Senior Cybersecurity Operations Engineer - AI
Bread Financial · Columbus, OH · 3 wk ago
Information Technology$98k–$177k/yrFull-time
About the role
The Senior Cybersecurity Operations Engineer - AI serves as a senior technical leader within the Cybersecurity Operations Center, focusing on advancing detection engineering, automated response, and threat intelligence capabilities to defend critical information assets.
Responsibilities
- Own the design and implementation of key IT projects and initiatives as they relate to the organization's long-term security strategy.
- Identify areas of improvement where processes do not currently exist and drive the development and delivery of new processes to address these gaps.
- Manage ambiguity and deliver quality results with minimal supervision in coordinating projects and other deliverables.
- Escalate identified issues as necessary and identify when to partner with leadership to resolve issues, risks, or obstacles.
- Build consensus for delivering results while finding common ground for collaboration and partnership.
- Create and maintain relevant documentation including run books, project updates, process documentation, architecture and technical requirements, and presentations.
- Develop and deliver Key Performance Indicators (KPIs) through the understanding of the tools and deliverables by helping to develop, maintain, and mature the associated reporting structure.
- Produce meaningful and actionable metrics through data analysis using Excel Pivot Tables, database queries, and other data-driven analysis tools.
- Conduct data analysis exercises using Excel Pivot Tables, database queries, and other data-driven analysis tools.
- Produce presentations at various levels of abstraction dependent on intended audience using Microsoft PowerPoint, Microsoft Visio, or equivalent tools.
- Work in a team-fostered, fast-paced, multi-threaded environment, serving as the subject matter expert in various technical Information Security disciplines and mentoring junior staff.
- Gain knowledge of new technical developments and ensure they are shared appropriately and applied within the department.
- Identify and understand drivers for change and act as an individual champion or partner with leadership to deliver those changes.
- Effectively partner with peers within the department to include them in key projects, risks, or issues.
- Intermediate to expert interpersonal, negotiation, and oral communication skills expected.
- Maintain the highest level of confidentiality and professionalism, identify potential issues, and deliver well-reasoned solutions.
- Diffuse problematic situations and manage through conflict resolution.
- Decompose complex topics and break them down into laymen’s terms or analogies that help drive clarity and understanding.
- Viewed as an enabling partner that provides alternative options or supporting information when saying no to business or IT requests.
- Seen by leadership and peers as creditable, trustworthy, and respectful.
Requirements
- Four or more years experience in Information Security or Infrastructure.
- Intermediate to expert level knowledge of IT tools and practices including, but not limited to: Networking, LDAP Directories, Vulnerability/Patch Management, Change Management, Incident Management, Server and Desktop Management, Mainframe Technologies, Encryption and Key Management, Cloud Architecture and Computing, Software Application General Computing Controls, Business Continuity/Disaster Recovery, Software Development Lifecycle, Access Management, and Cyber Security Tools (Security Incident Event Management (SIEM), Security Orchestration, Automation and Response (SOAR), Data Loss Prevention (DLP), Intrusion Detection System (IDS), Intrusion Prevention System (IPS), End User Behavioral Analytics (EUBA), Web Application Firewall (WAF), Network Access Control (NAC), Privileged Access Management (PAM), Endpoint Detection Response (EDR)).
- Broad range of skills with different technical platforms (firewalls, servers, workstations, networks, storage, security, Internet and cloud (SaaS / IaaS / PaaS) technologies).
- Working understanding of NIST security standards, PCI - DSS and SOX controls.
Preferred Experience
- Five or more years experience in Information Security or Infrastructure experience.
- Five+ years in SOC, detection engineering, threat detection, or security engineering roles.
- Demonstrated ownership of detection lifecycle: ideation, development, tuning, deployment, validation, and continuous improvement.
- Hands-on experience building and maintaining detections in one or more SIEM platforms (Splunk, CrowdStrike Next-Gen SIEM, Palo Alto XSIAM).
- Proven experience onboarding and normalizing logs across endpoint, identity, cloud, network, and application sources.
- Familiarity with testing frameworks for detections (unit testing logic, regression testing, synthetic event generation, and controlled replay).
- Three to five years designing and implementing SOAR playbooks and response automations (Cortex XSOAR, Splunk SOAR).
- Proven experience reducing mean time to detect and respond through automation and orchestration.
- Experience translating intelligence into practical outcomes such as detections, hunts, enrichment, and response actions.
- Familiarity with TI platforms and standards (MISP, OpenCTI, STIX/TAXII) and integrating TI into SIEM and SOAR workflows.
- Strong experience mapping detections and response playbooks to MITRE ATT&CK.
- Experience building behavior-based detections that reduce reliance on static indicators.
- Experience applying AI to detection engineering or SOC operations such as alert summarization, triage enrichment, incident clustering, case routing, and knowledge retrieval.
- Experience designing guardrails for AI usage: human-in-the-loop approvals, audit logging, data handling controls, and prompt or workflow governance.
Skills
- Detection Engineering and Analytics
- Writing high-signal detections using SPL, KQL, EQL, Lucene, Sigma, or equivalent query languages
- Behavior-based detection design, including correlation, baselining, anomaly, and sequence detection
- Alert tuning, suppression, allowlisting, and noise reduction
- Data modeling, normalization, field extraction, parsing, and enrichment strategies
- Detection coverage mapping to MITRE ATT&CK and kill chain concepts
- Automation, SOAR, and Response Engineering
- Building SOAR playbooks and automated response actions with approval gates and safe failure modes
- Integrations via REST APIs, webhooks, message queues, and event-driven designs
- Case management, ticketing integration, and automated evidence collection
- Automated containment actions: disable accounts, revoke sessions, isolate endpoints, block indicators, quarantine email, update firewall rules
- Threat Intelligence and Hunting
- Converting TI into actionable detections, hunts, enrichment, and prioritized response steps
- IOC lifecycle management, confidence scoring, and expiration handling
- Familiarity with STIX/TAXII, MISP, OpenCTI, and TI feeds
- Threat hunting methodologies, hypothesis-driven hunting, and translating hunts into detections
- AI and Agentic SOC Operations
- Designing AI-assisted workflows for triage, summarization, correlation, and recommendation
- Building agentic workflows with human approvals, audit trails, and policy guardrails
- Prompt engineering fundamentals for security workflows and retrieval-augmented approaches
- Evaluating AI outputs for accuracy, bias, and safety, including fallback procedures
- Platforms and Telemetry
- SIEM administration fundamentals and search performance optimization
- Endpoint telemetry and EDR concepts: process trees, persistence, lateral movement, and malware tradecraft
- Identity telemetry: authentication events, conditional access, privilege changes, and OAuth abuse
- Cloud telemetry: audit logs, IAM events, workload signals, and network flow logs
- Engineering Practices
- Scripting and automation using Python and PowerShell
- Infrastructure as code concepts and configuration management practices
- Git, version control, code review, and CI/CD for detection and automation content
- Documentation practices for runbooks, playbooks, and detection intent and testing
Other Duties
- This job description is illustrative of the types of duties typically performed by this job. It is not intended to be an exhaustive listing of each and every essential function of the job.