
- Employment
- Full-time
About the role
About Northwood:
Northwood is on a mission to transform connectivity between earth and space and bring the benefits of space to the masses through innovations in space communications technologies. If you like building quickly and seeing your work deployed in locations around the globe with real impact, we want you at Northwood.
Role Overview
As Security Operations Lead, you will build and own Northwood's security operations function — standing up SOC capabilities, leading incident response, and developing the detection and threat hunting programs that protect mission-critical infrastructure. This is a senior leadership role for an operator who brings deep hands-on experience across SIEM engineering, EDR, and incident response, and who can build a team and program from the ground up in a highly regulated, dual-use environment.
You will develop detection content tailored to Northwood's hybrid on-premises and cloud infrastructure, building coverage across network security, identity, endpoint, and email security telemetry sources. This role partners closely with the Security Engineering Lead and reports to the Head of Security.
Responsibilities
Security Operations & Monitoring
Build and operate Northwood's SOC function, including continuous monitoring of security events across AWS GovCloud, GCC, on-premises facilities, and endpoint environments.
Own alert triage, investigation, and escalation workflows, ensuring critical threats are identified and actioned with the urgency required of a mission-critical environment.
Monitor and analyze telemetry across network security, identity, endpoint, and email security platforms, ensuring comprehensive visibility into Northwood's on-premises, cloud, and perimeter environments.
Develop and maintain SOC operational metrics, reporting cadences, and dashboards for internal stakeholders and government customers.
Detection Engineering
Develop and continuously improve custom detection logic within Northwood's SIEM platform, including log source onboarding, correlation rule development, tuning, and coverage gap analysis.
Build behavioral analytics, UEBA rules, and threat hunting queries tailored to Northwood's infrastructure and adversary profiles targeting aerospace and defense.
Maintain detection content aligned to MITRE ATT&CK, ensuring coverage maps are current and gaps are systematically addressed.
Integrate threat intelligence feeds into detection workflows and brief stakeholders on emerging threats relevant to government and dual-use space communications infrastructure.
Incident Response & Forensics
Own security incidents end-to-end, from initial detection through containment, eradication, recovery, and post-incident review.
Conduct digital forensics and malware analysis using tools such as Volatility, YARA, and supporting utilities across Linux and Windows environments.
Develop and maintain incident response playbooks and escalation procedures, including communication protocols for government customers and mission-critical operations.
Lead tabletop exercises and incident response drills to validate playbook effectiveness and team readiness.
Threat Hunting & Intelligence
Proactively hunt for advanced persistent threats across Northwood's on-premises and cloud environments, developing and refining hunting methodologies as the threat landscape evolves.
Research adversary tactics, techniques, and procedures targeting aerospace, defense, and critical infrastructure, and translate findings into actionable detection and hardening improvements.
Maintain familiarity with government incident reporting requirements and ensure response procedures satisfy applicable regulatory obligations.
Automation & Tooling
Develop Python, PowerShell, or Bash automation for incident response workflows, threat hunting pipelines, and security orchestration across Northwood's environment.
Build and maintain SOAR playbooks and automated response actions to reduce mean time to respond and minimize manual analyst burden.
Collaborate with the Security Engineering Lead to ensure SOC tooling integrations across SIEM, EDR, email security, and identity platforms are maintained and continuously improved.
Team Leadership
Hire, mentor, and develop security operations analysts and engineers as the team scales.
Define SOC operating procedures, analyst workflows, and on-call responsibilities to ensure consistent operational coverage.
Serve as a senior security subject-matter expert in cross-functional collaboration with network engineering, infrastructure, and compliance teams.
Basic Qualifications
5+ years of hands-on SOC operations, incident response, or threat hunting experience, with demonstrated experience in a technical leadership capacity.
Hands-on experience building and operating SIEM platforms, including custom detection rule development, log source onboarding, and advanced query development.
Experience with EDR platforms, including alert triage, policy management, and forensic investigation workflows.
Digital forensics and malware analysis proficiency, including tools such as Volatility and YARA.
Proficiency in Python, PowerShell, or Bash for security automation and threat hunting workflows.
Experience building and maintaining UEBA capabilities for insider risk detection and anomalous behavior identification.
Strong Linux forensics and log analysis skills across distributed systems.
Working knowledge of threat intelligence frameworks including MITRE ATT&CK and the Diamond Model.
Familiarity with compliance frameworks relevant to government environments, including NIST 800-171, CMMC, and DFARS incident reporting requirements.
Ability to obtain and maintain a TS/SCI clearance.
U.S. citizenship or status as a lawful permanent resident is required to conform with ITAR export regulations.
Preferred Qualifications
Active TS clearance or higher.
Familiarity with Northwood's core security stack, including FortiGate firewall infrastructure, Cloudflare Zero Trust, Okta, CrowdStrike or SentinelOne EDR, and email security platforms such as Proofpoint or Sublime Security.
Experience with cloud security monitoring in AWS GovCloud and Microsoft GCC environments.
Hands-on experience with SOAR platforms and automated response workflow development.
Background in aerospace, defense, critical infrastructure, or other highly regulated security operations environments.
Experience with threat hunting in air-gapped or compliance-constrained environments.
Familiarity with government incident reporting requirements and procedures including DFARS 252.204-7012.
Certifications such as GCIH, GCFA, GNFA, or equivalent incident response credentials.
ITAR compliance experience.