Land Transport Authority

[LTA-ITCD] LEAD / PRINCIPAL CYBER ENGINEER (AUTOMATION)

Fixed Terms
Closing on 20 May 2026

What the role is

LEAD / PRINCIPAL CYBER ENGINEER (AUTOMATION)

What you will be working on

The SOC Automation Engineer is the primary builder and maintainer of the Cybersecurity Operations Centre's automation, orchestration, and AI-assisted capability layer. This role owns the engineering of SOAR playbooks, API integrations, and AI/ML-enhanced workflows that reduce manual analyst workload, accelerate detection-to-response timelines, and enable the SOC to operate at scale. Critically, this role is also the SOC's internal champion for identifying and implementing AI augmentation opportunities across all security operations functions — from alert triage to threat hunting to reporting.

Job Scope

  • Design, develop, test, and maintain SOAR playbooks for alert triage, enrichment, containment, remediation, and escalation workflows on FortiSOAR and/or Microsoft Sentinel Automation
  • Build modular, reusable playbook components that can be composed across multiple incident scenarios — avoiding monolithic, hard-to-maintain workflows
  • Implement human-in-the-loop decision gates for high-impact automated actions (e.g., account lockout, firewall block, host isolation) to ensure analyst oversight is preserved
  • Define and enforce playbook engineering standards — including error handling, logging, audit trails, rollback logic, and performance benchmarking
  • Maintain a playbook library with version control, documentation, and deprecation lifecycle management
  • Continuously monitor and tune playbook performance — tracking automation rate, false action rate, execution time, and analyst override frequency
  • Build and maintain bi-directional API integrations between SOC platforms — connecting Microsoft Sentinel, FortiSOAR, CrowdStrike, Akamai WAF, threat intelligence platforms, ticketing systems, and communication tools
  • Develop custom integration connectors and middleware where out-of-the-box integrations are insufficient or unavailable
  • Design and maintain the data enrichment pipeline — automatically augmenting alerts with threat intelligence, asset context, user behaviour history, geolocation, and vulnerability data before analyst review
  • Own the integration between SOC tooling and IT infrastructure sources (firewall APIs, Active Directory, DNS, proxy logs) to enable automated containment and response actions
  • Ensure all integrations are resilient — with retry logic, circuit breakers, alerting on connector failure, and fallback handling
  • Identify, evaluate, and implement AI/ML capabilities to augment SOC operations across the following areas:
    • Alert triage: Deploy AI-based alert scoring and prioritisation to reduce noise and surface high-fidelity signals
    • Behavioural analytics: Implement ML-driven anomaly detection for user and entity behaviour (UEBA) and network traffic patterns
    • Natural language summarisation: Integrate LLM-based alert and incident summarisation to reduce analyst cognitive load and accelerate triage
    • Threat hunting assistance: Build AI-assisted hypothesis generation tools that suggest hunting queries based on active threat intelligence and environmental baselines
    • Automated investigation: Develop agentic AI workflows that autonomously gather evidence, correlate indicators, and assemble investigation packages for analyst review
    • Predictive analytics: Implement risk scoring models that predict likelihood of escalation based on historical incident patterns
  • Evaluate and integrate AI-native SOC tooling (e.g., Microsoft Sentinel Copilot for Security, CrowdStrike Charlotte AI, Copilot in Defender XDR) and assess their effectiveness against SOC KPIs
  • Build prompt engineering and LLM workflow guardrails to prevent AI misuse, hallucination propagation, and prompt injection risks within automated pipelines
  • Maintain an AI capability register — documenting deployed AI models, their training data, decision logic, known limitations, and human oversight requirements
  • Develop automated SOC health monitoring — alerting on data connector failures, ingestion gaps, playbook errors, and platform degradation before analysts are affected
  • Build and maintain automated reporting pipelines that surface SOC KPIs (MTTD, MTTR, automation rate, playbook performance) in real-time dashboards for the Product Lead and Tech Lead
  • Conduct regular automation effectiveness reviews — identifying playbooks with low automation rates, high override rates, or error-prone logic
  • Translate post-incident review findings and detection gap analyses into new or improved automation workflows
  • Research and pilot emerging automation and AI technologies, producing evaluation reports and proof-of-concept deployments

What we are looking for

• Knowledge in Computer Science, Computer Engineering, Data Science, or related technical discipline

• Hands-on playbook development experience on FortiSOAR, Microsoft Sentinel Automation (Logic Apps / Playbooks), or equivalent enterprise SOAR platforms

• Proficiency in Python for automation, API integration, data transformation, and AI workflow development; PowerShell for Windows/Azure automation

• Demonstrated experience building REST API integrations between security platforms

• Working knowledge of Microsoft Sentinel — Logic Apps, automation rules, watchlists, and KQL for automated query-based triggers

• Experience with agentic AI frameworks (e.g., LangChain, AutoGen, Microsoft Semantic Kernel) for building autonomous investigation workflows

• Familiarity with SIGMA rule format and automated rule conversion/testing toolchains

• Exposure to threat intelligence platform APIs (MISP, OpenCTI, commercial TIPs) and automated IOC ingestion pipelines

• Knowledge of LLM security risks — prompt injection, data leakage, model poisoning — and how to implement guardrails within automated SOC pipelines

• Experience with container-based deployment (Docker, Kubernetes) for hosting custom automation microservices

• At least 3 years in cybersecurity with at least 2 years focused on security automation, SOAR development, or security engineering

• Demonstrable portfolio of SOAR playbooks built and deployed in a production SOC environment — covering alert types, enrichment logic, and containment actions

• Hands-on experience integrating 5+ security tools via API in a SOC or security engineering context

• Possess relevant certification such as Microsoft Certified: Security Operations Analyst Associate (SC-200), Azure Security Engineer Associate (AZ-500), CrowdStrike Certified Falcon Responder (CCFR) or GIAC Certified Incident Handler (GCIH)

• Comfortable operating at the boundary of security operations and software engineering, without being fully siloed in either

As part of the shortlisting process for the role, you may be required to complete a medical declaration and / or undergo further assessment.

About your application process

This job is closing on 20 May 2026.

If you do not hear from us within 4 weeks of the job ad closing date, we seek your understanding that it is likely that we are not moving forward with your application for this role. We thank you for your interest and would like to assure you that this does not affect your other job applications with the Public Service. We encourage you to explore and apply for other roles within Land Transport Authority or the wider Public Service.

About Land Transport Authority

The Land Transport Authority (LTA) is a statutory board under Ministry of Transport that spearheads land transport developments in Singapore. We are seeking dynamic, energetic, highly motivated, passionate and qualified professionals to join us. Many opportunities & challenges await those who are keen on an exciting career to realise our commitment to envision & implement an integrated transport system.