Blackbaud

Manager, Defensive Cyber Operations

Reposted 11 Days Ago
Remote
Hiring Remotely in USA
117K-158K Annually
Senior level
The manager will lead a defensive operations team, focusing on improving detection and response capabilities, automation, and handling high-severity incidents.
The summary above was generated by AI

About the role

We’re hiring a Manager, Defensive Cyber Operations to mature, scale, and continuously iterate our agentic SOC. This is a hands-on player/coach role: you will lead a small team of engineers and analysts while personally owning critical technical outcomes across detection engineering, SOAR automation, breach and attack simulation, and insider threat.

This role is ideal for a technical leader who improves existing systems, writes production‑quality detection and automation, leads investigations, and raises the operational bar through disciplined iteration.

What you’ll do

Lead and develop a small defensive operations team

  • Manage, mentor, and grow a small team of security engineers and analysts focused on detection, response, and automation.
  • Act as the primary technical escalation point for high‑severity incidents; lead investigations and response decision‑making.
  • Set and reinforce quality standards for investigations, detections, automation, documentation, and on‑call readiness.

Mature and iterate on an agentic SOC

  • Evolve and refine agentic SOC workflows that improve triage speed, consistency, and decision quality through automated enrichment, correlation, and recommended or automated response actions.
  • Iterate on existing SOC workflows, converting repeatable analyst effort into safe, reliable automation with clear guardrails, validation, and auditability.
  • Define and track operational metrics such as detection coverage, alert fidelity, automation success rates, and MTTD/MTTR improvements.

Detection engineering & threat detection operations

  • Own detection engineering outcomes end‑to‑end: alert logic, correlation rules, anomaly thresholds, tuning, and continuous improvement.
  • Mature a detection‑as‑engineering operating model, including requirements, testing, rollout, post‑deployment measurement, and documentation.

SOAR & security automation

  • Design, iterate on, and maintain SOAR playbooks for alert enrichment, containment, remediation, and case management.
  • Enhance custom automation, integrations, and enrichment logic to reduce manual analyst effort and improve response consistency.
  • Ensure automation remains resilient, production‑grade, well‑documented, and operationally safe at scale.

Breach & attack simulation (continuous validation)

  • Mature an existing breach & attack simulation capability to continuously validate detection and response effectiveness.
  • Translate BAS findings into prioritized detection, automation, and response improvements on a repeatable cadence.

Insider risk

  • Advance insider threat detection and response capabilities, including use‑case refinement, signal quality, investigation workflows, and playbooks.
  • Balance speed, precision, and appropriate controls while improving investigative consistency.

What we want you to have:

  • 5+ years of experience leading security operations, detection engineering, incident response, and/or security engineering teams, with direct ownership of operational outcomes.
  • Strong hands‑on background in intrusion analysis using SIEM/log analytics, packet captures, and investigation tooling.
  • Proven experience maturing SOAR automation and/or custom tooling to drive repeatable response actions.
  • Strong detection engineering fundamentals, including alert fidelity, correlation, and continuous tuning.
  • Experience operating in cloud‑first environments, with hands‑on security detection or response exposure in AWS and Azure.
  • Comfort operating as both technical leader and people manager in on‑call, real‑time security environments.

Preferred qualifications

  • Experience iterating on AI‑assisted or agentic SOC workflows with measurable operational impact.
  • Strong scripting experience (e.g., Python) for automation, integrations, and enrichment logic.
  • Experience with breach and attack simulation, purple team exercises, or continuous control validation programs.
  • Detection and response experience across AWS and Azure, including cloud-native logs, identity signals, and workload telemetry.
  • Working knowledge of adversary tradecraft and defensive frameworks (e.g., MITRE ATT&CK, NIST‑aligned approaches).
  • Security+, CEH, GSEC, CISSP, GCIA, GCIH, GSOC (Equivalent or comparable security engineering, detection, or incident response certifications are welcome.)

Blackbaud powers social impact through purpose‑driven technology and responsible AI. Guided by our Intelligence for Good® vision, we’re building a culture where innovation, trust, and human expertise come together to help organizations make a greater difference in the world.


Blackbaud is proud to be an equal opportunity employer and is committed to maintaining a diverse and inclusive work environment. All qualified applicants will receive consideration for employment without regard to race, color, religion, gender, gender identity or expression, sexual orientation, national origin, physical or mental disability, age, or veteran status or any other basis protected by federal, state, or local law.

The starting base pay is $117,200.00 to $157,500.00. Blackbaud may pay more or less based on employee qualifications, market value, Company finances, and other operational considerations.

Benefits Include:

  • Medical, dental, and vision insurance
  • Remote-flexible workforce
  • Wellness Programs
  • 401(k) program with employer match
  • Flexible paid time off
  • Generous Parental Leave
  • Donations for Doers
  • Pet insurance, legal and identity protection
  • Tuition reimbursement program
