Ensign is hiring!
The Technical Lead, IOC & Cyber Range is a senior leadership role with dual accountability — for the technical direction and the end-to-end delivery of two distinct but complementary functions: the Intelligence & Operations Centre (IOC) and the Cyber Range.
You will be accountable for what gets built, what gets delivered, and how well both functions perform — owning outcomes across technical architecture, service delivery, client commitments, and team execution. You will set the technical bar, drive delivery discipline, and ensure both environments consistently meet the expectations of the clients and stakeholders who depend on them.
This is a role for someone who thrives in complex, high-stakes environments — equally comfortable making architectural decisions and holding the team accountable to delivery timelines, SLAs, and quality standards.
Key Responsibilities
IOC — Technical Direction & Service Delivery
- Own end-to-end accountability for IOC service delivery — ensuring threat monitoring, detection, incident response, and client reporting consistently meet agreed SLAs and quality standards.
- Define and drive the technical architecture and tooling roadmap for the IOC, including SIEM, SOAR, EDR, and threat intelligence platforms — ensuring platforms are optimally configured, continuously improved, and operationally resilient.
- Lead detection engineering initiatives — developing, tuning, and validating detection rules, playbooks, and automated response workflows to improve detection fidelity and reduce analyst burden.
- Establish and own operational standards, SOPs, escalation frameworks, and governance structures that ensure consistent, measurable service quality across all client engagements.
- Track and drive improvement in key delivery metrics — MTTD, MTTR, alert fidelity, and client satisfaction — and provide clear performance reporting to senior leadership.
- Act as the senior technical and delivery escalation point for complex incidents — providing decisive direction under pressure and ensuring appropriate client communication throughout.
- Identify and resolve delivery risks, resourcing gaps, or operational bottlenecks proactively — before they impact clients or commitments.
- Collaborate with threat intelligence and red team functions to continuously validate and strengthen detection capabilities against real-world threat scenarios.
Cyber Range — Technical Design & Programme Delivery
- Own the full delivery lifecycle of the Cyber Range — from technical environment design and build through to programme execution, client debrief, and continuous improvement.
- Lead the technical design, build, and maintenance of the Range environment — including virtualised infrastructure, attack simulation platforms, scenario libraries, and range management tooling.
- Develop and deliver a portfolio of realistic, scenario-based training exercises and red-blue team engagements for clients and internal capability development — ensuring programmes are delivered on time, on scope, and to a high standard.
- Ensure the Cyber Range environment is stable, secure, isolated, and capable of supporting concurrent client programmes with no degradation in quality or safety.
- Manage programme delivery across multiple concurrent client engagements — coordinating exercise design, resource scheduling, and client stakeholder management throughout.
- Drive continuous improvement of the Range's technical realism, scenario depth, and assessment capability — incorporating emerging threat techniques and new attack vectors into the exercise library.
- Support pre-sales and business development by demonstrating Range capabilities, scoping bespoke exercise programmes, and contributing to commercial proposals.
Delivery Governance & Performance Management
- Own the delivery framework across both functions — establishing clear milestones, review cadences, risk tracking, and quality assurance processes that hold the team accountable.
- Maintain visibility of all active client commitments across IOC and Cyber Range — ensuring nothing falls through the gaps and escalations are managed swiftly.
- Produce clear, accurate reporting on delivery performance, operational health, and programme status for internal leadership and client stakeholders.
- Manage capacity and resource planning across both functions — ensuring the right people are in the right places to meet current and upcoming commitments.
- Identify process gaps and implement improvements that increase delivery predictability, reduce rework, and raise quality standards across both functions.
Stakeholder Engagement & Collaboration
- Serve as the primary point of accountability for IOC and Cyber Range delivery — managing expectations, communicating proactively, and resolving issues with clients and internal stakeholders.
- Engage with managed services, consulting, and Ensign Labs teams to align IOC and Cyber Range capabilities with broader business and client needs.
- Contribute to Ensign's thought leadership through internal publications, client workshops, and industry engagements where relevant.
Job Requirements
- At least 8 years of experience in cybersecurity, with significant hands-on depth in security operations, incident response, or offensive/defensive security.
- Proven experience leading or managing a SOC, IOC, or security operations function — with direct accountability for both technical quality and delivery outcomes.
- Demonstrated track record of owning end-to-end delivery — managing timelines, client commitments, SLAs, and team performance simultaneously.
- Strong technical proficiency across core security operations domains: SIEM/SOAR platforms, detection engineering, threat intelligence, and incident response.
- Experience designing, operating, or delivering cyber range environments, attack simulation platforms, or technical training programmes.
- Ability to lead and develop technical teams — with the credibility to set the technical direction and the discipline to hold the team accountable to delivery.
- Excellent communication skills — able to translate technical complexity into clear, actionable language for both technical teams and senior stakeholders.
Technical Skills
- Deep familiarity with SIEM platforms (e.g. Splunk, Microsoft Sentinel, IBM QRadar) and SOAR tooling.
- Experience with endpoint detection platforms (e.g. CrowdStrike, SentinelOne, Carbon Black) and network security monitoring.
- Understanding of adversary TTPs, the MITRE ATT&CK framework, and threat-informed detection approaches.
- Hands-on experience with virtualisation, cloud infrastructure, or range platforms (e.g. VMware, AWS, Azure, Cyberbit, SimSpace, or equivalent).
- Scripting and automation capability (Python, PowerShell, or equivalent) for detection and operational workflow improvement.
Ensign InfoSecurity Singapore Office
30A Kallang Place, #08-01, Singapore 339213