Security and Detection Engineering Manager

Blackford Technologies LLC-SPC

Abu Dhabi, UAE

Posted
Ref: PP000-57023

Job description / Role

Job Type
Full Time
Job Location
Abu Dhabi, UAE
Nationality
Any Nationality
Salary
Not Specified
Gender
Not Specified
Arabic Fluency
Not Specified
Job Function
General Management
Company Industry
IT, Software & Internet Services

Description

The Security & Detection Engineering Manager is responsible for owning and leading the detection engineering and security platform strategy across a multi-SIEM, multi-tenant MSSP environment.

This role governs detection architecture, ATT&CK coverage, platform interoperability, multi-tenant isolation, cost engineering, quality assurance, and automation governance across a hybrid tooling environment.

Requirements

1. Detection strategy & architecture

  • Define and maintain a 12–24 month detection engineering roadmap.
  • Own adversary-aligned detection strategy mapped to MITRE ATT&CK.
  • Establish detection maturity targets per platform and service tier.
  • Maintain a centralised detection content abstraction model (e.g., Sigma/internal DSL).
  • Govern detection lifecycle: design → validation → deployment → tuning → retirement.
  • Prevent detection sprawl and duplication across platforms.

2. MITRE ATT&CK coverage governance

  • Maintain formal ATT&CK coverage matrix.
  • Track and report coverage percentage by tactic and technique.
  • Conduct quarterly coverage gap analysis.
  • Validate detection coverage through simulation and adversary emulation exercises.
  • Produce ATT&CK coverage reporting for executive leadership and audit functions.
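The coverage matrix in section 2 and the anti-sprawl and parity controls in section 1 can be computed directly from the detection corpus rather than maintained by hand. The following Python is an added example, not code from this posting or from any SIEM vendor: it reads the ATT&CK-relevant metadata of a few constructed Sigma-style rules (the `attack.*` tags Sigma uses) and reports unique technique coverage per tactic, active rules that claim the same technique, and active rules missing from a supported platform. The rule ids and titles, the platform list and the three-tactic ATT&CK slice are assumptions for illustration; a real report would load the full technique list from the ATT&CK STIX data.

```python
"""ATT&CK coverage, duplicate and parity report from a Sigma-style rule set (added example)."""
import re
from collections import defaultdict

# Constructed sample: the ATT&CK-relevant fields of four rules as they look after YAML
# parsing. Ids, titles and the platform lists are hypothetical; tags follow Sigma's
# attack.<tactic> / attack.t<id> convention.
RULES = [
    {"id": "r-001", "title": "PowerShell Encoded Command", "status": "stable",
     "tags": ["attack.execution", "attack.t1059.001"], "platforms": ["elastic", "sentinel"]},
    {"id": "r-002", "title": "Encoded PowerShell via CLI", "status": "stable",
     "tags": ["attack.execution", "attack.t1059.001"], "platforms": ["elastic"]},
    {"id": "r-003", "title": "LSASS Memory Access", "status": "test",
     "tags": ["attack.credential_access", "attack.t1003.001"], "platforms": ["elastic", "sentinel"]},
    {"id": "r-004", "title": "Scheduled Task Creation", "status": "deprecated",
     "tags": ["attack.persistence", "attack.t1053.005"], "platforms": ["sentinel"]},
]

# Constructed, deliberately small slice of the ATT&CK matrix: tactic -> techniques in scope.
ATTACK_SCOPE = {
    "execution": {"t1059.001", "t1059.003", "t1204.002"},
    "credential_access": {"t1003.001", "t1110.001"},
    "persistence": {"t1053.005", "t1547.001"},
}

TECH_RE = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$")
SUPPORTED_PLATFORMS = ("elastic", "sentinel")  # assumed platform set


def active_rules(rules):
    """Only deployed or in-test logic counts toward coverage; deprecated rules are retired."""
    return [r for r in rules if r.get("status") in ("stable", "test")]


def techniques_of(rule):
    """Technique ids (e.g. t1059.001) declared in a rule's attack.* tags."""
    return {m.group(1) for t in rule["tags"] if (m := TECH_RE.match(t))}


def coverage_by_tactic(rules, scope=ATTACK_SCOPE):
    """{tactic: (covered, total, percent)} counting each technique once however many rules hit it."""
    covered = defaultdict(set)
    for r in active_rules(rules):
        for tech in techniques_of(r):
            for tactic, techs in scope.items():
                if tech in techs:
                    covered[tactic].add(tech)
    return {
        tactic: (len(covered[tactic]), len(techs), round(100 * len(covered[tactic]) / len(techs), 1))
        for tactic, techs in scope.items()
    }


def find_duplicates(rules):
    """technique -> rule ids where more than one active rule covers it (sprawl candidates)."""
    by_tech = defaultdict(list)
    for r in active_rules(rules):
        for tech in techniques_of(r):
            by_tech[tech].append(r["id"])
    return {t: ids for t, ids in by_tech.items() if len(ids) > 1}


def parity_gaps(rules, platforms=SUPPORTED_PLATFORMS):
    """rule id -> platforms it is missing from, for active rules not deployed everywhere."""
    gaps = {}
    for r in active_rules(rules):
        missing = sorted(set(platforms) - set(r["platforms"]))
        if missing:
            gaps[r["id"]] = missing
    return gaps


if __name__ == "__main__":
    for tactic, (c, n, pct) in coverage_by_tactic(RULES).items():
        print(f"{tactic:20s} {c}/{n} techniques ({pct}%)")
    print("duplicates:", find_duplicates(RULES))
    print("parity gaps:", parity_gaps(RULES))
```

Counting unique techniques rather than rules is deliberate: two rules on the same technique raise the duplicate report, not the coverage figure, which is the distinction a coverage percentage shown to auditors has to preserve.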

3. Multi-tenant detection governance

  • Define detection inheritance and baseline models across tenants.
  • Govern tenant-level tuning while preserving engineering consistency.
  • Enforce strict cross-tenant rule isolation and data scoping controls.
  • Maintain metadata-only forwarding controls where required for sovereignty models.
  • Prevent cross-tenant configuration contamination.
  • Maintain version control and tenant-level detection lineage.

4. Platform interoperability & schema governance

  • Own cross-platform detection portability strategy.
  • Govern schema alignment across a multi-SIEM environment.
  • Define translation and normalisation pipelines.
  • Ensure detection parity across supported platforms.
  • Govern ingestion mapping and telemetry integrity.

5. Cost engineering & optimisation

  • Own ingestion efficiency model and cost per GB governance.
  • Monitor cost per alert generated.
  • Optimise:
    • Retention tiers (hot/warm/cold)
    • Query performance
    • Rule execution frequency
  • Define and track detection efficiency (signal-to-noise ratio).
  • Contribute to platform licensing and cost optimisation decisions.

6. Detection quality assurance framework

  • Establish formal detection QA process including:
    • Peer review prior to deployment
    • Pre-production validation environment
    • False positive regression testing
    • Simulation-based testing
  • Implement detection health scoring system.
  • Track detection decay and stale logic.
  • Maintain detection change traceability.
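A pre-deployment QA gate of the kind listed in section 6 is, at its simplest, the rule's own logic run against labelled sample events before it reaches production. The following Python is an added example, not code from this posting: it evaluates a constructed Sigma-style rule (case-insensitive `contains`/`endswith` field modifiers and an `A and not B` condition) against a constructed set of one true positive and two benign cases that a tuning cycle would have added as regression tests, and fails the gate if the rule misses the former or fires on the latter. The rule, the field names and the events are assumptions for illustration.

```python
"""Detection QA gate: run a rule's logic over labelled sample events (added example)."""

# Constructed rule in the shape of a parsed Sigma detection block. Id and title are hypothetical.
RULE = {
    "id": "r-001",
    "title": "PowerShell Encoded Command",
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe", "CommandLine|contains": "-enc"},
        "filter_sccm": {"ParentImage|endswith": "\\ccmexec.exe"},
        "condition": "selection and not filter_sccm",
    },
}

# Constructed labelled events. expected=True is a true positive the rule must catch;
# expected=False is a benign case kept as a false-positive regression test.
SAMPLES = [
    {"expected": True, "event": {
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -enc SQBFAFgA",
        "ParentImage": "C:\\Windows\\explorer.exe"}},
    {"expected": False, "event": {  # SCCM-launched PowerShell, previously tuned out
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -enc SQBFAFgA",
        "ParentImage": "C:\\Windows\\CCM\\CcmExec.exe"}},
    {"expected": False, "event": {  # right string, wrong process
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c echo -enc",
        "ParentImage": "C:\\Windows\\explorer.exe"}},
]


def _field_match(event, key, pattern):
    """Sigma-style 'Field|modifier' match; string comparison is case-insensitive as in Sigma."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    pattern = str(pattern).lower()
    if modifier == "contains":
        return pattern in value
    if modifier == "endswith":
        return value.endswith(pattern)
    if modifier == "startswith":
        return value.startswith(pattern)
    if modifier == "":
        return value == pattern
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection):
    """All fields of a selection map must match (AND); a list value means any-of (OR)."""
    for key, pattern in selection.items():
        patterns = pattern if isinstance(pattern, list) else [pattern]
        if not any(_field_match(event, key, p) for p in patterns):
            return False
    return True


def eval_condition(condition, truth):
    """Evaluate a condition over selection names with and / or / not / parentheses."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or():
        v = parse_and()
        while peek() == "or":
            take()
            r = parse_and()  # always consume the right operand, no short-circuit
            v = v or r
        return v

    def parse_and():
        v = parse_not()
        while peek() == "and":
            take()
            r = parse_not()
            v = v and r
        return v

    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        return parse_atom()

    def parse_atom():
        tok = take()
        if tok == "(":
            v = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parenthesis in condition")
            return v
        return truth[tok]  # KeyError here means the condition names an undefined selection

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return result


def rule_fires(rule, event):
    det = rule["detection"]
    truth = {name: selection_matches(event, sel) for name, sel in det.items() if name != "condition"}
    return eval_condition(det["condition"], truth)


def qa_gate(rule, samples):
    """(passed, failures): the rule must fire on every TP and stay silent on every benign case."""
    failures = []
    for i, s in enumerate(samples):
        if rule_fires(rule, s["event"]) != s["expected"]:
            failures.append((i, "missed true positive" if s["expected"] else "false positive regression"))
    return (not failures, failures)


if __name__ == "__main__":
    print(RULE["id"], "QA:", qa_gate(RULE, SAMPLES))
```

The regression set is the part that makes this a gate rather than a unit test: every false positive that was tuned out becomes a labelled benign event, so a later edit that drops the filter (or a schema change that renames `ParentImage`) is caught in pre-production instead of in the SOC queue.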

7. Continuous service improvement

  • Establish structured SOC-to-engineering feedback loop.
  • Conduct regular analyst review sessions.
  • Track false positive patterns and alert fatigue metrics.
  • Maintain closed-loop improvement tracking.
  • Continuously improve detection fidelity and SOC effectiveness.
  • Conduct post-incident detection and control gap analysis.

8. Automation & response engineering governance

  • Govern SOAR and response automation across platforms.
  • Define tiered automation model (manual / assisted / autonomous).
  • Establish human-in-the-loop controls for high-risk actions.
  • Enforce automation regression testing and version control.
  • Monitor automation success and failure rates.

9. Preventative control operationalisation & validation

  • Implement Security Architect–approved hardening baselines (CIS-aligned).
  • Operationalise secure configuration standards across:
    • Endpoints
    • Identity platforms
    • Cloud environments
    • Network security controls
  • Monitor configuration drift and control degradation.
  • Integrate preventative control telemetry into SIEM and detection pipelines.
  • Validate control effectiveness using detection and incident data.
  • Provide structured feedback to the Security Architect on control performance gaps.
  • Support exposure reduction initiatives through engineering execution.

10. Compliance & audit evidence ownership

  • Maintain full audit trail for detection changes.
  • Provide evidence for ISO 27001, NIST CSF and regional regulatory audits.
  • Maintain detection version history.
  • Ensure automated response actions are logged and traceable.
  • Maintain control compliance dashboards and operational metrics.
  • Provide ATT&CK coverage documentation to auditors.

11. Engineering leadership & capability development

  • Define detection engineering competency framework.
  • Mentor and develop Detection Engineers and SIEM Engineers.
  • Establish certification roadmap (Elastic, Microsoft, Google).
  • Implement technical performance scorecards.
  • Develop succession planning and redundancy controls.
  • Maintain backlog governance and engineering delivery cadence.

Technical requirements

Platform expertise (required)

  • Elastic Security (EQL, index lifecycle, ECS governance)
  • Microsoft Defender XDR & Sentinel (KQL, ASIM)

Platform expertise (desired)

  • Google SecOps (UDM schema, detection engineering)
  • BindPlane (log routing and telemetry aggregation architecture)

Detection engineering

  • Behaviour-based detection design
  • Correlation engineering
  • Sigma rule governance
  • Detection-as-code practices
  • ATT&CK mapping and coverage measurement

Automation & engineering

  • SOAR workflow design
  • Python / PowerShell scripting
  • CI/CD for detection content
  • API integrations (REST/JSON)
  • Infrastructure-as-Code fundamentals

Preventative control engineering

  • Implement and operationalise architect-approved hardening baselines (CIS-aligned) across endpoints, identity, cloud and network environments.
  • Monitor configuration drift and validate control effectiveness using telemetry integrated into SIEM platforms.
  • Enforce tenant-level configuration isolation and prevent cross-tenant control contamination in multi-tenant environments.
  • Translate architectural security controls into enforceable technical configurations and measurable compliance outcomes.
  • Maintain automated control validation, regression testing and compliance-ready reporting for regulatory and audit purposes.

Data & schema governance

  • Log normalisation and parsing
  • Schema conformity validation
  • Ingestion health monitoring
  • Data completeness validation

Experience requirements

  • 7+ years in security engineering or detection engineering
  • 2+ years in technical leadership or management
  • Experience in MSSP or multi-tenant SOC environments
  • Proven experience with at least two of:
    • Elastic
    • Microsoft Security Suite
    • Google SecOps
  • Experience implementing ingestion frameworks (BindPlane or equivalent, or native collectors)

Key performance indicators

Detection effectiveness

  • ATT&CK coverage percentage
  • Detection fidelity score
  • False positive rate
  • Missed detection rate
  • Detection decay rate

Operational performance

  • Mean Time to Detect (MTTD)
  • Mean Time to Respond (MTTR)
  • Detection deployment lead time
  • Detection retirement cycle time

Cost & efficiency

  • Cost per GB ingested
  • Cost per alert generated
  • Query efficiency score
  • Storage optimisation ratio

Quality & governance

  • Detection QA pass rate
  • Automation success rate
  • Automation failure rate
  • Schema conformity percentage
  • Ingestion failure rate

Engineering leadership

  • Backlog delivery velocity
  • Certification completion rate
  • Cross-platform detection parity percentage