KKR

SOC Engineer - Threat Detection & Response

In-Office
Boston, MA, USA
125K-150K Annually
Senior level
Design and build end-to-end SOC workflows, SOAR playbooks, and automation to reduce analyst toil and MTTR. Improve telemetry, enrichment, case management, and agentic/AI-assisted workflows with guardrails, testing, and measurable KPIs.
The summary above was generated by AI

COMPANY OVERVIEW

KKR is a leading global investment firm that offers alternative asset management as well as capital markets and insurance solutions. KKR aims to generate attractive investment returns by following a patient and disciplined investment approach, employing world-class people, and supporting growth in its portfolio companies and communities. KKR sponsors investment funds that invest in private equity, credit and real assets and has strategic partners that manage hedge funds. KKR’s insurance subsidiaries offer retirement, life and reinsurance products under the management of Global Atlantic Financial Group. References to KKR’s investments may include the activities of its sponsored funds and insurance subsidiaries.

TEAM OVERVIEW

KKR's Technology organization is a group of passionate technologists and product managers, unified by a shared mission to deliver exceptional products and solutions that drive value for our stakeholders, clients, and investors. Our passion for technology and innovation fuels our commitment to creating high-quality, impactful solutions that address complex challenges and meet the evolving needs of our sophisticated businesses.

Teamwork is at the core of the organization’s success. We thrive on open collaboration and continuous learning, driving a culture that values diversity of thought and collective achievement. Our global footprint enables us to integrate diverse perspectives into product and solution delivery, resulting in comprehensive, adaptable, and scalable solutions. We optimize for impact, prioritizing and delivering solutions with excellence while remaining agile in response to the evolving needs of our businesses.

POSITION OVERVIEW

We are seeking a SOC Engineer to join our team in New York or Boston to modernize and mature KKR’s Threat Detection & Response operations through an engineering-first approach. This role focuses on scaling analyst effectiveness by building automation, tooling, and agentic/MCP-style workflows that improve triage speed, case quality, and containment outcomes. This is an in-office position, 5 days per week.

You will work across telemetry, case management, SOAR, and analyst workflows to reduce toil, improve consistency, and make response more measurable and reliable. Detection engineering is part of the job, but primarily as signal and workflow engineering: ensuring alerts are enriched, routed, prioritized, and connected to actionable response paths.

What Success Looks Like (6–12 months)

  • Material reduction in analyst toil and time-to-triage through automation and standardized workflows.
  • Improved case quality (context, enrichment, recommended actions) and faster escalation decisions.
  • A scalable approach to agentic assistance with guardrails (human approvals, auditing, evaluation).
  • A more reliable TDR operating model: playbooks-as-code, repeatable validation, and measurable performance.

RESPONSIBILITIES

SOC Workflow Engineering & Operational Modernization

  • Engineer end-to-end SOC workflows from intake → triage → investigation → containment → lessons learned.
  • Standardize and simplify analyst motions by building reusable workflow components and response patterns.
  • Improve case management hygiene, escalation criteria, severity frameworks, and handoffs across SOC/IR/MSSP.
  • Identify bottlenecks and failure modes in current operations and deliver concrete engineering fixes.

Automation, Orchestration & “Safe Response” Engineering

  • Build and maintain SOAR playbooks and workflow automations for enrichment, triage, containment support, and remediation orchestration.
  • Implement safe automation patterns: approvals, policy constraints, “break glass,” and full audit logging.
  • Integrate tooling across EDR, identity, cloud, network, and SaaS platforms to enable consistent actions and evidence capture.
  • Partner with IR to operationalize response plays that reduce mean time to respond/mean time to contain (MTTR/MTTC) without increasing risk.

Agentic / MCP Workflow Engineering (Build + Buy)

  • Design and implement agentic workflows that augment analysts (summarize cases, correlate signals, propose next steps, assemble evidence).
  • Build/extend MCP-style tools/actions that allow AI systems to access approved data sources and execute controlled tasks.
  • Create evaluation and guardrails for agentic use: quality scoring, hallucination resistance, drift monitoring, and human-in-the-loop controls.
  • Assess build vs buy options and drive adoption where it accelerates maturity safely.

SOC Tooling, Data, and Context Engineering

  • Improve enrichment and context pipelines (asset criticality, identity posture, vuln/exposure context, threat intel, ownership, business impact).
  • Build internal utilities/services that enhance analyst productivity (investigation “one-click” bundles, automated evidence packs, pivot tooling).
  • Strengthen telemetry reliability: parsing, normalization, key-field consistency, and data quality monitoring.
  • Enable threat hunting at scale by building reusable investigation pivots, curated datasets, enrichment, and hunt templates that reduce time-to-insight for analysts.

Signal Engineering

  • Ensure detections/signals are operationally actionable: required fields, context, response guidance, and clear ownership.
  • Improve signal quality by partnering with internal teams and ReliaQuest to reduce noise and increase actionability.
  • Maintain a lightweight lifecycle for detections: onboarding → validation → release → monitoring → retirement.

Validation, Readiness & Continuous Improvement

  • Build repeatable validation for workflows and signals (purple-team exercises, regression tests, controlled simulations).
  • Conduct after-action reviews and convert learnings into durable engineering improvements (playbooks, automation, guardrails).
  • Track and report operational KPIs: time-to-triage, time-to-contain, automation success rate, enrichment coverage, case quality.
QUALIFICATIONS

  • 5+ years in SOC engineering, security engineering, incident response engineering, or automation/orchestration roles.
  • Strong engineering fundamentals (version control, testing discipline, scripting/programming).
  • Proven ability to build workflow automation and integrate security platforms into reliable operational processes.
  • Experience translating operational pain points into scalable tooling and measurable outcomes.
  • Experience implementing AI-assisted SOC capabilities with strong governance and evaluation.
  • Familiarity with agent/tool invocation patterns (MCP-like concepts, secure tool access, auditability).
  • Experience improving telemetry/data quality and building enrichment pipelines.
  • Exposure to purple teaming / validation or detection lifecycle engineering.
IDEAL CANDIDATE PROFILE

  • Builder mindset: you enjoy turning messy SOC pain points into scalable tooling, automation, and reliable workflows.
  • Operationally grounded: you design with the analyst experience in mind—what works at 2am during an incident, not just what’s elegant on paper.
  • Engineering discipline: you treat workflows, playbooks, and integrations like products (versioned, tested, observable, documented).
  • Pragmatic about AI: excited by agentic/MCP-style workflows, but disciplined about guardrails, auditability, human-in-the-loop controls, and measurable value.
  • Systems thinker: comfortable working across telemetry, enrichment, routing, case management, and response actions to improve end-to-end outcomes.
  • Collaborative influencer: can partner across SOC/IR, threat intel, platform engineering, cloud/identity teams, and ReliaQuest to get adoption and results.
  • Metrics-driven: you care about impact - time-to-triage, automation success rate, enrichment coverage, alert/case quality.
WHY JOIN US?

This role is an opportunity to modernize and scale Threat Detection & Response at KKR through an engineering-first approach. You’ll be a core driver of how we evolve SOC operations for a cloud-first, identity-first, and AI-enabled future - building the workflows, tooling, and safe automation that multiply analyst effectiveness.

You’ll work alongside a global TD&R team, a strong MSSP partner, and the wider technology group, with the mandate to:

  • Build SOC accelerators (automation, enrichment, case quality, response consistency) that measurably reduce toil and improve MTTR/MTTC.
  • Pioneer agentic/MCP-style workflows with the right governance and controls, turning AI into a practical operational advantage.
  • Influence the direction of a maturing program - where your engineering choices directly shape how investigations and response are executed at scale.

If you like solving real-world security operations problems with durable engineering, this role has a clear runway and real ownership.

This is the expected annual base salary range for this New York-based position. Actual salaries may vary based on factors such as skill, experience, and qualification for the role. Employees may be eligible for a discretionary bonus, based on factors such as individual and team performance.

Base Salary Range
$125,000 - $150,000 USD

KKR is an equal opportunity employer. Individuals seeking employment are considered without regard to race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, sexual orientation, or any other category protected by applicable law.

KKR will provide reasonable accommodations as required by applicable federal, state, and/or local laws. Individuals seeking an accommodation for the application or interview process should email [email protected]. Emails sent for unrelated issues, such as following up on an application, will not receive a response.

If you are a qualified individual with a disability or a disabled veteran, you may request a reasonable accommodation if you are unable or limited in your ability to use or access https://www.kkr.com/careers because of your disability. You can request reasonable accommodations by sending an email to [email protected]. Only emails left for this purpose will be returned.

Massachusetts Applicants: It is unlawful in Massachusetts to require or administer a lie detector test as a condition of employment or continued employment. An employer who violates this law shall be subject to criminal penalties and civil liability. This notice applies only to applicants and employees who work or will work in Massachusetts, in accordance with applicable state law.

Top Skills

AI/Agentic (MCP) Workflows
Case Management Platforms
Cloud Platforms
EDR
Playbooks-as-Code
ReliaQuest
Scripting
SOAR
Telemetry/Enrichment Pipelines
Version Control (Git)
