Senior Security Engineer, Threat Detection & Response
As a Senior Security Engineer on the Threat Detection & Response team, you will lead complex incident investigations, mature our insider risk program, and serve as a trusted partner to engineering, legal, executive leadership, and external stakeholders during high-stakes security events.
You'll lead end-to-end response for the most sensitive security incidents, build and scale our insider risk monitoring capabilities, and translate complex technical findings into actionable insights for both technical teams and C-suite stakeholders. You'll set the bar for investigative diligence, evidence handling, and cross-functional coordination during high-stakes situations.
This role is a great fit for a seasoned investigator and incident responder who thrives in high-pressure environments, has deep experience navigating multi-stakeholder investigations, and wants to make a tangible impact on a growing security program.
This position requires the ability to obtain and maintain a security clearance.
Responsibilities
- Lead end-to-end incident response for complex, high-severity security events, including technical investigation, containment, eradication, recovery, and executive-level reporting
- Build and mature True Anomaly's insider risk monitoring program, including detection strategy, investigative playbooks, and cross-functional escalation paths
- Serve as the principal technical liaison between the security team and partner organizations (IT, Engineering, Legal, HR, Compliance, and external government partners), translating complex technical findings for non-technical decision-makers
- Perform evidence collection, digital forensics, and malware triage activities; ensure investigative findings are documented to a standard suitable for legal, regulatory, and law enforcement use
- Develop and operationalize incident response plans, playbooks, and SOPs that scale with team growth and mission complexity
- Design and tune detections across corporate, cloud, and mission environments, leveraging frameworks like MITRE ATT&CK
- Proactively hunt for threats, including insider threats, and leverage threat intelligence to anticipate emerging adversary TTPs
- Administer and optimize EDR, SIEM, and SOAR platforms; build automation to improve investigative efficiency
- Brief executive leadership on active incidents, threat landscape, and program maturity in clear business terms
- Mentor junior detection and response engineers and contribute to hiring as the team grows
Requirements
A good candidate will have:
- 4+ years of experience in cybersecurity, with significant time spent leading incident response, complex investigations, threat hunting, or detection engineering
- Demonstrated experience leading multi-stakeholder investigations end-to-end, from initial triage through executive reporting and post-incident review
- Hands-on experience with digital forensics, malware triage, and evidence handling in environments where investigative rigor matters
- Experience building or contributing to an insider risk or insider threat monitoring program
- Strong working knowledge of EDR platforms, SIEM platforms (e.g., Splunk, Elastic, or similar), and SOAR tooling
- Working knowledge of Windows, macOS, and Linux endpoint security and common attack techniques
- Solid understanding of attack vectors, adversary TTPs, and security frameworks such as MITRE ATT&CK and the Cyber Kill Chain
- Experience with scripting (e.g. Python, PowerShell, or Bash) for automation, enrichment, or analysis tasks
- Proven ability to brief executives and translate technical risk into business language
- Clear verbal and written communication skills, with experience producing intelligence reports, investigative findings, or executive briefings
An ideal candidate will also have:
- Active TS/SCI security clearance or ability to obtain and maintain a security clearance
- Knowledge of digital forensics and malware analysis techniques
- Experience building or significantly maturing a detection and response program
- Experience working in Azure Government Cloud (Azure GovCloud) environments
- Experience with cloud security monitoring in AWS, GCP, or Azure commercial environments
- Familiarity with CMMC, FedRAMP, NIST 800-53, or other federal compliance frameworks
- Experience with Detections-as-Code, CI/CD, etc.
- Experience participating in or supporting red team/purple team exercises
- This role operates in a fast-paced, high-stakes environment where rapid decision-making and adaptability are essential
- Onsite work is required in our Denver or Long Beach offices
- On-call rotation participation, including after-hours participation, is required for incident response coverage
- Must be comfortable working under pressure during active security incidents
- High degree of autonomy and ownership
- Direct access to leadership and opportunity to influence security strategy
What We Offer
Location & Eligibility
Listing Details
- Posted
- June 17, 2026
- First seen
- June 17, 2026
- Last seen
- June 18, 2026
Posting Health
- Days active
- 0
- Repost count
- 0
- Trust Level
- 60%
- Scored at
- June 17, 2026