Role OverviewAs Security Operations Lead, you will build and own Northwood's security operations function - standing up SOC capabilities, leading incident response, and developing the detection and threat hunting programs that protect mission-critical infrastructure. This is a senior leadership role for an operator who brings deep hands-on experience across SIEM engineering, EDR, and incident response, and who can build a team and program from the ground up in a highly regulated, dual-use environment.
You will develop detection content tailored to Northwood's hybrid on-premises and cloud infrastructure, building coverage across network security, identity, endpoint, and email security telemetry sources in a highly regulated dual-use environment. This role partners closely with the Security Engineering Lead and reports to the Head of Security.
ResponsibilitiesSecurity Operations & Monitoring
- Build and operate Northwood's SOC function, including continuous monitoring of security events across AWS GovCloud, GCC, on-premises facilities, and endpoint environments.
- Own alert triage, investigation, and escalation workflows, ensuring critical threats are identified and actioned with the urgency required of a mission-critical environment.
- Monitor and analyze telemetry across network security, identity, endpoint, and email security platforms, ensuring comprehensive visibility into Northwood's on-premises, cloud, and perimeter environments.
- Develop and maintain SOC operational metrics, reporting cadences, and dashboards for internal stakeholders and government customers.
Detection Engineering
- Develop and continuously improve custom detection logic within Northwood's SIEM platform, including log source onboarding, correlation rule development, tuning, and coverage gap analysis.
- Build behavioral analytics, UEBA rules, and threat hunting queries tailored to Northwood's infrastructure and adversary profiles targeting aerospace and defense.
- Maintain detection content aligned to MITRE ATT&CK, ensuring coverage maps are current and gaps are systematically addressed.
- Integrate threat intelligence feeds into detection workflows and brief stakeholders on emerging threats relevant to government and dual-use space communications infrastructure.
Incident Response & Forensics
- Own security incidents end-to-end, from initial detection through containment, eradication, recovery, and post-incident review.
- Conduct digital forensics and malware analysis using tools such as Volatility, YARA, and supporting utilities across Linux and Windows environments.
- Develop and maintain incident response playbooks and escalation procedures, including communication protocols for government customers and mission-critical operations.
- Lead tabletop exercises and incident response drills to validate playbook effectiveness and team readiness.
Threat Hunting & Intelligence
- Proactively hunt for advanced persistent threats across Northwood's on-premises and cloud environments, developing and refining hunting methodologies as the threat landscape evolves.
- Research adversary tactics, techniques, and procedures targeting aerospace, defense, and critical infrastructure, and translate findings into actionable detection and hardening improvements.
- Maintain familiarity with government incident reporting requirements and ensure response procedures satisfy applicable regulatory obligations.
Automation & Tooling
- Develop Python, PowerShell, or Bash automation for incident response workflows, threat hunting pipelines, and security orchestration across Northwood's environment.
- Build and maintain SOAR playbooks and automated response actions to reduce mean time to respond and minimize manual analyst burden.
- Collaborate with the Security Engineering Lead to ensure SOC tooling integrations across SIEM, EDR, email security, and identity platforms are maintained and continuously improved.
Team Leadership
- Hire, mentor, and develop security operations analysts and engineers as the team scales.
- Define SOC operating procedures, analyst workflows, and on-call responsibilities to ensure consistent operational coverage.
- Serve as a senior security subject-matter expert in cross-functional collaboration with network engineering, infrastructure, and compliance teams.
Basic Qualifications- 5+ years of hands-on SOC operations, incident response, or threat hunting experience, with demonstrated experience in a technical leadership capacity.
- Hands-on experience building and operating SIEM platforms, including custom detection rule development, log source onboarding, and advanced query development.
- Experience with EDR platforms, including alert triage, policy management, and forensic investigation workflows.
- Digital forensics and malware analysis proficiency, including tools such as Volatility and YARA.
- Proficiency in Python, PowerShell, or Bash for security automation and threat hunting workflows.
- Experience building and maintaining UEBA capabilities for insider risk detection and anomalous behavior identification.
- Strong Linux forensics and log analysis skills across distributed systems.
- Working knowledge of threat intelligence frameworks including MITRE ATT&CK and the Diamond Model.
- Familiarity with compliance frameworks relevant to government environments, including NIST 800-171, CMMC, and DFARS incident reporting requirements.
- Ability to obtain and maintain a TS/SCI clearance.
- U.S. citizenship or status as a lawful permanent resident required to conform with ITAR export regulations.
Preferred Qualifications- Active TS clearance or higher.
- Familiarity with Northwood's core security stack, including FortiGate firewall infrastructure, Cloudflare Zero Trust, Okta, CrowdStrike or SentinelOne EDR, and email security platforms such as Proofpoint or Sublime Security.
- Experience with cloud security monitoring in AWS GovCloud and Microsoft GCC environments.
- Hands-on experience with SOAR platforms and automated response workflow development.
- Background in aerospace, defense, critical infrastructure, or other highly regulated security operations environments.
- Experience with threat hunting in air-gapped or compliance-constrained environments.
- Familiarity with government incident reporting requirements and procedures including DFARS [redacted].
- Certifications such as GCIH, GCFA, GNFA, or equivalent incident response credentials.
- ITAR compliance experience.
