Security & Detection Engineering Manager

Overview

1. Detection Strategy & Architecture

• Define and maintain a 12 24 month Detection Engineering Roadmap.
• Own adversary-aligned detection strategy mapped to MITRE ATT&CK.
• Establish detection maturity targets per platform and service tier.
• Maintain a centralised detection content abstraction model (e.g., Sigma/internal DSL).
• Govern detection lifecycle: design validation deployment tuning retirement.
• Prevent detection sprawl and duplication across platforms.

2. MITRE ATT&CK Coverage Governance

• Maintain formal ATT&CK coverage matrix.
• Track and report coverage percentage by tactic and technique.
• Conduct quarterly coverage gap analysis.
• Validate detection coverage through simulation and adversary emulation exercises.
• Produce ATT&CK coverage reporting for executive leadership and audit functions.

3. Multi-Tenant Detection Governance

• Define detection inheritance and baseline models across tenants.
• Govern tenant-level tuning while preserving engineering consistency.
• Enforce strict cross-tenant rule isolation and data scoping controls.
• Maintain metadata-only forwarding controls where required for sovereignty models.
• Prevent cross-tenant configuration contamination.
• Maintain version control and tenant-level detection lineage.

4. Platform Interoperability & Schema Governance

• Own cross-platform detection portability strategy.
• Govern schema alignment across a multi-SIEM environment
• Define translation and normalisation pipelines.
• Ensure detection parity across supported platforms.
• Govern ingestion mapping and telemetry integrity.

5. Cost Engineering & Optimisation

• Own ingestion efficiency model and cost per GB governance.
• Monitor cost per alert generated.
• Optimise:
• Retention tiers (hot/warm/cold)
• Query performance
• Rule execution frequency
• Define and track detection efficiency (signal-to-noise ratio).
• Contribute to platform licensing and cost optimisation decisions.

6. Detection Quality Assurance Framework

• Establish formal Detection QA process including:
• Peer review prior to deployment
• Pre-production validation environment
• False positive regression testing
• Simulation-based testing
• Implement detection health scoring system.
• Track detection decay and stale logic.
• Maintain detection change traceability.

7. Continuous Service Improvement

• Establish structured SOC-to-Engineering feedback loop.
• Conduct regular analyst review sessions.
• Track false positive patterns and alert fatigue metrics.
• Maintain closed-loop improvement tracking.
• Continuously improve detection fidelity and SOC effectiveness.
• Conduct post-incident detection and control gap analysis.

8. Automation & Response Engineering Governance

• Govern SOAR and response automation across platforms.
• Define tiered automation model (manual / assisted / autonomous).
• Establish human-in-the-loop controls for high-risk actions.
• Enforce automation regression testing and version control.
• Monitor automation success and failure rates.

9. Preventative Control Operationalisation & Validation

• Implement Security Architect approved hardening baselines (CIS-aligned).
• Operationalise secure configuration standards across:
• Endpoints
• Identity platforms
• Cloud environments
• Network security controls
• Monitor configuration drift and control degradation.
• Integrate preventative control telemetry into SIEM and detection pipelines.
• Validate control effectiveness using detection and incident data.
• Provide structured feedback to the Security Architect on control performance gaps.
• Support exposure reduction initiatives through engineering execution.

10. Compliance & Audit Evidence Ownership

• Maintain full audit trail for detection changes.
• Provide evidence for ISO 27001, NIST CSF and regional regulatory audits.
• Maintain detection version history.
• Ensure automated response actions are logged and traceable.
• Maintain control compliance dashboards and operational metrics.
• Provide ATT&CK coverage documentation to auditors.

11. Engineering Leadership & Capability Development

• Define detection engineering competency framework.
• Mentor and develop Detection Engineers and SIEM Engineers.
• Establish certification roadmap (Elastic, Microsoft, Google).
• Implement technical performance scorecards.
• Develop succession planning and redundancy controls.
• Maintain backlog governance and engineering delivery cadence.

Platform Expertise (Required)

• Elastic Security (EQL, index lifecycle, ECS governance)
• Microsoft Defender XDR & Sentinel (KQL, ASIM)

Platform Expertise (Desired)

• Google SecOps (UDM schema, detection engineering)
• BindPlane (log routing and telemetry aggregation architecture)

Detection Engineering

• Behaviour-based detection design
• Correlation engineering
• Sigma rule governance
• Detection-as-code practices
• ATT&CK mapping and coverage measurement