CrowdStrike

Lead Security Engineer – Incident Response Defensive Operations (Remote, DEU)

Posted An Hour Ago
Remote or Hybrid
Hiring Remotely in Germany
Senior level
Lead design and development of Incident Response capabilities, enhancing detection and containment. Collaborate with teams to improve security tooling and automation, ensuring defense against evolving threats.
The summary above was generated by AI

As a global leader in cybersecurity, CrowdStrike protects the people, processes and technologies that drive modern organizations. Since 2011, our mission hasn’t changed — we’re here to stop breaches, and we’ve redefined modern security with the world’s most advanced AI-native platform. Our customers span all industries, and they count on CrowdStrike to keep their businesses running, their communities safe and their lives moving forward. We’re also a mission-driven company. We cultivate a culture that gives every CrowdStriker both the flexibility and autonomy to own their careers. We’re always looking to add talented CrowdStrikers to the team who have limitless passion, a relentless focus on innovation and a fanatical commitment to our customers, our community and each other. Ready to join a mission that matters? The future of cybersecurity starts with you.

About the Role:

The Incident Response Defensive Operations (IRDO) team is seeking a highly experienced, technically strong Lead Security Engineer to drive the design, development, and evolution of our Cybersecurity Incident Response capabilities. This role is intended for a hands-on leader who operates at the intersection of incident response, detection engineering, and security architecture.

You will partner closely with the Incident Response and Threat Detection and Engineering (TIDE) teams to build scalable solutions that improve detection, response, and containment across the enterprise. In addition to leading high-impact engineering initiatives, you will play a critical role in shaping strategy, defining technical standards, and ensuring the IR program can effectively defend against evolving threats.

As part of this role, you will also be a key contributor to the CSIRT Defense Profiling program, driving improvements in detection coverage, response capability, and defensive maturity across core domains including email, applications, networks, and endpoints.

What You'll Do:

  • Lead the design and implementation of scalable incident response capabilities, including detection, containment, and response automation.

  • Architect and develop advanced automation frameworks to reduce response time, eliminate manual effort, and improve consistency across IR workflows.

  • Identify systemic gaps in detection, visibility, and response capabilities; drive engineering efforts to close them.

  • Own and deliver complex, cross-functional initiatives that enhance IR tooling, telemetry, and operational effectiveness.

  • Partner closely with TIDE to define detection requirements, improve signal quality, and operationalize new detections within IR workflows.

  • Establish and enforce engineering standards, best practices, and design patterns for IR tooling and automation.

  • Contribute to and help evolve the CSIRT Defense Profiling program, including modeling detection and response coverage across key attack surfaces.

  • Serve as the EU-based lead for CSIRT activities subject to data sovereignty constraints, directly supporting investigations that require EU presence and designing processes, controls, and automations to ensure compliant handling, analysis, and storage of sensitive data.

  • Provide technical leadership and mentorship to engineers and analysts, elevating overall team capability.

  • Act as a senior escalation point for complex incidents requiring deep technical expertise or custom response solutions.

  • Continuously evaluate emerging threats, tools, and techniques to ensure IR capabilities remain effective and forward-looking.

What You'll Need:
Education & Experience:

  • Bachelor’s Degree (or equivalent experience) in Computer Science, Cybersecurity, or a related field

  • 7+ years of experience in cybersecurity engineering, incident response, or detection engineering (or equivalent combination of education and experience)

  • Proven experience designing and building security tooling, automation, or detection systems at scale

Technical Expertise:

  • Strong experience with incident response processes, including detection, triage, containment, and remediation

  • Deep understanding of operating systems (macOS, Linux, Windows), networking, and attacker tradecraft

  • Hands-on experience building automation using tools such as TINES, SOAR platforms, AWS Lambda, or custom scripting frameworks

  • Experience integrating and leveraging SIEM/XDR platforms (e.g., Splunk, LogScale, Falcon, etc.)

  • Ability to translate operational needs into scalable technical solutions and architectures

  • Strong software engineering fundamentals (clean code, modular design, maintainability)

Analytical & Communication Skills:

  • Excellent problem-solving skills with the ability to operate in complex, ambiguous environments

  • Strong communication skills with the ability to influence technical and non-technical stakeholders

  • Ability to lead initiatives, align cross-functional teams, and drive outcomes independently

  • High level of ownership, accountability, and attention to detail

Bonus Points:

  • Strong scripting or programming experience (e.g., Python, Go, PowerShell, Bash)

  • Experience with detection engineering frameworks (e.g., MITRE ATT&CK) and coverage modeling

  • Familiarity with attack surface management concepts and methodologies

  • Experience with cloud security (AWS, GCP, Azure) and modern infrastructure environments

  • Experience mentoring or leading engineers in a technical environment

  • Familiarity with data sovereignty and privacy frameworks (e.g., GDPR) and their impact on incident response operations

  • Relevant security certifications (e.g., GCIA, GCIH, CISSP)

Benefits of Working at CrowdStrike:

  • Market leader in compensation and equity awards

  • Comprehensive physical and mental wellness programs

  • Competitive vacation and holidays for recharge

  • Paid parental and adoption leaves

  • Professional development opportunities for all employees regardless of level or role

  • Employee Networks, geographic neighborhood groups, and volunteer opportunities to build connections

  • Vibrant office culture with world class amenities

  • Great Place to Work Certified™ across the globe

CrowdStrike is proud to be an equal opportunity employer. We are committed to fostering a culture of belonging where everyone is valued for who they are and empowered to succeed. We support veterans and individuals with disabilities through our affirmative action program.

CrowdStrike is committed to providing equal employment opportunity for all employees and applicants for employment. The Company does not discriminate in employment opportunities or practices on the basis of race, color, creed, ethnicity, religion, sex (including pregnancy or pregnancy-related medical conditions), sexual orientation, gender identity, marital or family status, veteran status, age, national origin, ancestry, physical disability (including HIV and AIDS), mental disability, medical condition, genetic information, membership or activity in a local human rights commission, status with regard to public assistance, or any other characteristic protected by law. We base all employment decisions--including recruitment, selection, training, compensation, benefits, discipline, promotions, transfers, lay-offs, return from lay-off, terminations and social/recreational programs--on valid job requirements.

If you need assistance accessing or reviewing the information on this website or need help submitting an application for employment or requesting an accommodation, please contact us at [email protected] for further assistance.
