Director, Ransomware Detect & Respond Job Halcyon

Halcyon is seeking an experienced Director, Ransomware Detect & Respond (RDR) to build, lead, and manage our 24/7/365 Security Operations Center. You will own all aspects of continuous monitoring of our anti-ransomware platform, ensuring real-time visibility into ransomware threats and guiding customers through detection and mitigation. This role requires a strategic thinker who can establish scalable processes, build a high-performing team of SOC analysts, and collaborate closely with product, engineering, and support functions to keep customers safe.

SOC Strategy & Operations

  • Architect and implement a world-class, round-the-clock operations center focused exclusively on ransomware monitoring, detection, and customer support.
  • Develop and maintain standard operating procedures (SOPs), runbooks, and escalation playbooks that ensure consistent, high-quality triage of alerts and customer engagements.
  • Define and track key performance indicators (SLAs, MTTR, detection coverage, alert accuracy) to measure SOC effectiveness and drive continuous improvement.

Team Leadership & Development

  • Recruit, mentor, and manage a team of SOC analysts—creating clear career paths, training programs, and certification goals.
  • Foster a culture of accountability, collaboration, and continuous learning within the RDR team, ensuring analysts understand evolving ransomware tactics and our product’s telemetry.
  • Conduct regular exercises (e.g., tabletop drills, alert-handling simulations) to validate readiness and refine processes.

Detection Engineering Coordination

  • Partner with RISE (Research, Intelligence, Services, Engineering) to ensure that the latest threat intelligence and telemetry are integrated into our monitoring platform.
  • Work closely with Product and Engineering to validate that endpoint, cloud, and network telemetry feed into the SOC’s analytics system and that alert thresholds are appropriately tuned.
  • Collaborate with domain experts to translate new ransomware trends into actionable alert rules and automated workflows.

Customer Monitoring & Support

  • Oversee real-time monitoring of customer environments—identifying suspicious activity and guiding customers through initial investigation steps.
  • Serve as the primary escalation point for high-severity customer alerts: coordinate with Support, Engineering, and RISE to advise on containment, remediation, and recovery actions.
  • Maintain a customer-facing incident log that captures timelines, root-cause analyses, and lessons learned—feeding insights back to Product for feature improvements.

Risk Management & Compliance

  • Ensure SOC processes align with relevant security frameworks (NIST CSF, ISO 27001) and support customer compliance needs.
  • Coordinate periodic reviews of detection controls (e.g., tuning alert thresholds, reviewing false-positive/false-negative rates) to maintain optimal coverage.
  • Manage relationships with external vendors for threat intelligence feeds, monitoring tools, and log aggregation services.

Skills and Qualifications:

  • 8+ years of hands-on experience in SOC leadership, security monitoring, or managed detection operations—ideally within a cybersecurity product organization.
  • Demonstrated track record of building and scaling a 24/7/365 SOC, including staffing, process design, and performance measurement.
  • Deep understanding of ransomware threat actor TTPs, attack chains, and typical enterprise telemetry (endpoint, network, cloud).
  • Proven ability to translate threat intelligence into effective monitoring rules, dashboards, and alerting strategies.
  • Strong leadership and people-management skills: coaching analysts, driving accountability, and fostering collaboration under pressure.
  • Excellent written and verbal communication skills—able to convey technical findings and operational metrics to executives, product teams, and customers.
  • High emotional intelligence, with a calm, decisive demeanor during high-stress situations.
  • Proficiency with SIEM/analytics platforms (e.g., Splunk, Elastic, QRadar), log aggregation tools, and incident-tracking systems.
  • Bachelor’s degree in Computer Science, Information Security, or a related field (or equivalent experience).

Bonus Skills and Qualifications:

  • Prior experience working in or leading a SOC at a security-focused product company.
  • Certifications such as CISSP, GCIH, or equivalent GIAC credentials.
  • Familiarity with SOAR or automation platforms to streamline alert handling and triage workflows.
  • Hands-on understanding of cloud security monitoring (AWS CloudWatch, Azure Sentinel, GCP Security Command Center).
  • Demonstrated success developing and presenting SOC performance reports and post-incident analyses to leadership or customers.