Essential Job Functions

• Process and Project Management: Own the design and the implementation of key IT projects and initiatives as they pertain to the organizations long-term security strategy.Identify areas of improvement where processes do not currently exist and drive the development and delivery of new processes to address these gaps.Ability tomanage ambiguity anddeliver quality results with minimal supervision in coordinating projects and other deliverables.Willingness to escalate identified issues as necessary and the ability to identify when to partner with leadership to resolve issues risks or obstacles.Builds consensus for delivering results while finding common ground for collaboration and partnership.

• DocumentationMetrics and Presentations:Understand the various tools and technologies commonly associated with Information Security.Lead the creation of and the maintenance of relevant documentationincluding the ability to deliver run books project updates process documentation architecture and technical requirements and presentations.Develop and deliver Key Performance Indicators (KPIs) through the understanding of the tools and deliverables by helping to develop maintain and mature the associated reporting structure.Ability to produce meaningful and actionable metrics through data analysis. Conduct data analysis exercises using Excel Pivot Tables database queries and other data driven analysis tools. Produces presentations at various levels of abstraction dependent on intended audience using Microsoft Power Point Microsoft Visio or equivalent tools.

• Human Relations:Ability to maintain the highest level of confidentiality and professionalism. Ability to proactively identify potential issues and deliver well-reasoned solutions.Ability to diffuse problematic situations and manage through conflict resolution.Ability todecomposecomplex topics andbreakthemdown into laymens terms or analogies that helpdrive clarity and understanding. Viewed as an enabling partner that providesalternativeoptions orsupporting informationwhen saying no to business or IT requests. Seen by leadership and peers as creditable trustworthy and respectful.

Reports to: Manager Information Security

Working Conditions/ Physical Requirements:

• Normal office environment. (Remote or Hybrid) 3 to 4 days per month are required in office if within 60 miles of a posted Bread Financial location.

• Some travel may be required.

• As the need of the business continue to evolve this role may be asked to work an on-call rotation to include evenings or weekends.

Direct Reports: None

Minimum Qualifications:

• Fouror moreyears experience in Information Security orInfrastructure.

• Intermediate to expert level knowledge of IT tools and practices including but not limited to: Networking LDAP Directories Vulnerability/Patch Management Change Management Incident Management Server and Desktop Management Mainframe Technologies Encryption and Key Management Cloud Architecture and Computing Software Application General Computing Controls Business Continuity/Disaster Recovery Software Development Lifecycle Access Management and Cyber SecurityTools (Security Incident Event Management (SIEM) Security Orchestration Automation and Response (SOAR) Data Loss Prevention (DLP) Intrusion Detection System (IDS) Intrusion Prevention System (IPS) End User Behavioral Analytics (EUBA) Web Application Firewall (WAF) Network Access Control (NAC) Privileged Access Management (PAM) Endpoint Detection Response (EDR). Broad range of skills with different technical platforms (firewalls servers workstations networks storage security Internet and cloud (SaaS / IaaS / PaaS) technologies). Working understanding of NIST security standards PCI - DSS and SOX controls.

Preferred Experience:

• Bachelors or equivalent experiencein Computer Science Networking or Information Technology

• Certification:Security NetworkCISSP SSCP CCSP

• Five or moreyears experience in Information Security or Infrastructure experience.

• 5 years in SOC detection engineering threat detection or security engineering roles

• Demonstrated ownership of detection lifecycle: ideation development tuning deployment validation and continuous improvement.

• Hands-on experience building and maintaining detections in one or more SIEM platforms (Splunk CrowdStrike Next-Gen SIEM Palo Alto XSIAM).

• Proven experience onboarding and normalizing logs across endpoint identity cloud network and application sources.

• Experience managing detections using Git-based workflows code review branching strategies and CI/CD principles.

• Familiarity with testing frameworks for detections (unit testing logic regression testing synthetic event generation and controlled replay).

• 3 years designing and implementing SOAR playbooks and response automations (Cortex XSOAR Splunk SOAR).

• Demonstrated success reducing mean time to detect and respond through automation and orchestration.

• Experience translating intelligence into practical outcomes such as detections hunts enrichment and response actions.

• Familiarity with TI platforms and standards (MISP OpenCTI STIX/TAXII) and integrating TI into SIEM and SOAR workflows.

• Strong experience mapping detections and response playbooks to MITRE ATT&CK.

• Experience building behavior-based detections that reduce reliance on static indicators.

• Experience applying AI to detection engineering or SOC operations such as alert summarization triage enrichment incident clustering case routing and knowledge retrieval.

• Experience designing guardrails for AI usage: human-in-the-loop approvals audit logging data handling controls and prompt or workflow governance.

Skills:

Detection Engineering and Analytics

• Writing high-signal detections using SPL KQL EQL Lucene Sigma or equivalent query languages

• Behavior-based detection design including correlation baselining anomaly and sequence detection

• Alert tuning suppression allowlisting and noise reduction

• Data modeling normalization field extraction parsing and enrichment strategies

• Detection coverage mapping to MITRE ATT&CK and kill chain concepts

Automation SOAR and Response Engineering

• Building SOAR playbooks and automated response actions with approval gates and safe failure modes

• Integrations via REST APIs webhooks message queues and event-driven designs

• Case management ticketing integration and automated evidence collection

• Automated containment actions: disable accounts revoke sessions isolate endpoints block indicators quarantine email update firewall rules

Threat Intelligence and Hunting

• Converting TI into actionable detections hunts enrichment and prioritized response steps

• IOC lifecycle management confidence scoring and expiration handling

• Familiarity with STIX/TAXII MISP OpenCTI and TI feeds

• Threat hunting methodologies hypothesis-driven hunting and translating hunts into detections

AI and Agentic SOC Operations

• Designing AI-assisted workflows for triage summarization correlation and recommendation

• Building agentic workflows with human approvals audit trails and policy guardrails

• Prompt engineering fundamentals for security workflows and retrieval-augmented approaches

• Evaluating AI outputs for accuracy bias and safety including fallback procedures

Platforms and Telemetry

• SIEM administration fundamentals and search performance optimization

• Endpoint telemetry and EDR concepts: process trees persistence lateral movement and malware tradecraft

• Identity telemetry: authentication events conditional access privilege changes and OAuth abuse

• Cloud telemetry: audit logs IAM events workload signals and network flow logs

Engineering Practices

• Scripting and automation using Python and PowerShell

• Infrastructure as code concepts and configuration management practices

• Git version control code review and CI/CD for detection and automation content

• Documentation practices for runbooks playbooks and detection intent and testing

Communication and Operations

• Incident handling and escalation judgment

• Writing clear analyst-friendly detection documentation and response instructions

• Operational maturity mindset: continuous improvement post-incident reviews and backlog prioritization

• Cross-functional collaboration and influencing without authority