SOC Engineering Lead

Fully Remote

Cyberfort

Facing cyber threats? Our consultancy and secure cloud solutions ensure 24/7 protection. Get in touch for tailored cyber security services.



About the Role

We are seeking an experienced and hands-on Lead SOC Engineer to architect, evolve, and oversee the technical operations of our Security Operations Centre. This role is ideal for a seasoned engineer with a deep background in SIEM, EDR, and threat intelligence technologies, who thrives in a fast-paced, highly automated security environment.

The successful candidate will be instrumental in shaping the core detection and response capabilities of the SOC, leading engineering efforts across Elastic SIEM, Microsoft Sentinel, Defender for Endpoint, CrowdStrike, and MISP, while building robust ITSM automation in JIRA.

Key Responsibilities

  • Lead the technical design, implementation, and tuning of SIEM platforms (Elastic, Microsoft Sentinel).
  • Engineer and operationalise endpoint detection capabilities using Defender for Endpoint, CrowdStrike, and Elastic Defend.
  • Maintain and optimise threat intelligence workflows, including integrations with MISP.
  • Build and maintain robust ITSM integrations and automations in JIRA for incident and change management.
  • Work with the SOC leadership team to build, iterate on and improve engineering practice so the SOC continues to deliver a world-class service.
  • Work closely with SOC analysts to ensure telemetry, detections, and playbooks align with real-world attack techniques (MITRE ATT&CK, D3FEND).
  • Develop and maintain detection engineering pipelines, including log onboarding, parsing, enrichment, correlation rules, and alerting logic.
  • Automate repetitive tasks using scripting and infrastructure-as-code tools (PowerShell, Python, Terraform, etc.).
  • Drive integration between security tooling and external systems (e.g., threat feeds, SOAR platforms, ticketing tools).
  • Act as the escalation point for complex detection and incident response scenarios.
  • Mentor junior engineers and analysts, and contribute to a culture of continuous improvement.

Required Experience

  • Minimum 5 years of experience engineering and operating Security Operations Centre platforms.
  • Deep knowledge and hands-on experience with:
    • SIEM: Elastic Stack (Beats, Logstash, Kibana, Elasticsearch), Microsoft Sentinel
    • EDR: Microsoft Defender for Endpoint, CrowdStrike Falcon, Elastic Defend
    • Threat Intelligence: MISP (integration, automation, ingestion)
    • SOAR and automation: JIRA automations, Sentinel playbooks, Azure Logic Apps and Azure Functions, APIs and other integrations
    • ITSM: JIRA (incident, change, and service automation)
  • Strong scripting and automation skills (Python, PowerShell, Bash).
  • Experience implementing detection-as-code pipelines and detection content engineering at scale.
  • Solid understanding of threat detection, digital forensics, and security telemetry.
  • Experience integrating SOC tooling with third-party platforms and APIs.

Desirable Skills

  • Familiarity with threat modelling techniques and industry-standard risk frameworks (e.g., STRIDE, DREAD, MITRE ATT&CK).
  • Knowledge of compliance standards (e.g., ISO 27001, NIST SP 800-53).
  • Exposure to containerised deployments, cloud-native logging, and AWS and Azure/M365 security architecture.

Our Purpose

The Cyberfort Group is a community of 150+ passionate people united by one overall mission “to make the world safer, one business at a time”. We are the "one-stop shop" for all things cyber and are working to build a centre of excellence for our customers by building an amazing place to work, learn and develop all our people.

We work with a diverse range of clients, including large Governmental departments as well as other public sector organisations and businesses within the private sector. We're growing our business and our team through our continuous investment in developing technology and cyber capability; we aim to deliver innovation to our customers as fast as possible.

Our goal is to implement, deliver and support solutions that make us stand out.



Tags: APIs Automation AWS Azure Bash Cloud Compliance CrowdStrike EDR Elasticsearch Forensics Incident response ISO 27001 Jira MISP MITRE ATT&CK NIST NIST 800-53 PowerShell Python Scripting Sentinel SIEM SOAR SOC Terraform Threat detection Threat intelligence

Region: Remote/Anywhere
