SOC Lead

VDart Inc


Job Location:

Dallas, IA - USA

Monthly Salary: Not Disclosed
Posted on: 4 days ago
Vacancies: 1 Vacancy

Job Summary

Role: SOC Lead

Location: Dallas TX 75039 / Onsite

Contract

We are looking for an experienced SOC Lead to anchor our Security Operations function within a managed services environment. This is a senior client-facing role combining deep technical expertise in threat detection and vulnerability management with the leadership capability to drive service excellence across a cross-functional delivery team.

Key responsibilities

Security operations & incident management

  • Own end-to-end SOC operations - monitoring, triage, escalation and closure across assigned accounts
  • Lead P1/P2 security incident bridges - coordinating technical response, client communication and executive reporting simultaneously
  • Drive post-incident RCA and feed findings back into detection rules and runbooks
  • Maintain and continuously improve the SOC runbook library
  • Define and enforce SLA targets for detection, containment and response

Vulnerability management - Qualys

  • Own the vulnerability management programme - scan scheduling, asset coverage, findings triage and remediation tracking
  • Configure and govern Qualys scan policies, asset groups and reporting templates aligned to client risk appetite
  • Produce executive and operational vulnerability reports - translating CVSS scores into prioritised remediation plans
  • Define and enforce vulnerability SLAs by severity tier (Critical, High, Medium)
  • Own the exception register and risk acceptance process
  • Drive continuous improvement of scan coverage - agent deployment gaps, credentialed scan gaps

Threat detection & platform - Palo Alto XSIAM/ Trellix

  • Operate and govern XSIAM as the primary SIEM/SOAR platform - ingestion configuration, data source onboarding, parser management
  • Build, tune and maintain detection rules and correlation logic
  • Develop and manage SOAR playbooks for automated response - enrichment, containment, ticketing integration
  • Conduct threat hunting exercises using MITRE ATT&CK as the reference framework
  • Maintain XSIAM dashboards for both operational and executive audiences

Endpoint security - Trellix & Microsoft Defender (MDE)

  • Govern EDR across the estate using Trellix and MDE - coverage, policy compliance, agent health
  • Configure and tune Trellix policies - threat prevention rules, containment actions, SIEM integration
  • Manage MDE deployment - onboarding, alert suppression, custom KQL detection rules
  • Coordinate endpoint isolation, forensic investigation and remediation workflows
  • Track and report on endpoint protection coverage, driving remediation of gaps

Threat management & intelligence

  • Lead the threat intelligence function - consuming feeds, contextualising IOCs and translating them into actionable detections
  • Conduct regular threat landscape reviews and present findings in governance forums
  • Map SOC coverage against MITRE ATT&CK - identifying detection gaps
  • Maintain a threat register with current actor profiles and defensive recommendations

Process design & governance

  • Design, document and own SOC processes - incident response, vulnerability management, change control, escalation workflows
  • Establish and run monthly SOC governance reviews - SLA performance, incident trends, threat posture
  • Define and track SOC KPIs - MTTD, MTTR, false positive rate, vulnerability remediation SLA compliance
  • Own SOC tool stack governance - version management, health monitoring, integration integrity

Client engagement & stakeholder management

  • Serve as the primary SOC point of contact for client stakeholders - leading governance calls and QBRs
  • Prepare and present monthly and quarterly SOC reports for both technical and executive audiences
  • Translate complex security findings into clear, risk-contextualised language for C-suite communication
  • Manage client expectations proactively - flagging risks and posture changes before they escalate

Team leadership & cross-functional collaboration

  • Lead and mentor a team of SOC analysts (L1/L2/L3) - performance expectations, appraisals, skills development
  • Act as primary escalation point for the team on complex incidents and ambiguous threat scenarios
  • Collaborate with infrastructure, IAM, network and compliance teams for integrated security coverage
  • Drive a continuous improvement culture - blameless retrospectives, lessons learned, good practice recognition
  • Coordinate with ITSM and change management to ensure security events are correctly tracked and closed

Skills & experience

  • 7 years in security operations in a managed services or multi-client SOC environment
  • Hands-on Palo Alto XSIAM - rule writing, playbook development, data source integration, threat hunting
  • Strong Trellix knowledge - policy management, EDR configuration, SIEM integration
  • Microsoft Defender for Endpoint (MDE) - onboarding, custom KQL detections, incident response
  • Qualys expertise - scan configuration, asset management, vulnerability reporting, remediation governance
  • Threat intelligence capability - IOC analysis, MITRE ATT&CK mapping, threat hunting methodology
  • Strong ITIL process knowledge applied in live operations - incident, problem, change and service reporting
  • Proven ability to lead client-facing governance sessions and communicate with senior stakeholders
  • Track record of building or improving SOC processes and runbooks

Desirable

  • Certifications: CISSP, CISM, CEH, SC-200, Palo Alto XSIAM specialist
  • SOAR scripting - Python or PowerShell for playbook development
  • Cloud security operations - Azure Sentinel, AWS Security Hub
  • Regulatory framework familiarity - PCI-DSS, SOC 2, ISO 27001

Behavioural competencies

  • Accountability - owns outcomes, not just activities
  • Client orientation - treats operational excellence and client confidence as inseparable
  • Composure under pressure - leads calmly during P1s regardless of client or internal pressure
  • Communication clarity - adjusts depth and tone for engineers, managers and executives
  • Continuous improvement mindset - treats every incident and process gap as a learning opportunity
  • Collaborative leadership - builds trust across functions through expertise and follow-through