CrowdStrike, SentinelOne), SIEM (e.g., Splunk, Microsoft Sentinel), and Cloud Security (e.g., CNAPP solutions)
• .Operational Skills: Strong understanding of security alert analysis, log review, data correlation techniques, threat modeling, and alert suppression/refinement
• IR/DFIR Knowledge: Proven experience in incident triage, evidence preservation, chain of custody, and basic forensic analysis techniques.
• IR Handling Certification:  You must have one of the following: CISSP-ISSAP (Incident Response content within CISSP) – (ISC)²GIAC Certified Incident Handler (GCIH) – GIACGIAC Cyber Threat Intelligence (GCTI) – GIACGIAC Network Forensic Analyst (GNFA) – GIACGIAC Certified Forensic Analyst (GCFA) – GIACCertified Ethical Hacker (CEH) – EC-CouncilEC-Council Certified Incident Handler (ECIH) – EC-CouncilCertified Computer Examiner (CCE) – IACISEnCase Certified Examiner (EnCE) – Guiding TechCertified Forensic Computer Examiner (CFCE) – ISFCECREST Registered Incident Handler (CRIH) – CRESTCREST Certified Incident Manager (CCIM) – CRESTISO/IEC 27035 Lead Implementer (IR process) – PECB/OTHERCertified Digital Forensics Examiner (CDFE) – Mile2CompTIA Cybersecurity Analyst (CySA+) — CompTIA
• Networking/OS: Solid understanding of network protocols, operating system internals (Windows, macOS, Linux), and cloud environments (AWS, Azure, or GCP).
• Cloud Expertise: Deep understanding of threat detection and incident response within major cloud environments (AWS, Azure, or GCP), including knowledge of cloud logging sources, native security tools, and common attack paths.
• Container Security: Familiarity with security concepts and threat detection within container orchestration platforms, such as Kubernetes, OpenShift, or similar variants.
• Soft Skills: Excellent communication, documentation, and partnership management skills.

Preferred Qualifications

• Certification Preference: GIAC Certified Incident Handler (GCIH) is highly preferred.
• Network Detection Experience: Direct experience with deploying, configuring, and tuning network security monitoring tools (e.g., Suricata, Snort, Zeek, Corelight) or similar commercial network detection and response (NDR) solutions, especially within cloud environments (AWS/Azure/GCP).
• Scripting/Automation: Proficiency in scripting languages (e.g., Python, GoLang) for automating security tasks, incident response steps, or data analysis.
• Cloud-Native Tools: Experience with native cloud security services (e.g., AWS Security Hub, Azure Sentinel, GCP Security Command Center).