SOC Engineer -Threat Detection & Response

Careers at KKR•Boston, MA

4h•Onsite

About The Position

KKR is a leading global investment firm that offers alternative asset management as well as capital markets and insurance solutions. KKR aims to generate attractive investment returns by following a patient and disciplined investment approach, employing world-class people, and supporting growth in its portfolio companies and communities. KKR sponsors investment funds that invest in private equity, credit and real assets and has strategic partners that manage hedge funds. KKR’s insurance subsidiaries offer retirement, life and reinsurance products under the management of Global Atlantic Financial Group. References to KKR’s investments may include the activities of its sponsored funds and insurance subsidiaries. TEAM OVERVIEW KKR's Technology organization is a group of passionate technologists and product managers, unified by a shared mission to deliver exceptional products and solutions that drive value for our stakeholders, clients, and investors. Our passion for technology and innovation fuels our commitment to creating high-quality, impactful solutions that address complex challenges and meet the evolving needs of our sophisticated businesses. Teamwork is at the core of the organization’s success. We thrive on open collaboration and continuous learning, driving a culture that values diversity of thought and collective achievement. Our global footprint enables us to integrate diverse perspectives into product and solution delivery, resulting in comprehensive, adaptable, and scalable solutions. We optimize for impact, prioritizing and delivering solutions with excellence while remaining agile in response to the evolving needs of our businesses. POSITION OVERVIEW We are seeking a SOC Engineer to join our team in New York or Boston, to modernize and mature KKR’s Threat Detection & Response operations through an engineering-first approach. This role focuses on scaling analyst effectiveness by building automation, tooling, and agentic/MCP-style workflows that improve triage speed, case quality, and containment outcomes. This is an in-office position, 5 days per week. You will work across telemetry, case management, SOAR, and analyst workflows to reduce toil, improve consistency, and make response more measurable and reliable. Detection engineering is part of the job, but primarily as signal and workflow engineering: ensuring alerts are enriched, routed, prioritized, and connected to actionable response paths. What Success Looks Like (6–12 months) Material reduction in analyst toil and time-to-triage through automation and standardized workflows. Improved case quality (context, enrichment, recommended actions) and faster escalation decisions. A scalable approach to agentic assistance with guardrails (human approvals, auditing, evaluation). A more reliable TDR operating model: playbooks-as-code, repeatable validation, and measurable performance.

Requirements

5+ years in SOC engineering, security engineering, incident response engineering, or automation/orchestration roles.
Strong engineering fundamentals (version control, testing discipline, scripting/programming).
Proven ability to build workflow automation and integrate security platforms into reliable operational processes.
Experience translating operational pain points into scalable tooling and measurable outcomes.
Experience implementing AI-assisted SOC capabilities with strong governance and evaluation.
Familiarity with agent/tool invocation patterns (MCP-like concepts, secure tool access, auditability).
Experience improving telemetry/data quality and building enrichment pipelines.
Exposure to purple teaming / validation or detection lifecycle engineering.

Nice To Haves

Builder mindset: you enjoy turning messy SOC pain points into scalable tooling, automation, and reliable workflows.
Operationally grounded: you design with the analyst experience in mind—what works at 2am during an incident, not just what’s elegant on paper.
Engineering discipline: you treat workflows, playbooks, and integrations like products (versioned, tested, observable, documented).
Pragmatic about AI: excited by agentic/MCP-style workflows, but disciplined about guardrails, auditability, human-in-the-loop controls, and measurable value.
Systems thinker: comfortable working across telemetry, enrichment, routing, case management, and response actions to improve end-to-end outcomes.
Collaborative influencer: can partner across SOC/IR, threat intel, platform engineering, cloud/identity teams, and ReliaQuest to get adoption and results.
Metrics-driven: you care about impact - time-to-triage, automation success rate, enrichment coverage, alert/case quality.

Responsibilities

Engineer end-to-end SOC workflows from intake → triage → investigation → containment → lessons learned.
Standardize and simplify analyst motions by building reusable workflow components and response patterns.
Improve case management hygiene, escalation criteria, severity frameworks, and handoffs across SOC/IR/MSSP.
Identify bottlenecks and failure modes in current operations and deliver concrete engineering fixes.
Build and maintain SOAR playbooks and workflow automations for enrichment, triage, containment support, and remediation orchestration.
Implement safe automation patterns: approvals, policy constraints, “break glass,” and full audit logging.
Integrate tooling across EDR, identity, cloud, network, and SaaS platforms to enable consistent actions and evidence capture.
Partner with IR to operationalize response plays that reduce mean time to respond/mean time to contain (MTTR/MTTC) without increasing risk.
Design and implement agentic workflows that augment analysts (summarize cases, correlate signals, propose next steps, assemble evidence).
Build/extend MCP-style tools/actions that allow AI systems to access approved data sources and execute controlled tasks.
Create evaluation and guardrails for agentic use: quality scoring, hallucination resistance, drift monitoring, and human-in-the-loop controls.
Assess build vs buy options and drive adoption where it accelerates maturity safely.
Improve enrichment and context pipelines (asset criticality, identity posture, vuln/exposure context, threat intel, ownership, business impact).
Build internal utilities/services that enhance analyst productivity (investigation “one-click” bundles, automated evidence packs, pivot tooling).
Strengthen telemetry reliability: parsing, normalization, key-field consistency, and data quality monitoring.
Enable threat hunting at scale by building reusable investigation pivots, curated datasets, enrichment, and hunt templates that reduce time-to-insight for analysts.
Ensure detections/signals are operationally actionable: required fields, context, response guidance, and clear ownership.
Improve signal quality by partnering with internal teams and ReliaQuest to reduce noise and increase actionability.
Maintain a lightweight lifecycle for detections: onboarding → validation → release → monitoring → retirement.
Build repeatable validation for workflows and signals (purple-team exercises, regression tests, controlled simulations).
Conduct after-action reviews and convert learnings into durable engineering improvements (playbooks, automation, guardrails).
Track and report operational KPIs: time-to-triage, time-to-contain, automation success rate, enrichment coverage, case quality.