
Senior SIEM Detection Engineer

Thinkahead · United States · Remote · Deleted · $120,000–$150,000 / year · Lever

Job facts

Field: Value
Company: Thinkahead
Title: Senior SIEM Detection Engineer
Normalized title: -
Department / team: ( Managed Services ) / MS Security
Location: United States
Work model: Remote / Remote
Employment type: Full Time
Salary: $120,000–$150,000 / year
Status: deleted
ATS provider: Lever
Posted / first seen: 2026-05-04 / 2026-05-29
Changed / last seen: 2026-06-04 / 2026-06-02

Related slices

Page: What it contains
Company jobs: Active postings from Thinkahead.
Company breakdowns: Role, location, ATS, and work model facets for this company.
ATS provider jobs: Active postings observed through Lever.
Provider filtered search: The same provider as a filtered job collection.
Department jobs: Active postings in ( Managed Services ).
Work model jobs: Active Remote postings.
Lifecycle events: Open, update, close, and reopen events for this posting.
Original posting: Canonical source or apply URL captured from the ATS.

Linked records

Company: Thinkahead
Source: 0f5e4ba0-0b92-4f1e-b4d2-f592eac4abab
ATS provider: Lever

Description

AHEAD builds platforms for digital business. By weaving together advances in cloud infrastructure, automation and analytics, and software delivery, we help enterprises deliver on the promise of digital transformation.

At AHEAD, we prioritize creating a culture of belonging, where all perspectives and voices are represented, valued, respected, and heard. We create spaces to empower everyone to speak up, make change, and drive the culture at AHEAD. We are an equal opportunity employer, and do not discriminate based on an individual's race, national origin, color, gender, gender identity, gender expression, sexual orientation, religion, age, disability, marital status, or any other protected characteristic under applicable law, whether actual or perceived. We embrace all candidates that will contribute to the diversification and enrichment of ideas and perspectives at AHEAD.

The compensation range indicated in this posting reflects the On-Target Earnings ("OTE") for this role, which includes a base salary and any applicable target bonus amount. This OTE range may vary based on the candidate's relevant experience, qualifications, and geographic location.

Why AHEAD: Through our daily work and internal groups like Moving Women AHEAD and RISE AHEAD, we value and benefit from diversity of people, ideas, experience, and everything in between. We fuel growth by stacking our office with top-notch technologies in a multi-million-dollar lab, by encouraging cross-department training and development, and by sponsoring certifications and credentials for continued learning.

USA Employment Benefits include:
- Medical, Dental, and Vision Insurance
- 401(k)
- Paid company holidays
- Paid time off
- Paid parental and caregiver leave
- Plus more! See https://www.aheadbenefits.com/ for additional details.

Use of AI: We may use artificial intelligence (AI) tools to support parts of the hiring process, such as reviewing applications, analyzing resumes, assessing responses, or to capture recordings and create transcriptions or summaries during interviews. These tools assist our recruitment team but do not replace human judgment. Final hiring decisions are ultimately made by humans. If you would like more information about how your data is processed, please refer to the Candidate Privacy Notice or contact us at [email protected]. You may opt out of the review or analysis of your application and resume by AI tools by using the General Application. Please include the role you wish to apply for in the Additional Information field. You may also choose to opt out of recording and transcription at any time, including after joining an interview. Candidates will not be penalized for choosing to opt out.

Roles and Responsibilities

- Lead and perform detection content development within the SIEM platform (Elastic, Palo XSIAM, Crowdstrike), including:
  - Creation, tuning, and lifecycle management of detection rules, correlation rules, and analytic stories/use cases
  - Definition and maintenance of data models, normalization, and enrichment required to support high-quality detections
  - Mapping detections to frameworks such as MITRE ATT&CK where applicable
  - Identifying gaps in detection coverage based on incident trends, threat intelligence, and hunt activities
  - Reducing false positives and improving alert signal-to-noise ratio through iterative tuning
  - Translating playbooks and incident response workflows into robust, testable detections
- Monitor and manage the health and performance of SIEM detection content, including:
  - Tracking detection firing patterns, volumes, and performance impact
  - Conducting post-incident reviews to refine detections and create new coverage
  - Ensuring detections remain aligned with client use cases, risk profiles, and contracted scope
  - Prioritizing new and existing detections based on risk, impact, and available data
- Partner with AHEAD Managed Security and client resources in the design and implementation of new data visualizations and detection rules, including:
  - Building dashboards, visualizations, and investigative views that support triage and hunting
- Collaborate with AHEAD Managed Security SOAR (Swimlane) engineering resources to:
  - Integrate SIEM detections with SOAR workflows for enrichment, triage, and response
  - Continuously improve incident investigation workflows and automation quality based on detection output
- Engage with client security and IT infrastructure teams for new data source onboarding activities, including:
  - Defining logging, parsing, normalization, and enrichment requirements to support current and planned detections
  - Validating that ingested data is complete, normalized, and usable for detection engineering
- Tune rules, filters, and policies across SIEM and related security technologies (IDS, EDR, firewalls, etc.) to:
  - Improve accuracy, visibility, and coverage while minimizing noise
  - Ensure consistent correlation and context across multiple technologies
- Perform data mining and exploratory analysis of log sources to:
  - Uncover and investigate anomalous activity and potential undetected attack patterns
  - Identify new detection opportunities and support proactive threat hunting
- Assist with the development and improvement of processes and procedures for:
  - Detection lifecycle management (design, testing, deployment, monitoring, retirement)
  - Improving incident response times, incident quality, and overall Managed Security functions
- Participate in client-facing security meetings to:
  - Explain detection strategy, coverage, and improvements

Position Requirements

- Experience with Elastic Security and its core components (Elasticsearch, Logstash, Kibana, Filebeat, Elastic Agent), with a focus on detection engineering, rule creation, and data modeling
- Strong SIEM administration and configuration experience, particularly around detection use cases, correlation logic, and alert workflows
- Experience writing tools or scripts to automate detection-related tasks, data quality checks, and integrations in Python or similar languages
- Demonstrated ability to think creatively and build elegant detection solutions to complex security problems
- Excellent verbal and written communication skills, including the ability to communicate detection logic and findings to both technical and non-technical stakeholders
- Incident handling/response experience, with a focus on using detections to support and improve IR workflows
- Desire to work both independently and collaboratively with a larger managed services and client team
- A strong appetite for learning, experimentation, and continuous improvement in detection engineering
- 2–4 years of experience in Security Detection Engineering, Security Automation, or related disciplines
- Hands-on experience with common security technologies: IDS, Firewall, SIEM, SOAR, EDR, endpoint and network security tools
- Knowledge of common security analysis tools & techniques, including log analysis, correlation, and anomaly detection
- Understanding of common security threats, attack vectors, vulnerabilities, and exploits, and how they manifest in telemetry
- Strong regular expression skills and familiarity with query languages used in SIEM platforms
- Customer service focused; portrays energy, professionalism, and welcoming characteristics
- Strong ability to work in a highly sensitive and confidential environment
- Ability to meet deadlines and perform effectively under pressure
- Ability to identify issues and help develop strategic and tactical plans for Managed Security and detection-related initiatives
- Ability to use good judgment and decision-making skills in ambiguous or complex detection and incident scenarios

Education and Certifications

- Bachelor's Degree in Computer Science, Information Security, or related/equivalent educational or work experience
- One or more of the following certifications is preferred: CISSP, GCIA, GCIH, GPYC, GMON, GCDA, Elastic Certified Engineer

Full job record

Job ID: 8bd4848421c6e7280622c94d5454b4bb80e2cc48
Org ID: 1b26d76d-53fc-4e6f-a686-eed575e8f759
Source ID: 0f5e4ba0-0b92-4f1e-b4d2-f592eac4abab
Board ID: 0f5e4ba0-0b92-4f1e-b4d2-f592eac4abab
Provider: lever
Provider Job Key: ef0bdca5-1899-401f-8ed6-508b6d3f4b4c
Title: Senior SIEM Detection Engineer
Normalized Title:
Status: deleted
Active: no
Location Text: United States
Department: ( Managed Services )
Team: MS Security
Employment Type: Full Time
Workplace Type: remote
Remote Policy: remote
Country: United States
Region:
City:
Salary Raw: USD 120000-150000 per-year-salary
Salary Min: 120,000
Salary Max: 150,000
Salary Currency: USD
Salary Period: year
Source URL: https://jobs.lever.co/thinkahead/ef0bdca5-1899-401f-8ed6-508b6d3f4b4c
Apply URL: https://jobs.lever.co/thinkahead/ef0bdca5-1899-401f-8ed6-508b6d3f4b4c/apply
First Seen At: 2026-05-29 07:07:37Z
Last Seen At: 2026-06-02 10:31:50Z
Last Checked At: 2026-06-04 11:19:45Z
Last Changed At: 2026-06-04 11:19:45Z
Inactive At: 2026-06-04 11:19:45Z
Source Posted At: 2026-05-04 14:38:41Z
Source Updated At:
Raw Payload Uri: s3://bluework-jobs-prod-raw-590183727216/raw/provider=lever/board=thinkahead/date=2026-06-02/2026-06-02T10-31-48-760Z-a4488bb29d4227b0a08dfe5b11595e310f47bf2a8bd37ecc60ba724cfaf73bc0.json
Event Fields
{
  "content_hash": "ddfbd11c84058787e695edb5eee86afd8f2e49f605388c616a2b4922824aa8a7",
  "source_hash": "f227bf4088d27a9818d299a117d773d58aa3d0afb818e5a1c1fdfee548f2e935",
  "last_changed_at": "2026-06-04T11:19:45.838Z",
  "active_status": "deleted"
}
Parsed Structured
{
  "language": "en",
  "location": {
    "raw": "United States",
    "city": null,
    "region": null,
    "country": "United States",
    "is_remote": true,
    "confidence": 0.95
  },
  "salary_max": 150000,
  "salary_min": 120000,
  "inferred_at": "2026-06-02T10:31:49.958Z",
  "launch_scope": {
    "reason": "english_us_canada",
    "included": true,
    "language": "en",
    "location": {
      "raw": "United States",
      "city": null,
      "region": null,
      "country": "United States",
      "is_remote": true,
      "confidence": 0.95
    },
    "countries": [
      "United States"
    ]
  },
  "remote_policy": "remote",
  "salary_period": "year",
  "workplace_type": "remote",
  "salary_currency": "USD"
}
Extensions
{}
Native Structured
{
  "lists": [
    {
      "text": "Roles and Responsibilities ",
      "content": "\n<li>Lead and perform detection content development within the SIEM platform (Elastic, Palo XSIAM, Crowdstrike), including:\n\n</li><li>Creation, tuning, and lifecycle management of detection rules, correlation rules, and analytic stories/use cases</li>\n<li>Definition and maintenance of data models, normalization, and enrichment required to support high‑quality detections</li>\n<li>Mapping detections to frameworks such as MITRE ATT&amp;CK where applicable</li>\n<li>Identify gaps in detection coverage based on incident trends, threat intelligence, and hunt activities</li>\n<li>Reduce false positives and improve alert signal‑to‑noise ratio through iterative tuning</li>\n<li>Translate playbooks and incident response workflows into robust, testable detection.&nbsp;</li>\n\n\n<li><span data-teams=\"true\">Monitor and manage the health and performance of SIEM detection content, including:</span>\n\n</li><li>Tracking detection firing patterns, volumes, and performance impact.&nbsp;</li>\n<li>Conducting post-incident reviews to refine detections and create new coverage.</li>\n<li>Ensuring detections remain aligned with client use cases, risk profiles, and contracted scope.</li>\n<li>New and existing detections are prioritized based on risk, impact, and available data</li>\n\n\n<li>Partner with AHEAD Managed Security and client resources in the design and implementation of new data visualizations and detection rules, including:\n\n</li><li>Building dashboards, visualizations, and investigative views that support triage and hunting</li>\n\n\n<li>Collaborate with AHEAD Managed Security SOAR (Swimlane) engineering resources to:\n\n</li><li>Integrate SIEM detections with SOAR workflows for enrichment, triage, and response</li>\n<li>Continuously improve incident investigation workflows and automation quality based on detection output</li>\n\n\n<li>Engage with client security and IT infrastructure teams for new data source onboarding activities, including:\n\n</li><li>Defining logging, parsing, normalization, and enrichment requirements to support current and planned detections</li>\n<li>Validating that ingested data is complete, normalized, and usable for detection engineering</li>\n\n\n<li>Tune rules, filters, and policies across SIEM and related security technologies (IDS, EDR, firewalls, etc.) to:\n\n</li><li>Improve accuracy, visibility, and coverage while minimizing noise</li>\n<li>Ensure consistent correlation and context across multiple technologies</li>\n\n\n<li>Perform data mining and exploratory analysis of log sources to:\n\n</li><li>Uncover and investigate anomalous activity and potential undetected attack patterns</li>\n<li>Identify new detection opportunities and support proactive threat hunting</li>\n\n\n<li>Assist with the development and improvement of processes and procedures for:\n\n</li><li>Detection lifecycle management (design, testing, deployment, monitoring, retirement)</li>\n<li>Improving incident response times, incident quality, and overall Managed Security functions</li>\n\n\n<li>Participate in client-facing security meetings to:\n\n</li><li>Explain detection strategy, coverage, and improvements</li>\n\n\n"
    },
    {
      "text": "Position Requirements",
      "content": "\n<li>Experience with Elastic Security and its core components (Elasticsearch, Logstash, Kibana, Filebeat, Elastic Agent), with a focus on detection engineering, rule creation, and data modeling</li>\n<li>Strong SIEM administration and configuration experience, particularly around detection use cases, correlation logic, and alert workflows</li>\n<li>Experience writing tools or scripts to automate detection-related tasks, data quality checks, and integrations in Python or similar languages</li>\n<li>Demonstrated ability to think creatively and build elegant detection solutions to complex security problems</li>\n<li>Excellent verbal and written communication skills, including the ability to communicate detection logic and findings to both technical and non‑technical stakeholders</li>\n<li>Incident handling/response experience, with a focus on using detections to support and improve IR workflows</li>\n<li>Desire to work both independently and collaboratively with a larger managed services and client team</li>\n<li>A strong appetite for learning, experimentation, and continuous improvement in detection engineering</li>\n<li>2–4 years of experience in Security Detection Engineering, Security Automation, or related disciplines</li>\n<li>Hands-on experience with common security technologies: IDS, Firewall, SIEM, SOAR, EDR, endpoint and network security tools</li>\n<li>Knowledge of common security analysis tools &amp; techniques, including log analysis, correlation, and anomaly detection</li>\n<li>Understanding of common security threats, attack vectors, vulnerabilities, and exploits, and how they manifest in telemetry</li>\n<li>Strong regular expression skills and familiarity with query languages used in SIEM platforms</li>\n<li>Customer service focused and portrays energy, professionalism, and welcoming characteristics</li>\n<li>Strong ability to work in a highly sensitive and confidential environment</li>\n<li>Ability to meet deadlines and perform effectively under pressure</li>\n<li>Ability to identify issues and help develop strategic and tactical plans for Managed Security and detection-related initiatives</li>\n<li>Ability to use good judgment and decision-making skills in ambiguous or complex detection and incident scenarios</li>\n"
    },
    {
      "text": "Education and Certifications",
      "content": "\n<li>Bachelor’s Degree in Computer Science, Information Security, or related/equivalent educational or work experience</li>\n<li>One or more of the following certifications is preferred: CISSP, GCIA, GCIH, GPYC, GMON, GCDA, Elastic Certified Engineer</li>\n"
    }
  ],
  "country": "US",
  "createdAt": 1777905521875,
  "updatedAt": null,
  "categories": {
    "team": "MS Security",
    "location": "United States",
    "commitment": "Full Time",
    "department": "( Managed Services )",
    "allLocations": [
      "United States"
    ]
  },
  "salaryRange": {
    "max": 150000,
    "min": 120000,
    "currency": "USD",
    "interval": "per-year-salary"
  },
  "workplaceType": "remote"
}
Get this page with API

Rendered from the bluedoor Job Postings API. Reproduce it:

GET https://api.bluedoor.sh/job-postings/v1/jobs/8bd4848421c6e7280622c94d5454b4bb80e2cc48?include=description
GET https://api.bluedoor.sh/job-postings/v1/orgs/1b26d76d-53fc-4e6f-a686-eed575e8f759
GET https://api.bluedoor.sh/job-postings/v1/sources/0f5e4ba0-0b92-4f1e-b4d2-f592eac4abab
GET https://api.bluedoor.sh/job-postings/v1/jobs/8bd4848421c6e7280622c94d5454b4bb80e2cc48/events