- Office in Bengaluru
Description
About the Job
We are building a next-generation Agentic Security Operations Center (SOC) designed for the AI era. We believe that effective security operations must evolve beyond traditional reactive methods. We are building an intelligent, AI-driven SOC that combines deep cloud security expertise with advanced automation and machine learning to predict, prevent, and neutralize advanced threats faster than ever.
We are seeking a SOC Detection Engineer - Cloud and AI Automation to serve as a technical expert responsible for designing, building, and optimizing detection capabilities across our cloud-native security stack. This is a hands-on-keyboard role for someone who thrives on creating intelligent detections, leveraging AI/ML for threat identification, and building automation that scales security operations. You will be responsible for engineering detection logic, fine-tuning AI-powered alerts, and driving continuous improvement in our detection and response capabilities.
WHAT YOU WILL BE DOING
Detection Engineering & Content Development
● Design, develop, and deploy advanced detection rules and logic across SIEM, EDR, CSPM, and cloud-native security platforms.
● Build and maintain detection-as-code using modern frameworks and version control systems (Git).
● Create high-fidelity, low-noise detections mapped to the MITRE ATT&CK framework, focusing on cloud-specific threats and techniques.
● Continuously research emerging threats, TTPs (Tactics, Techniques, and Procedures), and translate threat intelligence into actionable detection content.
● Perform detection efficacy testing and validation using purple team exercises and adversary emulation frameworks.
AI & Machine Learning Integration
● Leverage AI/ML capabilities within security platforms to enhance threat detection accuracy and reduce false positives.
● Build and tune machine learning models for anomaly detection, behavioral analytics, and predictive threat identification.
● Integrate generative AI and large language models (LLMs) to accelerate alert triage, investigation workflows, and threat analysis.
● Evaluate and implement AI-powered security tools for automated threat detection, alert enrichment, and investigation assistance.
● Monitor and optimize AI/ML model performance, addressing data quality, model drift, and false positive/negative rates.
Cloud Security Detection & Monitoring
● Act as a Subject Matter Expert (SME) for cloud security detection engineering across AWS, Azure, and GCP environments.
● Design detections leveraging cloud-native logs (CloudTrail, Azure Activity Logs, GCP Audit Logs) and security services (GuardDuty, Security Command Center, Defender for Cloud).
● Build detections for cloud-specific threats including misconfigurations, identity compromise, data exfiltration, and infrastructure attacks.
● Monitor container and Kubernetes environments, developing detections for runtime threats and supply chain attacks.
Security Automation & Orchestration
● Design and implement automated detection deployment pipelines using secure CI/CD methodologies.
● Build custom scripts (Python, PowerShell, Bash) for automated alert enrichment, evidence collection, and response actions.
● Develop and maintain automated response playbooks in SOAR platforms to handle detection-triggered workflows.
● Integrate security tools via APIs to create seamless, automated detection and response ecosystems.
● Identify opportunities to apply automation and AI to reduce Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).
Continuous Improvement & Collaboration
● Analyze detection performance metrics, false positive rates, and coverage gaps to drive continuous improvement.
● Collaborate with threat intelligence, incident response, and threat hunting teams to refine detection strategies.
● Create and maintain comprehensive documentation for detection logic, tuning procedures, and operational runbooks.
● Provide technical guidance on detection engineering best practices and emerging technologies.
● Stay current with the latest security research, adversary techniques, and AI/ML advancements in cybersecurity.
WHAT YOU BRING
● Bachelor's degree in Computer Science, Information Security, Data Science, or a related field.
● 8-12 years of experience in cybersecurity, with at least 4 years focused on detection engineering, threat detection, or security analytics.
● Strong Cloud Security Detection Skills: Deep, hands-on experience building detections for at least one major cloud provider (AWS, Azure, or GCP), including native security services and log sources.
● AI/ML Security Experience: Practical experience applying machine learning, anomaly detection, or AI-powered tools to security use cases. Understanding of AI/ML model development, tuning, and evaluation.
● Detection Engineering Expertise: Proven track record of creating high-quality detection content using SIEM platforms (Splunk, Azure Sentinel, Chronicle), EDR solutions (CrowdStrike, Microsoft Defender), and cloud security tools.
● Automation & Scripting Proficiency: Strong programming skills in Python (required), with experience in PowerShell or Bash. Ability to build detection pipelines and automation frameworks.
● Technical Depth: Hands-on experience with SOAR platforms, detection-as-code frameworks, log analysis, and data correlation techniques.
● MITRE ATT&CK Mastery: Expert-level understanding of the MITRE ATT&CK framework and its application to detection engineering and threat modeling.
● Analytical Mindset: Strong problem-solving skills with the ability to analyze complex data sets, identify patterns, and translate findings into detection logic.
Good to Have
● Certifications: GIAC Certified Detection Analyst (GCDA), GIAC Cyber Threat Intelligence (GCTI), AWS Certified Security Specialty, Azure Security Engineer Associate, or equivalent.
● Experience with threat intelligence platforms (TIPs) and threat hunting methodologies.
● Knowledge of adversary emulation tools (Atomic Red Team, Caldera, etc.).
● Familiarity with data science tools and frameworks (Jupyter, pandas, scikit-learn).
● Contributions to open-source detection content repositories (Sigma rules, detection rules, etc.).