Director of Security Operations

Fluidstack
Austin, TX
$250,000 - $350,000

About The Position

Fluidstack operates the compute infrastructure that powers frontier AI, including some of the most demanding training and inference workloads on the planet. We are building a Security Operations function from the ground up, and we want to build it right: AI-native, highly automated, and designed for the scale and threat model of a company that sits at the intersection of critical infrastructure and frontier AI development.

The threat model here is not a narrow one. We operate corporate infrastructure and data center sites across multiple geographies, complex IT and OT/ICS environments, and cloud infrastructure, all serving customers whose work attracts sophisticated, persistent, and well-resourced adversaries. State-nexus actors, insider risk, supply chain compromise, physical intrusion, and infrastructure disruption are all real considerations. The SOC you build has to be credible against all of them, and the operating model has to hold up in a multi-stakeholder environment that includes upstream and downstream customers and partners with their own security requirements, audit rights, and contractual SLAs.

This is not a role for someone who wants to manage a room full of analysts watching dashboards. This is a role for someone who wants to architect an entirely different model, one where AI handles L1 at scale, agentic workflows close the loop on routine response, a real threat intelligence function drives detection, and human analysts spend their time on work that requires genuine expertise and judgment. You'll be a builder across three dimensions simultaneously: the technical architecture, the operating model, and the team. If you've been frustrated watching the industry default to "hire more people" when the answer is "build better systems," this is the role you've been waiting for.

Requirements

  • You bring technical depth across the core disciplines
      • Proven experience designing or substantially rebuilding a SOC, not just running one someone else built
      • Deep hands-on background in detection engineering, SIEM/data lake architecture, and SOAR automation
      • Genuine experience with AI/ML applied to security operations, not familiarity with vendor marketing
      • Hands-on threat intelligence program development, including finished intel production and operationalization
      • Active threat hunting experience across heterogeneous environments
      • Exposure to OT/ICS environments or physical security telemetry at scale
      • Track record of reducing MTTD and MTTR through automation and architecture, not headcount
  • You know how to design an operating model, not just run one
      • Experience structuring coverage models, escalation logic, and stakeholder interfaces in environments where the org chart doesn't make things simple
      • Comfort navigating a multi-stakeholder environment with competing priorities and external accountability: customers, auditors, regulators
      • Experience operating under contractual security obligations with defined incident response SLAs
      • Ability to build processes that scale with automation rather than headcount, and to make that case credibly
  • You can lead a team and build a culture
      • Experience hiring, developing, and retaining security operations talent across a range of specializations
      • Ability to define team structure that matches the operating model, not the one that came before it
      • Track record of building culture in a function that operates under pressure

Nice To Haves

  • Experience with LLM integration into security tooling, including prompt engineering and evaluating AI output reliability under adversarial conditions
  • Data engineering fluency at the schema and query level
  • Experience designing SOC coverage for hyperscale or critical infrastructure environments
  • Threat intelligence program experience targeting sophisticated or nation-state-adjacent actors
  • Comfort in a compliance-adjacent environment (SOC 2, ISO 27001, FedRAMP-adjacent) without being compliance-driven

Responsibilities

  • SOC Architecture & Build: design and build FluidStack's security operations capability from scratch, including data architecture, detection logic, automation fabric, toolchain, and team model, using a modern stack
  • AI-Native Detection & Triage: define and implement a detection philosophy that assumes AI handles L1; build the pipelines, enrichment logic, and triage automation that resolves high-volume, low-ambiguity alert classes without human intervention
  • Agentic Response Workflows: design and deploy autonomous response workflows that contain, investigate, and remediate, not just notify; own and continuously push the boundary between machine-closed and human-required cases
  • LLM-Assisted Investigation: integrate LLM-based tooling into the analyst workflow for case summarization, log interpretation, and hypothesis generation; define how AI augments analyst cognition as a genuine force multiplier
  • Detection Engineering: own the detection content lifecycle end-to-end: MITRE ATT&CK coverage mapping, detection-as-code workflows, alert quality metrics, and continuous tuning across a heterogeneous environment
  • Threat Intelligence: build and operationalize a threat intelligence program that produces finished intelligence relevant to FluidStack's specific threat model and customer base, and connects directly to detection content and hunting hypotheses
  • Threat Hunting: design and run a proactive hunting capability operating independently of the alert queue, covering cloud, OT/ICS, physical telemetry, and endpoint across a threat landscape that includes sophisticated, targeted actors
  • Multi-Site Physical + OT/ICS Coverage: build detection coverage across data center sites, security-instrumented OT/ICS systems, physical access telemetry, and BMS environments that don't look like a standard enterprise
  • Operating Model Design: define the coverage model, escalation logic, stakeholder interfaces, SLA architecture, and feedback loops that make the SOC function as a system, not just a team
  • Team & Vendor Strategy: define the human layer of the SOC: size, structure, sourcing model, and skill profile; make the MSSP build-vs-buy call with data, not defaults
  • Customer & Regulatory Obligations: ensure the SOC can reliably and demonstrably meet contractual incident notification SLAs and compliance obligations across FluidStack's customer base

Benefits

  • Competitive total compensation package (salary + equity).
  • Retirement or pension plan, in line with local norms.
  • Health, dental, and vision insurance.
  • Generous PTO policy, in line with local norms.