Security Operations Lead

Responsibilities

SOC modernization

• Work with the Director of Information Security to build and execute a SOC modernization roadmap
• Standardize SOC workflows: intake, triage, investigation, escalation/handoff, closure
• Improve case management quality: templates, evidence capture, consistent documentation, audit readiness
• Establish operational rhythms: queue health checks, weekly ops review, monthly metrics and outcomes, tabletop exercises & reviews

AI SOC agents & workflow automation

• Implement AI-assisted SOC capabilities that support analysts, including:
• Alert clustering/deduplication and prioritization support
• Automated enrichment (asset/user context, baselines, threat intel, cloud context)
• Investigation copilots (timeline generation, query suggestions, correlation summaries)
• Draft case notes and executive-ready incident summaries with links back to source evidence
• Assist with defining guardrails for AI usage: human approval gates, scoped permissions, audit trails, redaction/data handling, and “no unsupported claims” standards
• Evaluate vendors and/or internal approaches; run pilots, measure results, and lead production rollouts

Tooling & integration leadership

• Coordinate integrations across SIEM, EDR, SOAR, cloud telemetry, ticketing, and collaboration/on-call tooling
• Partner with Platform Engineering to improve telemetry pipelines (parsing, normalization, enrichment, retention)
• Define operational acceptance criteria for changes (signal quality, latency, reliability, access controls)

Metrics & continuous improvement

• Partner with the Director of Information Security to drive SOC operational KPIs (e.g., time-to-triage, case aging, escalation completeness, automation coverage)
• Drive continuous improvement via regular reviews, quality sampling, and post-case learnings
• Identify recurring pain points and implement targeted fixes (playbooks, automation, training, data improvements)

Enablement & collaboration

• Train and mentor analysts on standard workflows and effective use of AI-assisted tooling
• Improve cross-functional handoffs between SOC, Engineering, IT, and Platform teams
• Provide concise operational updates to the Director of Information Security and leadership stakeholders

Required qualifications

• 5 years in security operations / SOC engineering / incident response operations (or equivalent)
• Strong understanding of SOC workflows, incident lifecycle, and escalation/handoff patterns
• Experience with SIEM/EDR ecosystems and integrating security tooling via APIs/webhooks
• Demonstrated ability to drive operational change: playbooks, metrics, quality, training, adoption
• Strong written communication and stakeholder management

Preferred qualifications

• Experience deploying AI-assisted SOC tooling (copilots/agents) with governance
• SOAR/automation experience with approval-gated actions and safe defaults
• Familiarity with WQL (Wazuh), SPL (Splunk) and/or KQL (Microsoft Sentinel) and light scripting (Python/Bash)
• Cloud and identity familiarity (AWS/Azure/GCP, SSO/MFA/IAM)

What success looks like

• SOC workflows are consistent and measurable across analysts/shifts
• Alert noise is reduced, and investigations start with better context and faster handoffs
• AI-assisted tooling improves analyst throughput and documentation quality with strong guardrails
• Integrations and telemetry quality improvements materially reduce friction and case aging
• Leadership has clear metrics that show SOC operational uplift over time