Manager, SOC

Forcepoint

Administration

Texas, USA

Posted on May 21, 2026

Who is Forcepoint?

Forcepoint simplifies security for global businesses and governments. Forcepoint’s all-in-one, truly cloud-native platform makes it easy to adopt Zero Trust and prevent the theft or loss of sensitive data and intellectual property no matter where people are working. 20+ years in business. 2.7k employees. 150 countries. 11k+ customers. 300+ patents. If our mission excites you, you’re in the right place; we want you to bring your own energy to help us create a safer world. All we’re missing is you!

Role Summary

Forcepoint is expanding and maturing its internal SOC and needs a hands-on technical leader to design and operate it. This is not a team oversight role. The SOC Manager will personally author detection rules, develop and own response playbooks, own SOAR and automation workflows end-to-end, and work directly alongside our agentic AI SOC platform to extend and operationalize its capabilities. You will manage a small team of analysts, but your primary value is what you build alongside that team — not what you delegate.

The right candidate is a builder by instinct: someone who looks at a new log source and immediately sees what detections can be written from it, has built SOAR playbooks in environments with little to no prior automation, and is genuinely excited about what an AI-native SOC platform makes possible.

Key Responsibilities

SOC Build and Team Leadership

  • Build out Forcepoint’s internal SOC — processes, tooling, detection coverage, and analyst workflows.

  • Hire, onboard, and develop a small, growing team of SOC analysts.

  • Define and own SOC operating procedures, escalation paths, and performance metrics (mean time to detect, mean time to respond, false-positive rate), and report them to senior leadership.

Detection Engineering

  • Personally author detection rules at the field-logic level: set thresholds, tune out false positives, and iterate, rather than reviewing or approving what others write.

  • Survey available log sources across SIEM, EDR, cloud, identity, and network, and independently identify detection opportunities.

  • Maintain a detection library mapped to MITRE ATT&CK with clear coverage tracking and gap remediation plans.

Automation, SOAR, and AI Platform

  • Own SOAR implementation and playbook development hands-on — you build the workflows, not an engineer you assign the work to.

  • Operate and extend our agentic AI SOC platform: configure use cases, author AI-assisted detection and response logic, and drive adoption across the team.

  • Continuously identify opportunities to reduce analyst toil and raise the share of response actions that are automated rather than manual.

Incident Response and Collaboration

  • Lead incident response as a process owner — containment, investigation, remediation, recovery, and post-incident review.

  • Partner with the CISO, Security Architecture, and internal teams to align SOC priorities and improve security posture.

Required Qualifications

  • 5+ years in security operations, with 3+ years in a SOC leadership or senior SOC engineer role that included hands-on technical output alongside people management.

  • Proven, personal detection authorship at field-logic level in a SIEM (Splunk, Microsoft Sentinel, Elastic, QRadar, or equivalent). Tuning pre-built content or managing a team that writes detections does not qualify.

  • Hands-on SOAR build experience — you have configured playbooks and automated workflows yourself (Splunk SOAR, Palo Alto XSOAR, Swimlane, or equivalent). Overseeing an implementation does not qualify.

  • Demonstrated ability to build SOC processes, workflows, and playbooks in early-stage or greenfield environments.

  • Strong log source fluency: given available data sources, you can independently identify detection opportunities without being prompted.

  • Working knowledge of cloud security in at least one major provider (AWS, Azure, or GCP), including cloud-native log sources and common attack techniques.

Preferred Qualifications

  • Experience with AI-native or agentic SOC platforms and genuine enthusiasm for building on emerging security automation technologies.

  • Hands-on incident response experience in cloud-native environments.

  • Experience with vulnerability management tools (Tenable, Qualys, Rapid7) integrated into detection or ticketing workflows.

  • MSSP or MDR background with demonstrated transition to single-enterprise ownership.

  • Relevant certifications: CISSP, GCIA, GCIH, GDAT, or CySA+. These are a positive signal, but not a substitute for demonstrated hands-on capability.

What This Role Is Not

  • This is not a strategic or advisory role. If you have spent recent years in governance or vendor management without personally writing detection content, this role will not be a good fit.

  • This is not a role that inherits a mature, fully operational SOC. The expectation is that you build — detection coverage, playbook catalog, and automation workflows are yours to define and develop.

  • This is not a legacy SIEM environment. The role is centered on our agentic AI SOC platform. Candidates who are not curious about AI-native security operations will struggle to succeed here.

Location and Work Model

  • Primary location: Austin, TX. Hybrid work model with occasional travel (less than 10%).

  • Candidates in the Austin metro area or willing to relocate are strongly preferred.

Don’t meet every single qualification? Studies show people are hesitant to apply if they don’t meet all requirements listed in a job posting. Forcepoint is focused on building an inclusive and diverse workplace – so if there is something slightly different about your previous experience, but it otherwise aligns and you’re excited about this role, we encourage you to apply. You could be a great candidate for this or other roles on our team.

The policy of Forcepoint is to provide equal employment opportunities to all applicants and employees without regard to race, color, creed, religion, sex, sexual orientation, gender identity, marital status, citizenship status, age, national origin, ancestry, disability, veteran status, or any other legally protected status and to affirmatively seek to advance the principles of equal employment opportunity.

Forcepoint is committed to being an Equal Opportunity Employer and offers opportunities to all job seekers, including job seekers with disabilities. If you are a qualified individual with a disability or a disabled veteran, you may request a reasonable accommodation if you are unable or limited in your ability to use or access the Company’s career webpage as a result of your disability. You may request reasonable accommodations by sending an email to recruiting@forcepoint.com.

Applicants must have the right to work in the location to which they have applied.