Security Engineer, Operations / Incident Response
Job Description
Ondo Finance is building institutional-grade financial infrastructure for tokenized real-world assets, operating at the intersection of traditional finance and on-chain systems.
This is a hands-on Senior Security Engineer — Operations / Incident Response role, responsible for owning the day-to-day defense of Ondo. You will serve as technical lead for the SIEM, EDR, email security, and SOAR stack — writing detections, tuning them, running incidents, building automations, and deciding what tooling stays, gets replaced, or retired. Partnering closely with IT, Infrastructure, Product Security, and the Security Incident Response Team (SIRT), you will mature how Ondo detects and responds to threats across SaaS, endpoints, cloud, and identity.
Responsibilities
- Own the detection engineering lifecycle in a SIEM (Splunk, Panther, or equivalent) — write detections, tune for noise, version in code, and measure performance.
- Manage EDR (CrowdStrike, SentinelOne) deployment, policy tuning, exclusions hygiene, and response playbooks across macOS and Linux fleets.
- Own the email security stack: tune detections, investigate phishing, run takedowns, and drive user reporting workflows.
- Build and operate SOAR/response automation to eliminate repetitive analyst work.
- Lead incident response: triage, contain, eradicate, recover, and write post-mortems; run tabletop exercises with engineering and exec stakeholders.
- Build and maintain the on-call rotation, runbooks, and severity definitions for the SIRT.
- Build AI-native SecOps workflows including LLM-assisted triage, alert summarization, and analyst copilots, with appropriate guardrails.
- Define detection coverage for AI-driven attacks (deepfake, AI phishing, prompt injection in shared tooling) and monitor internal AI usage.
What we are looking for
- 3–5+ years in security operations, detection engineering, or incident response as a senior IC at a fast-moving company.
- Deep, hands-on experience with at least one SIEM (Splunk, Panther, Elastic, Sentinel, Chronicle).
- Production experience with EDR tuning and IR (CrowdStrike, SentinelOne, Defender, or equivalent).
- Working knowledge of email security tooling and modern phishing TTPs (BEC, OAuth consent phishing, vendor impersonation, callback phishing).
- SOAR/automation experience and strong scripting skills in Python; treats detections as code in Git.
- Working fluency with cloud security telemetry in AWS, GCP, or Azure.
- Practical experience integrating AI/LLMs into security workflows, or a track record of rigorously evaluating and shipping new tooling into production.
Ondo Finance
Location: Remote (US)
Ondo Finance is a decentralized finance protocol focused on tokenized real-world assets (RWAs), particularly institutional-grade financial products. Its flagship product, OUSG, brings US Treasury exposure on-chain, making yield-bearing assets accessible to DeFi users globally. Ondo works at the intersection of traditional finance and blockchain infrastructure.