Security Engineer; SIEM

Opening:
Join the Mission

At ByDesign Secure, we design and deliver secure-by-default digital platforms for high‑assurance environments. We are currently building a new secure cloud platform based on Google Distributed Cloud (GDC) and are looking for a Security Engineer (SIEM) to lead the design and implementation of its security monitoring and observability capabilities.

This role offers the opportunity to build a SIEM capability from the ground up, influence security architecture decisions, and directly support SOC operations protecting critical public‑sector services.

As a Security Engineer (SIEM) at ByDesign Secure, you will be responsible for building and enhancing our security monitoring and detection capabilities across complex environments. You will design and maintain SIEM use cases, onboard and normalise data sources, and continuously tune detections to improve threat visibility and response.

Working closely with incident response and platform teams, you will turn security data into actionable insight, helping to strengthen detection coverage, reduce noise, and advance the organisation’s overall security maturity.

As a Security Engineer, you will be responsible for designing, building, and operating the Security Information and Event Management (SIEM) and security observability stack for a new GDC‑based platform.

You will:

• Define how security logs, metrics, alerts, and telemetry are collected, processed, retained, and visualised.
• Establish a cloud‑native SIEM tool and monitoring capability.
• Integrate cloud‑native monitoring with existing on‑premise SOC tooling.
• Enable SOC analysts by providing reliable, actionable security insights.
• Work closely with cloud engineers, security architects, SOC teams, and external vendors to ensure the solution meets security, operational, and compliance requirements.

• Work with security and solution architects to design the end‑to‑end SIEM architecture for a secure Google Distributed Cloud (GDC) environment.
• Define log, event and telemetry standards across platform, infrastructure, Kubernetes, and application layers.
• Decide which data sources are monitored locally versus forwarded to an existing on‑prem SIEM.

• Deploy Elastic SIEM using standard or shared Kubernetes clusters where appropriate.
• Configure secure log forwarding from GDC components to an on‑prem SIEM over dedicated, encrypted network links.
• Integrate cloud audit logs, Kubernetes logs, workload logs, and security tooling into Elastic and on‑prem platforms.

• Implement detections‑as‑code, version‑controlled and automated through CI/CD pipelines.
• Create and tune detection rules, alerts, and dashboards for SOC analysts.
• Align detections with threat intelligence and playbooks (e.g. Mandiant‑aligned SOC workflows).

• Support monitoring of logs, metrics, and security signals to aid both security response and operational debugging.
• Enable Platform Admins and Application Operators to self‑serve diagnostics while maintaining security boundaries.

Produce clear guidance for:

• Platform Administrators configuring SIEM integrations
• Application teams onboarding workloads and logs
• SOC analysts using dashboards, alerts, and queries

Contribute to runbooks, operational procedures, and incident response documentation.

• Ensure logging and monitoring meet UK Government and high‑assurance security requirements.
• Support audits, assurance activities, and continuous improvement of the monitoring posture.

• Strong experience as a Security Engineer, Detection Engineer, or SIEM Engineer.
• Hands‑on experience designing or operating SIEM solutions in cloud or hybrid environments.
• Practical knowledge of Elastic SIEM / Elastic Stack, including: