XSoar Security Automation Engineer

Job Title: XSoar Security Automation Engineer

Duration: 12 weeks

Location: Remote - one travel day into San Diego for the kick-off, then fully remote. travel is paid up to 2k

Job Description

Seeking a hands-on XSOAR Security Automation Engineer to own the implementation, optimization, and operationalization of Palo Alto Networks Cortex XSOAR within an enterprise Security Operations Center (SOC). This role is narrowly focused on the XSOAR platform and playbook delivery and will work in close partnership with a Lead Architect, Security Architect, and dedicated LLM developer. The engineer will be the day-to-day execution owner for XSOAR playbooks, integrations, and SOC automation reliability, ensuring solutions are production-ready, auditable, and aligned to analyst workflows.

Core Responsibilities (XSOAR Ownership)

• Design, build, and optimize Cortex XSOAR playbooks aligned to defined SOC use cases.
• Implement and maintain XSOAR ingestion and response workflows for incidents originating from Splunk Enterprise Security.
• Configure and manage bidirectional incident mirroring and field mapping between XSOAR and Splunk Enterprise Security.
• Develop and maintain XSOAR automations and scripts (Python-based) to support enrichment, routing, and response actions.
• Integrate XSOAR with Microsoft Defender and Proofpoint for phishing and security event enrichment.
• Implement workflow logic for phishing triage, investigation, and response actions within XSOAR.
• Ensure error handling, retries, idempotency, and audit logging are implemented to support production SOC operations.
• Tune incident layouts, task structures, and playbook UX based on SOC analyst feedback.
• Participate in sprint demos, working sessions, and feedback cycles focused on XSOAR functionality.
• Produce XSOAR-specific operational documentation including playbook runbooks and configuration notes.
• Provide post-deployment tuning and hyper-care support for XSOAR workflows.

Explicitly Out of Scope for This Role

• Overall solution architecture and platform-wide design decisions (owned by Lead Architect).
• Security control definition, compliance interpretation, and governance (owned by Security Architect).
• LLM prompt engineering, AI model development, or summarization logic (owned by LLM Developer).
• Program management, stakeholder management, or delivery leadership responsibilities.

Required Qualifications:

• 3 7 years of experience in Security Operations, Security Engineering, or SOAR-focused roles.
• Hands-on, production experience with Palo Alto Networks Cortex XSOAR including playbook development and integrations.
• Experience integrating XSOAR with SIEM platforms, preferably Splunk Enterprise Security.
• Proficiency in Python for XSOAR automations and API-based integrations.
• Experience implementing phishing response workflows and email security automations.
• Strong understanding of SOC workflows, incident triage, and analyst operations.
• Experience working in agile or sprint-based delivery models.
• Ability to operate independently as the sole XSOAR-focused engineer while collaborating with adjacent roles.

Preferred Qualifications:

• Prior experience acting as the primary XSOAR engineer on an enterprise SOC implementation.
• Experience supporting regulated or compliance-driven environments.
• Consulting or professional services delivery background.
• Experience stabilizing and supporting SOAR platforms in production environments.