[Hiring] Security Operations Lead @Sword Health
Security Operations Lead @Sword Health
All Others
Salary €50,400 - €79,2..
Remote Location
Employment Type full-time
Posted 3d ago

3d ago - Sword Health is hiring a remote Security Operations Lead. 💸 Salary: €50,400 - €79,200 a year 📍Location: Portugal

Role Description

As Security Operations Lead, you'll lead our SecOps squad and own how Sword detects, investigates, and responds to threats. You'll help structure how this function operates — setting the direction on SIEM architecture, detection engineering, and incident response — and use automation and AI to scale a focused team across a fast-growing, multi-continent footprint. You'll be a core voice in our security strategy, and the systems, processes, and culture you build will set the bar for how Sword protects 700,000+ members.

What you’ll be doing

  • Set the strategy and technical direction for Sword’s Security Operations Center — defining the operating model, SIEM and detection architecture, incident response capability, and the roadmap to scale them as the company grows.
  • Drive an AI- and automation-first transformation of security operations: design SOAR playbooks, agentic and LLM-assisted triage workflows, and ML-driven detection to reduce MTTD/MTTR, expand coverage, and let a lean team operate at enterprise scale.
  • Lead the SOC/CSIRT team technically — mentoring detection and response engineers, raising the bar on investigations, running on-call and escalation models, and acting as commander for major incidents.
  • Own the SIEM end-to-end (architecture, data sources, normalization, retention, cost, and tuning) and evolve detection-as-code content aligned to MITRE ATT&CK and Sword’s threat model.
  • Lead high-severity incident response from detection through containment, eradication, recovery, and post-incident review, partnering with engineering, IT, legal, and executive stakeholders during critical events.
  • Run the threat intelligence and threat hunting programs, converting emerging TTPs into new detections, proactive hardening, and informed risk decisions.
  • Define and report on SOC performance — MTTD, MTTR, coverage, automation rate, false-positive rate, on-call health — and use those metrics to drive measurable, continuous improvement.
  • Influence security architecture and engineering decisions across the company, ensuring detection, response, and recovery are built into new products, platforms, and infrastructure from day one.
  • Establish and continuously improve incident response playbooks, runbooks, and tabletop exercises to ensure organizational readiness.

Qualifications

  • Bachelor’s degree in Computer Science, Cybersecurity, or equivalent professional experience.
  • Proven experience scaling a SOC through automation and AI — SOAR, hyperautomation, LLM-assisted triage, agentic workflows, or ML-driven detection — with measurable impact on MTTR, coverage, or analyst leverage.
  • Hands-on experience structuring a SOC, either building one from the ground up or maturing one through significant transformation — SIEM selection, implementation or migration, detection engineering practice, runbook libraries, on-call rotations, and operating metrics.
  • Deep SIEM expertise (Splunk, Sentinel, Chronicle, Elastic, or similar) — ingestion architecture, detection-as-code, query optimization, and coverage-versus-cost tradeoffs.
  • Prior experience as the technical lead of a SOC or CSIRT team — owning the full incident response lifecycle, mentoring analysts and engineers, and acting as on-call/incident commander during major incidents.
  • Strong incident response track record — leading high-severity investigations, root cause analysis, digital forensics, and post-incident reviews that produced durable improvements.
  • Solid experience in cloud environments (AWS and/or GCP), with strong understanding of cloud-native threats and controls.
  • Strong scripting and development skills (Python, Go, Bash, or similar) for building automation, integrations, and internal tooling.
  • Working knowledge of EDR/XDR, identity, and network detection telemetry, and how to combine signals into high-fidelity detections.
  • Fluency with security frameworks and standards (NIST 800-61, CIS Controls, MITRE ATT&CK, ISO 27001) and the judgment to apply them pragmatically.
  • Background in threat modeling, adversary emulation, and risk-based alert tuning.
  • Excellent communicator — able to brief executives during a Sev1, write a clear post-mortem, and translate technical risk into business language for non-technical audiences.
  • Proven track record of leading cross-functional efforts in high-pressure situations and fostering collaboration across InfoSec, IT, and engineering.
  • Forensics experience, investigating incidents and preserving digital evidence.

Requirements

  • €50,400 - €79,200 a year (This range includes base, variable and equity).
  • Compensation details reflect the base salary and any potential variable, bonus or sales incentives, and the Company’s estimation of the value of private company stock options, if applicable.
  • Actual pay is determined by skills, qualifications, experience, location, market demand, and other factors.
  • Compensation may be modified in the future.

Benefits

  • Health, dental and vision insurance
  • Meal allowance
  • Equity shares
  • Remote work allowance
  • Flexible working hours
  • Work from home
  • Discretionary vacation
  • Snacks and beverages

Before You Apply

Be aware of the location restriction for this remote position: Portugal
Beware of scams! When applying for jobs, you should NEVER have to pay anything.