A major European public sector organisation runs a central CSIRT that protects operational services and sensitive infrastructure. The team is expanding to improve detection, forensic capability and automation, with a focus on SIEM tuning and Python automation for incident response.
The mission
The CSIRT operates across security operations, threat intelligence and incident response for a large estate of servers, endpoints and mobile applications. The technical landscape includes a SIEM (Splunk Enterprise Security), SOAR and CTI feeds, a pipeline of open-source tooling, and a requirement to meet strict compliance and audit standards.
You will lead a growing team of security engineers and act as the technical owner for detection, triage and forensic analysis. Day-to-day you will design and maintain the CSIRT infrastructure, implement monitoring SLAs and KPIs, author and improve playbooks, and automate repetitive tasks with Python to reduce mean time to detect and mean time to respond.
Your responsibilities
- Lead the technical delivery of the CSIRT platform, ensuring the SIEM, SOAR and CTI integrations reliably surface high-confidence alerts.
- Drive improvements to detection logic and automation, reducing manual triage through Python scripting and open-source tooling.
- Execute and oversee incident response and forensic investigations, producing root-cause analysis and post-incident reports.
- Define, track and report on SLAs and KPIs for the CSIRT, and present operational performance to stakeholders.
- Mentor and coordinate the CSIRT team on priorities, knowledge sharing and on-call rotations.
- Maintain clear technical documentation, runbooks and change-control support for escalations and remediation activities.
Your profile
Essential skills
- Minimum 7 years in security operations or incident response, with hands-on leadership experience.
- Proven capability with SIEM platforms, in particular Splunk Enterprise Security, including detection rule development and tuning.
- Practical experience automating security tasks with Python, including scripting for log parsing and alert enrichment.
- Working knowledge of SOAR, CTI ingestion, open-source security tooling and vulnerability management.
- Strong forensic and malware analysis skills, and experience conducting root-cause analysis and log-based investigations.
- Comfortable designing and reporting against monitoring SLAs and KPIs, and communicating results to technical and non-technical stakeholders.
- Solid Linux administration skills (Enterprise Linux) and familiarity with mobile application security concepts.
Preferred skills
- Certifications such as OSCP, GCIH, GCIA, GNFA or CISSP.
- Familiarity with MITRE ATT&CK and NIST security frameworks, and experience with ITIL/change management processes.
Languages
- Dutch or French, C1.
- English, C1.
Education
- Bachelor's degree in Computer Science, Cyber Security or equivalent practical experience.
Additional requirement: eligible for national, NATO and EU security clearance at SECRET level.