Security Operations Lead

Security Operations Lead (SOC Lead)

Role Summary

The Security Operations Lead will oversee all SOC functions and lead a blended team of SOC Analysts and Security Engineers to ensure rapid detection, investigation, and response to security threats. This role is responsible for driving threat hunting, leading major incidents, engineering detection capabilities, and maturing SOC operations to stay ahead of evolving adversary behaviors. The Lead acts as the central coordination point during security events and sets the strategic direction for the SOC to ensure continuous, mission-critical security coverage.

Key Responsibilities

SOC Leadership & Operations

• Lead day‑to‑day SOC operations, including queue management, alert triage oversight, escalation handling, on‑call rotations, and daily situational reporting.
• Mentor and develop SOC analysts across tiers; refine SOPs, workflows, and response playbooks.
• Drive threat hunting activities focused on identifying patterns, outliers, and TTP‑aligned behaviors across host, network, email, and cloud logs.
• Oversee SIEM dashboarding, alert tuning, log source health, and rule/correlation development to strengthen detection depth.
• Coordinate with Security Engineering to ensure logging fidelity, sensor coverage, and integration of new technologies.

Incident Response

• Lead the full lifecycle of incident response: identification, containment, eradication, recovery, forensics support, and post-incident reporting.
• Perform or direct deep-dive investigations using SIEM, NDR, EDR, packet analysis tools, and forensic artifacts.
• Provide expert investigative support for large-scale or complex incidents where technical detections may not be available.
• Guide analysts during high‑severity incidents and act as the primary interface with client leadership and internal stakeholders.
• Oversee threat intelligence intake and ensure IOCs, adversary behaviors, and campaign indicators are integrated into SOC detections.

Detection Engineering & Threat Analytics

• Develop and optimize SIEM correlation rules, dashboards, and monitoring logic.
• Enhance playbooks and automation pipelines to improve consistency and reduce analyst workload.
• Ensure ongoing alignment to evolving threat actor TTPs, including insider threat and APT-style behaviors.
• Integrate new data sources into SOC detection pipelines and validate alert efficacy.

Required Qualifications:

• 8 years of cybersecurity experience, with 3+ years leading SOC or IR teams.
• Hands-on experience triaging alerts, logs, events, and incident artifacts across enterprise environments.
• Strong experience with one or more of the following technologies: SIEM (Splunk. Elastic etic), NDR (ExtraHop), EDR/XDR (Trellix), and packet analysis tools.
• Demonstrated ability to lead incident response for high-severity cybersecurity events.

Preferred Qualifications:

• Advanced experience in threat hunting, analytics, and adversary behavior profiling.
• Certifications such as CISSP, GCIH, GCIA, GCED, CEH, or similar.
• Experience building SIEM/SOAR automations and custom detection content.
• Familiarity with malware triage, static/dynamic analysis, and IOC development.
• Experience leading SOCs supporting federal missions or high‑tempo operational environments.
• Exposure to cloud security monitoring (Azure/AWS/GCP) and SaaS logging integrations.