SecOps Engineer
About the Role
The Security Operations Engineer is responsible for operating the security controls that protect the company's enterprise, cloud, and mission systems, and for leading the technical response to security events across the environment. This role owns the day-to-day execution of detection, investigation, vulnerability management, and cloud security posture work, and serves as a hands-on technical authority across the security tooling stack. The Security Operations Engineer partners closely with IT, infrastructure, engineering, and product teams to reduce risk, shorten time-to-detect and time-to-respond, and ensure that security controls function reliably in regulated and non-regulated environments alike. This is a deeply technical role requiring strong engineering fundamentals, incident response experience, and the judgment to make sound security decisions under pressure.
Key Responsibilities:
Detection, Monitoring & Response
- Operate and continuously improve the company's Security Information and Event Management (SIEM) platform, including log source onboarding, parser and normalization maintenance, detection content development, and alert tuning to minimize false positives while preserving coverage.
- Build and maintain detection rules mapped to adversary behaviors and develop corresponding response playbooks and automation.
- Serve as a first responder and technical liaison for security incidents, including triage, containment, forensic collection, root cause analysis, and post-incident review; coordinate with IT, engineering, and legal stakeholders throughout the lifecycle.
- Maintain incident response documentation, runbooks, and evidence-handling procedures suitable for regulated environments and contractual reporting obligations.
Vulnerability Management
- Operate the vulnerability management lifecycle across endpoints, servers, containers, and cloud workloads, including scanning cadence, finding validation, prioritization, remediation tracking, and exception governance.
- Partner with system owners and engineering teams to drive remediation within agreed service levels, and escalate aging or high-severity findings through defined risk channels.
- Produce vulnerability posture reporting and trend analysis for technical and leadership audiences.
Cloud Security Posture Management
- Operate Cloud Security Posture Management tooling across the company's cloud environments, including configuration baseline enforcement, drift detection, and continuous compliance monitoring against internal standards and applicable frameworks.
- Investigate misconfigurations and risky resource states, coordinate remediation with cloud and platform teams, and contribute guardrails and preventive controls where appropriate.
Endpoint Security
- Administer and tune endpoint detection and response (EDR) tooling across corporate and engineering fleets, including policy management, exclusion governance, telemetry quality, and response action workflows.
- Investigate endpoint alerts and suspicious activity, and coordinate containment, isolation, and recovery actions with IT.
Identity, Access & Secrets
- Support operational identity and access management activities, including privileged access monitoring, access review execution, anomaly investigation, and integration of identity telemetry into detection pipelines.
- Partner with IT and engineering on secrets management hygiene, including monitoring for leaked or misused secrets and supporting remediation workflows.
Threat Intelligence
- Consume, evaluate, and operationalize threat intelligence from commercial, open-source, and government sources; translate relevant intelligence into detections, hunts, and control recommendations.
- Conduct periodic threat hunting across available telemetry based on current intelligence and environmental risk.
Data Loss Prevention
- As capacity allows, support Data Loss Prevention (DLP) tooling operations, including policy tuning, alert triage, and coordination with data owners on sensitive data handling concerns.
Security Tooling
- Act as a technical liaison for assigned security tools, including deployment, upgrade, integration, and health monitoring; author and maintain the integrations, scripts, and automation that connect security tooling into the broader engineering and IT ecosystem.
- Evaluate new security technologies through proof-of-concept exercises and provide technical input into procurement and platform strategy decisions.
Required Qualifications:
- Five or more years of progressive hands-on experience in security operations, detection engineering, incident response, or a closely related technical security discipline.
- Demonstrated expertise operating a SIEM platform in production, including detection content authoring, data pipeline management, and tuning at scale.
- Proven incident response experience, including acting as a technical lead during material security events from initial triage through post-incident review.
- Strong working knowledge of cloud security in at least one major provider (AWS, Azure, or GCP), including native security services, identity constructs, and common misconfiguration patterns.
- Practical experience with vulnerability management tooling and remediation workflows across mixed environments.
- Solid scripting and automation skills in Python, PowerShell, or a comparable language, including integrating APIs across security and IT tools.
- Familiarity with common detection engineering practices and established incident response frameworks.
- Ability to communicate complex technical findings clearly in writing and to translate security risk for non-security audiences.
- Bachelor's degree in Computer Science, Information Security, Engineering, or equivalent practical experience.
Preferred Qualifications:
- Experience operating in environments subject to NIST SP 800-171, CMMC, FedRAMP, ISO 27001, or comparable regulated frameworks.
- Hands-on experience with AWS GovCloud, Microsoft 365 GCC High, or other sovereign cloud environments.
- Experience with EDR platforms such as CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint at enterprise scale.
- Experience with CSPM platforms such as Wiz, Prisma Cloud, Orca, or equivalents.
- Detection engineering experience using Sigma, KQL, SPL, or similar query and rule languages.
- Exposure to identity platforms such as Okta, Entra ID, or Ping, including their audit and telemetry surfaces.
- Industry certifications such as GCIH, GCIA, GCFA, GCED, OSCP, or equivalent technical credentials.
- Active US security clearance, or eligibility to obtain one.
Spire operates a hybrid work model, and this position will require you to work a minimum of three days per week in the office.
Access to US export-controlled software and/or technology may be required for this role. If needed, Spire will arrange the necessary licenses; this is not something candidates need to have before applying.
The anticipated base salary range for this position is listed below. Final base salary for this role will be based on the location, skills, experience, and qualifications. In addition to base compensation, this role may be eligible for annual equity awards and our employee benefits program, including vacation, sick, and personal time off; optional medical, dental, vision, life, and disability coverage; a 401(k) plan; a health and wellness reimbursement program; and participation in Spire’s Employee Stock Purchase Plan.
Global Perks
🛰️ Name Your Satellite Program (NYSP)
🚀 Launch Attendance
🌴 Generous Time Off Policy
🎓 Education Assistance Program
🥰 Employee Assistance Program (EAP)
📈 Employee Stock Purchase Program (ESPP)
👣 Family Leave
💪 Fitness Reimbursement
🧡 Employee Referral Program
🍉 Healthy snacks & beverages in every office
About Spire
We improve life on Earth with data from space.
Spire Global is a space-to-cloud analytics company that owns and operates the largest multi-purpose constellation of satellites. Its proprietary data and algorithms provide the most advanced maritime, aviation, and weather tracking in the world. In addition to its constellation, Spire’s data infrastructure includes a global ground station network and 24/7 operations that provide real-time global coverage of every point on Earth.
Spire is Global and our success draws upon the diverse viewpoints, skills and experiences of our employees. We are proud to be an equal opportunity employer and are committed to equal employment opportunity regardless of race, color, ancestry, religion, sex, national origin, sexual orientation, age, marital status, disability, gender identity or veteran status.
To help maintain a safe and secure workplace for Spire employees, all candidates who receive a conditional offer will be required to complete a background check. This may include criminal history and employment verification.
Please take a moment to review Spire's Global Data Privacy Notice for Employees, Contractors, Candidates and Visitors, as well as Spire's Privacy Policy.
Kindly be advised that communication regarding your application may come from @spire.com, @recruiting.spire.com, or from Candidate.fyi (our scheduling tool).