Atlas Technica

SOC Engineer

Ukraine · Full-time · Not Applicable

Position Name: SOC Engineer

Reports to: SOC Team Lead

Location/Type: Remote, Ukraine

Status: Exempt

Role Summary

The SOC Engineer is responsible for designing, implementing, and improving the detections, automations, workflows, and security controls that support Atlas Technica’s security operations across a multi-tenant client base.

This is a hands-on engineering role focused on improving how the SOC detects, correlates, escalates, and responds to real security activity. The role goes beyond tooling administration and pipeline maintenance. The right candidate can connect signals across identity, email, endpoint, SIEM, and user-reported activity, and turn those lessons into stronger detections, safer automation, clearer runbooks, better operational guardrails, and sustained noise reduction. They should be capable of owning an incident end to end, including coordination across internal and external stakeholders, communications, resolution, and post-incident reporting.

This role requires strong professional English communication skills to support cross-functional coordination, technical documentation, incident communications, and client-facing discussions when needed.

Responsibilities

Detection, correlation, and workflow engineering

  • Design and maintain integrations between SIEM/SOC platforms, Microsoft Defender, Entra ID, Intune, ticketing systems, and related internal security workflows.
  • Build and improve alert routing, normalization, enrichment, and correlation logic so related signals are investigated together rather than in isolation.
  • Develop and refine detections and workflow logic for high-risk scenarios such as account compromise, mailbox abuse, MFA abuse, remote-access-tool misuse, suspicious endpoint activity, and other cross-channel attack patterns.
  • Partner with outsourced SOC providers and internal teams on telemetry onboarding, detection content, enrichment, and workflow requirements.
  • Own recurring alert-noise reduction by identifying high-volume false positives, investigating root cause, and driving approved tuning, suppression, enrichment, and whitelisting changes that preserve detection value while improving analyst efficiency.

Incident-driven ownership, automation, and containment

  • Own and lead confirmed compromise incidents through the entire incident lifecycle, coordinating with internal and external parties.
  • Identify high-value opportunities to automate repetitive SOC tasks such as enrichment, case linking, notification, evidence gathering, and approved response actions.
  • Implement safe, well-documented automated containment actions with clear approvals, rollback paths, and operational guardrails.
  • Ensure automations are usable during live incidents and do not introduce unsafe assumptions, blind spots, or unnecessary business disruption.

Security controls and baseline engineering

  • Translate Atlas standards and client security requirements into enforceable configurations and policies across Microsoft 365, Entra ID, Intune, Microsoft Defender, and related platforms.
  • Implement and maintain security baselines across tenants and detect configuration drift at scale.
  • Support improvements around high-risk user protections, remote-access-tool governance, containment controls, and security policy standardization.

Runbooks, quality, and operational maturity

  • Co-own SOC runbooks and playbooks with analysts and SOC leadership, ensuring they are practical, testable, and usable in ambiguous real-world scenarios.
  • Continuously refine detection logic, escalation criteria, peer-review expectations, and closure standards based on incident lessons learned.
  • Improve how user-reported suspicious activity, support tickets, and security telemetry are linked into a coordinated response workflow.
  • Produce clear technical documentation, implementation notes, and professional English communications for runbooks, workflow changes, incident-driven improvement recommendations, and cross-team coordination.

Reporting and reliability

  • Build and maintain reports and dashboards for SOC reliability and performance, including alert quality, tuning outcomes, false positive reduction, MTTA, MTTR, reopen rate, and documentation quality.
  • Ensure SOC systems, integrations, and workflows are reliable, monitored, and supportable.
  • Participate in change control and governance processes related to security tooling, detections, and automations.

Required Qualifications

  • 4+ years of experience in IT, security engineering, security operations, incident response, or a closely related security role, with at least 2 years directly focused on SOC engineering, detection engineering, security automation, or Microsoft security operations.
  • Demonstrated incident management capability, including the ability to operate autonomously during an active incident, coordinate internal and external stakeholders, drive communications, manage containment and resolution, and own the full incident lifecycle through post-incident summary and follow-up actions.
  • Strong hands-on experience with Microsoft 365 and Azure, including Entra ID, Intune, Microsoft Defender, Conditional Access, and related security controls.
  • Strong hands-on experience with one or more SIEM or SOC platforms such as Microsoft Sentinel, Splunk, or QRadar.
  • Hands-on experience with scripting and automation using PowerShell and at least one of Python, Logic Apps, or similar tooling, including work with REST APIs and modern integration patterns.
  • Demonstrated ability to correlate identity, email, endpoint, SIEM, and user-reported signals into a single investigation path and to escalate appropriately when patterns indicate likely or active compromise.
  • Demonstrated experience designing, tuning, validating, or improving SOC detections and monitors, including thresholds, enrichment, exclusions, suppression logic, and false-positive reduction.
  • Demonstrated experience engineering or supporting workflows for high-severity incidents, including triage, containment decisions, documentation, handoffs, stakeholder updates, and post-incident improvement work.
  • Ability to work effectively through ambiguity, incomplete runbooks, delayed escalations, or partial tooling degradation while still operating safely, escalating clearly, and documenting decisions.
  • Strong professional proficiency in written and spoken English, including the ability to explain technical risk, containment decisions, and operational tradeoffs clearly to internal teams and client-facing stakeholders.
  • Experience with documenting and maintaining architectures, runbooks, workflows, operational standards, and related security process documentation over time.

Strongly Preferred

  • Experience in an MSP, MDR, MSSP, or other multi-tenant security operations environment.
  • Experience supporting clients in financial services or other highly regulated, high-sensitivity environments.
  • Experience engineering detections or workflows involving business email compromise, account compromise, MFA abuse, remote-access-tool abuse, or Microsoft security incidents.
  • Experience with vulnerability and exposure tooling, exposure data normalization, and remediation workflow design.
  • Experience building or improving QA, peer review, escalation governance, or operational audit processes for security workflows.

Nice to Have

  • Experience with Cavelo or similar exposure or vulnerability platforms.
  • Certifications such as Security+, CySA+, BTL1, CISSP, or equivalent.
  • Experience with SOAR platforms, case management integrations, and configuration-as-code approaches for security controls.

Posted: Jun 14, 2026

Industries: IT Services, IT Consulting

Categories: Engineering, Information Technology
