We’re a team of experts pushing the limits of what’s possible, united by our common goal to unlock true freedom through digital ownership, making technology accessible for all. We believe in a world where users, creators and enterprises manage their value with ownership and freedom. Our curiosity drives us to innovate, empowering individuals on a global scale. We believe change is constant and our team moves forward as one, with a culture of problem-solving where every employee is empowered and supported to challenge tradition and create solutions. Our mission is simple: to make self-custody accessible and give people the keys to their own financial futures. If you want to make a true impact, we want you to join us at Ledger.

At Ledger, we’re proud to be the global platform for digital assets and Web3, with over 20% of the world’s crypto assets secured through our Ledger devices. With our headquarters in Paris, and offices in Vierzon, Grenoble, Montpellier, London, Portland, Geneva, Zurich and Central Singapore, we have a team of around 600 professionals developing a variety of products and services to enable individuals and companies to securely buy, store, swap, grow and manage crypto assets – including the Ledger hardware wallets line with more than 7.5 millions units already sold in 200 countries.

The team

You will join the Security Operations team, which is responsible for protecting Ledger’s corporate, cloud, SaaS, and data center environments. Its mission is to anticipate, detect, investigate, and respond to cyber threats—including monitoring, alert triage, incident response, detection, visibility, automation, exposure tracking, and continuous process improvement. This scope is distinct from that of the Donjon (product security): SecOps covers the operational security of internal environments, the cloud, endpoints, workloads, identities, and infrastructure.

As a close-knit and experienced team—technically rigorous and committed to knowledge sharing—we are also continuously building the SOC itself: integrating new log sources, ensuring data quality, expanding detection coverage, and developing reliable dashboards and operational workflows.

Our technical stack includes:

• Splunk for SIEM, investigations, and dashboards;

• CrowdStrike for EDR and endpoint/workload security;

• Wiz for cloud security and exposure management;

• Torq for SOAR and automation;

• AWS, including modern environments such as EKS/Kubernetes;

• An in-house, internally developed Agentic SOC for alert enrichment, correlation, investigation support, reporting, and automation.

AI is at the heart of how we work: investing in AI applied to security is a strategic priority for Ledger this year. We’ve built our own in-house Agentic SOC, which autonomously investigates weak signals—the large volume of unreliable alerts that a human team couldn’t sort through manually—and enriches them, so our engineers can focus on what matters most and resolve incidents faster: high-quality detection, reduced noise, and accelerated investigations.

What you’ll be doing:

As a Senior Security Operations Engineer, you are at the heart of the SOC: you lead investigations from start to finish, manage the lifecycle of detections, dashboards, and automations, and continuously expand our visibility (cloud, endpoints, identities, SaaS, infrastructure). You work independently on complex issues, decide on the next steps – investigation, containment, remediation, or escalation – serve as a technical resource and point of escalation for more junior analysts (whose work you review and with whom you share your knowledge), and make a tangible contribution to improving our internal Agentic SOC.

Operate the SOC

• Analyze, classify, and prioritize alerts (from Splunk, CrowdStrike, Wiz, AWS, and other sources), and conduct in-depth investigations into incidents affecting endpoints, the cloud, identities, SaaS, workloads, and infrastructure.

• Provide clear, actionable context to inform next steps, and serve as an escalation point for less experienced analysts.

• Leverage the Agentic SOC, which investigates weak signals and enriches alerts, so you can focus your time on the incidents that matter.

Visibility & Detection

• Build and tune cloud detection use cases (AWS, IAM activity, EKS/Kubernetes, container workloads), and use Wiz to track and prioritize cloud exposure as part of your detection work.

• Integrate and maintain the necessary log sources (cloud, endpoints, identities, SaaS, infrastructure, Kubernetes) and improve data quality: completeness, parsing, normalization, relevance, and usability.

• Identify visibility blind spots and work with the IT, Cloud, Infrastructure, and Engineering teams to reduce them.

• Design, write, and optimize Splunk queries; develop new detection use cases based on available logs, refine them, and document their logic; reduce noise and improve signal quality.

Incident Response

• Play a leading role in investigations: gathering evidence, reconstructing timelines, and documenting actions taken.

• Monitor containment, remediation, and post-incident measures.

• Turn lessons learned into sustainable improvements and formalize processes: detection mechanisms, runbooks, dashboards, and automations.

Contribute to automation and our Agentic SOC

• Build and maintain automations (Torq/SOAR, scripts, APIs) that accelerate triage, enrichment, and response.

• Contribute to the design and continuous improvement of the internal Agentic SOC—the AI system that investigates weak signals, enriches alerts, and assists with investigations—and expand its capabilities: new investigation workflows, better correlation, and tighter integration with detection and response.

What we’re looking for:

• Solid & proven experience in SecOps, SOC, cloud security, incident response, or infrastructure security, with a track record of building and improving SOC capabilities (logs, detections, dashboards, automations, runbooks, workflows) and conducting independent investigations.

• Comfortable working in cloud and SaaS environments and with rapidly evolving technologies.

• Proficiency in SecOps fundamentals: triage, investigation, incident response, log analysis, and documentation.

• Strong, hands-on cloud security skills (ideally AWS): investigating IAM and identity activity, analyzing cloud audit logs (e.g. CloudTrail, GuardDuty), securing workloads, containers, and Kubernetes (EKS), and scoping cloud incidents end-to-end. Comfortable with exposure/CSPM tooling (ideally Wiz).

• SIEM (ideally Splunk) with the ability to write queries for investigation and detection; EDR (ideally CrowdStrike).

• Automation using Python, Bash, APIs, GitHub Actions, SOAR, or equivalent.

• Interest in—or experience with—AI applied to security, agent-based workflows, and SOC automation.

• Diligence, independence, technical curiosity, and attention to detail.

• Ability to conduct in-depth investigations, document findings clearly, and escalate issues with the appropriate level of context; awareness of confidentiality and the proper handling of sensitive information.

• Professional-level English; Ledger operates in an international environment.