Senior Cybersecurity Operations Engineer - AI

Essential Job Functions 

• Process and Project Management: Own the design and the implementation of key IT projects and initiatives as they pertain to the organization's long-term security strategy. Identify areas of improvement where processes do not currently exist and drive the development and delivery of new processes to address these gaps.  Ability to manage ambiguity and deliver quality results with minimal supervision in coordinating projects and other deliverables. Willingness to escalate identified issues as necessary and the ability to identify when to partner with leadership to resolve issues, risks or obstacles. Builds consensus for delivering results while finding common ground for collaboration and partnership. 

• Documentation, Metrics and Presentations: Understand the various tools and technologies commonly associated with Information Security. Lead the creation of and the maintenance of relevant documentation including the ability to deliver run books, project updates, process documentation, architecture and technical requirements and presentations. Develop and deliver Key Performance Indicators (KPIs) through the understanding of the tools and deliverables by helping to develop, maintain and mature the associated reporting structure. Ability to produce meaningful and actionable metrics through data analysis. Conduct data analysis exercises using Excel Pivot Tables, database queries, and other data driven analysis tools.  Produces presentations at various levels of abstraction dependent on intended audience using Microsoft Power Point, Microsoft Visio, or equivalent tools. 

• Human Relations: Ability to maintain the highest level of confidentiality and professionalism. Ability to proactively identify potential issues and deliver well-reasoned solutions. Ability to diffuse problematic situations and manage through conflict resolution.  Ability to decompose complex topics and break them down into laymen’s terms or analogies that help drive clarity and understanding.  Viewed as an enabling partner that provides alternative options or supporting information when saying no to business or IT requests.  Seen by leadership and peers as creditable, trustworthy and respectful.   

Reports to: Manager, Information Security  

Working Conditions/ Physical Requirements:

• Normal office environment. (Remote or Hybrid), 3 to 4 days per month are required in office if within 60 miles of a posted Bread Financial location.

• Some travel may be required.

• As the need of the business continue to evolve, this role may be asked to work an on-call rotation to include evenings or weekends. 

Direct Reports: None 

Minimum Qualifications:  

• Four or more years experience in Information Security or Infrastructure.  

• Intermediate to expert level knowledge of IT tools and practices including, but not limited to: Networking, LDAP Directories, Vulnerability/Patch Management, Change Management, Incident Management, Server and Desktop Management, Mainframe Technologies, Encryption and Key Management, Cloud Architecture and Computing, Software Application General Computing Controls, Business Continuity/Disaster Recovery, Software Development Lifecycle, Access Management, and Cyber Security Tools (Security Incident Event Management (SIEM), Security Orchestration, Automation and Response (SOAR), Data Loss Prevention (DLP) , Intrusion Detection System (IDS), Intrusion Prevention System (IPS), End User Behavioral Analytics (EUBA), Web Application Firewall (WAF), Network Access Control (NAC), Privileged Access Management (PAM), Endpoint Detection Response (EDR).  Broad range of skills with different technical platforms (firewalls, servers, workstations, networks, storage, security, Internet and cloud (SaaS / IaaS / PaaS) technologies).  Working understanding of NIST security standards, PCI - DSS and SOX controls.  

Preferred Experience: 

• Bachelor’s or equivalent experience in Computer Science, Networking or Information Technology 

• Certification: Security +, Network+, CISSP, SSCP, CCSP 

• Five or more years experience in Information Security or Infrastructure experience. 

• ​5+ years in SOC, detection engineering, threat detection, or security engineering roles

• Demonstrated ownership of detection lifecycle: ideation, development, tuning, deployment, validation, and continuous improvement.

• Hands-on experience building and maintaining detections in one or more SIEM platforms (Splunk, CrowdStrike Next-Gen SIEM, Palo Alto XSIAM).

• Proven experience onboarding and normalizing logs across endpoint, identity, cloud, network, and application sources.

• Experience managing detections using Git-based workflows, code review, branching strategies, and CI/CD principles.

• Familiarity with testing frameworks for detections (unit testing logic, regression testing, synthetic event generation, and controlled replay).

• 3+ years designing and implementing SOAR playbooks and response automations (Cortex XSOAR, Splunk SOAR).

• Demonstrated success reducing mean time to detect and respond through automation and orchestration.

• Experience translating intelligence into practical outcomes such as detections, hunts, enrichment, and response actions.

• Familiarity with TI platforms and standards (MISP, OpenCTI, STIX/TAXII) and integrating TI into SIEM and SOAR workflows.

• Strong experience mapping detections and response playbooks to MITRE ATT&CK.

• Experience building behavior-based detections that reduce reliance on static indicators.

• Experience applying AI to detection engineering or SOC operations such as alert summarization, triage enrichment, incident clustering, case routing, and knowledge retrieval.

• Experience designing guardrails for AI usage: human-in-the-loop approvals, audit logging, data handling controls, and prompt or workflow governance.

Skills:

Detection Engineering and Analytics

• Writing high-signal detections using SPL, KQL, EQL, Lucene, Sigma, or equivalent query languages

• Behavior-based detection design, including correlation, baselining, anomaly, and sequence detection

• Alert tuning, suppression, allowlisting, and noise reduction

• Data modeling, normalization, field extraction, parsing, and enrichment strategies

• Detection coverage mapping to MITRE ATT&CK and kill chain concepts

Automation, SOAR, and Response Engineering

• Building SOAR playbooks and automated response actions with approval gates and safe failure modes

• Integrations via REST APIs, webhooks, message queues, and event-driven designs

• Case management, ticketing integration, and automated evidence collection

• Automated containment actions: disable accounts, revoke sessions, isolate endpoints, block indicators, quarantine email, update firewall rules

Threat Intelligence and Hunting

• Converting TI into actionable detections, hunts, enrichment, and prioritized response steps

• IOC lifecycle management, confidence scoring, and expiration handling

• Familiarity with STIX/TAXII, MISP, OpenCTI, and TI feeds

• Threat hunting methodologies, hypothesis-driven hunting, and translating hunts into detections

AI and Agentic SOC Operations

• Designing AI-assisted workflows for triage, summarization, correlation, and recommendation

• Building agentic workflows with human approvals, audit trails, and policy guardrails

• Prompt engineering fundamentals for security workflows and retrieval-augmented approaches

• Evaluating AI outputs for accuracy, bias, and safety, including fallback procedures

Platforms and Telemetry

• SIEM administration fundamentals and search performance optimization

• Endpoint telemetry and EDR concepts: process trees, persistence, lateral movement, and malware tradecraft

• Identity telemetry: authentication events, conditional access, privilege changes, and OAuth abuse

• Cloud telemetry: audit logs, IAM events, workload signals, and network flow logs

Engineering Practices

• Scripting and automation using Python and PowerShell

• Infrastructure as code concepts and configuration management practices

• Git, version control, code review, and CI/CD for detection and automation content

• Documentation practices for runbooks, playbooks, and detection intent and testing

Communication and Operations

• Incident handling and escalation judgment

• Writing clear, analyst-friendly detection documentation and response instructions

• Operational maturity mindset: continuous improvement, post-incident reviews, and backlog prioritization

• Cross-functional collaboration and influencing without authority