The Security & Detection Engineering Manager is responsible for owning and leading the detection engineering and security platform strategy across a multi-SIEM, multi-tenant MSSP environment.
  This role governs detection architecture, ATT&CK coverage, platform interoperability, multi-tenant isolation, cost engineering, quality assurance and automation governance across a hybrid tooling environment.
  1. Detection Strategy & Architecture  Define and maintain a 12–24 month Detection Engineering Roadmap.
  Own adversary-aligned detection strategy mapped to MITRE ATT&CK.
  Establish detection maturity targets per platform and service tier.
  Maintain a centralised detection content abstraction model (e.
g., Sigma/internal DSL).
  Govern detection lifecycle: design → validation → deployment → tuning → retirement.
  Prevent detection sprawl and duplication across platforms.
  2. MITRE ATT&CK Coverage Governance  Maintain formal ATT&CK coverage matrix.
  Track and report coverage percentage by tactic and technique.
  Conduct quarterly coverage gap analysis.
  Validate detection coverage through simulation and adversary emulation exercises.
  Produce ATT&CK coverage reporting for executive leadership and audit functions.
  3. Multi-Tenant Detection Governance  Define detection inheritance and baseline models across tenants.
  Govern tenant-level tuning while preserving engineering consistency.
  Enforce strict cross-tenant rule isolation and data scoping controls.
  Maintain metadata-only forwarding controls where required for sovereignty models.
  Prevent cross-tenant configuration contamination.
  Maintain version control and tenant-level detection lineage.
  4. Platform Interoperability & Schema Governance  Own cross-platform detection portability strategy.
  Govern schema alignment across a multi-SIEM environment  Define translation and normalisation pipelines.
  Ensure detection parity across supported platforms.
  Govern ingestion mapping and telemetry integrity.
  5. Cost Engineering & Optimisation  Own ingestion efficiency model and cost per GB governance.
  Monitor cost per alert generated.
  Optimise:  Retention tiers (hot/warm/cold)  Query performance  Rule execution frequency  Define and track detection efficiency (signal-to-noise ratio).
  Contribute to platform licensing and cost optimisation decisions.
  6. Detection Quality Assurance Framework  Establish formal Detection QA process including:  Peer review prior to deployment  Pre-production validation environment  False positive regression testing  Simulation-based testing  Implement detection health scoring system.
  Track detection decay and stale logic.
  Maintain detection change traceability.
  7. Continuous Service Improvement  Establish structured SOC-to-Engineering feedback loop.
  Conduct regular analyst review sessions.
  Track false positive patterns and alert fatigue metrics.
  Maintain closed-loop improvement tracking.
  Continuously improve detection fidelity and SOC effectiveness.
  Conduct post-incident detection and control gap analysis.
  8. Automation & Response Engineering Governance  Govern SOAR and response automation across platforms.
  Define tiered automation model (manual / assisted / autonomous).
  Establish human-in-the-loop controls for high-risk actions.
  Enforce automation regression testing and version control.
  Monitor automation success and failure rates.
  9. Preventative Control Operationalisation & Validation  Implement Security Architect–approved hardening baselines (CIS-aligned).
  Operationalise secure configuration standards across:  Endpoints  Identity platforms  Cloud environments  Network security controls  Monitor configuration drift and control degradation.
  Integrate preventative control telemetry into SIEM and detection pipelines.
  Validate control effectiveness using detection and incident data.
  Provide structured feedback to the Security Architect on control performance gaps.
  Support exposure reduction initiatives through engineering execution.
  10. Compliance & Audit Evidence Ownership  Maintain full audit trail for detection changes.
  Provide evidence for ISO 27001, NIST CSF and regional regulatory audits.
  Maintain detection version history.
  Ensure automated response actions are logged and traceable.
  Maintain control compliance dashboards and operational metrics.
  Provide ATT&CK coverage documentation to auditors.
  11. Engineering Leadership & Capability Development  Define detection engineering competency framework.
  Mentor and develop Detection Engineers and SIEM Engineers.
  Establish certification roadmap (Elastic, Microsoft, Google).
  Implement technical performance scorecards.
  Develop succession planning and redundancy controls.
  Maintain backlog governance and engineering delivery cadence.
  Technical Requirements  Platform Expertise (Required)  Elastic Security (EQL, index lifecycle, ECS governance)  Microsoft Defender XDR & Sentinel (KQL, ASIM)  Platform Expertise (Desired)  Google SecOps (UDM schema, detection engineering)  BindPlane (log routing and telemetry aggregation architecture)  Detection Engineering  Behaviour-based detection design  Correlation engineering  Sigma rule governance  Detection-as-code practices  ATT&CK mapping and coverage measurement  Automation & Engineering  SOAR workflow design  Python / PowerShell scripting  CI/CD for detection content  API integrations (REST/JSON)  Infrastructure-as-Code fundamentals  Preventative Control Engineering  Implement and operationalise architect-approved hardening baselines (CIS-aligned) across endpoints, identity, cloud and network environments.
  Monitor configuration drift and validate control effectiveness using telemetry integrated into SIEM platforms.
  Enforce tenant-level configuration isolation and prevent cross-tenant control contamination in multi-tenant environments.
  Translate architectural security controls into enforceable technical configurations and measurable compliance outcomes.
  Maintain automated control validation, regression testing and compliance-ready reporting for regulatory and audit purposes.
  Data & Schema Governance  Log normalisation and parsing  Schema conformity validation  Ingestion health monitoring  Data completeness validation  Experience Requirements  7+ years in security engineering or detection engineering  2+ years in technical leadership or management  Experience in MSSP or multi-tenant SOC environments  Proven experience with at least two of:  Elastic  Microsoft Security Suite  Google SecOps  Experience implementing ingestion frameworks (BindPlane or equivalent/ Native Collectors)  Key Performance Indicators   Detection Effectiveness  ATT&CK coverage percentage  Detection fidelity score  False positive rate  Missed detection rate  Detection decay rate  Operational Performance  Mean Time to Detect (MTTD)  Mean Time to Respond (MTTR)  Detection deployment lead time  Detection retirement cycle time  Cost & Efficiency  Cost per GB ingested  Cost per alert generated  Query efficiency score  Storage optimisation ratio  Quality & Governance  Detection QA pass rate  Automation success rate  Automation failure rate  Schema conformity percentage  Ingestion failure rate  Engineering Leadership  Backlog delivery velocity  Certification completion rate  Cross-platform detection parity percentage