Job Description
The Moveworks Security team at ServiceNow is not looking for a traditional SOC analyst to watch a dashboard. We are looking for a Security Automation Disruptor. Your goal is to automate the SOC out of existence. As a member of our Blue Team, you will treat the incident response lifecycle as an engineering problem—designing, building, and deploying autonomous workflows that handle detection, triage, and remediation at machine speed. You will be at the intersection of core Security Operations and AI-driven defense.

What you get to do in this role:

E2E IR Automation: Design and implement end-to-end automation for the IR lifecycle (Detection -> Triage -> Containment -> Recovery).

Detection Engineering: Build and tune high-fidelity detections in our SIEM, EDR, and AI SOC platforms.

AI-Driven Ops: Leverage LLMs, prompt engineering, and MCP (Model Context Protocol) servers to build "agentic" security workflows that scale our defensive capabilities.

Purple Teaming: Detect and disrupt our internal red team. You will work closely with the Red Team to detect their attacks, disrupt their attack path, and close vulnerabilities.

Validate the Defense: Don’t just build it—prove it works. Design and execute automated tests to validate that our detections and playbooks actually fire when they should.

Decide with Data: Be data driven. When faced with difficult or complex decisions, you quickly gather data to make informed decisions.

Incident Response: Support active incidents as an incident responder, using each event as data to build better future automation.

To be successful in this role you have:

U.S. Citizenship required.

The Mindset: You hate manual work. You see a repetitive task and immediately think about how to write a script or build an agent to do it for you.

Technical Foundation: 1–5 years of experience in Security Operations or Security Engineering.

Automation Fluency: Proficiency in Python. You should be comfortable working with APIs, webhooks, and version control systems (