
Director of Security Operations

Fluidstack
Austin, TX
April 12th, 2026

About Fluidstack

At Fluidstack, we're building the infrastructure for abundant intelligence. We partner with top AI labs, governments, and enterprises - including Mistral, Poolside, Black Forest Labs, Meta, and more - to unlock compute at the speed of light.

We're working with urgency to make AGI a reality. As such, our team is highly motivated and committed to delivering world-class infrastructure. We treat our customers' outcomes as our own, taking pride in the systems we build and the trust we earn. If you're motivated by purpose, obsessed with excellence, and ready to work very hard to accelerate the future of intelligence, join us in building what's next.

About the Role

Fluidstack operates the compute infrastructure that powers frontier AI, including some of the most demanding training and inference workloads on the planet. We are building a Security Operations function from the ground up, and we want to build it right: AI-native, highly automated, and designed for the scale and threat model of a company that sits at the intersection of critical infrastructure and frontier AI development.

The threat model here is not a narrow one. We operate corporate infrastructure and data center sites across multiple geographies, complex IT and OT/ICS environments, and cloud infrastructure, all serving customers whose work attracts sophisticated, persistent, and well-resourced adversaries. State-nexus actors, insider risk, supply chain compromise, physical intrusion, and infrastructure disruption are all real considerations. The SOC you build has to be credible against all of them, and the operating model has to hold up in a multi-stakeholder environment that includes upstream and downstream customers and partners with their own security requirements, audit rights, and contractual SLAs.

This is not a role for someone who wants to manage a room full of analysts watching dashboards.
This is a role for someone who wants to architect an entirely different model, one where AI handles L1 at scale, agentic workflows close the loop on routine response, a real threat intelligence function drives detection, and human analysts spend their time on work that requires genuine expertise and judgment. You'll be a builder across three dimensions simultaneously: the technical architecture, the operating model, and the team. If you've been frustrated watching the industry default to "hire more people" when the answer is "build better systems," this is the role you've been waiting for.

Focus

- SOC Architecture & Build: design and build Fluidstack's security operations capability from scratch, including data architecture, detection logic, automation fabric, toolchain, and team model, using a modern stack
- AI-Native Detection & Triage: define and implement a detection philosophy that assumes AI handles L1; build the pipelines, enrichment logic, and triage automation that resolves high-volume, low-ambiguity alert classes without human intervention
- Agentic Response Workflows: design and deploy autonomous response workflows that contain, investigate, and remediate, not just notify; own and continuously push the boundary between machine-closed and human-required cases
- LLM-Assisted Investigation: integrate LLM-based tooling into the analyst workflow for case summarization, log interpretation, and hypothesis generation; define how AI augments analyst cognition as a genuine force multiplier
- Detection Engineering: own the detection content lifecycle end-to-end: MITRE ATT&CK coverage mapping, detection-as-code workflows, alert quality metrics, and continuous tuning across a heterogeneous environment
- Threat Intelligence: build and operationalize a threat intelligence program that produces finished intelligence relevant to Fluidstack's specific threat model and customer base, and connects directly to detection content and hunting hypotheses
- Threat Hunting: design and run a proactive hunting capability operating independently of the alert queue, covering cloud, OT/ICS, physical telemetry, and endpoint across a threat landscape that includes sophisticated, targeted actors
- Multi-Site Physical + OT/ICS Coverage: build detection coverage across data center sites, security-instrumented OT/ICS systems, physical access telemetry, and BMS environments that don't look like a standard enterprise
- Operating Model Design: define the coverage model, escalation logic, stakeholder interfaces, SLA architecture, and feedback loops that make the SOC function as a system, not just a team
- Team & Vendor Strategy: define the human layer of the SOC: size, structure, sourcing model, and skill profile; make the MSSP build-vs-buy call with data, not defaults
- Customer & Regulatory Obligations: ensure the SOC can reliably and demonstrably meet contractual incident notification SLAs and compliance obligations across Fluidstack's customer base

About You

You bring technical depth across the core disciplines
- Proven experience designing or substantially rebuilding a SOC, not just running one someone else built
- Deep hands-on background in detection engineering, SIEM/data lake architecture, and SOAR automation
- Genuine experience with AI/ML applied to security operations, not familiarity with vendor marketing
- Hands-on threat intelligence program development, including finished intel production and operationalization
- Active threat hunting experience across heterogeneous environments
- Exposure to OT/ICS environments or physical security telemetry at scale
- Track record of reducing MTTD and MTTR through automation and architecture, not headcount

You know how to design an operating model, not just run one
- Experience structuring coverage models, escalation logic, and stakeholder interfaces in environments where the org chart doesn't make things simple
- Comfort navigating a multi-stakeholder environment with competing priorities and external accountability: customers, auditors, regulators
- Experience operating under contractual security obligations with defined incident response SLAs
- Ability to build processes that scale with automation rather than headcount, and to make that case credibly

You can lead a team and build a culture
- Experience hiring, developing, and retaining security operations talent across a range of specializations
- Ability to define team structure that matches the operating model, not the one that came before it
- Track record of building culture in a function that operates under pressure

Strong differentiators
- Experience with LLM integration into security tooling, including prompt engineering and evaluating AI output reliability under adversarial conditions
- Data engineering fluency at the schema and query level
- Experience designing SOC coverage for hyperscale or critical infrastructure environments
- Threat intelligence program experience targeting sophisticated or nation-state-adjacent actors
- Comfort in a compliance-adjacent environment (SOC 2, ISO 27001, FedRAMP-adjacent) without being compliance-driven

Salary & Benefits

- Competitive total compensation package (salary + equity).
- Retirement or pension plan, in line with local norms.
- Health, dental, and vision insurance.
- Generous PTO policy, in line with local norms.

The base salary range for this position is $250,000 - $350,000 per year, depending on experience, skills, qualifications, and location. This range represents our good faith estimate of the compensation for this role at the time of posting. Total compensation may also include equity in the form of stock options.

We are committed to pay equity and transparency.

Fluidstack is an Equal Employment Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, sexual orientation, gender identity, disability and protected veterans' status, or any other characteristic protected by law.
Fluidstack will consider for employment qualified applicants with arrest and conviction records pursuant to applicable law.