Security Engineer (Cyber Defence)
The Security Engineer in the Cyber Defence team is the senior hands-on defender working alongside the Head of Cyber security.
Location: Open — Dublin, Belgrade, Gibraltar or remote within EU.
Department: Product & Technology — Cyber Security
Reports to: Head of Cyber security
Job type: Full time. On-call rotation.
Role purpose
The Security Engineer in the Cyber Defence team is the senior hands-on defender working alongside the Head of Cyber security. They build, tune and operate the detection and response capability that protects BoyleSports against active threats. They write detections, run hunts, investigate alerts that the MSSP escalates, and stand on the bridge during incidents.
This is an engineering role inside the Cyber function. It is distinct from the Security Engineers in the CCoE, who build platform security capability. This role builds defensive capability — the rules, automations, integrations and tooling that let BoyleSports see and stop attacks.
Key responsibilities
Detection engineering
• Design, write, test and tune detections across Cortex XDR / XSIAM, cloud telemetry (AWS CloudTrail, GuardDuty, EKS audit logs), identity telemetry (Entra ID, on-premises AD), endpoint, network and application logs.
• Treat detections as code. Version-control rules, peer-review changes, write tests, measure coverage against MITRE ATT&CK, and retire detections that no longer earn their keep.
• Own log onboarding and parsing for new sources. Work with platform and application engineering teams to make sure new services produce useful telemetry on day one, not retro-fitted six months later.
Threat hunting and investigation
• Run structured threat hunts against hypotheses derived from threat intelligence, recent incidents and attacker tradecraft relevant to online gambling (account takeover, bonus abuse-adjacent fraud rings, payments-targeted intrusion, ransomware operator TTPs).
• Lead deep-dive investigations on alerts escalated from the Palo Alto MSSP. Determine root cause and full scope before handing back for containment.
• Document findings well enough that the next analyst, six months later, can pick up the trail.
Incident response
• Stand on the bridge during P1 and P2 incidents. Drive containment and eradication actions personally, in concert with platform, infrastructure and product engineering teams.
• Own the technical timeline, the indicators of compromise, the evidence trail and the artefacts needed for regulator notification and post-incident review.
• Deputise for the Head of Cyber security as Incident Commander when required.
Automation and SOAR
• Build and maintain SOAR playbooks. Automate the repetitive parts of triage, enrichment, containment and notification so the team’s attention goes to the parts that need a human.
• Integrate detection and response tooling with the wider stack — ticketing, chat, identity, cloud control planes — using clean, supportable code.
MSSP partnership
• Be the team’s primary technical interface to the Palo Alto managed SOC. Review their detections, challenge their analysis, give feedback that improves quality, and escalate when it doesn’t.
• Run regular detection and response exercises with the MSSP. Make sure playbooks survive contact with reality.
Purple teaming and validation
• Work with offensive security partners to run purple-team exercises. Translate red findings into hardened detections and tested response procedures.
• Use breach-and-attack-simulation tooling to continuously validate detection coverage.
Experience and qualifications
Required
• Demonstrable hands-on experience as a SOC analyst (senior / tier 3), detection engineer, threat hunter or incident responder. Candidates must be able to talk in concrete terms about detections they have written, hunts they have led, and incidents they have worked.
• Strong working knowledge of at least one major SIEM/XDR platform and the query language behind it. Palo Alto Cortex XDR / XSIAM and XQL are ideal. Splunk, Sentinel, Elastic or Chronicle backgrounds are entirely acceptable provided the candidate can clearly cross over.
• Practical experience investigating in AWS — CloudTrail, GuardDuty, VPC flow logs, EKS audit logs, IAM analysis. Comfortable reading JSON event data and reasoning about API-call chains.
• Scripting competence in Python or an equivalent — enough to parse evidence, write SOAR steps, and build small tools without waiting for someone else.
• Solid grounding in MITRE ATT&CK, the diamond model and a structured approach to investigation. Able to write a clear incident timeline.
• Calm under pressure. Comfortable on a bridge call at 03:00.
Strongly preferred
• Experience in online gambling, payments, financial services or another high-volume consumer environment with active fraud and account takeover pressure.
• Exposure to retail or distributed-endpoint estates (point-of-sale-like devices, SD-WAN, Intune-managed fleets).
• Experience working with or inside an outsourced SOC arrangement.
Certifications and education
• Practitioner certifications such as GCIA, GCIH, GCFA, GNFA, BTL1 or equivalent are valued. Vendor certifications in the relevant detection stack are a plus.
• A relevant degree is welcome but not required.
Department: Technology
Role: Cyber Security Engineer
Locations: BoyleSports HQ, Dundalk
Remote status: Hybrid
Employment type: Full-time
Employment level: Professionals