Sword

Healthcare

Security Operations Lead (SecOps)

€50–79k · Porto, Portugal · Full time

The Brief

“Security Operations Lead (SecOps) at Sword. Skills: Security Operations Center (SOC) leadership, Automation and AI in SecOps, SIEM expertise, Incident Response, Cloud Security. Lead SecOps squad and own threat detection, investigation, and response. Structure SecOps function operations, setting direction for SIEM architecture, detection engineering, and incident response”

What You'll Achieve.

Reduce MTTD/MTTR; Expand coverage; Scale a lean team to operate at enterprise scale; Ensure organizational readiness; Drive measurable, continuous improvement

Industry & Context.

Healthcare
Problems you'll solve

Investigating incidents; Root cause analysis; Risk-based alert tuning

Eligibility Requirements

Candidates must possess a valid EU visa and be based in Portugal; On-call responsibilities

What They're Looking For.

Must Have

  • Bachelor’s degree in Computer Science, Cybersecurity, or equivalent professional experience
  • Proven experience scaling a SOC through automation and AI — SOAR, hyperautomation, LLM-assisted triage, agentic workflows, or ML-driven detection — with measurable impact on MTTR, coverage, or analyst leverage
  • Hands-on experience structuring a SOC, either building one from the ground up or maturing one through significant transformation — SIEM selection, implementation or migration, detection engineering practice, runbook libraries, on-call rotations, and operating metrics
  • Deep SIEM expertise (Splunk, Sentinel, Chronicle, Elastic, or similar) — ingestion architecture, detection-as-code, query optimization, and coverage-versus-cost tradeoffs
  • Prior experience as the technical lead of a SOC or CSIRT team — owning the full incident response lifecycle, mentoring analysts and engineers, and acting as on-call/incident commander during major incidents
  • Incident response track record — leading high-severity investigations, root cause analysis, digital forensics, and post-incident reviews that produced durable improvements
  • Solid experience in cloud environments (AWS and/or GCP), with understanding of cloud-native threats and controls
  • Scripting and development skills (Python, Go, Bash, or similar) for building automation, integrations, and internal tooling
  • Working knowledge of EDR/XDR, identity, and network detection telemetry, and how to combine signals into high-fidelity detections
  • Fluency with security frameworks and standards (NIST 800-61, CIS Controls, MITRE ATT&CK, ISO 27001) and the judgment to apply them pragmatically
  • Background in threat modeling, adversary emulation, and risk-based alert tuning
  • Excellent communicator — able to brief executives during a Sev1, write a clear post-mortem, and translate technical risk into business language for non-technical audiences
  • Proven track record of leading cross-functional efforts in high-pressure situations and fostering collaboration across InfoSec, IT, and engineering
  • Forensics experience, investigating incidents and preserving digital evidence

AI fluency is a core expectation at Sword Health. Every candidate is assessed against our three-level framework — be ready to share real examples of how AI is already part of how you work.

  • Explorer (Level 1) — Uses AI daily to boost personal productivity

Nice to Have

  • Builder (Level 2) — Creates workflows and tools that elevate the whole team
  • Integrator (Level 3) — Embeds AI into products and processes at scale

What You'll Do.

  • Lead SecOps squad and own threat detection
  • Structure SecOps function operations, setting direction for SIEM architecture, detection engineering, and incident response
  • Scale SecOps using automation and AI
  • Set strategy and technical direction for Sword’s Security Operations Center
  • Define operating model, SIEM and detection architecture, incident response capability
  • Drive AI- and automation-first transformation of security operations
  • Design SOAR playbooks, agentic and LLM-assisted triage workflows, and ML-driven detection
  • Lead the SOC/CSIRT team technically
  • Mentor detection and response engineers
  • Raise the bar on investigations
  • Run on-call and escalation models
  • Act as commander for major incidents
  • Own SIEM end-to-end (architecture
  • Evolve detection-as-code content aligned to MITRE ATT&CK and Sword’s threat model
  • Lead high-severity incident response from detection through containment and post-incident review
  • Run threat intelligence and threat hunting programs
  • Convert emerging TTPs into new detections and informed risk decisions
  • Define and report on SOC performance (MTTD
  • Use metrics to drive continuous improvement
  • Influence security architecture and engineering decisions across the company
  • and recovery are built into new products
  • Establish and continuously improve incident response playbooks and tabletop exercises

How You'll Work.

Team & Collaboration

Partnering with engineering, IT, legal, and executive stakeholders during critical events; Fostering collaboration across InfoSec, IT, and engineering

Communication Scope

Able to brief executives during a Sev1; Able to write a clear post-mortem; Able to translate technical risk into business language for non-technical audiences

Process & Methodology

Structuring a SOC, Developing roadmaps, Leading cross-functional efforts

Full Job Description

Description

At Sword, we’re building AI to heal billions and unlock humanity’s full potential. In doing so, we’re pioneering AI Care, a fundamentally new approach to healthcare built for medical reasoning, safety, and real-time treatment, not generic technology applied after the fact. As both a clinical-centric frontier AI lab and an applied AI platform, Sword is reimagining how care is delivered at scale, removing traditional barriers like appointments, waiting rooms, and stigma so more people can access the care they need—and ultimately get back to lives lived in full.

Since 2020, Sword has expanded across physical therapy, women’s health, cardiometabolic, and mental health, and is now moving beyond the session to a fully AI-native, 24/7 care program that brings physical activity, therapeutic exercise, psychotherapy, nutrition, and behavior change into one connected experience. More than 700,000 members across three continents have completed over 10 million AI sessions, helping 1,000+ enterprise clients avoid more than $1 billion in unnecessary healthcare costs. Backed by 42 clinical studies, 44+ patents, and more than $500 million raised from leading investors including Khosla Ventures, General Catalyst, and Founders Fund, Sword is defining a new standard for healthcare.

As Security Operations Lead, you'll lead our SecOps squad and own how Sword detects, investigates, and responds to threats. You'll help structure how this function operates — setting the direction on SIEM architecture, detection engineering, and incident response — and use automation and AI to scale a focused team across a fast-growing, multi-continent footprint. You'll be a core voice in our security strategy, and the systems, processes, and culture you build will set the bar for how Sword protects 700,000+ members.

If  Tech role: To get to know more about our Tech Stack, check here.

AI Proficiency at Sword Health

AI fluency is a core expectation at Sword Health. Every candidate is assesse
