
Cyber Defense - Defense Engineering Service Lead

Zoetis, Inc
United States, Pennsylvania, Malvern
Jun 23, 2026

POSITION SUMMARY

Zoetis is seeking a Defense Engineering Service Lead. You will lead hands-on detection engineering and Security Operations Center (SOC) operations to rapidly identify, contain, and resolve security threats for enterprise clients. Your expertise in MITRE ATT&CK, adversary tradecraft, and security technologies (SIEM, EDR, NDR) will drive the creation and tuning of high-quality detections, complex investigations, and proactive threat hunting. You'll automate response playbooks and integrate tools to build a cohesive defense ecosystem, partnering closely with cross-functional teams to improve signal fidelity, reduce false positives, and accelerate detection and response. In addition, you will mentor analysts, manage client relationships, and ensure programs meet industry frameworks and compliance standards, delivering operational excellence in a fast-paced environment.

POSITION RESPONSIBILITIES

Manage Log Ingestion and Data Normalization:

  • Oversee the onboarding and integration of log sources across enterprise environments, ensuring reliable data ingestion, parsing, and enrichment.
  • Maintain adherence to a Common Information Model (CIM) to standardize event fields, promote interoperability among security tools, and maximize detection fidelity and coverage.

Engineering & Automation:

  • Design, develop, and maintain incident response playbooks, orchestrations, and automation for rapid response and evidence collection.
  • Integrate and script security tools to create an efficient, cohesive, and automated defense ecosystem.
  • Continually optimize detection logic and playbooks based on ongoing threat intelligence and operational feedback.

Threat Hunting & Readiness:

  • Lead hypothesis-driven threat hunting across endpoints, identity, network, and cloud infrastructure to uncover unknown threats.
  • Conduct continuous detection QA and tuning to enhance signal fidelity, reduce false positives, and improve analyst efficiency.
  • Stay current on evolving threats, leveraging new detection and hunting methodologies as needed.

Incident Response & Purple Teaming:

  • Serve as a hands-on incident responder, focusing on rapid containment and translating lessons learned into improved detections and processes.
  • Partner with Red Team and IR colleagues on purple team exercises to validate detection coverage and address identified gaps.

Metrics & Continuous Improvement:

  • Develop, track, and report on detection metrics (coverage, fidelity, alert volumes, MTTA, MTTR) and use data-driven insights to inform backlog and roadmap priorities.
  • Lead post-incident reviews and drive continuous improvement initiatives for the detection and response program.

Mentorship & Leadership:

  • Mentor, coach, and manage SOC analysts and detection engineers, providing guidance on triage techniques, detection logic, threat hunting, and automation while supporting career growth and development.
  • Lead team performance by setting clear expectations and goals, monitoring outcomes, delivering regular feedback, and conducting performance reviews and improvement plans as needed.
  • Foster a culture of excellence, knowledge sharing, and continuous learning through training, enablement, and cross-functional collaboration.

Strategic & Client Partnership:

  • Guide clients in building and maturing cyber defense and detection programs aligned with industry frameworks and regulatory requirements (e.g., NIST CSF, ISO 27001, PCI-DSS).
  • Communicate complex technical and operational issues effectively with both technical teams and executive stakeholders.

EDUCATION AND EXPERIENCE

Education:

  • Bachelor's degree in Cybersecurity, Information Technology, Computer Science, or relevant professional experience.
  • 5+ years hands-on experience or equivalent demonstrated proficiency building/maintaining automation using Python and REST APIs in production environments.
  • 8+ years hands-on experience or equivalent depth of expertise in SOC operations, with emphasis on incident response, detection engineering, and security automation.

Preferred Certifications:

  • GSEC (GIAC Security Essentials)
  • GCIH (GIAC Certified Incident Handler)
  • GCIA (GIAC Certified Intrusion Analyst)
  • GSOC (GIAC Security Operations Certification)
  • GCED (GIAC Cybersecurity Expert Defense)
  • CISSP / CISM

TECHNICAL SKILLS REQUIREMENTS

  • Deep familiarity with MITRE ATT&CK, attacker TTPs, and the ability to translate behaviors into high-fidelity detections, preventive safeguards, and response controls across cloud, endpoint, identity, network, email, OT, and SaaS.
  • Skilled in hypothesis-driven hunting, rapid triage, and end-to-end investigations using telemetry from SIEM/EDR/NDR and cloud-native logs; strong grasp of forensics fundamentals (host, network, and identity).
  • Hands-on experience designing, implementing, and tuning security controls including hardening baselines, logging/telemetry standards, segmentation, access controls, and compensating controls for regulated and hybrid environments.
  • Strong knowledge of security logging pipelines, normalization/enrichment, data quality, and integration patterns to support detection, hunting, and response at scale.
  • Proven ability to standardize and automate repeatable security operations through SOAR, scripting, and workflow design; builds playbooks/runbooks that reduce MTTR and operational toil.
  • Applies advanced analytics to improve detection and response outcomes (signal-to-noise reduction, anomaly detection, prioritization), with emphasis on operationally usable results.
  • Strong working knowledge of modern security platforms such as SIEM, SOAR, EDR, and network/email security controls; experience developing content and integrations within SIEM/SOAR ecosystems.
  • Designs and operationalizes incident response playbooks, escalation paths, and communications; coordinates cross-functional response and delivers executive-ready updates and post-incident improvements.
  • Expertise in securing and administering enterprise platforms (e.g., Windows Server and/or Linux/UNIX), with solid understanding of enterprise architecture patterns and operational constraints.
  • Communicates complex defensive risk clearly to technical and non-technical audiences; influences stakeholders through credibility and professionalism and enables collaborative decision-making.
  • Strong project/program execution skills; manages competing priorities, drives outcomes in fast-paced environments, and contributes hands-on to troubleshooting and implementation.
  • Build and maintain SOPs, playbooks, and automation-first processes; standardize repeatable workflows.
  • Define, measure, and improve SOC KPIs (e.g., detection coverage, alert quality, MTTD/MTTR, containment effectiveness).
  • Own technical delivery and lifecycle management of security infrastructure, tooling, and detection/response capabilities.
  • Develop and mentor teams across skill levels.
  • Partner with risk/strategy and business stakeholders to align defensive engineering priorities to enterprise risk, including regulated industry requirements.

PHYSICAL POSITION REQUIREMENTS

  • Primarily office-based work involving sitting, computer use, and meetings.
  • Ability to work flexible hours as needed to coordinate with global teams and support response activities.
  • Occasional travel may be required.
  • No unusual physical demands or attendance requirements expected.

Travel Requirements: 5%-10%

Full time Regular Colleague

Any unsolicited resumes sent to Zoetis from a third party, such as an Agency recruiter, including unsolicited resumes sent to a Zoetis mailing address, fax machine or email address, directly to Zoetis employees, or to Zoetis resume database will be considered Zoetis property. Zoetis will NOT pay a fee for any placement resulting from the receipt of an unsolicited resume.

Zoetis will consider any candidate for whom an Agency has submitted an unsolicited resume to have been referred by the Agency free of any charges or fees. This includes any Agency that is an approved/engaged vendor but does not have the appropriate approvals to be engaged on a search.

Notice: Zoetis Recruiters will contact candidates via email from an address ending in @zoetis.com and may also initially connect with candidates through LinkedIn, including LinkedIn InMail. Zoetis does not use Gmail, Outlook, Yahoo, or other web-based/generic email domains to communicate about job opportunities, interviews, or offers of employment. If you receive a recruitment-related email message claiming to be from Zoetis that does not come from @zoetis.com, please treat it as suspicious. For your security, do not reply, click links, open attachments, share personal or financial information, or send money in response to unexpected or questionable recruitment communications.

Zoetis is committed to equal opportunity in the terms and conditions of employment for all employees and job applicants without regard to race, color, religion, sex, sexual orientation, age, gender identity or gender expression, national origin, disability or veteran status or any other protected classification. Disabled individuals are given an equal opportunity to use our online application system. We offer reasonable accommodations as an alternative if requested by an individual with a disability. Please contact Zoetis Colleague Services at zoetiscolleagueservices@zoetis.com to request an accommodation. Zoetis also complies with all applicable national, state and local laws governing nondiscrimination in employment as well as employment eligibility verification requirements of the Immigration and Nationality Act. All applicants must possess or obtain authorization to work in the US for Zoetis. Zoetis retains sole and exclusive discretion to pursue sponsorship for the acquisition or maintenance of nonimmigrant status and employment eligibility, considering factors such as availability of qualified US workers. Individuals requiring sponsorship must disclose this fact. Please note that Zoetis seeks information related to job applications from candidates for jobs in the U.S. solely via the following: (1) our company website at www.Zoetis.com/careers site, or (2) via email to/from addresses using only the Zoetis domain of "@zoetis.com". In addition, Zoetis does not use Google Hangout for any recruitment related activities. Any solicitation or request for information related to job applications with Zoetis via any other means and/or utilizing email addresses with any other domain should be disregarded. In addition, Zoetis will never ask candidates to make any type of personal financial investment related to gaining employment with Zoetis.