Deriv

Lead SOC Analyst

Job Description

Most SOC roles are about keeping the lights on. This one is about building the system that makes the lights unnecessary. We're deploying AI that triages threats in real time, enriches alerts automatically, and flags the cases that actually need human judgment. Your job is to lead the team through what that looks like in practice—investigating the complex incidents, owning the detections, and raising the standard for how the SOC operates day to day.

Why This Matters

Deriv's mission is Trading for Anyone, Anywhere, Anytime. Millions of active traders. Transactions around the clock. Dozens of regulatory environments. Real money, real regulations, real consequences.

Security here isn't overhead. It's infrastructure. A missed detection or a slow response isn't a ticket—it's a breach with financial and regulatory weight behind it. And at the scale we operate, alert fatigue isn't an excuse; it's a problem we're solving with AI.

Why Deriv

  • Automated security review on every pull request—before a human touches the code
  • Dozens of fraud detection models running continuously in production
  • Autonomous threat triage platforms handling first-pass analysis in real time
  • 400+ users on our workflow orchestration platform, including security workflows

You'll extend systems already in production. Not propose automation that might get approved.

What You'll Do

Lead when it counts

  • Take ownership of complex incident investigations—credential abuse, targeted malware, data exfiltration attempts
  • Act as the escalation point for junior analysts during active incidents: guide the process, make containment calls, drive the resolution
  • Run post-incident reviews that produce action items, not just documentation

Keep detection ahead of attackers
  • Hunt for threats proactively using MITRE ATT&CK, threat intelligence, and behavioural anomalies
  • Write and tune detection rules that reduce false positives without introducing blind spots
  • When attacker techniques evolve, your detection coverage evolves first

Build the SOC that runs consistently
  • Develop and refine playbooks so the team responds the same way whether it's Tuesday morning or 3am Saturday
  • Identify workflow inefficiencies and fix them before they become gaps under pressure
  • Champion AI tools for alert enrichment, triage automation, and incident documentation

Communicate clearly, not just technically
  • Deliver incident reports that are actionable for engineers and readable for stakeholders
  • Track MTTD, MTTR, and false positive rates—and use them to drive real improvements
  • Translate threat data into decisions, not just information

Who You Are
  • You've run real incidents. Not tabletop exercises. Actual investigations under pressure—credential abuse, endpoint compromise, lateral movement. You know what containment looks like and you've made the calls.
  • You write detection rules, not just review them. SIEM query language is native to you. You tune rules based on attacker behaviour, not alert volume.
  • You mentor without slowing down. When junior analysts are stuck during an active incident, you guide them through it. Teaching and doing happen at the same time.
  • You push automation before it's required. You've experimented with AI-assisted triage or automated enrichment and you're not waiting for permission to do more of it.
  • You take team outcomes personally. When an investigation hits a dead end, you find another path. When a playbook breaks under pressure, you fix it before the next shift inherits the gap.

Tech Stack & Experience
  • 7+ years in cybersecurity operations, with hands-on incident response across detection, containment, and recovery
  • Experience mentoring or guiding peers in a live security context
  • SIEM: Splunk, Elastic, or equivalent—hands-on query experience required
  • Endpoint & Network: EDR platforms, IDS/IPS, network forensics tools
  • Automation: SOAR platforms, Python for enrichment scripts, AI-assisted triage
  • Cloud: Working knowledge of AWS or GCP security tooling
  • Frameworks: MITRE ATT&CK, D3FEND, and NIST SP 800-61
  • GCIH, GCIA, GCFA, OSCP, or equivalent hands-on certification is a plus

The Honest Reality
Threats don't arrive with clean context. You'll investigate incidents where the first five pivots lead nowhere. You'll tune detection rules only to discover new attacker techniques that bypass them. You'll build playbooks that still require judgment calls to execute.

But you'll do it alongside people building AI that genuinely changes how SOC works. Automated triage that handles the obvious so you can focus on the complex. Detection systems that adapt faster than manual rule updates ever could. A team that measures success in response times, not ticket counts.

If you want predictable work and clear-cut alerts, this isn't it. If you want to lead real investigations and help build a security function that's always one step ahead, it might be.

Job ID: 149633645