Job Description
We’re a team of experts pushing the limits of what’s possible, united by our common goal to unlock true freedom through digital ownership, making technology accessible for all. We believe in a world where users, creators and enterprises manage their value with ownership and freedom. Our curiosity drives us to innovate, empowering individuals on a global scale. We believe change is constant and our team moves forward as one, with a culture of problem-solving where every employee is empowered and supported to challenge tradition and create solutions. Our mission is simple: to make self-custody accessible and give people the keys to their own financial futures. If you want to make a true impact, we want you to join us at Ledger.
At Ledger, we’re proud to be the global platform for digital assets and Web3, with over 20% of the world’s crypto assets secured through our Ledger devices. With our headquarters in Paris, and offices in Vierzon, Grenoble, Montpellier, London, Portland, Geneva, Zurich and Central Singapore, we have a team of around 600 professionals developing a variety of products and services to enable individuals and companies to securely buy, store, swap, grow and manage crypto assets – including the Ledger hardware wallets line with more than 7.5 millions units already sold in 200 countries.
The team:
You’ll join the Security Operations team, responsible for protecting Ledger’s corporate, cloud, SaaS, and data center environments. Its mission: to anticipate, detect, investigate, and respond to cyber threats—including monitoring, alert triage, incident response, detection, visibility, automation, exposure tracking, and continuous process improvement. The scope is distinct from that of the Donjon (product security): SecOps covers the operational security of internal environments, the cloud, endpoints, workloads, identities, and infrastructure.
As a close-knit and experienced team—technically demanding and committed to knowledge sharing—we’re also continuously building the SOC itself: integrating new log sources, ensuring data quality, expanding detection coverage, and developing reliable dashboards and operational workflows.
Our technical stack includes:
Splunk for SIEM, investigations, and dashboards;
CrowdStrike for EDR and endpoint/workload security;
Wiz for cloud security and exposure management;
Torq for SOAR and automation;
AWS, including modern environments such as EKS/Kubernetes;
An in-house developed Agentic SOC for alert enrichment, correlation, investigation support, reporting, and automation.
AI is at the heart of how we work: investing in AI applied to security is a strategic priority for Ledger this year. We’ve built our own in-house Agentic SOC, which autonomously investigates weak signals—the large volume of unreliable alerts that a human team couldn’t sort through manually—and enriches them, so our engineers can focus on what matters most and resolve incidents faster: high-quality detection, noise reduction, and accelerated investigations.
What you’ll be doing:
As a Staff Security Operations Engineer, you're one of the most senior technical voices on the team: a hands-on generalist who can dig deep into any layer of our stack, step back to see the whole picture, and bring clear, calm judgment when the stakes are highest.
Anchor critical-incident response (CSIRT)
Bring senior technical leadership to our most complex incidents — cloud, corporate, endpoints, identities, data center — working with the team, not in isolation.
Lead complex investigations end to end, alongside the team: root cause analysis, forensics, timeline reconstruction, and remediation that prevents recurrence.
Be a trusted escalation point, and keep our handling, escalation, and documentation rigorous and consistent.
Set the direction on detection & threat hunting
Set the direction of our detection strategy, architecture, and methodology — with the team — and bring a clear point of view on where to invest next.
Contribute to proactive threat hunting — turning CTI and OSINT into risks caught before they reach Ledger.
Take on our thorniest detection problems and translate threat intel into concrete posture improvements.
Evolve the architecture & the Agentic SOC
Drive how our Splunk and Torq (SOAR) setup evolves so detection, triage, and response keep getting better — focused on detection quality, data standardization (CIM, data models), and usability, not day-to-day platform administration.
Contribute to the architecture of our Agentic SOC and log/data pipeline, and help automate the team's reporting. (No need to arrive as a software/data engineer — an engineering mindset and the drive to build matter more.)
Bring cloud-security judgment (AWS, EKS/Kubernetes) and use Wiz to prioritize exposure at scale.
Raise the bar across the team
Define the standards, playbooks, and runbooks the team relies on.
Grow senior and junior engineers through review, pairing, and everyday knowledge sharing — a force multiplier through influence and example, not formal management.
Partner with Engineering, Infrastructure, IT, and Cloud to align operational security with where Ledger is heading.
What we’re looking for:
~9 years (or a track record that speaks for itself) in security operations, incident response, and CSIRT, with real depth in complex, end-to-end investigations.
The ability to lead technically under pressure and stay structured when things are ambiguous.
Hands-on SIEM experience (ideally Splunk): writing and refining queries for investigation and detection.
Solid cloud-security fundamentals (ideally AWS): IAM/identity, audit logs (CloudTrail, GuardDuty), and a working understanding of workloads, containers, and Kubernetes (EKS) — enough to scope and investigate a cloud or container incident, and go deeper as needed.
Comfort automating with Python, Bash, APIs, GitHub Actions, or a SOAR platform.
Clear communication of complex topics, strong documentation habits, and sound judgment with sensitive information.