Principal Cyber Defense Operations

Our Mission:

Our mission is to SAVE AND IMPROVE LIVES BY EMPOWERING HEALTHCARE CONSUMERS.Come be part of remarkable.

Overview:

How you can make a difference

The Cyber Defense Operations Team Principal (CDOT) serves as the senior technical authority within the Cyber Defense Operations Team, responsible for ensuring the accuracy, quality, and threat‑informed rigor of all escalations and investigations. This role leads the review of high‑risk activity across CDOT Escalations, Insider Threat, and Cloud/AI Response queues, and ensures alignment with the organization’s detection, response, and visibility strategy. The Principal partners closely with ATR, Cyber Defense Engineering, and the Cyber Visibility Principal to strengthen detection fidelity, improve operational workflows, and drive continuous improvement across the Cyber Defense ecosystem. What you’ll be doing Operations* Lead validation of all CDOT escalations to ensure accuracy, completeness, and threat‑informed decision‑making.

• Own triage oversight for the CDOT Escalations, Insider Threat, and Cloud/AI Response queues, ensuring high‑risk activity receives appropriate scrutiny and routing.
• Coordinate response actions across CDOT, ATR, IR, and partner teams for high‑severity events.
• Ensure sensitive investigations follow legal, HR, and IR requirements.

Detection* Validate detection fidelity across traditional, cloud, and AI‑driven signals, ensuring alignment with ATR’s threat‑informed detection strategy.

• Review cloud‑specific detections (Azure AD, AWS, GCP, SaaS) for accuracy, coverage, and alignment to cloud attack paths.
• Validate AI‑generated detections and behavioral analytics for accuracy, bias, and operational usefulness.
• Identify and escalate visibility gaps—including cloud telemetry, identity logs, and AI anomaly signals—to the Cyber Visibility Principal.
• Partner with Cyber Defense Engineering and the Visibility Principal to refine detection logic, improve signal quality, and build new controls where systemic issues are identified.

Response* Lead triage and validation for cloud and AI‑driven escalations, including identity compromise, privilege escalation, token abuse, and anomalous workload activity.

• Serve as the escalation authority for determining when events require ATR deep‑dive analysis or CIRP activation.
• Ensure escalations involving cloud or AI signals include complete investigative context and meet elevated scrutiny standards.

Playbooks* Ensure operational playbooks accurately reflect CDOT response procedures, including cloud and AI‑driven scenarios.

• Collaborate with ATR, Cyber Defense Engineering, and the Visibility Principal to develop new playbooks where gaps exist or new capabilities emerge.
• Validate SOAR playbooks for correctness, safety, and alignment with escalation thresholds.
• Identify automation opportunities and partner with Cyber Defense Engineering to build safe, reliable automated controls.

Quality* Perform regular QA reviews of CDOT investigations, escalations, and triage decisions to track and improve CDOT performance.

• Define and uphold standards for investigative documentation, evidence handling, and escalation quality.
• Provide technical coaching to analysts to strengthen investigation quality, hypothesis development, and threat‑informed reasoning.

Threat Alignment* Maintain alignment between CDOT detection priorities and ATR’s threat‑informed roadmap, including cloud‑focused and AI‑enabled threats.

• Ensure CDOT workflows reflect current adversary tradecraft and MITRE ATT\&CK coverage (enterprise, cloud, and emerging AI‑related techniques).
• Surface systemic detection, tooling, or workflow gaps to ATR, CDE, and Detection Engineering.

Metrics \& Continuous Improvement* Define and track metrics for detection quality, false‑positive reduction, cloud/AI detection accuracy, and escalation fidelity.

• Provide leadership with insights on recurring detection failures, operational bottlenecks, and systemic issues.
• Lead post‑incident detection reviews to ensure lessons learned translate into improved cloud and AI detection logic.

Partnership* Partner with Cyber Defense Engineering and the Visibility Principal to identify and escalate opportunities for improvement in detection logic, telemetry coverage, and automation.

• Collaborate with ATR, CDE, and Detection Engineering to build new controls, refine detection content, and improve operational workflows.
• Support cross‑team coordination to ensure high‑severity issues receive appropriate leadership attention.

What you will need to be successful* 7\+ years of experience in Security Operations, Incident Response, Threat Detection, or related cyber defense functions.

• Deep expertise in cloud security (Azure, AWS, GCP) and identity‑centric attack patterns.
• Strong understanding of AI‑driven detection models, behavioral analytics, and anomaly‑based detection.
• Demonstrated ability to lead complex investigations and validate high‑risk escalations.
• Strong knowledge of MITRE ATT\&CK (enterprise and cloud matrices).
• Experience with SIEM, SOAR, EDR, and cloud telemetry sources.
• Excellent communication skills, with the ability to translate technical findings into clear, actionable guidance.

Preferred* Experience partnering with detection engineering, threat intelligence, or cyber visibility teams.

• Experience developing operational playbooks and automation workflows.
• Prior experience in a Principal, Lead Analyst, or senior escalation role within a SOC or Cyber Defense team.
• Relevant certifications (GCIA, GCED, GCTI, GCIH, Azure/AWS security certifications, etc.)

#LI-Remote

This is a remote position.

Salary Range: $137,500\.00 To $182,000\.00 / year Benefits \& Perks:

The actual compensation offer is determined based on job-related knowledge, education, skills, experience, and work location. This position will be eligible for performance-based incentives as part of the total compensation package, in addition to a full range of benefits including:

• Medical, dental, and vision
• HSA contribution and match
• Dependent care FSA match
• Uncapped paid time off
• Paid parental leave
• 401(k) match
• Personal and healthcare financial literacy programs
• Ongoing education \& tuition assistance
• Gym and fitness reimbursement
• Wellness program incentives

Onboarding \& Travel

This is a remote role, with an in-person onboarding training component. New team members must participate in Trailhead, HealthEquity’s immersive onboarding experience Trailhead is designed to foster meaningful connections, support your integration into the organization, and equip you with a strong understanding of our business. Trailhead participation is a key expectation of this role. Trailhead is held onsite at our headquarters once per quarter. HealthEquity covers all required travel and accommodations.

This role may begin with a virtual, self-paced onboarding experience, followed by a mandatory onsite Trailhead session at a later date.

HealthEquity is committed to providing reasonable accommodations to team members with qualifying disabilities. Should you be selected for this role and require an accommodation, we will put you in touch with our Benefits Team so you can begin the accommodation request process.

Why work with HealthEquity :

HealthEquity has a vision that by 2030 we will make HSAs as wide-spread and popular as retirement accounts. We are passionate about providing a solution that allows American families to connect health and wealth. Join us and discover a work experience where the person is valued more than the position. Click here to learn more. You belong at HealthEquity!

HealthEquity, Inc. is an equal opportunity employer, and we are committed to being an employer where no matter your background or identity – you feel welcome and included. We ensure equal opportunity for all applicants and employees without regard to race, age, color, religion, sex, sexual orientation, gender identity, national origin, status as a qualified individual with a disability, veteran status, or other legally protected characteristics. HealthEquity is a drug-free workplace. For more information about our EEO policy, or about HealthEquity’s applicant disability accommodation, drug-free-workplace, background check, and E-Verify policies, please visit our Careers page.

HealthEquity uses Microsoft Copilot to transcribe screening interviews between candidates and their direct Talent Partner for note taking and interview summaries. By scheduling a screening interview with us, you consent to Microsoft Copilot’s AI technology recording and transcribing your interview with your Talent Partner. This information will be reviewed for accuracy and then used by HealthEquity to summarize the interview, ensure accuracy, and facilitate our hiring process. We take privacy seriously. You have the option to opt out. If you wish to opt out of this Microsoft Copilot transcription, please notify your Talent Partner in advance of the interview. If we do not receive an opt-out request from you, we will assume that you consent to the use of Microsoft Copilot.

At HealthEquity, our goal is to save and improve lives by empowering healthcare consumers. This shared purpose inspires everything we do, including how we approach hiring. Our process is designed to get to know the real you: your skills, experiences, and potential to make a difference. We value honesty, originality, and the courage to do the right thing, even when it is not the easiest path. Showing up as your authentic self reflects these values and helps us build something truly remarkable together.

As AI is becoming a common tool throughout the application process, we want to be clear about its appropriate use at HealthEquity. Using AI to support resume writing, research, or interview preparation is perfectly acceptable, provided the content is accurate and genuinely represents your qualifications and skills. For other key parts of our interview process, however, it is important that the ideas, communication, and work you share reflect your own voice, experiences, and thinking. We ask that you participate in our live interviews and complete any assessments without AI assistance unless instructions explicitly indicate otherwise or a specific exception is discussed and approved in advance. This approach ensures fairness, celebrates your individuality, and allows your authentic perspective to shine. Behaviors that do not align with these guidelines may result in disqualification from the hiring process or termination of employment if later discovered. We appreciate your understanding and look forward to learning about the unique contributions only you can bring to HealthEquity.

HealthEquity is committed to your privacy as an applicant for employment. For information on our privacy policies and practices, please visit HealthEquity Privacy.