Job Description

The SOC Engineering Team Lead ensures that all SOC platform services and supporting technologies are effectively delivered, maintained, and continuously improved in a secure, reliable, and timely manner to meet the operational needs of the CSOC. The role is responsible for the development, lifecycle management, and optimisation of SOC engineering services and tooling, ensuring they are secure, scalable, and aligned with business needs. It plays a key role in enabling effective threat detection and incident response through the integration and maintenance of advanced security technologies.

The SOC Engineering Team Lead will work with the Head of Cyber Security Operations to develop the broader cyber security strategy and contribute to the improvement of long-term capability roadmaps. The role also partners with ICT suppliers and internal stakeholders to ensure SOC services are well-integrated, effectively managed, and compliant with relevant frameworks, including the NCSC Cyber Assessment Framework (CAF).

Principal Accountabilities

• Support the Head of Cyber Security Operations in aligning SOC engineering with strategic objectives.
• Contribute to long-term SOC capability planning, including resourcing, tooling evolution, and automation.
• Manage ICT supplier relationships to ensure SOC services and technologies are integrated and effective.
• Ensure availability, performance, and scalability of SOC platforms (e.g. Microsoft Sentinel, Defender suite, Log Analytics).
• Monitor and maintain log ingestion pipelines and integrations across hybrid environments.
• Lead deployment and lifecycle management of agents and sensors across endpoints, servers, and cloud workloads.
• Produce regular reports on platform health, ingestion volumes, agent coverage, and system performance.
• Define and track SLAs and KPIs for SOC platform performance and automation workflows.
• Oversee onboarding of new log sources, ensuring alignment with detection use cases and operational priorities.
• Collaborate with ICT and business units to prioritise log sources based on risk and coverage.
• Maintain documentation and standards for log onboarding, including validation and data quality checks.
• Work with detection engineers and threat hunters to define log source requirements.
• Support development and tuning of KQL-based analytics rules and workbooks in Microsoft Sentinel.
• Contribute to mapping detection logic to frameworks such as MITRE ATT&CK, NCSC CAF, and NIST CSF.
• Lead development and maintenance of automation workflows using Sentinel SOAR (Logic Apps, Playbooks).
• Integrate SOC tooling with enterprise systems (e.g. ServiceNow SecOps) to streamline alerting and response.
• Promote infrastructure-as-code for SOC engineering deployments.
• Manage Microsoft Sentinel and Azure security service costs within budget.
• Optimise log source prioritisation and detection coverage to maximise ROI.
• Review data ingestion volumes, retention policies, and analytics rules to reduce unnecessary spend.
• Provide technical leadership, mentoring, and performance management.
• Collaborate with Cyber Security Operations, ICT, and business stakeholders to ensure SOC engineering meets strategic and operational needs.
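The platform-health, ingestion-volume and agent-coverage reporting described in the accountabilities above, shown as an added worked example (this is illustrative KQL written for this page, not code from the advert or from Sellafield Ltd). It runs against the standard Log Analytics `Usage` and `Heartbeat` tables that a Microsoft Sentinel workspace already populates; the 30-day reporting window, the 24-hour staleness threshold and the MB-to-GB conversion are assumptions chosen for illustration.

```kql
// Assumed reporting window and staleness threshold (illustrative values).
let ReportWindow = 30d;
let StaleAfter = 24h;

// 1. Billable ingestion per table: the view needed to prioritise log sources
//    by cost and to spot tables whose volume has outgrown their detection value.
//    Usage.Quantity is recorded in MB, so divide by 1024 for GB.
Usage
| where TimeGenerated > ago(ReportWindow)
| where IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024, 2) by DataType
| sort by IngestedGB desc;

// 2. Daily billable volume: a sudden step up or down usually means a broken
//    connector, a misconfigured data collection rule, or an unplanned new source.
Usage
| where TimeGenerated > ago(ReportWindow)
| where IsBillable == true
| summarize DailyGB = round(sum(Quantity) / 1024, 2) by bin(TimeGenerated, 1d)
| sort by TimeGenerated asc;

// 3. Agent coverage: hosts whose last heartbeat is older than the threshold.
//    Silent agents are a detection gap, not just a platform-health issue.
Heartbeat
| summarize LastHeartbeat = max(TimeGenerated) by Computer, OSType
| where LastHeartbeat < ago(StaleAfter)
| extend HoursSilent = round((now() - LastHeartbeat) / 1h, 1)
| sort by HoursSilent desc
```

Each query is self-contained and can be pinned to a Sentinel workbook or scheduled as a report; the first two feed the cost and retention review, the third feeds the agent-coverage figure. `Heartbeat` only reflects hosts running the Log Analytics or Azure Monitor agent, so cloud-native sources ingested through API connectors need a separate freshness check on their own tables.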

Authorities & Dimensions

• Budget responsibility: £1–3m (within Cyber Security Operations)
• Direct line management: 4–6 roles (Platform, Onboarding, and Detection Engineers)
• Technical leadership across SOC engineering initiatives.

Context and Challenges

The SOC Engineering Team Lead is a newly established role within Sellafield Ltd’s cyber security organisation, created to strengthen the technical foundation of the Cyber Security Operations Centre (CSOC). This role is pivotal in ensuring that SOC platforms and supporting technologies are secure, scalable, and aligned with operational and strategic needs. It is responsible for the lifecycle management, optimisation, and continuous improvement of SOC engineering services, enabling effective threat detection and incident response across a complex hybrid environment.

As a new function, the role faces the challenge of building foundational capabilities from the ground up: establishing robust engineering practices, integrating advanced security tooling, and embedding automation and performance monitoring across SOC services. It must also navigate the complexities of working across ICT, cyber operations, and supplier ecosystems to ensure seamless delivery and compliance with frameworks such as the NCSC Cyber Assessment Framework (CAF).

The Team Lead will be instrumental in shaping long-term SOC capability roadmaps, managing a multi-disciplinary team, and driving innovation in log source onboarding, detection enablement, and automation. Balancing technical leadership with strategic alignment, the role must deliver high-performing, cost-effective solutions while fostering collaboration across internal and external stakeholders. Operating within a regulated environment, it must also ensure that engineering decisions support compliance, resilience, and continuous improvement in cyber defence.

Essential Skills

• Proven leadership and mentoring abilities, with a focus on technical excellence and team development.
• Strong attention to detail and a proactive, problem-solving mindset.
• Excellent communication skills, with the ability to engage both technical and non-technical stakeholders.
• Demonstrated passion for cyber security and a commitment to continuous improvement.
• Extensive experience in SOC engineering, security architecture, or related technical cyber security roles.
• In-depth knowledge of Microsoft Azure security services, including Sentinel, Defender for Endpoint, Defender for Cloud, and Log Analytics.
• Proficiency in scripting and automation using tools such as PowerShell, Python, and Logic Apps.
• Familiarity with cyber security frameworks including MITRE ATT&CK, NCSC CAF, and NIST CSF.
• Degree or equivalent qualification in computer science, cyber security, or a related field.

Desirable Skills

• SC-200: Microsoft Security Operations Analyst.
• AZ-500: Microsoft Azure Security Technologies.
• SC-100: Microsoft Cybersecurity Architect.
• Experience in regulated environments (e.g., nuclear, defence, critical infrastructure).
• Membership of CIISec, BCS, or other relevant professional bodies.

Additional Information

• Open VN
• Number of Vacancies: 1
• Contact/s: Andrew Shutak

The interviews for this vacancy are expected to be on 11th December 2025.

ASWs may have the right to apply for internal Sellafield Ltd vacancies. Please note that if you are an Agency Supplied Worker you are required to attach evidence of all qualifications obtained to support your application. We require a minimum of A*–C GCSE in English, Maths and Science/IT, or an equivalent or higher qualification.

If you choose to apply for this role and your application is shortlisted by the hiring manager, you will be invited to a competency-based interview. In the interview, you will be assessed against the competencies below:

Behavioural:
1. Problem Solving 3.1.3
2. Resilience 3.2.2
3. Team Leadership 3.2.4

Technical:
1. 31.3 Using information technology at work
2. 38.3 Information technology technical expertise
3. 314.7 IT Security

Please see link to the competency framework for further information:
https://slportal.ssa-intra.net/pub/SC001/00027/Competency%20Framework/Forms/AllItems.aspx

If your technical competency is not in the above framework, please refer to the profession’s SharePoint page for further information.

During the interview, you will also be expected to give a 10 minute presentation on ‘Building the Foundation of Detection and Response. Leading a Modern SOC engineering function.’

This presentation should be sent to recruitment@sellafieldcloud.co.uk via email at least two working days before your interview. You should also take four paper copies of your presentation to your interview in case of any IT issues on the day.

Sellafield Ltd is recognised as a Disability Confident Employer (Level 3). Disability Confident employers offer an interview to disabled applicants who meet the minimum criteria for a vacancy. Sellafield Ltd defines the minimum criteria as the ‘essential skills’ listed on the vacancy notice. While completing your application form, you will be able to indicate if you wish to be considered under the Disability Confident scheme. If you would prefer to discuss this directly with us, please contact the GBS Recruitment team on recruitment@sellafieldcloud.co.uk.

Please ensure that you save a copy of this advert for future reference if you make an application for this role.

Job title: Engineering Team Lead
Job number: SP06518
Profession: IT Information Services
Location: Risley, Warrington
Contract type: Internal Recruitment
Posting date: 12 November 2025
Closing date: 25 November 2025
Band: 3A Lower
Work Schedule: Days