Cyber Defense Engineer

Evinova Cybersecurity
Barcelona, Spain

Role details

Contract type
Permanent contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English
Experience level
Senior

Job location

Barcelona, Spain

Tech stack

Microsoft Windows
API
Amazon Web Services (AWS)
Data analysis
Clinical Data Repository
Software as a Service
Cloud Computing
Cloud Computing Security
Cloud Engineering
Computer Security
Information Systems
Continuous Integration
Data Integrity
Query Languages
Digital Forensics
EHealth
Federated Identity Management
Identity and Access Management
Issue Tracking Systems
Information Technology Audit
Intrusion Detection and Prevention
Log Analysis
Microsoft Security Essentials
Network Service
Performance Tuning
Cloud Services
Kusto Query Language
Salesforce
Security Information and Event Management
Data Logging
Data Ingestion
Database Optimization
Mitre Att&ck
Cyber Threat Analysis
Kubernetes
Information Technology
Cybercrime
Performance Monitor
3-tier Architectures
Cloudwatch
Cyber Warfare
Splunk
Software Version Control
Data Pipelines
Serverless Computing
GXP
Vulnerability Analysis

Job description

The Cyber Defense Engineer at Evinova is positioned as an internal subject matter expert for cyber threat detection, analysis, and response. The successful candidate will be specifically accountable for the design, engineering, and operational execution of our cyber threat detection and response capabilities across a global multi-cloud environment and will be exposed to several leading technologies such as Amazon Web Services, Microsoft 365, Salesforce, Splunk Cloud, and several others.

This role operates as the primary technical escalation point for all cyber threats identified by our Security Operations Center (SOC) and is responsible for validating, investigating, and directing responses to escalated security incidents. This role provides a unique blend of technical detection engineering with threat-informed cyber defense strategy ownership.

With Evinova positioned as a trusted technology partner to Life Sciences and Pharmaceutical Research focused organizations, this role will be exposed to regulated workloads, clinical data, and GxP-relevant systems. Considering our business context, success in this role requires adequate understanding of system assurance principles, data integrity controls, and relevant external guidance / compliance requirements (e.g., ISO 27001, SOC2, NIST CSF, UK / EU GDPR, etc.).

This position is ideal for technically skilled cybersecurity professionals who thrive in fast-paced global organizations and enjoy solving complex operational challenges with innovative approaches. In addition to supporting the Cyber Defense pillar, this role will have daily exposure across our entire cybersecurity function and will work collaboratively to secure Evinova's Digital Health Suite.

This position will report directly to the Evinova Head of Cybersecurity with a dotted line to the Head of Cybersecurity Engineering and will have several peers to collaborate with, ensuring adequate leadership visibility and cross-functional exposure across adjacent cyber domains. If you are a cyber defense pro looking to gain cyber leadership experience, this is the perfect role for you.

Due to the business-critical nature of this role, there may be times when after-hours support is needed to address cybersecurity incidents. Evinova cybersecurity is a globally distributed team with team members located in both the United States and Spain.

Key Responsibilities:

SIEM Platform Management (Splunk Focus)

Oversee the work of our outsourced service provider who provides SIEM maintenance support

Provide architectural and operational ownership of Splunk ES as the enterprise detection platform

Design data ingestion strategies covering cloud telemetry, identities, SaaS services, and system audit logs

Engineer compliant data models to normalize security telemetry and enable scalable detection use case development

Build operational dashboards supporting SOC monitoring, incident tracking, regulatory reporting, and executive cyber risk metrics

Optimize search performance, indexing strategies, and storage utilization to balance detection depth with cost efficiency

Integrate third-party and native security tooling into Splunk via APIs, forwarders, and data pipeline engineering

Cloud Detection and Response Architectures (AWS-focused)

Provide cyber defense telemetry requirements into security architecture reviews for new platforms, applications, and cloud services

Engineer and operationalize detections leveraging native AWS telemetry sources such as CloudTrail, GuardDuty, Security Lake, VPC Flow Logs, CloudWatch, EKS logs, and others

Develop detection use cases for IAM privilege escalation, federated identity abuse, cross-account compromise, API misuse, and serverless exploitation

Monitor containerized and Kubernetes workloads for runtime threats, suspicious process execution, and anomalous network communication patterns

Partner with Cloud Security peers to define cloud logging standards, retention requirements, and forensic readiness controls

Detection Engineering and Threat Analytics

Architect, engineer, and operationalize advanced threat detections within Splunk Enterprise Security, including correlation searches, risk-based alerting frameworks, behavioral detections, and anomaly signals aligned to cloud computing threat scenarios

Design detection logic mapped to the MITRE ATT&CK techniques, cloud threat kill chains, and identity compromise attack paths to ensure comprehensive adversary coverage

Build security telemetry correlation across cloud control planes, SaaS platforms, and identity providers such as Microsoft Entra ID to detect multi-stage intrusion attempts

Collaborate with our outsourced SOC to continuously tune log sources / detection content to reduce false positives, eliminate alert fatigue, and improve "signal-to-noise" ratios within the SOC escalation pipelines

Utilize threat intelligence feeds to translate emerging adversary Tactics, Techniques, and Procedures (TTPs) into actionable detection use cases and SIEM content updates

Establish detection lifecycle governance including use case design documentation, testing validation, and performance monitoring

Develop "detection-as-code" pipelines leveraging version control and CI/CD processes to ensure repeatable and auditable deployment of correlation logic

Threat Detection, Analysis, and Response

Serve as the Tier 2 / Tier 3 escalation path for all relevant security alerts and suspicious activity escalated by our SOC

Conduct deep technical investigations spanning SIEM telemetry, adjacent platforms, cloud logs, identity activity, audit trails, and other forensic artifacts

Perform threat actor behavior analysis to determine initial access vectors, persistence mechanisms, privilege escalation paths, and lateral movement patterns

Lead threat hunting initiatives leveraging hypothesis-driven and intelligence-driven methodologies to proactively identify hidden threats

Function as a Technical Lead / Incident Responder for confirmed cybersecurity incidents and direct containment actions that are proportionate to the incident severity

Coordinate cross-functional response activities across Product Engineering / Platform Operations and Cybersecurity stakeholders

Maintain the Cybersecurity Incident Response Playbooks and develop new playbooks for emerging incident types / technologies

Produce formal investigation reports documenting incident timelines, impacted assets, regulatory exposure risk, and remediation recommendations

Provide incident briefings summarizing incident severity, business impact, and containment posture to the Head of Cybersecurity, Head of Cybersecurity Engineering, and other relevant leadership stakeholders (including the Evinova Chief Technology Officer)

Collaborate with Cybersecurity Assurance to document incident root causes, specifically focusing on control failures, detection gaps, and posture improvement actions

Lead cyber crisis simulations and tabletop exercises with adjacent teams in Product Engineering and Platform Operations to ensure operational readiness

Requirements

University degree in Cybersecurity, Information Security, Computer Science, Information Systems, or a related technical discipline.

6-8+ years of progressive experience in Cybersecurity Operations, Detection Engineering, Cybersecurity Incident Response, or Threat Intelligence functions within global enterprises

Demonstrated hands-on engineering and operational experience administering and developing detection use cases in Splunk Enterprise Security, including correlation searches, notable event frameworks, risk-based alerting, and data model utilization

Hands-on security monitoring and threat detection experience across Amazon Web Services (AWS) environments

Operational familiarity with cloud-native attack vectors including IAM privilege escalation, credential misuse, token compromise, API abuse, and cross-account persistence mechanisms

Familiarity with SOAR platforms and automation engineering supporting incident response orchestration and alert enrichment

Demonstrated experience leading or coordinating incident response activities, including containment execution, stakeholder coordination, forensic triage, and post-incident lessons learned

Proficiency in SIEM query languages (e.g., SPL, KQL) and log analysis methodologies across various log sources

Working knowledge of the MITRE ATT&CK framework and its application to detection engineering and threat actor simulation

Desired Qualifications:

Professional certifications in Cybersecurity, Digital Forensics, Information Assurance or related technical field (e.g., CISSP, CCSP, Splunk Certified, GIAC)

Proven experience operating as an escalation path within a Security Operations or Incident Response function, including leading technical investigations over advanced threats, account compromise, malware intrusions, and cloud security incidents

Experience operating within hybrid SOC delivery models that include managed service providers or outsourced Tier 1 monitoring functions

Deep engineering expertise within Splunk Enterprise Security, including detection-as-code pipelines, SIEM optimization, data onboarding, and search performance tuning

Experience conducting proactive threat hunting operations

Experience presenting incident findings and detection maturity metrics to security leadership, auditors, and other interested stakeholders

Experience working within regulated environments such as Financial Services, Life Sciences / Pharmaceutical, and Healthcare

While not required, prior experience with the Microsoft security ecosystem (e.g., Purview, Sentinel, Defender) is an added plus

About the company

Evinova delivers market-leading digital health solutions that are science-based, evidence-led, and human experience-driven. Thoughtful risks and quick decisions come together to accelerate innovation across the life sciences sector. Be part of a diverse team that pushes the boundaries of science by digitally empowering a deeper understanding of the patients we're helping. Launch pioneering digital solutions that improve the patients' experience and deliver better health outcomes. Together, we have the opportunity to combine deep scientific expertise with digital and artificial intelligence to serve the wider healthcare community and create new standards across the sector.