Security Engineer (SIEM)

Temporary | 60000 - 80000 € / year (est.) | Home office (partial)

At a Glance

  • Tasks: Design and implement security monitoring for a cutting-edge cloud platform.
  • Company: Join a mission-driven team focused on secure digital solutions.
  • Benefits: Competitive pay, hybrid work model, and opportunities for professional growth.
  • Other info: Work in a dynamic environment with strong career advancement potential.
  • Why this job: Make a real impact in securing critical public sector services.
  • Qualifications: Experience in security engineering and SIEM solutions required.

The predicted salary is between 60000 - 80000 € per year.

Duration: 12+ Months

Start Date: ASAP

Clearance: Active SC-Clearance and willing to go through DV

This role is delivered within secure environments. Candidates must have an active Security Clearance (SC) and be willing to undergo Developed Vetting (DV).

Join the Mission: We design and deliver secure-by-default digital platforms for high-assurance environments. We're currently building a new secure cloud platform based on Google Distributed Cloud (GDC) and are looking for a Security Engineer (SIEM) to lead the design and implementation of security monitoring and observability capabilities. This role offers the opportunity to build a SIEM capability from the ground up, influence security architecture decisions, and directly support SOC operations protecting critical public sector services.

About the Opportunity: As a Security Engineer (SIEM), you'll be responsible for building and enhancing security monitoring and detection capabilities across complex environments. You will design and maintain SIEM use cases, onboard and normalise data sources, and continuously tune detections to improve threat visibility and response. Working closely with incident response and platform teams, you'll turn security data into actionable insight: strengthening detection coverage, reducing noise, and advancing overall security maturity.

Role Purpose: As a Security Engineer, you will be responsible for designing, building, and operating the Security Information and Event Management (SIEM) and security observability stack for a new GDC-based platform. You will:

  • Define how security logs, metrics, alerts, and telemetry are collected, processed, retained, and visualised.
  • Establish a cloud-native SIEM tool and monitoring capability.
  • Integrate cloud-native monitoring with existing on-premise SOC tooling.
  • Enable SOC analysts by providing reliable, actionable security insights.
  • Work closely with cloud engineers, security architects, SOC teams, and external vendors to ensure the solution meets security, operational, and compliance requirements.

What You'll Be Doing:

  • Work with security and solution architects to design the end-to-end SIEM architecture for a secure Google Distributed Cloud (GDC) environment.
  • Define log, event, and telemetry standards across platform, infrastructure, Kubernetes, and application layers.
  • Decide which data sources are monitored locally versus forwarded to an existing on-prem SIEM.

SIEM Implementation & Integration:

  • Deploy Elastic SIEM using standard or shared Kubernetes clusters where appropriate.
  • Configure secure log forwarding from GDC components to an on-prem SIEM over dedicated, encrypted network links.
  • Integrate cloud audit logs, Kubernetes logs, workload logs, and security tooling into Elastic and on-prem platforms.

Detection Engineering & SOC Enablement:

  • Implement detection-as-code, version controlled and automated through CI/CD pipelines.
  • Create and tune detection rules, alerts, and dashboards for SOC analysts.
  • Align detections with threat intelligence and playbooks (e.g., Mandiant-aligned SOC workflows).

Observability & Troubleshooting:

  • Support monitoring of logs, metrics, and security signals to aid both security response and operational debugging.
  • Enable Platform Admins and Application Operators to self-serve diagnostics while maintaining security boundaries.

Documentation & Guidance:

  • Produce clear guidance for:
    • Platform Administrators configuring SIEM integrations
    • Application teams onboarding workloads and logs
    • SOC analysts using dashboards, alerts, and queries
  • Contribute to runbooks, operational procedures, and incident response documentation.

Security & Compliance:

  • Ensure logging and monitoring meet UK Government and high-assurance security requirements.
  • Support audits, assurance activities, and continuous improvement of the monitoring posture.

What You'll Bring:

  • Strong experience as a Security Engineer, Detection Engineer, or SIEM Engineer.
  • Hands-on experience designing or operating SIEM solutions in cloud or hybrid environments.
  • Practical knowledge of Elastic SIEM / Elastic Stack, including:
    • Indexing and ingest pipelines
    • Detection rules and alerts
    • Dashboards and visualisations
  • Experience working with Kubernetes environments and their logging/monitoring patterns.
  • Familiarity with secure log forwarding, encryption, and network-restricted environments.
  • Ability to work closely with SOC teams and translate security requirements into technical implementations.
  • Experience with Google Cloud Platform (GCP) or Google Distributed Cloud (GDC).
  • Understanding of cloud audit logs, identity logs, and platform-level telemetry.
  • Experience deploying tools through cloud marketplaces or CI/CD pipelines.

Ways of Working:

  • Comfortable working in high-assurance, regulated environments.
  • Strong documentation and communication skills.
  • Able to work independently and take ownership of complex security integrations.

Bonus Points For:

  • Existing UK Government Security Clearance (SC or above)
  • Hands-on experience with Elastic Cloud on Kubernetes (ECK)
  • Experience implementing detections as code using Git, CI/CD, and infrastructure-as-code
  • Knowledge of threat frameworks
  • Familiarity with UK Government security standards and assurance processes

Clearance Requirements: This role requires either an existing SC clearance or SC to be passed before commencement, with a willingness to undergo DV.

Work Pattern & Contract Type: Hybrid working (on-site presence required when needed; typically ~3 days per week). Contract: Temporary / Fixed-term contract.

Security Engineer (SIEM) employer: IO Associates

Join a forward-thinking organisation that prioritises security and innovation in high-assurance environments. As a Security Engineer (SIEM), you'll benefit from a collaborative work culture that encourages professional growth and offers the chance to shape cutting-edge security solutions. With hybrid working arrangements and a commitment to employee development, this role provides a unique opportunity to make a meaningful impact while advancing your career in a secure and supportive setting.

Contact Detail:

IO Associates Recruiting Team

StudySmarter Expert Advice🤫

We think this is how you could land Security Engineer (SIEM)

Tip Number 1

Network, network, network! Get out there and connect with people in the industry. Attend meetups, webinars, or even just chat with folks on LinkedIn. You never know who might have a lead on that perfect Security Engineer role.

Tip Number 2

Show off your skills! Create a portfolio or GitHub repository showcasing your SIEM projects or any relevant work. This gives potential employers a tangible look at what you can do and sets you apart from the crowd.

Tip Number 3

Prepare for interviews like a pro. Research common questions for Security Engineers and practice your responses. Be ready to discuss your experience with Elastic SIEM and how you've tackled challenges in previous roles.

Tip Number 4

Don’t forget to apply through our website! We’re always on the lookout for talented individuals like you. Plus, it’s a great way to ensure your application gets seen by the right people.

We think you need these skills to ace Security Engineer (SIEM)

Security Clearance (SC)
Developed Vetting (DV)
SIEM Design and Implementation
Elastic SIEM / Elastic Stack
Kubernetes Logging and Monitoring
Cloud-native SIEM Tools
Detection Engineering

Some tips for your application 🫡

Tailor Your CV: Make sure your CV is tailored to the Security Engineer (SIEM) role. Highlight your experience with SIEM solutions, cloud environments, and any relevant security certifications. We want to see how your skills align with our mission!

Showcase Your Projects: If you've worked on any projects related to security monitoring or detection capabilities, be sure to include them! We love seeing practical examples of your work, especially if they relate to building SIEM capabilities or integrating security tools.

Be Clear and Concise: When writing your application, keep it clear and concise. Use bullet points where possible to make it easy for us to read through your experience and skills. Remember, we’re looking for specific qualifications that match the job description!

Apply Through Our Website: Don’t forget to apply through our website! It’s the best way for us to receive your application and ensures you’re considered for the role. Plus, it gives you a chance to explore more about what we do at StudySmarter!

How to prepare for a job interview at IO Associates

Know Your SIEM Inside Out

Make sure you’re well-versed in the specifics of SIEM solutions, especially Elastic SIEM. Brush up on your knowledge of indexing, ingest pipelines, and detection rules. Being able to discuss these topics confidently will show that you’re ready to hit the ground running.

Demonstrate Your Cloud Savvy

Since this role involves working with Google Distributed Cloud, it’s crucial to highlight your experience with cloud environments. Be prepared to discuss how you've integrated security monitoring in cloud settings and any challenges you’ve faced along the way.

Showcase Your Collaboration Skills

This position requires close work with SOC teams and other stakeholders. Share examples of how you’ve successfully collaborated in past roles, particularly in translating security requirements into technical implementations. This will demonstrate your ability to work effectively in a team.

Prepare for Scenario-Based Questions

Expect questions that ask how you would handle specific security incidents or design challenges. Think through potential scenarios related to SIEM implementation and detection engineering, and be ready to articulate your thought process and decision-making.