Cyber Defense – Defense Engineering Service Lead

POSITION SUMMARY

Zoetis is seeking a Defense Engineering Service Lead, you will lead hands-on detection engineering and Security Operations Center (SOC) operations to rapidly identify, contain, and resolve security threats for enterprise clients. Your expertise in MITRE ATT&CK, adversary tradecraft, and security technologies (SIEM, EDR, NDR) will drive the creation and tuning of high-quality detections, complex investigations, and proactive threat hunting. You’ll automate response playbooks and integrate tools to build a cohesive defense ecosystem, partnering closely with cross-functional teams to improve signal fidelity, reduce false positives, and accelerate detection and response. In addition, you will mentor analysts, manage client relationships, and ensure programs meet industry frameworks and compliance standards, delivering operational excellence in a fast-paced environment. 

POSITION RESPONSIBILITIES  

Manage Log Ingestion and Data Normalization:  

• Oversee the onboarding and integration of log sources across enterprise environments, ensuring reliable data ingestion, parsing, and enrichment.  

• Maintain adherence to a Common Information Model (CIM) to standardize event fields, promote interoperability among security tools, and maximize detection fidelity and coverage. 

Engineering & Automation: 

• Design, develop, and maintain incident response playbooks, orchestrations, and automation for rapid response and evidence collection. 

• Integrate and script security tools to create an efficient, cohesive, and automated defense ecosystem. 

• Continually optimize detection logic and playbooks based on ongoing threat intelligence and operational feedback. 

Threat Hunting & Readiness:   

• Lead hypothesis-driven threat hunting across endpoints, identity, network, and cloud infrastructure to uncover unknown threats.  

• Conduct continuous detection QA and tuning to enhance signal fidelity, reduce false positives, and improve analyst efficiency.  

• Stay current on evolving threats, leveraging new detection and hunting methodologies as needed. 

Incident Response & Purple Teaming:  

• Serve as a hands-on incident responder, focusing on rapid containment and translating lessons learned into improved detections and processes.  

• Partner with Red Team and IR colleagues on purple team exercises to validate detection coverage and address identified gaps. 

Metrics & Continuous Improvement:  

• Develop, track, and report on detection metrics (coverage, fidelity, alert volumes, MTTA, MTTR) and use data-driven insights to inform backlog and roadmap priorities.  

• Lead post-incident reviews and drive continuous improvement initiatives for the detection and response program. 

Mentorship & Leadership:  

• Mentor, coach, and manage SOC analysts and detection engineers, providing guidance on triage techniques, detection logic, threat hunting, and automation while supporting career growth and development. 

• Lead team performance by setting clear expectations and goals, monitoring outcomes, delivering regular feedback, and conducting performance reviews and improvement plans as needed. 

• Foster a culture of excellence, knowledge sharing, and continuous learning through training, enablement, and cross-functional collaboration. 

Strategic & Client Partnership:  

• Guide clients in building and maturing cyber defense and detection programs aligned with industry frameworks and regulatory requirements (e.g., NIST CSF, ISO 27001, PCI-DSS).  

• Communicate complex technical and operational issues effectively with both technical teams and executive stakeholders. 

EDUCATION AND EXPERIENCE  

Education: 

• Bachelor’s degree in Cybersecurity, Information Technology, Computer Science, or relevant professional experience. 
• 5+ years hands-on experience or equivalent demonstrated proficiency building/maintaining automation using Python and REST APIs in production environments. 
• 8+ years hands-on experience or equivalent depth of expertise in SOC operations, with emphasis on incident response, detection engineering, and security automation. 

• Preferred Certifications 

• GSEC (GIAC Security Essentials)  

• GCIH (GIAC Certified Incident Handler)  

• GCIA (GIAC Certified Intrusion Analyst)  

• GSOC (GIAC Security Operations Certification)  

• GCED (GIAC Cybersecurity Expert Defense) 

CISSP / CISM 

TECHNICAL SKILLS REQUIREMENTS 

• Deep familiarity with MITRE ATT&CK, attacker TTPs, and the ability to translate behaviors into high-fidelity detections, preventive safeguards, and response controls across cloud, endpoint, identity, network, email, OT, and SaaS. 

• Skilled in hypothesis-driven hunting, rapid triage, and end-to-end investigations using telemetry from SIEM/EDR/NDR and cloud-native logs; strong grasp of forensics fundamentals (host, network, and identity). 

• Hands-on experience designing, implementing, and tuning security controls including hardening baselines, logging/telemetry standards, segmentation, access controls, and compensating controls for regulated and hybrid environments. 

• Strong knowledge of security logging pipelines, normalization/enrichment, data quality, and integration patterns to support detection, hunting, and response at scale. 

• Proven ability to standardize and automate repeatable security operations through SOAR, scripting, and workflow design; builds playbooks/runbooks that reduce MTTR and operational toil. 

• Applies advanced analytics to improve detection and response outcomes (signal-to-noise reduction, anomaly detection, prioritization), with emphasis on operationally usable results. 

• Strong working knowledge of modern security platforms such as SIEM, SOAR, EDR, and network/email security controls; experience developing content and integrations within SIEM/SOAR ecosystems. 

• Designs and operationalizes incident response playbooks, escalation paths, and communications; coordinates cross-functional response and delivers executive-ready updates and post-incident improvements. 

• Expertise in securing and administering enterprise platforms (e.g., Windows Server and/or Linux/UNIX), with solid understanding of enterprise architecture patterns and operational constraints. 

• Communicates complex defensive risk clearly to technical and non-technical audiences; influences stakeholders through credibility and professionalism and enables collaborative decision-making. 

• Strong project/program execution skills—manages competing priorities, drives outcomes in fast-paced environments, and contributes hands-on to troubleshooting and implementation. 

• Build and maintain SOPs, playbooks, and automation-first processes; standardize repeatable workflows. 

• Define, measure, and improve SOC KPIs (e.g., detection coverage, alert quality, MTTD/MTTR, containment effectiveness). 

• Own technical delivery and lifecycle management of security infrastructure, tooling, and detection/response capabilities. 

• Develop and mentor teams across skill levels. 

• Partner with risk/strategy and business stakeholders to align defensive engineering priorities to enterprise risk, including regulated industry requirements. 

PHYSICAL POSITION REQUIREMENTS  

• Primarily office-based work involving sitting, computer use, and meetings. 

• Ability to work flexible hours as needed to coordinate with global teams and support response activities. 

• Occasional travel may be required. 

• No unusual physical demands or attendance requirements expected. 

Travel Requirements: 5%-10% 

 

 

Full time

 

 

Regular

 

 

Colleague

 

 

Any unsolicited resumes sent to Zoetis from a third party, such as an Agency recruiter, including unsolicited resumes sent to a Zoetis mailing address, fax machine or email address, directly to Zoetis employees, or to Zoetis resume database will be considered Zoetis property. Zoetis will NOT pay a fee for any placement resulting from the receipt of an unsolicited resume.

Zoetis will consider any candidate for whom an Agency has submitted an unsolicited resume to have been referred by the Agency free of any charges or fees. This includes any Agency that is an approved/engaged vendor but does not have the appropriate approvals to be engaged on a search.

 

 

Notice: Zoetis Recruiters will contact candidates via email from an address ending in @zoetis.com and may also initially connect with candidates through LinkedIn, including LinkedIn InMail. Zoetis does not use Gmail, Outlook, Yahoo, or other web-based/generic email domains to communicate about job opportunities, interviews, or offers of employment. If you receive a recruitment-related email message claiming to be from Zoetis that does not come from @zoetis.com, please treat it as suspicious. For your security, do not reply, click links, open attachments, share personal or financial information, or send money in response to unexpected or questionable recruitment communications.

 

 

Zoetis is committed to equal opportunity in the terms and conditions of employment for all employees and job applicants without regard to race, color, religion, sex, sexual orientation, age, gender identity or gender expression, national origin, disability or veteran status or any other protected classification. Disabled individuals are given an equal opportunity to use our online application system. We offer reasonable accommodations as an alternative if requested by an individual with a disability. Please contact Zoetis Colleague Services at [email protected] to request an accommodation. Zoetis also complies with all applicable national, state and local laws governing nondiscrimination in employment as well as employment eligibility verification requirements of the Immigration and Nationality Act. All applicants must possess or obtain authorization to work in the US for Zoetis. Zoetis retains sole and exclusive discretion to pursue sponsorship for the acquisition or maintenance of nonimmigrant status and employment eligibility, considering factors such as availability of qualified US workers. Individuals requiring sponsorship must disclose this fact. Please note that Zoetis seeks information related to job applications from candidates for jobs in the U.S. solely via the following: (1) our company website at www.Zoetis.com/careers site, or (2) via email to/from addresses using only the Zoetis domain of “@zoetis.com”. In addition, Zoetis does not use Google Hangout for any recruitment related activities. Any solicitation or request for information related to job applications with Zoetis via any other means and/or utilizing email addresses with any other domain should be disregarded. In addition, Zoetis will never ask candidates to make any type of personal financial investment related to gaining employment with Zoetis.