
Security Engineer - Operations / Incident Response

Ondo Finance

United States | Remote | 1mo ago
Employment
Full-time

About the role

  • Detection engineering lifecycle in our SIEM (e.g., Splunk, Panther, or equivalent) — write detections, tune for noise, version them in code, and measure their performance.
  • EDR (e.g., CrowdStrike, SentinelOne) deployment, policy tuning, exclusions hygiene, and response playbooks across macOS-heavy and Linux fleets.
  • Email security stack: tune detections, investigate phish, run takedowns, and drive user reporting workflows.
  • Build and operate SOAR / response automation to take repetitive analyst work to zero.
  • Participate in and lead incident response: triage, contain, eradicate, recover, and write the post-mortem. Run tabletop exercises with engineering and exec stakeholders.
  • Build and maintain the on-call rotation, runbooks, and severity definitions for the SIRT.
  • Integrate identity telemetry and SaaS audit logs into detection coverage; close the gap between IT signals and security signals.
  • Partner with Infrastructure Security on cloud detection coverage and with Product Security on application-layer signals.
  • Build, deploy, and operate AI-native workflows in our SecOps stack — LLM-assisted triage, alert summarization, evidence collection, draft IR comms, and analyst copilots — with the guardrails to keep them safe and auditable.
  • Define how we monitor *internal* AI usage (sanctioned LLMs, MCP servers, browser-based agents) and how we detect AI-driven attacks against our employees and customers (deepfake voice/video, AI phishing, prompt injection in shared tooling).
  • Help us decide where AI belongs in critical workflows (incident comms drafting, log search, detection tuning) and where it does not (signing actions, irreversible response, anything touching customer funds).
  • 3-5+ years in security operations, detection engineering, or incident response, including time as a senior IC at a fast-moving company.
  • Deep, hands-on experience with at least one SIEM (Splunk, Panther, Elastic, Sentinel, Chronicle).
  • Production experience with EDR tuning and IR (CrowdStrike, SentinelOne, Defender, or equivalent).
  • Solid working knowledge of email security tooling and modern phishing TTPs (BEC, OAuth consent phishing, vendor impersonation, callback phishing).
  • SOAR / automation experience.
  • Strong scripting skills (Python preferred); comfortable working in Git and treating detections as code.
  • Operational maturity: you can lead an incident, write a clean post-mortem, and push organizational changes that come out of it.
  • Working fluency with cloud security telemetry in at least one of AWS, GCP, or Azure.
  • Practical experience integrating AI/LLMs into security workflows, *or* a track record of evaluating new tooling rigorously and shipping it into production.
  • Background defending crypto, fintech, or other high-value-target environments.
  • Experience with on-chain monitoring tools and blockchain-aware incident response.
  • Threat hunting against identity-based attacks (OAuth abuse, session token theft, IdP compromise).
  • Public detection-engineering, IR, or research output (blogs, talks, open-source).
