As the
SOC Manager, you will lead and mature our Security Operations Center (SOC) capabilities within our MSSP practice. This is a player-coach role that combines technical leadership, operational oversight, and
hands-on security operations. The ideal candidate brings
7-10 years of MSSP experience, including at least
5 years working directly within a SOC environment, along with a strong security engineering background across EDR/MDR, SIEM, Microsoft 365 Security, Crowdstrike and Email Security.
In this role, you will provide leadership and mentorship to SOC analysts while remaining actively involved in day-to-day security operations, detection engineering, threat hunting, incident response, and continuous improvement initiatives. You will serve as a technical escalation point for complex security incidents, help define SOC processes and best practices, and work closely with clients to strengthen their security posture.
This is a remote position from anywhere in the USA.What You Will Do:- SOC leadership & maturity (no hiring duties):
- Establish and refine SOC processes (tiering, shift coverage, escalation paths, QA, SLAs/OLAs).
- Drive runbook discipline, training plans, and continuous improvement for service quality.
- Own SOC KPIs (MTTD/MTTR, detection efficacy, false-positive rate, case aging, CSAT/NPS).
- Detection & response (hands-on):
- Build and tune detections in SIEM/XDR; develop correlation rules, parsers, and dashboards.
- Lead investigations and major incidents end-to-end; conduct post-incident reviews and reporting.
- Perform proactive threat hunting aligned to MITRE ATT&CK and emerging TTPs.
- Tooling & platform engineering:
- Deploy, integrate, and operate EDR/MDR (CrowdStrike, SentinelOne, Blackpoint), Microsoft 365/Windows Defender, SIEM, SOAR, email security, vulnerability scanners, and NSM tools.
- Engineer log onboarding/normalization across cloud (AWS, Azure, M365, GCP), network, endpoint, identity, and SaaS sources.
- Build automation/orchestration playbooks to reduce MTTD/MTTR and analyst toil.
- Service delivery & client engagement:
- Serve as technical point of contact for customers; present posture reviews and improvement plans.
- Define and meet service SLAs; contribute to SOWs, service catalogs, and onboarding playbooks.
- Coordinate with customer IT/CISO teams, vendors, and legal/compliance during incidents.
- Risk, compliance & continuous improvement:
- Map detections, controls, and reporting to frameworks/standards (NIST CSF/800-53, CIS Controls, SOC 2, ISO 27001).
- Drive vulnerability and exposure management with risk-based prioritization.
- Run tabletop exercises, purple-team activities, and lessons learned.
Your knowledge, skills, and abilities:- Deep knowledge of SOC operations (triage, incident lifecycle, evidence handling, documentation).
- Strong grasp of Windows/*nix/AD/M365, identity security (SSO/MFA), network protocols, and cloud telemetry.
- Expertise in detection engineering and query languages (SPL, KQL, Elastic DSL, AQL).
- Familiarity with adversary emulation and frameworks (MITRE ATT&CK, D3FEND, CIS Controls).
- Understanding of email security (phishing, BEC), vulnerability scanning/patching, and network security monitoring (IDS/IPS, PCAP).
- Proficiency with SOAR concepts and playbook design (enrichment, containment, ticketing).
- Scripting/automation (PowerShell, Python, or equivalent) for enrichment, triage, and response.
- Clear written/verbal communication for executive briefings and technical reports.
- Applicants must have authorization to work in the United States without current or future visa sponsorship
Specific Qualifications:- Experience: 7-10 years in MSSP settings; 5+ years on a SOC team; 2-4+ years in a lead/technical lead capacity.
- Platforms (hands-on in several):
- EDR/XDR/MDR: CrowdStrike, SentinelOne, Blackpoint, Microsoft Defender for Endpoint, Cortex XDR, etc.
- Microsoft ecosystem: Microsoft 365, Windows Defender / Defender for Endpoint, Defender for Office 365, Azure security telemetry (KQL, Log Analytics, Sentinel).
- SIEM: Splunk, Microsoft Sentinel, Elastic, QRadar, Exabeam, or similar.
- SOAR: Splunk SOAR, Cortex XSOAR, Sentinel automation.
- Email security & awareness: Mimecast, KnowBe4, Material Security, M365 Defender for Office 365.
- Vulnerability management: Tenable, Qualys, or Rapid7.
- NSM/IDS: Zeek, Suricata, commercial IDS/IPS.
- IR leadership: Proven track record leading medium/major incidents (ransomware, BEC, insider, cloud credential abuse).
- Cloud: Experience securing and monitoring AWS/Azure/GCP and M365 (identity and endpoint telemetry).
- Process: Built or matured playbooks, runbooks, use-case catalogs, and service reporting. Demonstrated KPI/OKR management.
- Certifications (nice to have): CISSP, GIAC (GCIA/GCIH/GCFA/GCDA/GMON), OSCP, Azure/Microsoft security (SC-200/SC-100), Splunk, CrowdStrike CCFR/CCFA, or similar.
- Availability: Able to participate in escalation/on-call rotation and support off-hours incidents as needed.
- Education: BS in CS/Cybersecurity or equivalent experience (experience > degree where applicable)
We currently offer the following benefits: - Access to medical, dental, and vision insurance through Cigna, with the majority of the employee cost covered by the employer
- Employer funding to HSA accounts and FSA access
- Access to a 401(k) through Vanguard with a guaranteed employer contribution
- Flexible vacation policy that allows you to manage your schedule and rest and recharge when you need to.
- 11 holidays with flexibility based on what is important for you and those you love
- Employer-paid short-term and long-term disability, employer-paid life insurance, and access to additional life insurance, hospital coverage, accidental coverage, discounted mental health support, and more
- Support for individual development through certifications, continued learning, conferences, and more