Cortex Platform Engineer
Thinkahead
Posted: April 13, 2026
Quick Summary
Own the deployment, configuration, detection engineering, and day-to-day operations of Cortex XDR and partner with XSOAR, XSIAM, Cortex Cloud, and Prisma Access to support a maturing, integrated security operations environment.
Job Description
We are looking for an experienced Cortex Platform Engineer with deep expertise in Palo Alto Networks’ Cortex ecosystem. Cortex XDR is the primary focus of this role — you will own its deployment, configuration, detection engineering, and day-to-day operations — but you will also bring working knowledge across Cortex XSOAR, XSIAM, Cortex Cloud, and Prisma Access to support a maturing, integrated security operations environment.
This is a hands-on, high-ownership role at the intersection of endpoint security, SOC automation, cloud security posture, and secure network access. You will partner closely with SOC analysts, security architects, and cloud engineering teams to drive platform adoption, improve detection coverage, and accelerate response across the full Cortex stack.
Core Responsibilities:
Cortex XDR — Primary Focus
• Own end-to-end deployment, configuration, and lifecycle management of Cortex XDR across Windows, macOS, and Linux endpoints at enterprise scale.
• Design and maintain agent policies, prevention profiles, and exclusion sets; manage multi-tenant or multi-instance architectures where applicable.
• Develop, tune, and maintain BIOC rules, custom correlation policies, and Behavioral Threat Protection (BTP) configurations to maximize signal fidelity and minimize analyst fatigue.
• Lead Tier 2/Tier 3 incident investigations using XDR’s causality analysis engine, storyline feature, and XQL-based threat hunting across endpoint, network, and cloud telemetry.
• Coordinate response actions including endpoint isolation, process termination, and file quarantine; produce post-incident reports for technical and executive audiences.
• Translate MITRE ATT&CK mappings and threat intelligence into actionable XDR detection logic; conduct regular alert reviews to identify tuning opportunities and coverage gaps.
Cortex XSOAR — Automation & Orchestration
• Build, maintain, and optimize XSOAR playbooks for automated triage, enrichment, containment, and response workflows tied to XDR and other platform alerts.
• Manage integration packs, custom scripts, and connector configurations to support bidirectional data flow between XSOAR and the broader security toolset.
• Collaborate with SOC analysts to identify high-value automation candidates, reducing manual toil and accelerating mean time to respond (MTTR).
• Maintain playbook documentation, versioning, and testing standards to ensure operational reliability.
Cortex XSIAM — AI-Driven SOC Operations
• Support the deployment and configuration of Cortex XSIAM as the organization’s AI-driven SOC platform, including data source onboarding and ingestion pipeline management.
• Leverage XSIAM’s machine learning-driven alert correlation and incident scoring to reduce alert volume and prioritize analyst queues.
• Assist in defining and tuning XSIAM detection rules, analytics models, and dashboard views aligned to SOC operational requirements.
• Work with security leadership to evaluate XSIAM’s AI-generated insights and feed findings back into detection and response improvement cycles.
Cortex Cloud — Cloud Security Posture
• Operate Cortex Cloud (CNAPP) to provide continuous visibility into cloud workload security posture across AWS, Azure, and GCP environments.
• Manage cloud workload protection policies, vulnerability findings, and compliance benchmarks; triage and escalate high-severity findings to cloud engineering teams.
• Integrate Cortex Cloud telemetry into XDR and XSIAM detection pipelines to extend threat visibility into cloud-native workloads and container environments.
• Support cloud security assessments and assist in developing guardrails and policy-as-code aligned to organizational security standards.
Prisma Access — SASE & Secure Network Access
• Support the administration and operational maintenance of Prisma Access for secure remote access, branch connectivity, and SASE policy enforcement.
• Assist with policy configuration, user/tunnel management, and troubleshooting of Prisma Access deployments in coordination with network engineering.
• Integrate Prisma Access logs and telemetry into XDR and XSIAM for unified visibility across network and endpoint data sources.
• Participate in SASE architecture reviews and contribute security operations requirements to network and access design discussions.
Platform Integration & Governance
• Architect and maintain integrations across the Cortex platform and adjacent tools including SIEM (Splunk, Sentinel, QRadar), ticketing systems, and identity providers.
• Maintain platform health across all Cortex components: version management, licensing, policy compliance, and coverage gap reporting.
• Define and track platform KPIs across detection effectiveness, automation rate, response time, and cloud posture; report to security leadership on a recurring cadence.
• Produce and maintain runbooks, architecture documentation, and knowledge base content for SOC and engineering team use.
Required Qualifications:
Experience
• 5+ years of hands-on cybersecurity experience in SOC engineering, security operations, or endpoint/cloud security roles.
• 3+ years of direct, production experience operating Cortex XDR at enterprise scale — lab-only experience does not meet this requirement.
• Demonstrated experience with at least two additional Cortex platform components (XSOAR, XSIAM, Cortex Cloud, or Prisma Access) in a production environment.
• Proven ability to write and optimize XQL queries for threat hunting, detection tuning, and forensic investigation.
• Hands-on experience with XSOAR playbook development and integration pack management.
• Working knowledge of at least one SIEM platform (Splunk, Sentinel, or QRadar) with integration experience.
Technical Knowledge
• Strong understanding of Windows, macOS, and Linux internals as they relate to endpoint telemetry, process execution, and persistence mechanisms.
• Solid grasp of the MITRE ATT&CK framework with the ability to map detections to specific techniques and sub-techniques.
• Familiarity with cloud security fundamentals across AWS, Azure, or GCP — IAM, workload security, network segmentation, and logging.
• Understanding of SASE principles, zero-trust network access concepts, and secure remote access architectures.
• Scripting competency in Python, PowerShell, or Bash for automation, log parsing, and platform integration development.
Preferred Qualifications:
Certifications
• Palo Alto Networks Certified Detection and Response Analyst (PCDRA) — strongly preferred; expected within 90 days of hire if not already held.
• Palo Alto Networks Certified Network Security Engineer (PCNSE) — advantageous given the breadth of Palo Alto platform coverage in this role.
• Palo Alto Networks Certified Security Automation Engineer (PCSAE) for candidates with strong XSOAR focus.
• GIAC GCED, GCIH, or equivalent incident response certification.
• AWS, Azure, or GCP cloud security certifications (e.g., AWS Security Specialty, AZ-500, Google Professional Cloud Security Engineer).
Additional Technical Experience
• Hands-on XSIAM deployment or migration experience, particularly from legacy SIEM or XDR-only environments.
• Experience with Cortex Cloud’s CSPM, CWPP, or CDR capabilities in a multi-cloud environment.
• Familiarity with Prisma SD-WAN or broader Palo Alto Networks network security portfolio.
• Experience with threat intelligence platforms (MISP, ThreatConnect, Anomali) integrated into XSOAR or XSIAM workflows.
• Background in managed detection and response (MDR) or MSSP environments with multi-tenant platform management experience.