What are the responsibilities and job description for the Principal Mission Defense Lead (TS/SCI) position at Mantis Security Corporation?
Description
Mantis Security is seeking a Principal Mission Defense Lead to help stand up and lead a new SOC / Mission Defense Team (MDT) supporting mission-critical infrastructure in AWS Commercial and AWS GovCloud environments. This role will establish the operational defense function for a global, internet-facing platform that enables dozens of critical mission systems.
This is a senior hands-on position for a defender with proven experience monitoring networks, responding to active threats, assessing impacts, restoring systems to a safe state, and writing clear technical and executive reports. The successful candidate will help define the MDT operating model, identify capability gaps, establish triage and escalation standards, and create incident response and incident handling SOPs from scratch.
The MDT will operate independently from the cloud infrastructure team to preserve separation of duties. The infrastructure team will deploy and maintain the underlying AWS-native security tooling and platform services, while the MDT will operate those capabilities from a defender’s perspective and work closely with infrastructure engineers to tune detections, improve visibility, influence configuration changes, and strengthen the overall security monitoring stack.
This role requires a senior hands-on defender who can build a mission defense function while actively performing the work. The right candidate will know how to defend networks, investigate incidents, improve detections, tune monitoring capabilities, write credible reports, and help leadership determine the people, workflows, and capabilities needed to scale the MDT into a mature operational team.
Key Responsibilities
- Stand up and lead the Mission Defense Team operating model for a cloud-enabled, internet-facing mission environment supporting global operations.
- Perform hands-on security monitoring, network defense, alert triage, incident response, containment coordination, threat removal, impact assessment, and post-incident analysis.
- Lead development of incident response, incident handling, escalation, evidence preservation, reporting, and defensive SOPs and playbooks from the ground up.
- Assess the security monitoring and analytics stack and recommend improvements to visibility, detection fidelity, alerting, dashboards, correlation, log search, investigative workflow, and response effectiveness.
- Work closely with the cloud infrastructure team to influence improvements to deployed security tooling, detections, logging, and defensive configurations while maintaining proper separation of duties.
- Tune and operationalize detections, correlation, dashboards, search workflows, and investigative content so the security stack produces actionable, mission-relevant defensive value for the MDT.
- Conduct and oversee threat hunting, network analysis, exfiltration analysis, incident investigation, forensic support, and vulnerability and exposure review.
- Produce timely and defensible incident reports, investigation summaries, after-action reports, executive briefings, and operational security updates.
- Advise leadership on staffing, skill mix, workflows, and operational capabilities required to mature the MDT into a fully effective mission defense function.
- Identify blind spots, readiness gaps, and unknown unknowns in monitoring coverage, processes, response capability, and defensive operations.
Required Qualifications
- Active TS/SCI clearance.
- 10 years of relevant experience, 4 of which are in security operations, cyber defense, incident response, network defense, mission defense, or SOC leadership roles.
- Proven hands-on experience defending networks, monitoring enterprise or mission environments, responding to incidents, removing active threats, assessing impacts, and restoring systems to a safe operational state.
- Demonstrated experience creating or maturing incident response and incident handling SOPs, defensive workflows, and operational playbooks.
- Strong experience with security monitoring, threat detection, alert triage, incident investigation, and containment coordination.
- Experience leading or materially improving a SOC, CSIRT, incident response function, or cyber defense team.
- Ability to evaluate security monitoring and defense tooling and recommend practical improvements to detections, dashboards, workflows, search capability, and response processes.
- Ability to translate ambiguous operational risk into actionable procedures, staffing recommendations, and technical priorities.
- Strong written communication skills, including experience producing formal incident and investigative reporting for technical and leadership audiences.
Candidates do not need deep prior AWS-native security operations experience if they bring strong analogous experience from on-premises, hybrid, enterprise, or DoD network defense environments and can adapt those skills to cloud-based workflows.
Relevant Experience May Include
- SIEM / log analysis: Splunk, Elastic, QRadar, ArcSight, or Amazon OpenSearch Service
- Threat detection / finding correlation: traditional SOC detection platforms or AWS-native services such as GuardDuty and Security Hub
- Network security monitoring / IDS / IPS: Suricata, Snort, Zeek, Trellix, Cisco Secure, Palo Alto, Fortinet, or AWS Network Firewall
- Web application / edge protection: traditional WAF technologies or AWS WAF
- Vulnerability and exposure management: Nessus, Tenable, Qualys, Rapid7, or Amazon Inspector
- Cloud activity monitoring / investigation: enterprise audit and log-analysis platforms or services such as AWS CloudTrail and Amazon Detective
- Traffic analysis / forensic support: Wireshark, tcpdump, NetFlow analysis, packet capture tools, Volatility, EnCase, FTK, or Velociraptor
- At least one DoD 8570 IAT Level II certification, such as Security
- Preferred advanced certifications include GIAC GCIH, GCIA, or GCFA