Senior Security Operations Engineer
Dispel • United States
Posted: April 8, 2026
Job Description
Location: Remote (US-based)
About Dispel:
Dispel is the fastest-growing cybersecurity company recognized in the 2025 Cybersecurity Excellence Awards. We deliver zero trust secure remote access and real-time data streaming for operational technology (OT) and industrial control systems (ICS). Our patented Moving Target Defense technology — referenced in NIST 800-172 — protects critical infrastructure for utilities serving 54 million+ people, manufacturers producing over 50% of US baby formula, and major defense contracts including a $950M IDIQ with the US Air Force.
Why This Role Exists:
Dispel is pursuing FedRAMP High authorization while simultaneously operating a commercial security program. We have a functioning SOC built on Google SecOps (Chronicle) and SentinelOne, but we need a senior IC who can take it from "stood up" to "operationally mature." You'll own the log ingestion pipeline end-to-end and drive material expansion of coverage across federal and commercial environments, including AWS, Azure, and Entra ID.
This person will be the day-to-day technical owner of SOC operations, responsible for closing coverage gaps, building detections, maturing incident response, and providing senior technical direction to the existing SOC analyst. This is a hands-on-keyboard role with leadership expectations — you will not formally manage people, but you will set priorities, review deliverables, and drive execution across the SOC function.
Key Responsibilities:
SIEM/SOAR Operations (Google SecOps)
- Own the log ingestion pipeline end-to-end: identify gaps, build feeds, validate parsing, maintain coverage dashboards
- Close the federal logging gap and stand up commercial logging across AWS, Azure, Entra ID, and SaaS
- Activate and configure SecOps SOAR capabilities including Domain-Wide Delegation, marketplace integrations, and bidirectional response actions
- Build and maintain SOAR playbooks for major incident types such as phishing, malware, account compromise, lateral movement, and cloud-specific threats
- Develop and maintain operational dashboards for SOC metrics, alert volumes, MTTA/MTTR, and coverage status
- Manage Google SecOps RBAC
Detection Engineering
- Build and deploy production detection rules mapped to MITRE ATT&CK within the first year
- Develop custom parsers for AWS-native security services including GuardDuty, Security Hub, Inspector, WAF, CloudTrail, and VPC Flow Logs
- Establish a detection lifecycle including proposal, testing, deployment, tuning, and retirement
- Conduct quarterly detection quality reviews to measure false positive rates, coverage gaps, and rule health
- Develop alert threshold optimization to reduce noise and analyst fatigue
Endpoint Detection and Response (SentinelOne)
- Drive SentinelOne deployment across Azure VMs in commercial environments and all federal endpoints
- Configure and operationalize Cloud Funnel for log export into Google SecOps
- Build correlation rules between EDR alerts and SIEM detections
- Manage SentinelOne RBAC groups and policy configuration
- Coordinate with IT on agent deployment, health monitoring, and version management
Incident Response
- Serve as senior escalation point for SOC incidents, ensuring investigations are thorough and reports include root cause, remediation actions, credential rotation plans, and follow-up timelines
- Improve MTTA and MTTR through process optimization, better tooling, and analyst development
- Lead quarterly tabletop exercises and after-action reviews
- Maintain and improve incident response runbooks for all major incident categories
- Integrate incident response workflows with Jira Service Management for tracking and escalation
Vulnerability Management
- Operationalize monthly scanning cadence across all environments using tools such as Nessus, AWS Inspector, and Azure Defender
- Define and enforce remediation SLAs by severity: Critical within 72 hours, High within 7 days, Medium within 30 days
- Build consolidated vulnerability dashboards in Google SecOps
- Track SLA compliance and report metrics to the CISO
- Coordinate remediation with engineering and infrastructure teams
MSSP Oversight
- Serve as primary technical interface with MSSP partner for 24/7 SOC coverage
- Define and hold the MSSP accountable to SLAs, alert quality, and escalation procedures
- Review MSSP deliverables such as dashboards, reports, and playbooks for quality and completeness
- Manage the transition from the previous MSSP and ensure no coverage gaps
SOC Team Technical Leadership
- Provide day-to-day technical direction to SOC analysts by setting priorities, assigning tasks, and reviewing work products
- Ensure incident response reports, playbooks, and dashboards meet quality standards before delivery to leadership or external stakeholders
- Drive OKR execution for SOC-related objectives including logging coverage, detection counts, incident response metrics, and vulnerability SLA compliance
- Identify skill gaps and development opportunities for junior analysts
- Establish and enforce SOC processes that are documented, repeatable, and auditable
Required Qualifications:
- 6+ years of experience in security operations, detection engineering, or SIEM/SOAR engineering
- Hands-on experience with Google SecOps (Chronicle) or equivalent enterprise SIEM such as Splunk, Sentinel, or QRadar, with Chronicle strongly preferred
- Production experience with SentinelOne, CrowdStrike, or a comparable EDR platform
- Deep knowledge of AWS security services including GuardDuty, Security Hub, Inspector, CloudTrail, WAF, and Config
- Experience building detection rules mapped to the MITRE ATT&CK framework
- SOAR playbook development and automation experience
- Demonstrated ability to lead without formal authority by setting direction for peers or junior analysts
- Strong incident response skills with experience writing complete reports for executive and external audiences
- Understanding of NIST 800-53 controls, particularly Audit, System Integrity, and Incident Response families
- Excellent written communication skills
Preferred Qualifications:
- Experience with Google SecOps (Chronicle), SentinelOne, or similar SIEM/SOAR platforms; certifications are a plus
- Experience working in a FedRAMP High environment such as AWS GovCloud
- Azure security experience including Defender for Cloud, Entra ID, Log Analytics, and Event Hubs
- Experience managing MSSP relationships and enforcing SLAs
- Background in OT/ICS security monitoring
- Experience with vulnerability management tools such as Nessus, Inspector, or Defender
- Previous experience in a startup or high-growth environment building SOC capabilities from early stages
Certifications (Preferred, not required):
- GCIA, GCIH, GSOM, or other GIAC blue team certifications
- Google Chronicle or SecOps certifications
- AWS Security Specialty
- CISSP or CISM
- Detection engineering certifications such as SANS SEC555 or SEC511