Team

Operator DNA, not generic AI pivot.

The AI-SOC field is full of teams retrofitting models onto detection problems. IronSOC is built by people who have run security operations and now operate them at the AI layer too. This page describes who we hire, the advisory thesis, and the open roles.

Operator DNA

The bar to operate this SOC.

These are the traits we hire for and the traits the operating model assumes are present. They are not aspirational; they are the floor.

Has run a SOC, not just consulted to one.

Time spent on call, paged at 3am, owning a queue. The operating model is built by people who carried the pager — not by people who diagrammed the pager.

Builds detections, not slides.

Detection-as-code is the day job: Sigma, KQL, SPL, eBPF, custom analytics. Engineers who can read a CloudTrail event, an EDR process tree, and a model trace in one sitting.

Reads model traces like packets.

The AI surface is part of the attack graph now. Operators here know prompts, retrieved context, tool calls, and MCP scopes the way a network engineer knows a TCP handshake.

Threat-led, not vendor-led.

We hunt against MITRE ATT&CK and ATLAS, not vendor severity columns. Engineers who can map a campaign before they map a product.

Recovery-minded.

The discipline to ask 'how do we restore this' before the incident — and to design containment paths that do not destroy evidence.

Publishes work.

Open-source detections, CVE coordination, conference talks, written research. The bar is not 'famous' — it is 'has produced something the field can read.'

Hiring bar

Floors, signals, and disqualifiers.

We publish the bar so the people we want to hear from self-select. Pedigree matters less than reps and a public technical artifact we can read.

Floor: Hands-on incident experience or production detection-engineering experience. No theory-only hires.
Signal: Public artifact: detection rule, talk, paper, CVE, open-source tool, blog with technical depth.
Disqualifier: Cannot describe a real incident in detail end-to-end, including the human decisions that shaped the outcome.
Bonus: Has built or operated AI/agent systems in production, or has done adversarial AI testing with real findings.

Advisory thesis

Who we ask to advise — and what they ask of us.

An advisor list is only as good as the reference calls behind it. We do not list anyone who has not approved the language used to describe their role and is willing to take a call from an enterprise prospect or a serious investor.

Practicing CISOs, not retired ones.

We optimize for sitting CISOs of regulated mid-enterprise, AI-heavy SaaS, or cloud-native firms. They tell us what is actually failing this quarter — not what was failing five years ago.

Detection and AI-security researchers.

Adversarial ML, LLM red-team, exploit research, CTI. Advisors who push the eval set forward, not just the slideware.

Reference-takers.

An advisor on this site will take a reference call. We do not list anyone who has not signed off on the language used to describe their role.

Open roles

Where we are hiring now.

These are the seats the operating model needs filled before Series A. If one of them describes you, send a public artifact you are proud of and a one-paragraph note on the incident or detection you are most known for.

Founding detection engineer

Owns the cross-surface detection backlog: identity, cloud, AI, exploited-vuln. Ships detection-as-code with eval coverage.

AI security researcher

Adversarial work against LLM and agent systems. Findings ship as runtime detections, not PDFs.

Incident commander

Leads live incidents, owns the customer-facing recovery path, runs tabletop exercises during onboarding.

Threat intelligence lead

Curates CTI feeds, runs adversary tracking, writes the weekly briefings that wire back into detections.

Field engineering lead

Onboards customers, integrates SIEM and EDR sources, owns the time-to-first-detection metric.

Why this page does not name founders or advisors yet.

Cybersecurity is a field where claimed pedigree is checked. Listing a name before that name has signed off — or before they would actually take a reference call — damages every other claim on the site. So we do not.

When the founding leadership and advisory board are public, this section is replaced with names, roles, and links to their public work. Not before.

Operating principles for this page

We do not name leadership or advisors on this page until they have signed off on the language. Empty surfaces are better than misleading ones.
When a leadership hire closes or an advisor agrees to be public, they appear here within the same week — with the role described in their own words.
References on hires are taken before any name is published. We will not list a name we cannot independently verify.
Investor or buyer reference call? Reach hello@ironsoc.com.