Jobs at Morgan Stanley in United Kingdom

Embrace the challenge of maintaining robust digital security, driving operational excellence, and implementing cutting-edge solutions in cybersecurity.

As a Security Operations Vice President in Cybersecurity & Tech Controls, you will be a technical leader in our Cyber Defense function, enhancing our capabilities to detect, prevent, and disrupt sophisticated cyber threats across a complex hybrid enterprise. You will design scalable detection solutions and play a key role in our detection-as-code framework, ensuring comprehensive coverage across endpoints, networks, cloud infrastructure, and critical business systems. Collaborating closely with Security Operations Center (SOC) analysts, threat hunters, red team members, and internal security engineering teams, you will develop scalable, high-fidelity detections using logs, telemetry, and behavioral analytics from diverse data sources. The ideal candidate will have SOC experience, a passion for researching TTPs and the threat landscape, and the ability to translate this research into high-quality detections.
As a technical lead, your responsibilities will include advanced analysis, threat hunting, evaluating new security technologies, and ensuring the integration of larger technology projects into the Cyber Defense team and monitoring function. You will apply advanced analytical, technical, and problem-solving skills to achieve operational excellence and implement innovative solutions to tackle complex security challenges.

Job responsibilities

• Design, implement, and continuously refine advanced threat detection rules, logic, and models in SIEM, EDR, and cloud-native platforms (e.g., Splunk, Sentinel, CrowdStrike, AWS/Azure/GCP).
• Continuously refine detection strategies based on evolving TTPs (MITRE ATT&CK), threat intelligence, and red/purple team feedback.
• Utilize detection-as-code pipelines and SRE principles to build and maintain detections with appropriate versioning, QA, and testing workflows.
• Perform threat model reviews, architecture reviews and detection gap assessments.
• Operationalize MITRE ATT&CK mappings, threat intel insights, and adversary simulation results to develop precise detection logic.
• Map detection coverage against evolving threat landscapes aligning with industry frameworks and internal threat profiles.
• Partner with Threat Intelligence, Red Team, and Incident Response teams to close the feedback loop between detection hypotheses and real-world adversary behavior.
• Evaluate new telemetry sources and support the onboarding, normalization, and enrichment of log sources to ensure high-fidelity data for detection and analytics.
• Mentor junior analysts and engineers in detection logic design, telemetry analysis, and security operations best practices.

• Evaluate and enhance the organization's security posture by staying current with industry trends, emerging threats, and regulatory requirements, driving innovation and process improvements.

Required qualifications, capabilities, and skills

• Bachelor’s Degree in Computer Science, Cybersecurity, Data Science, or related disciplines
• 5+ years of experience in cybersecurity with a core focus on threat detection, security engineering, or SOC operations.
• Expertise in SIEM platforms (e.g., Splunk SPL, KQL, Elastic) with a strong command of query optimization, dashboarding, and alert logic development.
• Advanced understanding of attacker TTPs, malware behaviors, lateral movement techniques, and financial-sector-specific threat actors.
• Experience with threat hunting on a large, enterprise network both as an individual and leading hunting exercises with other team members.
• Deep familiarity with telemetry from EDRs, Cloud logging (e.g., AWS, Azure, GCP), Windows/Linux event logs, identity platforms (e.g., Azure AD), and public cloud services.
• Ability to research TTPs, analyze raw log and develop high fidelity detections in various tools/languages.
• Proven experience collaborating with SOC, IR, threat intel, or red teams in a fast-paced environment.
• Strong grasp of security frameworks and taxonomies including MITRE ATT&CK, Cyber Kill Chain, NIST, and SIGMA/YARA formats.
• Proficiency in scripting languages such as Python or PowerShell to support automation and enrichment tasks.

• Experience creating and working with Jupyter Notebooks to automate workflows and processes.

Preferred qualifications, capabilities, and skills

• Experience with detection-as-code methodologies and tools (e.g., Git-based pipelines, CI/CD for security content).
• Background in cloud security (AWS/GCP/Azure), particularly around detection and log correlation in IaaS and SaaS environments.
• Familiarity with SOAR platforms, and anomaly-based detection techniques.
• Experience leveraging Large Language Models (LLMs) for security use cases such as log parsing, alert triage, threat narrative generation, or threat intelligence summarization.
• Experience in integrating LLMs into detection workflows to enhance context enrichment, rule generation, or automated investigation support.