Security Engineer - Operations / Incident Response
About the Role
You will own the day-to-day defense of Ondo. You will write detections, tune them, run incidents, build automations, and decide what tooling we keep, replace, or retire. You will partner closely with IT, Infrastructure, Product Security, and our Security Incident Response Team (SIRT) to mature how Ondo detects and responds to threats across SaaS, endpoints, cloud, and identity.
Requirements
- 3-5+ years in security operations, detection engineering, or incident response, including time as a senior IC at a fast-moving company
- Hands-on experience with at least one SIEM (Splunk, Panther, Elastic, Sentinel, Chronicle)
- Production experience with EDR tuning and IR (CrowdStrike, SentinelOne, Defender, or equivalent)
- Solid working knowledge of email security tooling and modern phishing TTPs (BEC, OAuth consent phishing, vendor impersonation, callback phishing)
- SOAR / automation experience
- Strong scripting skills (Python preferred); comfortable working in Git and treating detections as code
- Operational maturity: you can lead an incident, write a clean post-mortem, and push organizational changes that come out of it
- Working fluency with cloud security telemetry in at least one of AWS, GCP, or Azure
- Practical experience integrating AI/LLMs into security workflows, or a track record of evaluating new tooling rigorously and shipping it into production
Responsibilities
- Write, tune, and measure detections in the SIEM, tracking precision and coverage over time
- Deploy and tune EDR (e.g. CrowdStrike, SentinelOne), manage exclusion hygiene, and develop incident response playbooks for macOS and Linux fleets
- Tune detections in the email security stack, investigate phishing, run takedowns, and drive user reporting workflows
- Build and operate SOAR and automation to eliminate repetitive analyst work
- Lead incident response including triage, containment, eradication, recovery, and post-mortem writing; run tabletop exercises with engineering and executive stakeholders
- Build and maintain the on-call rotation, runbooks, and severity definitions for the SIRT
- Integrate identity telemetry and SaaS audit logs into detection coverage and bridge IT signals with security signals
- Collaborate with Infrastructure Security on cloud detection coverage and with Product Security on application-layer signals
- Build, deploy, and operate AI-native workflows in the SecOps stack, including LLM-assisted triage, alert summarization, evidence collection, drafting IR communications, and analyst copilots with guardrails
- Define how we monitor internal AI usage and how we detect AI-driven attacks against our employees and customers (deepfake, AI phishing, prompt injection) and manage related tooling
- Decide where AI belongs in critical workflows and where it does not (for example, signing actions or anything touching customer funds)
