Security Operations Engineer II

StubHub is on a mission to redefine the live event experience on a global scale. Whether someone is looking to attend their first event or their hundredth, we’re here to delight them all the way from the moment they start looking for a ticket until they step through the gate. The same goes for our sellers. From fans selling a single ticket to the promoters of a worldwide stadium tour, we want StubHub to be the safest, most convenient way to offer a ticket to the millions of fans who browse our platform around the world.

• Incident Response
  • Lead and coordinate security incident response end-to-end: detection, triage, containment, eradication, recovery, and post-incident review
  • Develop and maintain incident response playbooks
  • Drive root cause analysis and translate findings into durable improvements to detection and prevention capabilities
  • Act as an escalation point for complex or high-severity incidents across the organization
• Threat Detection
  • Design, build, and tune detection rules, event correlation logic, and behavioral analytics across cloud, endpoint, network, and application data sources
  • Assist in maintaining a threat model for StubHub's environment and mapping detection coverage to the MITRE ATT&CK framework
  • Proactively hunt for threats and indicators of compromise across the environment
  • Collaborate with red team and pen test partners to validate detection coverage and identify gaps
• SIEM & Log Engineering
  • Continually improve SIEM capabilities including data ingestion pipelines, normalization, enrichment, and alerting workflows
  • Own log collection strategy: define what gets collected, at what fidelity, and for how long across cloud providers, SaaS applications, endpoints, and internal services
  • Write and maintain parsers, ETL pipelines, and data transformation logic to ensure high-quality signal in the SIEM
  • Own and operate security tooling where needed (SIEM, SOAR, EDR, etc.)
• Security Automation & Tooling
  • Write internal software in Python, Go, or similar  to automate detection, response, enrichment, and reporting workflows
  • Build integrations between security tools, internal APIs, and third-party services to accelerate analyst workflows and reduce mean time to respond
  • Develop dashboards, metrics, and reporting to communicate operational health and coverage to security leadership
  • Contribute to shared security infrastructure and internal libraries used across the security engineering organization
• Third-Party Security
  • Support the third-party security program by evaluating vendor security posture, reviewing assessments, and triaging risk findings
  • Build or maintain tooling to automate third-party risk intake, tracking, and reporting
  • Collaborate with Legal, Procurement, and Engineering to ensure third-party risks are identified and remediated appropriately

What You've Done:

• 3+ years of experience in security engineering, security operations, or a related discipline
• Demonstrated, hands-on experience leading incident response efforts, including complex, multi-system investigations
• Strong threat detection engineering experience: writing detection rules, tuning alerts, building correlation logic, and reducing false positive rates at scale
• Proficiency in at least one programming or scripting language (Python strongly preferred; Go, Ruby, or Bash also relevant) — you regularly write code to solve security problems, not just configure tools
• Deep familiarity with SIEM platforms (e.g., Splunk, ELK, Chronicle, Panther, or similar) including query languages and datra data onboarding.
• Experience with cloud environments (AWS, GCP, or Azure) and the associated log sources, threat models, and detection strategies
• Strong understanding of attacker tactics, techniques, and procedures (TTPs); experience mapping detections to MITRE ATT&CK
• Excellent written and verbal communication skills; able to convey technical risk clearly to non-technical stakeholders

Preferred Experience: