← All verified jobs

Security Operations Lead (SecOps)

Sword Health PortoRemote

See all open roles at Sword Health

Ghost-risk verdict

Likely real

  • open for 61 days (60–89 days is elevated risk)
  • 54 open roles at this company in 30 days (mass-hiring blitz)

How we score ghost risk →

See your fit for this role and apply with a truthfully tailored résumé.

See my fit, free

About the role

AI Proficiency at Sword Health

AI fluency is a core expectation at Sword Health. Every candidate is assessed against our three-level framework — be ready to share real examples of how AI is already part of how you work.

Explorer (Level 1) — Uses AI daily to boost personal productivity

Builder (Level 2) — Creates workflows and tools that elevate the whole team

Integrator (Level 3) — Embeds AI into products and processes at scale

Every hire must demonstrate at least Level 1. The expected level will vary depending on the seniority of the role.

What you’ll be doing

Set the strategy and technical direction for Sword’s Security Operations Center — defining the operating model, SIEM and detection architecture, incident response capability, and the roadmap to scale them as the company grows.

Drive an AI- and automation-first transformation of security operations: design SOAR playbooks, agentic and LLM-assisted triage workflows, and ML-driven detection to reduce MTTD/MTTR, expand coverage, and let a lean team operate at enterprise scale.

Lead the SOC/CSIRT team technically — mentoring detection and response engineers, raising the bar on investigations, running on-call and escalation models, and acting as commander for major incidents.

Own the SIEM end-to-end (architecture, data sources, normalization, retention, cost, and tuning) and evolve detection-as-code content aligned to MITRE ATT&CK and Sword’s threat model.

Lead high-severity incident response from detection through containment, eradication, recovery, and post-incident review, partnering with engineering, IT, legal, and executive stakeholders during critical events.

Run the threat intelligence and threat hunting programs, converting emerging TTPs into new detections, proactive hardening, and informed risk decisions.

Define and report on SOC performance — MTTD, MTTR, coverage, automation rate, false-positive rate, on-call health — and use those metrics to drive measurable, continuous improvement.

Influence security architecture and engineering decisions across the company, ensuring detection, response, and recovery are built into new products, platforms, and infrastructure from day one.

Establish and continuously improve incident response playbooks, runbooks, and tabletop exercises to ensure organizational readiness.

What you need to have

Bachelor’s degree in Computer Science, Cybersecurity, or equivalent professional experience.

Proven experience scaling a SOC through automation and AI — SOAR, hyperautomation, LLM-assisted triage, agentic workflows, or ML-driven detection — with measurable impact on MTTR, coverage, or analyst leverage.

Hands-on experience structuring a SOC, either building one from the ground up or maturing one through significant transformation — SIEM selection, implementation or migration, detection engineering practice, runbook libraries, on-call rotations, and operating metrics.

Deep SIEM expertise (Splunk, Sentinel, Chronicle, Elastic, or similar) — ingestion architecture, detection-as-code, query optimization, and coverage-versus-cost tradeoffs.

Prior experience as the technical lead of a SOC or CSIRT team — owning the full incident response lifecycle, mentoring analysts and engineers, and acting as on-call/incident commander during major incidents.

Strong incident response track record — leading high-severity investigations, root cause analysis, digital forensics, and post-incident reviews that produced durable improvements.

Solid experience in cloud environments (AWS and/or GCP), with strong understanding of cloud-native threats and controls.

Strong scripting and development skills (Python, Go, Bash, or similar) for building automation, integrations, and internal tooling.

Working knowledge of EDR/XDR, identity, and network detection telemetry, and how to combine signals into high-fidelity detections.

Fluency with security frameworks and standards (NIST 800-61, CIS Controls, MITRE ATT&CK, ISO 27001) and the judgment to apply them pragmatically.

Background in threat modeling, adversary emulation, and risk-based alert tuning.

Excellent communicator — able to brief executives during a Sev1, write a clear post-mortem, and translate technical risk into business language for non-technical audiences.

Proven track record of leading cross-functional efforts in high-pressure situations and fostering collaboration across InfoSec, IT, and engineering.

Forensics experience, investigating incidents and preserving digital evidence.

Stop applying to ghosts.

OyaPilot surfaces only verified, real jobs, scores your fit, and tailors your application truthfully.