MisuJob - AI Job Search Platform MisuJob

SOC Detection Engineer - Cloud and AI Automation

Saviynt

Bengaluru Hybrid permanent

Posted: March 20, 2026


Quick Summary

Saviynt is a leading AI-powered identity platform that helps organizations efficiently manage and secure their applications, data, and business processes, using AI to drive operational efficiency and reduce compliance costs.

Job Description

Saviynt's AI-powered identity platform manages and governs human and non-human access to all of an organization's applications, data, and business processes. Customers trust Saviynt to safeguard their digital assets, drive operational efficiency, and reduce compliance costs. Built for the AI age, Saviynt is today helping organizations safely accelerate their deployment and usage of AI. Saviynt is recognized as the leader in identity security, with solutions that protect and empower the world’s leading brands, Fortune 500 companies and government institutions. For more information, please visit www.saviynt.com.

About the Job
We are building a next-generation Agentic Security Operations Center (SOC) designed for the AI era. We believe that effective security operations must evolve beyond traditional reactive methods. We are building an intelligent, AI-driven SOC that combines deep cloud security expertise with advanced automation and machine learning to predict, prevent, and neutralize advanced threats faster than ever.

We are seeking a SOC Detection Engineer - Cloud and AI Automation to serve as a technical expert responsible for designing, building, and optimizing detection capabilities across our cloud-native security stack. This is a hands-on-keyboard role for someone who thrives on creating intelligent detections, leveraging AI/ML for threat identification, and building automation that scales security operations. You will be responsible for engineering detection logic, fine-tuning AI-powered alerts, and driving continuous improvement in our detection and response capabilities.


WHAT YOU WILL BE DOING:
Detection Engineering & Content Development
● Design, develop, and deploy advanced detection rules and logic across SIEM, EDR, CSPM, and cloud-native security platforms.
● Build and maintain detection-as-code using modern frameworks and version control systems (Git).
● Create high-fidelity, low-noise detections mapped to the MITRE ATT&CK framework, focusing on cloud-specific threats and techniques.
● Continuously research emerging threats, TTPs (Tactics, Techniques, and Procedures), and translate threat intelligence into actionable detection content.
● Perform detection efficacy testing and validation using purple team exercises and adversary emulation frameworks.
AI & Machine Learning Integration
● Leverage AI/ML capabilities within security platforms to enhance threat detection accuracy and reduce false positives.
● Build and tune machine learning models for anomaly detection, behavioral analytics, and predictive threat identification.
● Integrate generative AI and large language models (LLMs) to accelerate alert triage, investigation workflows, and threat analysis.
● Evaluate and implement AI-powered security tools for automated threat detection, alert enrichment, and investigation assistance.
● Monitor and optimize AI/ML model performance, addressing data quality, model drift, and false positive/negative rates.

Cloud Security Detection & Monitoring
● Act as a Subject Matter Expert (SME) for cloud security detection engineering across AWS, Azure, and GCP environments.
● Design detections leveraging cloud-native logs (CloudTrail, Azure Activity Logs, GCP Audit Logs) and security services (GuardDuty, Security Command Center, Defender for Cloud).
● Build detections for cloud-specific threats including misconfigurations, identity compromise, data exfiltration, and infrastructure attacks.
● Monitor container and Kubernetes environments, developing detections for runtime threats and supply chain attacks.
Security Automation & Orchestration
● Design and implement automated detection deployment pipelines using secure CI/CD methodologies.
● Build custom scripts (Python, PowerShell, Bash) for automated alert enrichment, evidence collection, and response actions.
● Develop and maintain automated response playbooks in SOAR platforms to handle detection-triggered workflows.
● Integrate security tools via APIs to create seamless, automated detection and response ecosystems.
● Identify opportunities to apply automation and AI to reduce Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).
Continuous Improvement & Collaboration
● Analyze detection performance metrics, false positive rates, and coverage gaps to drive continuous improvement.
● Collaborate with threat intelligence, incident response, and threat hunting teams to refine detection strategies.
● Create and maintain comprehensive documentation for detection logic, tuning procedures, and operational runbooks.
● Provide technical guidance on detection engineering best practices and emerging technologies.
● Stay current with the latest security research, adversary techniques, and AI/ML advancements in cybersecurity.


WHAT YOU BRING:
● Bachelor's degree in Computer Science, Information Security, Data Science, or a related field.
● 8-12 years of experience in cybersecurity with at least 4+ years focused on detection engineering, threat detection, or security analytics.
● Strong Cloud Security Detection Skills: Deep, hands-on experience building detections for at least one major cloud provider (AWS, Azure, or GCP), including native security services and log sources.
● AI/ML Security Experience: Practical experience applying machine learning, anomaly detection, or AI-powered tools to security use cases. Understanding of AI/ML model development, tuning, and evaluation.

● Detection Engineering Expertise: Proven track record of creating high-quality detection content using SIEM platforms (Splunk, Azure Sentinel, Chronicle), EDR solutions (CrowdStrike, Microsoft Defender), and cloud security tools.
● Automation & Scripting Proficiency: Strong programming skills in Python (required), with experience in PowerShell or Bash. Ability to build detection pipelines and automation frameworks.
● Technical Depth: Hands-on experience with SOAR platforms, detection-as-code frameworks, log analysis, and data correlation techniques.
● MITRE ATT&CK Mastery: Expert-level understanding of the MITRE ATT&CK framework and its application to detection engineering and threat modeling.
● Analytical Mindset: Strong problem-solving skills with the ability to analyze complex data sets, identify patterns, and translate findings into detection logic.

Good to Have
● Certifications: GIAC Certified Detection Analyst (GCDA), GIAC Cyber Threat Intelligence (GCTI), AWS Certified Security Specialty, Azure Security Engineer Associate, or equivalent.
● Experience with threat intelligence platforms (TIPs) and threat hunting methodologies.
● Knowledge of adversary emulation tools (Atomic Red Team, Caldera, etc.).
● Familiarity with data science tools and frameworks (Jupyter, pandas, scikit-learn).
● Contributions to open-source detection content repositories (Sigma rules, detection rules, etc.).


If required for this role, you will:
- Complete security & privacy literacy and awareness training during onboarding and annually thereafter
- Review (initially and annually thereafter), understand, and adhere to Information Security/Privacy Policies and Procedures such as (but not limited to):

> Data Classification, Retention & Handling Policy
> Incident Response Policy/Procedures
> Business Continuity/Disaster Recovery Policy/Procedures
> Mobile Device Policy
> Account Management Policy
> Access Control Policy
> Personnel Security Policy
> Privacy Policy

Saviynt is an amazing place to work. We are a high-growth, Platform as a Service company focused on Identity Authority to power and protect the world at work. You will experience tremendous growth and learning opportunities through challenging yet rewarding work which directly impacts our customers, all within a welcoming and positive work environment. If you're resilient and enjoy working in a dynamic environment you belong with us!

Saviynt is an equal opportunity employer and we welcome everyone to our team. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or veteran status.
