ServiceNow

Staff Security Engineer, Security Operations - Moveworks

Job type

Full-time

Salary

Not disclosed by employer

Job description

The Moveworks Security team at ServiceNow is not looking for a traditional SOC analyst to watch a dashboard. We are looking for a Staff Agentic Security Engineer. Our ultimate goal is to automate the SOC out of existence through autonomous systems.

At the IC4 level, you will not just execute workflows; you will define the architectural framework for our AI-driven defense. You will treat the incident response lifecycle as an advanced engineering problem—experimenting with, designing, and orchestrating complex, multi-agent frameworks and Model Context Protocol (MCP) systems that handle proactive threat hunting, triage, and remediation at machine speed. This is a role for a visionary engineer who wants to push the boundaries of what agentic AI can achieve in enterprise defense.

What you get to do in this role:

  • Building and AI Orchestration: Move beyond basic tool configuration to build, code, design and research advanced, framework-level approaches for chaining MCP servers and AI agents. You will optimize agentic networks for maximum performance, multi-step reasoning accuracy, and deterministic outcomes in high-stress security scenarios.

  • Proactive Threat Hunting Program: Architect and scale a proactive threat hunting program from scratch. You will leverage custom agents, MCP capabilities, and security tooling to proactively discover complex vulnerabilities, configuration drift, and hidden threats across the infrastructure network.

  • Advanced Purple Team Synergies: Forge a cutting-edge feedback loop between the Blue Team and our internally developed AI Red Team Agent. You will seamlessly bridge automated offense and defense, turning threat hunting insights into self-healing infrastructure.

  • Cross-Functional Influence & Leadership: Act as a strategic engineering partner across IT, Security Engineering, DevOps, DevSecOps, Compliance, Cloud, and Infrastructure teams to ensure corporate systems are natively "automation-ready."

  • E2E IR Automation Architecture: Own the overarching engineering roadmap for the end-to-end incident response lifecycle (Detection → Triage → Containment → Recovery), replacing traditional SOAR workflows with resilient, agentic orchestration.

  • Incident Commander Escalation: Serve as a high-tier technical escalation point for active, complex incidents. Use every incident as an adversarial data point to design superior automated immune responses.

  • Validate the Defense: Design, execute, and validate automated simulation testing to systematically prove that agentic workflows and detection pipelines trigger reliably against real-world attack behaviors.

     

To be successful in this role you have:

  • U.S. Citizenship Required: (Must meet strict compliance/FedRAMP criteria).

  • Experience: 8–10 years of experience in Security Operations, Systems Engineering, or DevSecOps (Minimum 5 years of highly relevant engineering experience required).

  • Cross-Functional Mastery: 3–5 years of proven track record working closely across multidisciplinary teams including Cloud Infrastructure, DevOps, DevSecOps, Compliance, and IT. Bonus points for direct collaboration experience with Product Security or Data Security teams.

  • AI & Agentic Fluency: Deep familiarity with modern LLM agent frameworks, including active research into their application, performance trade-offs, and behavioral guardrails. You know how to deeply integrate LLMs, orchestrate custom MCP servers, and build autonomous technical workflows.

  • Automation Engineering: High proficiency in Python and software engineering principles. You have extensive past experience with traditional workflow engines and legacy SOAR tooling, giving you the context needed to successfully replace them with AI-native alternatives.

  • Cloud & Infrastructure Depth: Strong, hands-on architectural familiarity with AWS security ecosystems (IAM, CloudTrail, GuardDuty) and containerized environments (Kubernetes/EKS).

  • FedRAMP & Trust Awareness: While an engineer first, you possess the communication skills and security compliance maturity to translate framework controls into automated, code-driven evidence generation pipelines.

  • Team & Collaboration Dynamics: A high-autonomy, high-collaboration mindset. You thrive in a lean, elite, fast-moving team environment where you independently drive massive technical impact while mentoring and leveling up surrounding engineers.

     

Work Personas

We approach our distributed world of work with flexibility and trust. Work personas (flexible, remote, or required in office) are categories that are assigned to ServiceNow employees depending on the nature of their work and their assigned work location. To determine eligibility for a work persona, ServiceNow may confirm the distance between your primary residence and the closest ServiceNow office using a third-party service.

Equal Opportunity Employer

ServiceNow is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, creed, religion, sex, sexual orientation, national origin or nationality, ancestry, age, disability, gender identity or expression, marital status, veteran status, or any other category protected by law. In addition, all qualified applicants with arrest or conviction records will be considered for employment in accordance with legal requirements. 

Accommodations

We strive to create an accessible and inclusive experience for all candidates. If you require a reasonable accommodation to complete any part of the application process, or are unable to use this online application and need an alternative method to apply, please contact globaltalentss@servicenow.com for assistance. 

Export Control Regulations

For positions requiring access to controlled technology subject to export control regulations, including the U.S. Export Administration Regulations (EAR), ServiceNow may be required to obtain export control approval from government authorities for certain individuals. All employment is contingent upon ServiceNow obtaining any export license or other approval that may be required by relevant export control authorities. 

From Fortune. ©2025 Fortune Media IP Limited. All rights reserved. Used under license. 
