Ledger

Security Operations Engineer

Paris, France
Full-time
Posted June 24, 2026

About this role

About Ledger

We’re a team of experts pushing the limits of what’s possible, united by our common goal to unlock true freedom through digital ownership, making technology accessible for all. We believe in a world where users, creators and enterprises manage their value with ownership and freedom. Our curiosity drives us to innovate, empowering individuals on a global scale. We believe change is constant and our team moves forward as one, with a culture of problem-solving where every employee is empowered and supported to challenge tradition and create solutions. Our mission is simple: to make self-custody accessible and give people the keys to their own financial futures. If you want to make a true impact, we want you to join us at Ledger.

At Ledger, we’re proud to be the global platform for digital assets and Web3, with over 20% of the world’s crypto assets secured through our Ledger devices. With our headquarters in Paris, and offices in Vierzon, Grenoble, Montpellier, London, Portland, Geneva, Zurich and Central Singapore, we have a team of around 600 professionals developing a variety of products and services to enable individuals and companies to securely buy, store, swap, grow and manage crypto assets – including the Ledger hardware wallets line with more than 7.5 million units already sold in 200 countries.

The team

You’ll join the Security Operations team, responsible for protecting Ledger’s corporate, cloud, SaaS, and data center environments. Its mission: to anticipate, detect, investigate, and respond to cyber threats—including monitoring, alert triage, incident response, detection, visibility, automation, exposure tracking, and continuous process improvement. The scope is distinct from that of the Donjon (product security): SecOps covers the operational security of internal environments, the cloud, endpoints, workloads, identities, and infrastructure.

As a close-knit and experienced team—technically demanding and committed to knowledge sharing—we’re also continuously building the SOC itself: integrating new log sources, ensuring data quality, expanding detection coverage, and developing reliable dashboards and operational workflows.

What you’ll be doing:

As a Security Operations Engineer, you’re a talented and self-reliant engineer on the front lines of the SOC. You investigate alerts and incidents, contribute to our detection and automation efforts, and help expand our visibility (cloud, endpoints, identities, SaaS, infrastructure)—in practice, you’ll perform the same core responsibilities as our senior engineers, with their support on the most complex cases. You’ll work independently within your area of responsibility, tailor your focus to your strengths and interests—just like the rest of the team—and quickly build expertise in our tech stack and our in-house Agentic SOC, as part of a team that values initiative.

Operate the SOC

  • Analyze, prioritize, and investigate alerts (from Splunk, CrowdStrike, Wiz, AWS, and other sources), conducting your own investigations into incidents affecting endpoints, the cloud, identities, SaaS, workloads, and infrastructure.

  • Provide clear and actionable context, determine next steps, and bring in senior engineers for the most complex cases.

  • Leverage the Agentic SOC, which investigates weak signals and enriches alerts, so you can focus on the cases that matter.

Visibility & Detection

  • Help integrate and maintain the log sources on which the SOC relies (cloud, endpoints, identities, SaaS, infrastructure, Kubernetes) and improve data quality.

  • Write and optimize Splunk queries for your investigations, contribute to the team’s detection rules and catalog, and help reduce noise and improve signal quality.

Incident Response

  • Play an active role in investigations: collecting evidence, reconstructing timelines, and documenting actions taken.

  • Help oversee containment, remediation, and post-incident measures by rigorously applying our processes and turning lessons learned into detections, runbooks, or automations.

Contribute to automation and our Agentic SOC

  • Build and maintain automations (Torq/SOAR, GitHub Actions, scripts) that accelerate triage, enrichment, and response.

  • Contribute to the continuous improvement of our internal Agentic SOC—new investigation workflows, better correlation, and tighter integration with detection and response—and document playbooks and procedures.

What we’re looking for

  • 1 to 3 years of experience in security operations, SOC, IT, infrastructure, or a related technical role (an outstanding cybersecurity internship or an entry-level SOC position counts). You are a talented engineer who learns quickly and is eager to take on responsibilities.

  • An interest in Web3 and blockchain security is a plus (Ledger operates in the world of digital assets).

  • A solid grasp of SecOps fundamentals: triage, investigation, incident response, log analysis, and documentation.

  • Practical experience with an SIEM (ideally Splunk), including writing and refining queries and detection logic; and with an EDR (ideally CrowdStrike).

  • A good understanding of the cloud (ideally AWS): IAM, audit logs, workloads, containers, and Kubernetes.

  • The ability to automate using Python, Bash, APIs, GitHub Actions, a SOAR platform, or equivalent.

  • An interest in AI applied to security, agent-based workflows, and SOC automation.

  • Independence, proactivity, thoroughness, and attention to detail: you take on responsibilities, follow our processes carefully, and know when to seek support from senior colleagues.

  • Ability to conduct in-depth investigations, document findings clearly, and escalate issues with the appropriate level of context; awareness of confidentiality and the proper handling of sensitive information.

  • Professional-level English; Ledger operates in an international environment.

Job Overview

Employment Type: Full-time
Seniority Level: Mid Level
Location: Paris, France

About the Company

Ledger
enterprise

Hardware wallet manufacturer and digital asset security company.
