Lead Security Engineer, Detection & Response
New York, NY, USA · Remote
Founding detection engineer for an AI-first security operation
Location: Remote (US, Eastern Time preferred) | Type: Full-Time | Experience: 5-8 years security engineering with 2+ years detection engineering | Team: Security & Risk (reports to CISO)
About the Role
We are looking for our founding Detection & Response engineer. You will design, build, and run the detection engineering function as we scale a security program that is AI-centered by design, working directly with the CISO to decide what we monitor, why we monitor it, and how we respond when something matters.
You will not be a log-diving analyst. We are deliberately building an operation where agent-driven tooling- much of it built or tuned by you- handles triage, enrichment, and routine investigation, freeing your time for the higher-order work: designing detections, evolving the detection strategy, leading incidents, and helping engineering, data, and product teams build security in by design.
You will lead Security Operations, working alongside the CISO and other team members to drive our capabilities to new levels. The function will grow with the company; you will set the standard for what it looks like.
What You’ll Do
• Stand up an agent-driven Security Operations capability. Lead the PoC and production deployment of our AI SOC platform, design the detection and response workflows it executes, and own its day-to-day effectiveness.
• Own detection engineering end-to-end. Build, test, version-control, and tune detections across our cloud infrastructure, endpoints, identity and access including privileged access, email, productivity SaaS, and AI usage.
• Define and lead our AI-risk detection program. Sanctioned and unsanctioned LLM use, sensitive data leakage to external models, prompt-injection abuse against our products, and agent or model misuse internally. Align this work to our ISO/IEC 42001 commitments.
• Run incident response. Serve as technical incident commander for material events and tabletop exercises, drive post-incident reviews, and feed lessons learned into the detection portfolio, risk register, and the broader engineering culture.
• Lead our Data Loss Prevention strategy. Design the policies, telemetry coverage, response playbooks, and privacy guardrails. Build it as an insider-risk and inappropriate-use program, not a surveillance program.
• Translate our regulatory commitments into concrete detection coverage. SOC 2, ISO 27001, ISO 27017 and 27018, ISO 42001, GDPR, DORA, and NIS2. Partner with the CISO on control efficacy and with Vanta for continuous monitoring and audit support.
• Make expert recommendations on tooling, architecture, and process. We are hiring you for your expertise, judgment, and explicit guidance. You will be a core part of the decision making.
• Partner across Engineering, Data, and Product. You are the internal authority on detection-informed security design. You will influence through code reviews, design reviews, and architectural input, not through process gates.
• Build AI scaffolding for the security function. Develop skills, agents, and automations that take routine work off your plate and the plates of your peers, and that compound the team’s output as the company scales.
• Multiply your impact through mentoring and stretch assignments. Use your depth to upskill colleagues across Security, Engineering, Data, and Product. Sponsor stretch work for peers, share what you know freely, and raise the technical bar of the people around you.
• Own the economics of our detection data pipeline. Decide what we log, where it lives, how long we keep it, and what it costs.
Who You Are
• 5+ years in security engineering or security operations, with at least 2 years doing detection engineering as code: writing, peer-reviewing, version-controlling, and tuning detections rather than operating someone else’s content packs.
• Strong cloud security depth, ideally on AWS. You can reconstruct user activity from cloud audit logs without a runbook, and you know where native cloud security tooling stops covering you.
• Comfortable in Python and SQL (or a SIEM-native query dialect). You build the pipeline, parse the data, and ship the integration rather than waiting on someone else.
• AI-fluent as a builder, not just a user. You develop skills, agents, and automations that dramatically enhance the productivity of yourself and the people around you, and you reach for that approach by default when you see work that should not require a human in the loop. You have a clear-eyed view of where AI replaces human judgment and where it cannot.
• Experience leading or substantively contributing to incident response, including evidence handling, forensic timeline reconstruction, and post-incident analysis.
• Direct experience operating within SOC 2, ISO 27001, or an equivalent framework. You understand how detection coverage maps to auditable evidence.
• A builder’s temperament. Comfortable being the first to do something, comfortable disagreeing with your manager, and comfortable picking the 80% answer when the 100% answer would take six months.
• An owner’s temperament. The function is yours. The detections are yours. The incidents are yours. The strategy is yours, in partnership with the CISO.
• Comfort with the rhythms of a small company. Incidents are rare; when one matters, the team shows up. You do not expect a formal on-call rotation, and you are equally willing to lean in for a Saturday morning page and to take a Wednesday afternoon for yourself when the work allows.
Wondering If You’re a Good Fit?
We invest in our people and value candidates with diverse backgrounds, even if you are not a 100% match on every line above. A few qualities we have found compatible with our team:
• Prior experience as the first or second security engineer at a startup.
• Direct experience deploying an agent-based SOC platform (any vendor).
• ISO/IEC 42001 awareness, or substantive work on AI governance from a security-controls perspective.
• DORA or NIS2 awareness, or experience supporting customers in the EU financial-services sector.
• Detection-as-code in production with Sigma, Panther, Datadog, Splunk, or a custom toolchain. We care that you have lived in one, not which one it was.
• UEBA or insider-risk program experience, especially in environments that took privacy and proportionality seriously.
• Familiarity with modern macOS MDM and identity-aware endpoint management.
• Experience working alongside or directly leading GRC work items.
What You Don’t Need
• A specific degree or certification. We weigh demonstrated mastery over credentials.
• Experience in our exact tooling stack. We will train on the platform; we cannot train the judgment.
• Prior people-management experience. This is a senior IC role with founding-leader scope.
Why Sigma360
We are a remote-first, AI-first company in a fast-growing category. The security function is being built deliberately, and you will help shape it from early days. You will set the standard for what it looks like and have the autonomy that comes with arriving early. Expectations are high. So is trust.
Sigma360 is a venture-backed data and analytics company building modern software to help organizations manage risk and make better decisions. We value curiosity, clarity of thought, and pragmatic execution, and we believe great products come from strong collaboration across disciplines. Sigma360 is an equal opportunity employer committed to building an inclusive and diverse workplace.
Benefits:
401(k)
Dental insurance
Health insurance
Paid time off
Vision insurance