Remotery

Security Operations Lead – SecOps

at Sword Health | Portugal | Full-time | Security Operations | Senior | €50.4k – €79.2k/year

Posted 1 hour ago

📋 Description

• Establish the strategy and technical framework for Sword’s Security Operations Center, encompassing the operating model, SIEM and detection architecture, incident response capabilities, and the roadmap for scaling as the company expands.

• Spearhead a transformation of security operations with a focus on AI and automation: design SOAR playbooks, agentic and LLM-assisted triage workflows, and ML-driven detection to minimize MTTD/MTTR, broaden coverage, and enable a lean team to operate at an enterprise level.

• Provide technical leadership for the SOC/CSIRT team — mentoring detection and response engineers, enhancing investigative standards, managing on-call and escalation models, and serving as the commander during significant incidents.

• Take full ownership of the SIEM process (architecture, data sources, normalization, retention, cost, and tuning) and advance detection-as-code content in alignment with MITRE ATT&CK and Sword’s threat model.

• Direct high-severity incident response efforts from detection through containment, eradication, recovery, and post-incident review, collaborating with engineering, IT, legal, and executive stakeholders during critical situations.

• Oversee the threat intelligence and threat hunting programs, translating emerging TTPs into new detection strategies, proactive hardening measures, and well-informed risk decisions.

• Define and report on SOC performance metrics — MTTD, MTTR, coverage, automation rate, false-positive rate, and on-call health — utilizing these metrics to drive continuous and measurable improvements.

• Influence security architecture and engineering decisions company-wide, ensuring that detection, response, and recovery are integrated into new products, platforms, and infrastructures from the outset.

• Create and continuously enhance incident response playbooks, runbooks, and tabletop exercises to ensure organizational preparedness.


⛳️ Requirements

• Bachelor’s degree in Computer Science, Cybersecurity, or equivalent professional experience.

• Demonstrated experience in scaling a SOC through automation and AI — including SOAR, hyperautomation, LLM-assisted triage, agentic workflows, or ML-driven detection — with measurable effects on MTTR, coverage, or analyst leverage.

• Practical experience in structuring a SOC, whether by building one from scratch or enhancing an existing one through significant transformation — including SIEM selection, implementation or migration, detection engineering practices, runbook libraries, on-call rotations, and operational metrics.

• Extensive SIEM expertise (Splunk, Sentinel, Chronicle, Elastic, or similar) — including ingestion architecture, detection-as-code, query optimization, and balancing coverage against costs.

• Previous experience as the technical lead of a SOC or CSIRT team — managing the entire incident response lifecycle, mentoring analysts and engineers, and serving as on-call/incident commander during major incidents.

• Strong record in incident response — leading high-severity investigations, conducting root cause analysis, performing digital forensics, and executing post-incident reviews that lead to sustainable improvements.

• Solid experience in cloud environments (AWS and/or GCP), with a strong understanding of cloud-native threats and controls.

• Proficient scripting and development skills (Python, Go, Bash, or similar) for building automation, integrations, and internal tools.

• Familiarity with EDR/XDR, identity, and network detection telemetry, and the ability to integrate signals into high-fidelity detections.

• Knowledgeable in security frameworks and standards (NIST 800-61, CIS Controls, MITRE ATT&CK, ISO 27001) and capable of applying them judiciously.

• Experience in threat modeling, adversary emulation, and risk-based alert tuning.

• Excellent communication skills — able to brief executives during a Sev1, write clear post-mortems, and translate technical risks into business language for non-technical audiences.

• Proven history of leading cross-functional initiatives in high-pressure environments and promoting collaboration across InfoSec, IT, and engineering teams.

• Forensics experience, including investigating incidents and preserving digital evidence.


🏝️ Benefits

• Health, dental, and vision insurance

• Meal allowance

• Equity shares

• Remote work allowance

• Flexible working hours

• Work from home options

• Discretionary vacation

• Snacks and beverages
