Senior Incident Response Engineer

About The Position

Requirements

• 7+ years in security operations with 3+ years in detection engineering, including deep expertise in creating high-fidelity rules (SIGMA, YARA-L, KQL, SPL).
• Proven track record of building detection strategies across SIEM, EDR, and Cloud platforms, grounded in the MITRE ATT&CK framework.
• Expert knowledge of SOAR platforms (e.g., Tines, Splunk SOAR, Cortex XSOAR), architecture, and complex playbook development.
• Proven experience designing and implementing SOAR platform architecture from concept to production.
• Advanced scripting and automation development skills in Python (required) for API integrations and security tool orchestration.
• Strong background in threat hunting methodology, hypothesis development, and campaign execution, with experience leading or co-leading hunting programs.
• Proficiency with data analysis, anomaly detection, and hands-on experience with hunting tools like Jupyter Notebooks, Osquery, and Velociraptor.
• Deep understanding of attack techniques, lateral movement, persistence mechanisms, and post-exploitation TTPs across Windows, Linux, and macOS.
• Familiarity with security frameworks including MITRE ATT&CK, PICERL, NIST CSF, and Detection Maturity Models, and incident response best practices.
• Proven ability to lead technical initiatives, mentor team members, and communicate complex technical concepts to diverse audiences.

Nice To Haves

• Experience with YARA-L.
• Deep familiarity with Detection Frameworks and detection engineering quality frameworks.
• Proven track record implementing SOAR platforms from architecture through operationalization, with experience evaluating multiple platforms.
• Advanced knowledge of CrowdStrike Falcon platform including custom IOA rules.
• Background in purple team activities, adversary emulation, or red teaming.
• Experience with CI/CD practices for detection-as-code and automation-as-code.
• Contributions to open-source security projects or security certifications (GCDA, GCIH, GCIA, GCFA, OSCP, or equivalent).
• Knowledge of security data lakes (Snowflake, BigQuery) and experience with threat intelligence platforms (TIP).
• Published research, blog posts, or conference presentations on detection engineering, automation, or threat hunting topics.

Responsibilities

• Design, implement, and maintain advanced detection rules and correlation logic across SIEM , EDR, and Cloud platforms (AWS, GCP)
• Lead detection strategy and architecture aligned with the Detection Quality frameworks
• Write high-fidelity detection rules using languages like SIGMA and YARA-L
• Conduct deep log source analysis, perform threat modeling, adversary emulation, and maintain MITRE ATT&CK mapping coverage
• Conduct detection gap analysis to identify coverage opportunities across the kill chain
• Create and maintain detection playbooks, runbooks, and comprehensive documentation
• Perform detection quality assessments and continuous improvement initiatives
• Develop complex automated response playbooks for multi-stage incidents spanning multiple security tools
• Integrate security tools via APIs (SIEM, EDR, MDM, CASB, ITSM, threat intelligence platforms)
• Create automated enrichment pipelines incorporating threat intelligence, asset context, and user behavior analytics
• Develop automated containment actions (account disable, host isolation, firewall rule updates)
• Measure and report automation ROI, tracking metrics like time saved and incident handling efficiency
• Handle Incident Response processes and procedures as needed
• Co-lead the organization's threat hunting program with the SOC Manager, defining strategy, methodology, and campaign planning
• Execute proactive threat hunting campaigns by conducting hunt queries across SIEM and EDR platforms
• Analyze large datasets to identify anomalous behavior patterns including user behavior, process execution, network traffic, and cloud activity
• Develop hunting automation and tooling using custom Python scripts, Jupyter Notebooks, Osquery, and Velociraptor
• Collaborate with threat intelligence sources to incorporate latest TTPs into hunting campaigns

Benefits

• You may also be offered a performance-based bonus, equity, and a generous benefits program.