Job description
Our company builds enterprise software that powers restaurant chains at scale. Our systems span cloud infrastructure, distributed platforms, on-premise components, and a product ecosystem that processes massive volumes of operational data.
We don't have a perfect view of our environment today. Some signals exist but aren't being used. Some don't exist yet. Your job is to change that.
We want to know what's happening across our organization — from dark web signals and external threats, to corporate systems, cloud infrastructure, user behavior, application errors, and product anomalies. Today, no one owns that picture end-to-end. You will.
This is not a SOC analyst role. You won't be triaging a ticket queue or watching dashboards someone else built. You'll be building the visibility layer from the ground up and briefing us on what matters.
What You'll Do
Own our threat awareness across every surface
Collect, monitor, filter, enrich, and relay external signals: dark web, threat feeds, CVEs, vendor advisories
Track what's happening inside: corporate systems, cloud infrastructure, IdP, messaging and communication, endpoints, and application behavior
Be the first to know when something looks wrong — and be able to explain it clearly
Build a library of business cases for visibility and monitoring, then implement them
Start with Sumo Logic, grow into Elastic
Take ownership of our Sumo Logic SIEM: collectors, pipelines, data quality, and detection logic
Work toward integrating our Elastic/APM stack to extend visibility into product and platform behavior
Tune signal over noise — don't just ingest everything, make what we have trustworthy
Build solutions where they don't exist
Extract security-relevant data from sources that weren't designed to provide it
Write scripts, build pipelines, and create custom solutions when tools don't cover the gap
Show daily progress — small improvements compound
Make visibility actionable
Brief leadership regularly on attack surface, unusual activity, and emerging threats
Translate technical signals into clear, decision-ready information
Identify problems early enough that we can act, not just react
What You Bring
3+ years in security engineering, detection engineering, or a hands-on security operations role
Experience owning a SIEM end-to-end — not just using one
Comfort with AWS environments and a variety of log sources from cloud to apps to hosts
Ability to develop automation and scripts and build tooling (Python, Bash, or similar)
Strong instincts for what matters — you know the difference between noise and signal
Clear communicator who can brief a non-technical audience on threat posture
Nice to have:
Experience with Sumo Logic or Elastic Stack
Familiarity with threat intelligence sources, dark web monitoring, or OSINT
Exposure to product/application telemetry and APM tooling