Tier 3 Security & Infrastructure Engineer

Mechanicus LLC is a managed service provider with a security-forward practice — Microsoft Sentinel, Blackpoint MDR, and a real SOC workflow rather than a "we forward alerts to a third party" arrangement. Roughly a quarter of our monthly ticket volume is security work: targeted phishing investigations, malicious login attempts, SIEM triage, and MDR collaboration. We need a senior engineer who can own that work end-to-end.

We’re looking for a Tier 3 Security & Infrastructure Engineer who will serve as the senior technical escalation point for complex infrastructure, cloud, and security issues across client environments.

You'll be the person Tier 2 calls when the impossible-travel alert turns out to be real, when the AVD environment needs re-architecting, when a client's M365 tenant has been compromised at 2am. You'll also drive the proactive work — hardening, detection engineering, post-incident reviews — that keeps the volume from getting worse.

We don't expect you to be in the office. We do expect you to be reachable during a P1.

What You’ll Be Doing

Security Operations & Incident Response

• Investigate phishing attacks, suspicious login activity, and account compromise incidents

• Perform threat hunting, log analysis, containment, and remediation

• Lead response efforts for Microsoft 365 and Azure-related security events

• Collaborate with security partners and vendors during active incidents

• Conduct post-incident reviews and improve prevention strategies

Microsoft 365 & Identity Security

• Design and improve Conditional Access policies and identity security controls

• Manage and optimize Microsoft Defender and Entra ID security features

• Implement security baselines and hardening standards across client environments

• Improve MFA, privileged access, and identity governance workflows

Cloud & Infrastructure Engineering

• Support and troubleshoot Azure infrastructure and Azure Virtual Desktop environments

• Handle complex escalations involving networking, virtualization, storage, and authentication

• Lead migrations involving Microsoft 365, Azure, servers, and cloud infrastructure

• Assist with automation and infrastructure-as-code initiatives

Technical Leadership

• Serve as the Tier 3 escalation point for advanced technical issues

• Mentor junior engineers and contribute to technical standards

• Create documentation, operational runbooks, and repeatable processes

• Identify recurring problems and build long-term solutions

What We’re Looking For

• 5+ years of progressive IT experience, with at least 2 years focused on security operations (SOC analyst, security engineer, or senior engineer at a security-focused MSP).

• Deep working knowledge of Microsoft Sentinel — KQL is not optional. You should be able to write a hunt query without searching examples first.

• Strong Microsoft 365 security stack experience: Defender for Office 365, Defender for Endpoint, Defender for Identity, Entra ID Protection, Conditional Access at scale.

• Solid Azure fundamentals — Entra ID, AVD, networking (VNets, NSGs, Private Endpoints), RBAC, and at least familiarity with IaC (Bicep or Terraform).

• Incident response experience — you've worked a real BEC, a real ransomware incident, or a real account takeover end-to-end and can talk through the timeline, the decisions, and what you'd do differently.

• PowerShell at a scripting level — you can write a Graph API runbook to pull sign-in logs, parse them, and produce a report.

• Excellent written communication — incident reports, RCA documents, client-facing summaries that don't make a non-technical CFO panic.

Important: You will participate in a senior-level on-call rotation (1 week every 4 weeks) for critical P1 incidents.

Nice To Have

• Certifications: SC-200, SC-300, AZ-500 (mapped directly to our Microsoft Sentinel / Entra ID / Azure security work)
• Operational experience with Blackpoint Cyber MDR — incident handoff, isolation decisions, post-incident workflow with their SOC.
• Hands-on with our full operational stack:
  • HaloPSA (PSA/ticketing)
  • NinjaOne / NinjaRMM (RMM)
  • CIPP (M365 multi-tenant admin)
  • Hudu (documentation)
• Barracuda Email Protection policy management and incident response (BEC, mass-quarantine events).
• Experience designing CIS or NIST CSF-aligned baselines for SMB clients running Microsoft 365 and Azure.
• Background contributing to detection engineering content (KQL hunt queries, Sigma rules, custom Sentinel analytics rules, public write-ups).

HR Information:

• Full-time, permanent role
• Salary: $80,000 – $110,000 depending on experience and certifications
  • Annual performance bonus tied to security KPIs (mean time to detect, mean time to contain, recurring-incident reduction)
  • Senior on-call rotation pays an additional differential
• Health insurance (dental and vision included)
• 401K with 3% match
• 12 days PTO to start (accrual increases with tenure) + 8 paid holidays + your birthday
• Remote position (US based)
• Schedule: Mondays-Fridays, 8 AM – 5PM (with paid on-call rotation)
• Home office stipend