Security & Detection Engineering Manager

Rule execution frequencyEstablish structured SOC-to-Engineering feedback loop.Define tiered automation model (manual / assisted / autonomous).Define detection engineering competency framework.Establish certification roadmap (Elastic, Microsoft, Google).The Security & Detection Engineering Manager is responsible for owning and leading the detection engineering and security platform strategy across a multi-SIEM, multi-tenant MSSP environment.This role governs detection architecture, ATT&CK coverage, platform interoperability, multi-tenant isolation, cost engineering, quality assurance and automation governance across a hybrid tooling environment.RequirementsDetection Strategy & ArchitectureDefine and maintain a 12-24 month Detection Engineering Roadmap.Own adversary-aligned detection strategy mapped to MITRE ATT&CK.Establish detection maturity targets per platform and service tier.Maintain a centralized detection content abstraction model (e.g., Sigma/internal DSL).Govern detection lifecycle: design → validation → deployment → tuning → retirement.Prevent detection sprawl and duplication across platforms.MITRE ATT&CK Coverage GovernanceMaintain formal ATT&CK coverage matrix.Track and report coverage percentage by tactic and technique.Conduct quarterly coverage gap analysis.Validate detection coverage through simulation and adversary emulation exercises.Produce ATT&CK coverage reporting for executive leadership and audit functions.Multi‑Tenant Detection GovernanceDefine detection inheritance and baseline models across tenants.Govern tenant‑level tuning while preserving engineering consistency.Enforce strict cross‑tenant rule isolation and data scoping controls.Maintain metadata‑only forwarding controls where required for sovereignty models.Prevent cross‑tenant configuration contamination.Maintain version control and tenant‑level detection lineage.Platform Interoperability & Schema GovernanceOwn cross‑platform detection portability strategy.Govern schema alignment across a multi‑SIEM environmentDefine translation and normalisation pipelines.Ensure detection parity across supported platforms.Govern ingestion mapping and telemetry integrity.Cost Engineering & OptimisationOwn ingestion efficiency model and cost per GB governance.Monitor cost per alert generated.Optimise: Retention tiers (hot/warm/cold), Query performance, Rule execution frequency.Define and track detection efficiency (signal‑to‑noise ratio).Contribute to platform licensing and cost optimisation decisions.Detection Quality Assurance FrameworkEstablish formal Detection QA process including: Peer review prior to deployment, Pre‑production validation environment, False positive regression testing, Simulation‑based testing.Implement detection health scoring system.Track detection decay and stale logic.Maintain detection change traceability.Continuous Service ImprovementEstablish structured SOC‑to‑Engineering feedback loop.Conduct regular analyst review sessions.Track false positive patterns and alert fatigue metrics.Maintain closed‑loop improvement tracking.Continuously improve detection fidelity and SOC effectiveness.Conduct post‑incident detection and control gap analysis.Automation & Response Engineering GovernanceGovern SOAR and response automation across platforms.Define tiered automation model (manual / assisted / autonomous).Establish human‑in‑the‑loop controls for high‑risk actions.Enforce automation regression testing and version control.Monitor automation success and failure rates.Preventative Control Operationalisation & ValidationImplement Security Architect‑approved hardening baselines (CIS‑aligned).Operationalise secure configuration standards across: Endpoints, Identity platforms, Cloud environments, Network security controls.Monitor configuration drift and control degradation.Integrate preventative control telemetry into SIEM and detection pipelines.Validate control effectiveness using detection and incident data.Provide structured feedback to the Security Architect on control performance gaps.Support exposure reduction initiatives through engineering execution.Compliance & Audit Evidence OwnershipMaintain full audit trail for detection changes.Provide evidence for ISO 27001, NIST CSF and regional regulatory audits.Maintain detection version history.Ensure automated response actions are logged and traceable.Maintain control compliance dashboards and operational metrics.Provide ATT&CK coverage documentation to auditors.Engineering Leadership & Capability DevelopmentDefine detection engineering competency framework.Mentor and develop Detection Engineers and SIEM Engineers.Establish certification roadmap (Elastic, Microsoft, Google).Implement technical performance scorecards.Develop succession planning and redundancy controls.Maintain backlog governance and engineering delivery cadence.Technical RequirementsPlatform Expertise (Required)Elastic Security (EQL, index lifecycle, ECS governance)Microsoft Defender XDR & Sentinel (KQL, ASIM)Platfo