What are the responsibilities and job description for the IT Security Administrator IV - Incident Response & Threat Detection Engineer position at United States Steel Corporation?
The Cybersecurity Incident Response (IR) and Detection Lead is responsible for a dual mission: building advanced threat detection capabilities and leading high-stakes security investigations. The individual will respond to alerts, design the detection logic that finds the needle in the haystack, and mentor a team of responders to act with precision and speed.
KEY RESPONSIBILITIES:
Detection Engineering (the “Hunt”)
- Advanced Logic Development: Design, implement and refine complex detection rules and automated remediation workflows to identify adversarial behavior across U. S. Steel’s global infrastructure.
- Framework Mapping: Utilize threat intelligence and the MITRE ATT&CK framework to identify gaps in visibility and proactively mitigate emerging risks.
- System Optimization: Continuously tune SIEM (e.g., Splunk), EDR (e.g., CrowdStrike) and cloud-native security tools to maximize detection fidelity while minimizing alert fatigue.
- Threat Modeling: Develop and maintain threat models, incorporating findings from penetration tests into detection strategies.
- Crisis Management: Act as the lead Incident Responder for complex, high-priority investigations, managing the full lifecycle from initial detection to root cause analysis and post-mortem.
- Technical Escalation: Provide Tier 3 expert-level support (Tier 1-3 teams are managed by an MSP) for deep-dive investigations, including digital forensics (memory, network and malware analysis).
- Process Evolution: Author and refine IR playbooks and operational guidelines to ensure the team remains agile in an evolving threat landscape.
- Mentorship: Coach and train junior U. S. Steel analysts and direct MSP-provided analysts on advanced investigation techniques, fostering a culture of technical excellence and psychological safety.
- Cross-Functional Liaison: Partner with IT, Legal and Privacy teams to ensure rapid containment of threats and compliance.
- Audit Readiness: Maintain comprehensive documentation of detection strategies and incident timelines to support internal audits and external due diligence.
Required Qualifications:
- Bachelor’s degree in cybersecurity, computer science or a related field, with seven or more years of experience in a Security Operations Center (SOC), Incident Response or Threat Detection.
- Hands-on tooling experience in SIEM, EDR and Cloud Security (AWS, Azure or GCP).
- Proficiency in scripting (Python, PowerShell or Bash) and experience with automation and/or orchestration (SOAR) tools.
- Strong analytical thinking and attention to detail when evaluating security data.
- Problem solving under pressure in a fast-paced cybersecurity environment.
- Excellent communication skills and the ability to explain technical findings to both technical and non-technical stakeholders.
- Strong ethical judgment and adherence to security policies and procedures when handling sensitive data.
- Demonstrated strong leadership qualities (critical thinking, cross-functional collaboration, communication).
- Ability to execute rapid containment strategies that minimize business disruption.
- GCIH, GCFA, GNFA, CISSP or other equivalent advanced security certifications.
WORK ENVIRONMENT / PHYSICAL REQUIREMENTS:
- Prolonged computer usage and visual interaction with screens and dashboards.
- Must be able to remain stationary 50% of the time.
- Ability to travel 10% of the time.