Role Summary
We are seeking a Lead SOC Validation & Adversary Simulation Engineer to strengthen the effectiveness of our Security Operations Center (SOC / VSOC) by continuously validating detections, response workflows, and telemetry using adversary-informed testing techniques.
This role is SOC-owned and SOC-driven. The primary objective is to improve detection fidelity, reduce blind spots, and increase SOC readiness across vehicle, cloud, and other environments. Adversary simulation and Purple Team techniques are used as methods to harden SOC operations not as standalone Red Team activities.
Key Responsibilities
- SOC Detection Validation & Assurance (Primary Focus)
- Own continuous validation of SOC detections across:
- Vehicle telemetry and in-vehicle IDS
- Telematics and backend services
- Cloud APIs, and other supporting systems
- Validate alerts against realistic attacker behavior, not synthetic rules
- Identify:
- Detection gaps
- Signal quality issues
- Excessive false positives or low-value alerts
- Partner with SOC engineers to improve alert logic, correlation, and response playbooks
Adversary Simulation in Support of SOC
- Design controlled adversary simulations to test SOC capabilities:
- API misuse and abuse
- Lateral movement
- Unauthorized diagnostics or ECU access
- Align scenarios to MITRE ATT&CK (Cloud API + Automotive)
- Coordinate with Red Team only when advanced exploitation is required
SOC Telemetry & Signal Engineering
- Work with platform and product teams to:
- Improve log coverage and quality
- Define high-value security signals
- Reduce noisy or redundant telemetry
- Influence what gets logged, where, and why—from ECUs to cloud services
- Help SOC prioritize telemetry based on risk and detection value
Incident Readiness & Response Validation
- Validate SOC incident response workflows through:
- Detection-driven exercises
- Tabletop scenarios informed by real attack paths
- Measure and improve:
- Mean Time to Detect (MTTD)
- Mean Time to Triage (MTTT)
- Mean Time to Respond (MTTR)
- Ensure SOC procedures align with real attack timelines
Threat Modeling & Risk Alignment
- Leverage TARA / threat-modeling outputs to prioritize SOC coverage
- Ensure SOC monitoring aligns with:
- ISO/SAE 21434
- UNECE R155/R156
- Translate detection gaps into risk-based narratives for leadership and auditors
- Support audit evidence by demonstrating validated monitoring effectiveness
Automation & Continuous SOC Validation
- Build or enhance SOC validation automation, including:
- Detection testing frameworks
- Alert replay and validation pipelines
- Coverage and maturity dashboards
- Integrate validation workflows into:
- SIEM
- SOAR
- CI/CD where applicable
- Reduce manual SOC testing and increase repeatability
Metrics, Reporting & Leadership Communication
- Define SOC-focused KPIs such as:
- ATT&CK coverage by detection
- Detection efficacy over time
- Reduction in blind spots
- Produce clear SOC maturity and readiness reports
- Communicate findings to:
- SOC leadership
- Product security
- Engineering stakeholders
Required Qualifications
Technical Experience
- Cybersecurity with strong SOC, detection engineering, or incident response experience
- Deep understanding of:
- SOC operations and alert lifecycle
- Detection engineering and signal tuning
- Adversary techniques and kill chains
- Experience working with:
- SIEM and SOC tooling
- Cloud and API monitoring
- Network and system telemetry
- Strong scripting or automation skills (Python, Go, C)
Leadership & Collaboration
- Proven experience leading SOC improvement initiatives
- Ability to influence detection priorities across teams
- Strong written and verbal communication skills
- Comfortable presenting to leadership and auditors
