At Sabio Group, we build and operate AI-powered customer experience platforms for some of the world’s most demanding enterprise brands. Our environment spans our own internal corporate estate, the SaaS products we build, and the live production solutions we run on behalf of customers — across multiple clouds, identity domains and AI services. Keeping that surface safe is a 24/7 discipline, and we’re investing in the people and automation to do it well.
We’re hiring a Security Operations Centre (SOC) Analyst to join our Information Security & Cyber Security team in South Africa. You’ll be the defensive heartbeat of our operation — triaging alerts, hunting for threats, running incidents to ground, and partnering with platform and engineering teams to make sure the same issue doesn’t bite us twice. You’ll work across both our internal platforms and the customer environments we operate, with visibility across cloud, identity, endpoint, application and AI workloads.
This is a hands-on role for someone who is genuinely curious about how attackers operate, comfortable writing code and scripts to amplify their own impact, and excited about using AI as a force multiplier — not just another tool in the stack. We don’t need you to be a contact centre expert; we do need you to be a strong defender who can learn our environments quickly and automate relentlessly.
Key Responsibilities
Reactive Event Handling & Incident Response
- Monitor, triage and investigate security alerts across our internal estate and customer-operated solutions — covering cloud, identity, endpoint, network, application and AI workloads.
- Drive incidents end-to-end: scoping, containment, eradication, recovery and post-incident review, working to clearly defined SLAs and rules of engagement.
- Produce high-quality incident write-ups and lessons-learned for both technical and executive audiences, and feed findings back into detections, runbooks and engineering backlogs.
- Act as an escalation point for first-line alerts and partner with on-call engineering when an incident crosses into platform reliability or customer impact.
Proactive Threat Hunting
- Develop and execute hypothesis-driven threat hunts across cloud telemetry, identity signals, endpoint data and application logs — looking for what alerts won’t catch.
- Map adversary behaviour to frameworks such as MITRE ATT&CK, and turn confirmed findings into durable detections, dashboards and automated playbooks.
- Track emerging threats, CVEs and threat-actor TTPs relevant to our stack and customer base, and translate them into concrete hunts and detections.
- Partner with our Red Team and AI Ethics functions on purple-team exercises to validate and improve coverage.
Detection Engineering & Automation
- Treat automation as a core part of the role — use code, scripts and AI to remove repetitive toil and free up time for the work only humans should do.
- Build, tune and maintain detections in our SIEM and XDR tooling (e.g. Microsoft Sentinel, Defender XDR), keeping a tight handle on signal-to-noise.
- Develop SOAR playbooks and enrichment pipelines that turn one-off investigations into repeatable, measured workflows.
- Contribute to internal tooling — log normalisation, alert enrichment, case-management integrations, threat-intel feeds — in Python or similar.
AI-Augmented Operations
- Use AI and agentic workflows as a force amplifier on day-to-day SOC work — triage summarisation, log analysis, hypothesis generation, drafting reports and playbooks.
- Help shape how we monitor and defend the AI services we operate — LLM workloads, RAG pipelines, agent integrations — alongside our AI Ethics and engineering teams.
- Stay close to evolving guidance on AI security (e.g. OWASP Top 10 for LLMs, NIST AI RMF) and translate it into practical monitoring, detection and response patterns.
Cloud & Platform Security Monitoring
- Operate detections and investigations across cloud workloads — primarily Microsoft 365 and Azure, with meaningful coverage of AWS and GCP and the wider enterprise IT stack.
- Understand the security signals that matter in IAM, network, container, serverless and data-layer services, and how attackers actually move through them.
- Work closely with platform engineering and SRE teams on misconfiguration, exposure and identity hygiene — not just incidents.
Collaboration & Continuous Improvement
- Work alongside the Head of Information Security, Red Team, AI Ethics leads, platform engineering and product teams to embed defensive thinking early.
- Partner with customer-facing teams when incidents or hunts touch the solutions we operate on behalf of customers — with care for production stability, customer data and contractual obligations.
- Contribute to runbooks, detection libraries, threat-intel notes and post-incident reviews so the whole team gets better with every engagement.
- Operate within strict rules of engagement and a strong ethical compass around evidence handling, privacy and disclosure.
Skills, Knowledge and Expertise
Required
- Demonstrable hands-on experience in a SOC, CSIRT, MDR or equivalent defensive security role — triage, investigation, incident response and threat hunting against modern cloud-based environments.
- Strong understanding of common attacker techniques (MITRE ATT&CK), modern intrusion patterns, and the telemetry needed to detect and investigate them.
- Solid grasp of cloud security and operations in at least one major provider — ideally Microsoft 365 and Azure — including IAM, networking, logging/telemetry, common misconfigurations and attack paths.
- Working knowledge of SIEM, EDR/XDR and SOAR tooling (e.g. Microsoft Sentinel, Defender XDR, or equivalents) — writing and tuning detections, building playbooks, managing signal quality.
- Coding capability in at least one of Python, PowerShell, Go, JavaScript/TypeScript or similar — comfortable writing scripts, automations and integrations, not just running other people’s tools.
- Practical understanding of AI/LLM systems — how they work, where they fail, and the new risks they introduce (prompt injection, insecure tool use, training/RAG data exposure) — and an interest in defending them.
- An automation-first mindset: you instinctively look for the repeatable pattern, the script, the playbook — and you measure improvement, not effort.
- Comfort with agentic development workflows — using AI coding assistants and AI co-work / pair-development models (Claude Code, Copilot, Cursor or equivalent) as part of your day-to-day delivery.
- Awareness of the wider AI ecosystem — major model providers, agent frameworks, vector stores, MCP-style tool integrations — and an instinct for where defenders need to pay attention.
- Clear written and verbal communication in English: able to brief engineers, executives and (where relevant) customers on incidents, hunts and risk.
- A strong ethical compass and discipline around scope, evidence handling, customer data and responsible disclosure.
Desirable
- Industry certifications such as GCIA, GCIH, GCFA, GCDA, GNFA, BTL1/BTL2, CySA+, AZ-500/SC-200, AWS/Azure/GCP security specialties or equivalent.
- Hands-on experience defending or monitoring AI / LLM workloads in production — detections for prompt injection, tool abuse, data exfiltration via agents, or anomalous model usage.
- Meaningful exposure to AWS and/or GCP security operations alongside Microsoft 365 / Azure.
- Experience with identity-centric detections across Entra ID / Azure AD, Active Directory, OAuth/OIDC and federated environments.
- Detection engineering experience: writing and maintaining content in KQL, Sigma, YARA or equivalent, with version control and test coverage.
- Familiarity with CI/CD, containers and IaC (Docker, Kubernetes, Terraform or equivalent) and how to monitor and defend them.
- Purple-teaming experience: working with offensive colleagues to validate and improve detections from real attacker behaviour.
- Familiarity with regulatory and standards contexts relevant to enterprise customers — ISO 27001, SOC 2, PCI DSS, GDPR, POPIA.
- Threat-intel experience: consuming, producing or operationalising CTI in a way that actually changes what the SOC does day-to-day.
Nice to Have
- Prior experience in a SaaS, cloud platform or AI/ML company where production systems were the thing being defended — useful context, but not required.
- Public research, conference talks, blog posts or community contributions in detection engineering, threat hunting or AI security.
- Experience contributing to or running CTFs, blue-team exercises, or open-source defensive tooling.
- Exposure to emerging agent interoperability and security standards (e.g. MCP, A2A) and their defensive implications.
Benefits
This is your chance to join a friendly and passionate team that will motivate you to learn and develop your career in the company.
Benefits may include:
- Remote/Flexible work
- Discovery Medical Aid
- Connectivity Allowance
- 15 days' paid holiday a year (this includes three Sabio days)
- Momentum EAP
The Small Print
Strictly No Agencies: any submission of resumes without prior request from Sabio Group will not be deemed an introduction and therefore will not warrant an introduction fee. All applicants must have the right to work in the territory to which the role relates (UK & EU). Sabio Group are unable to offer sponsorship on any roles advertised.