Role based in Barcelona - 3 days onsite office / 2 days at home

This role operates as the primary technical escalation point for all cyber threats identified by our Security Operations Center (SOC) and is responsible for validating, investigating, and directing responses to escalated security incidents. This role provides a unique blend of technical detection engineering with threat-informed cyber defense strategy ownership.

This position is ideal for technically skilled cybersecurity professionals who thrive in fast paced global organizations and enjoy solving complex operational challenges with innovative approaches. In addition to supporting the Cyber Defense pillar, this role will have daily exposure across our entire cybersecurity function and working collaboratively to secure Evinova´s Digital Health Suite.

This position will report directly to the Evinova Head of Cybersecurity with a dotted line to the Head of Cybersecurity Engineering and will have several peers to collaborate with; ensuring adequate leadership visibility and cross-functional exposure across adjacent cyber domains. If you are a cyber defense pro looking to gain cyber leadership experience, this is the perfect role for you.

Due to the business critical nature of this role, there may be times where after-hours support is needed to address cybersecurity incidents. Evinova cybersecurity is a globally distributed team with team members located in both the United States and Spain.

Key Responsibilities:

SIEM Platform Management (Splunk Focus)

- Oversee the work of our outsourced service provider who provides SIEM maintenance support

- Provide architectural and operational ownership of Splunk ES as the enterprise detection platform

- Design data ingestion strategies covering cloud telemetry, identities, SaaS services, and system audit logs

- Engineer compliant data models to normalize security telemetry and enable scalable detection use case development

- Build operational dashboards supporting SOC monitoring, incident tracking, regulatory reporting, and executive cyber risk metrics

- Optimize search performance, indexing strategies, and storage utilization to balance detection depth with cost efficiency

- Integrate third-party and native security tooling into Splunk via APIs, forwarders, and data pipeline engineering

Cloud Detection and Response Architectures (AWS-focused)

- Provide cyber defense telemetry requirements into security architecture reviews for new platforms, applications, and cloud services

- Engineer and operationalize detections leveraging native AWS telemetry sources such as Cloud Trail, Guard Duty, Security Lake, VPC Flow Logs, Cloud Watch, EKS Logs, and others

- Develop detection use cases for IAM privilege escalation, federated identity abuse, cross-account compromise, API misuse, and serverless exploitation

- Monitor containerized and Kubernetes workloads for runtime threats, suspicious process execution, and anomalous network communication patterns

- Partner with Cloud Security peers to define cloud logging standards, retention requirements, and forensic readiness controls

Detection Engineering and Threat Analytics

- Architect, engineer, and operationalize advanced threat detections within Splunk Enterprise Security, including correlation searches, risk-based alerting frameworks, behavioral detections, and anomaly signals aligned to cloud computing threat scenarios

- Design detection logic mapped to the MITRE ATT&CK techniques, cloud threat kill chains, and identity compromise attack paths to ensure comprehensive adversary coverage

- Build security telemetry correlation across cloud control planes, SaaS platforms, and identity providers such as Microsoft EntraID to detect multi-stage intrusion attempts

- Collaborate with our outsourced SOC to continuously tune log sources / detection content to reduce false positives, eliminate alert fatigue, and improve "signal-to-noise" ratios within the SOC escalation pipelines

- Utilize threat intelligence feeds to translate emerging adversary Tactics, Techniques, and Procedures (TTPs) into actionable detection use cases and SIEM content updates

- Establish detection lifecycle governance including use case design documentation, testing validation, and performance monitoring

- Develop "detection-as-code" pipelines leveraging version control and CI/CD processes to ensure repeatable and auditable deployment of correlation logic

Threat Detection, Analysis, and Response

- Serve as the Tier 2 / Tier 3 escalation path for all relevant security alerts and suspicious activity escalated by our SOC

- Conduct deep technical investigations spanning SIEM telemetry, adjacent platforms, cloud logs, identity activity, audit trails, and other forensic artifacts

- Perform threat actor behavior analysis to determine initial access vectors, persistence mechanisms, privilege escalation paths, and lateral movement patterns

- Lead threat hunting initiatives leveraging hypothesis-driven and intelligence-driven methodologies to proactively identify hidden threats

- Function as a Technical Lead / Incident Responder for confirmed cybersecurity incidents and directing containment actions that are proportionate with the incident severity

- Coordinate cross-functional response activities across Product Engineering / Platform Operations and Cybersecurity stakeholders

- Maintain the Cybersecurity Incident Response Playbooks and developing new playbooks for emerging incident types / technologies

- Produce formal investigation reports documenting incident timelines, impacted assets, regulatory exposure risk, and remediation recommendations

- Provide incident briefings summarizing incident severity, business impact, and containment posture to the Head of Cybersecurity, Head of Cybersecurity Engineering, and other relevant leadership stakeholders (including the Evinova Chief Technology Officer)

- Collaborate with Cybersecurity Assurance to document incident root causes, specifically focusing on control failures, detection gaps, and posture improvement actions

- Lead cyber crisis simulations and tabletop exercises with adjacent teams in Product Engineering and Platform Operations to ensure operational readiness

HIGHLIGHT THE SKILLS AND CAPABILITIES NEEDED

Minimum Qualifications:

- University degree in Cybersecurity, Information Security, Computer Science, Information Systems, or a related technical discipline.

- 6-8+ years of progressive experience in Cybersecurity Operations, Detection Engineering, Cybersecurity Incident Response, or Threat Intelligence functions within global enterprises

- Demonstrated hands-on engineering and operational experience administering and developing detection use cases in Splunk Enterprise Security, including correlation searchers, notable event frameworks, risk-based alerting, and data model utilization

- Hands on security monitoring and threat detection experience across Amazon Web Services (AWS) environments

- Operational familiarity with cloud native attack vectors including IAM privilege escalation, credential misuse, token compromise, API abuse, and cross-account persistence mechanisms

- Familiarity with SOAR platforms and automation engineering supporting incident response orchestration and alert enrichment

- Demonstrated experience leading or coordinating incident response activities, including containment execution, stakeholder coordination, forensic triage, and post-incident lessons learned

- Proficiency in SIEM query languages (e.g., SPL, KQL) and log analysis methodologies across various log sources

- Working knowledge of the MITRE ATT&CK framework and its application to detection engineering and threat actor simulation

Desired Qualifications:

- Professional certifications in Cybersecurity, Digital Forensics, Information Assurance or related technical field (e.g., CISSP, CCSP, Splunk Certified, GIAC)

- Proven experience operating as an escalation path within a Security Operations or Incident Response function, including leading technical investigations over advanced threats, account compromise, malware intrusions, and cloud security incidents

- Experience operating within hybrid SOC delivery models that include managed service providers or outsourced Tier 1 monitoring functions

- Deep engineering expertise within Splunk Enterprise Security, including detection-as-code pipelines, SIEM optimization, data onboarding, and search performance tuning

- Experience conducting proactive threat hunting operations

- Experience presenting incident findings and detection maturity metrics to security leadership, auditors, and other interested stakeholders

- Experience working within regulated environments such as Financial Services, Life Sciences / Pharmaceutical, and Healthcare

- While not required, having prior experience with the Microsoft security ecosystem is an added plus (e.g., Purview, Sentinel, Defender)