[LTA-ITCD] LEAD / PRINCIPAL TECHNICAL CYBER ENGINEER

[What the role is]

LEAD / PRINCIPAL TECHNICAL CYBER ENGINEER

[What you will be working on]

The SOC Tech Lead is the technical authority for all security monitoring and detection platforms within the Cybersecurity Operations Centre. This role drives the architecture, engineering quality, and continuous improvement of the SOC's detection capabilities, tooling stack, and automation workflows. The Tech Lead bridges detection engineering with operational execution, ensuring that analysts at every tier are equipped with reliable, high-fidelity signals and efficient tooling.

Job Scope

Detection Engineering & Use Case Development

• Own the end-to-end design, development, and quality assurance of detection rules, correlation logic, and threat scenarios across SIEM and EDR platforms
• Author and peer-review detection rules using KQL (Microsoft Sentinel), SIGMA, and platform-native query languages
• Translate threat intelligence, MITRE ATT&CK mappings, and red team findings into production-ready detection use cases
• Define and maintain alert fidelity standards — tuning rules to minimise false positives while maximising true positive coverage
• Maintain a detection coverage matrix mapped to the MITRE ATT&CK framework, identifying and prioritising coverage gaps

Platform Architecture & Integration

• Lead the architecture, configuration, and optimisation of core SOC platforms including SIEM, SOAR, EDR, and threat intelligence platforms
• Design and maintain data ingestion pipelines — ensuring log sources are properly parsed, normalised, and enriched before entering the detection layer
• Own API integrations between SOC tooling (e.g., Sentinel ↔ FortiSOAR ↔ CrowdStrike ↔ threat intel feeds) and broader IT/security infrastructure
• Evaluate and onboard new security technologies, conducting proof-of-concept assessments and producing technical recommendation reports
• Define and enforce data retention, log archiving, and storage optimisation strategies aligned to compliance requirements

SOAR & Automation Engineering

• Lead the design, development, and maintenance of SOAR playbooks for alert triage, enrichment, containment, and incident escalation
• Establish engineering standards for playbook logic, error handling, and audit trails
• Identify automation opportunities to reduce manual analyst workload and accelerate MTTD/MTTR metrics
• Integrate SOAR workflows with ticketing systems, communication platforms, and external threat intelligence services

Technical Standards & Governance

• Define and enforce technical standards for detection rule development, playbook design, data source onboarding, and platform configuration management
• Conduct regular detection health reviews — assessing rule performance, coverage drift, and platform reliability
• Own the SOC technology risk register, tracking technical debt, dependency risks, and platform vulnerabilities
• Ensure all platform configurations and detection logic are version-controlled, documented, and change-managed

Analyst Enablement & Technical Leadership

• Provide technical guidance and mentoring to analysts on detection engineering, threat hunting, and advanced investigative techniques
• Conduct technical onboarding for new analysts, establishing baseline competency in SOC tooling and workflows
• Collaborate with the Product Lead on sprint planning
• Ensure dashboards, alert views, and triage workflows match analyst cognitive workflows
• Represent the SOC in technical forums, vendor engagements, and cross-functional security architecture reviews

Threat Hunting & Continuous Improvement

• Lead proactive threat hunting exercises using hypothesis-driven and intelligence-led methodologies
• Convert successful hunt findings into permanent detection rules and monitoring logic
• Track and benchmark key technical metrics: detection coverage %, alert-to-incident conversion rate, playbook automation rate, MTTD, MTTR
• Conduct post-incident technical reviews to identify detection gaps and drive rule improvements

[What we are looking for]

• Knowledge in Computer Science, Computer Engineering, Data Science, or related technical discipline

• Hands-on expertise in Microsoft Sentinel

• Proficiency in KQL or exposure to SIGMA rule format is advantageous

• Operational and integration experience with CrowdStrike Falcon

• Experience designing and building SOAR playbooks on platforms such as FortiSOAR, Microsoft Sentinel Automation

• Working knowledge of firewall policy, WAF rules (e.g., Akamai), and proxy/DNS security controls — sufficient to validate log source quality and detection logic

• Practical knowledge of Microsoft Azure security services and AWS security logging (CloudTrail, GuardDuty, Security Hub); ability to onboard cloud-native log sources into SIEM

• Proficiency in Python and/or PowerShell for automation, API integration, and log enrichment pipelines

• Demonstrated ability to map detections to ATT&CK tactics, techniques, and procedures (TTPs)

• Experience with threat intelligence platforms (MISP, OpenCTI, or commercial TIP integration)

• Familiarity with DNSSEC, DNS security monitoring, and network traffic analysis

• Exposure to adversarial AI/LLM-based attack techniques and AI-assisted detection methods

• Knowledge of quantum-safe cryptography migration considerations as they relate to security monitoring

• Experience with CI/CD pipelines for detection-as-code practices (Git-based rule management, automated testing of detection logic)

• At least 5 years in cybersecurity with at least 3 years in a detection engineering, SOC engineering, or senior analyst role

• Possess relevant certification such as Microsoft Certified: Security Operations Analyst Associate (SC-200), Azure Security Engineer Associate (AZ-500), GIAC Certified Detection Analyst (GCDA) or GIAC Certified Enterprise Defender (GCED) or any ISACA certification

• Strong written and verbal communication

• Structured problem-solving mindset with attention to detection logic accuracy and operational impact

• Collaborative team leader who can balance platform stability with continuous improvement velocity

• Ability to operate under pressure during high-severity incidents while maintaining engineering rigour

As part of the shortlisting process for the role, you may be required to complete a medical declaration and / or undergo further assessment.