A global technology company runs a Cyber Center in Prague — around 270 people, with roughly 80 in security operations. They're looking for a Security Operations Engineer who can run SIEM platforms, tune detections, and own the work end-to-end.
Salary 90 000–130 000 CZK gross per month. Hybrid setup in Prague or fully remote is also possible.
Good fit if you have 3–4 years working hands-on with Splunk or Microsoft Sentinel, you're comfortable on Linux, and you'd rather build reliable detections than produce daily PowerPoint reports.
Our client is a global technology and professional services company with a Cyber Center in Prague. The team serves enterprise clients across multiple industries and operates as a mature, production-grade security operation — not a lab, not a pilot.
The Prague team is around 270 professionals. The security operations unit has ~80 people, including roughly 27 engineers who own the technical layer — SIEM platforms, detection pipelines, incident response tooling. English is the language of client-facing work; Czech is day-to-day inside the team.
Why This Role Exists Now:
The security operations team is expanding. Two new engineers are joining — this is one of two roles being filled at the same time. The other role goes deeper on cloud SIEM (separate ad).
The team has experienced engineers who know the detection architecture well, and now is a good moment to join — the knowledge transfer opportunity is real and accessible from day one.
If you've been in an MSSP environment where detection ownership stays with the vendor or a central content team — this role is built differently. Most MSSP setups give you the SIEM. This one gives you the rules.
Job description
Role / Mission:
Your job is to keep the SIEM infrastructure healthy and make sure the detections it runs actually catch things worth catching.
Day-to-day: monitoring and triaging alerts, maintaining log source pipelines, tuning correlation rules, and working with analysts when something escalates. You'll also write and maintain playbooks so the team doesn't reinvent the wheel during incidents.
Tech context: the team runs Splunk and Microsoft Sentinel as primary platforms. QRadar and ArcSight in the mix from legacy clients. Chronicle/Google SecOps is present in some environments — knowledge there is a plus.
Success in 12 months: you own your detection playbooks, you've added at least one meaningful improvement to the ingestion or detection layer, and when someone has a question about platform behavior, they come to you first.
Key Responsibilities:
— Monitor, triage, and investigate alerts across SIEM platforms (primarily Splunk and Microsoft Sentinel)
— Build, tune, and maintain detection rules and correlation logic — SPL, KQL, or both
— Maintain SIEM infrastructure: log sources, ingestion pipelines, platform health, onboarding new data feeds
— Write and update incident response playbooks; support L1/L2 analysts during active investigations
— Participate in on-call rotation; contribute to post-incident documentation and lessons learned
What This Role Is NOT:
— Not a pure L1 analyst position — you're here to engineer and improve, not just watch dashboards
— Not a client-facing sales or advisory role — this is delivery, inside the engine room
— Not a solo build-from-scratch project — you're joining an existing team with live infrastructure
Operating Model:
Standard working hours, no shift work. On-call is a shared rotation across the engineering team. Hybrid setup in Prague or fully remote is also possible. Reports to: Head of Security Engineering. English for client documentation; Czech for internal team communication. Travel is minimal.
Requirements
What Matters Most:
We're not looking for someone who ticked every checkbox on a certification list. Three things actually matter:
— SIEM hands-on time — you've worked with Splunk (SPL queries, correlation searches) or Microsoft Sentinel (KQL, analytics rules) for at least 2 years in a production environment
— Linux system knowledge — you understand how logs are generated, how syslog works, what endpoint telemetry looks like
— Detection thinking — you can write a correlation rule from scratch, explain why it's tuned the way it is, and recognize when a low-severity alert is worth investigating
English needs to be solid for reading technical documentation and writing client-facing reports.
If your background is primarily QRadar or ArcSight — that's a valid starting point. We care more about your engineering instincts than the vendor logo.
Nice to Have:
— Experience with Chronicle/Google SecOps — YARA-L rules, UDM data model
— Familiarity with QRadar or ArcSight from client or previous employer environments
— Security certifications: GCIA, CEH, CompTIA Security+, Microsoft SC-200, or Splunk Core Certified
— Scripting for automation — Python, PowerShell, or bash for log parsing or playbook triggers
Don't let the nice-to-haves stop you. If you have the three core things, the rest can be learned.
Offer & Terms
Compensation & role impact:
— Salary 90 000–130 000 CZK gross / month, based on seniority and experience
— Access to top-tier enterprise projects not available to individual contractors
— Strong project governance and architectural standards
— International environment – not a ticket factory
— Real opportunity to influence and strengthen Prague-based technical leadership
Investing in your future:
— Individual training roadmap prepared for every engineer — paid certifications included (Splunk Core/ES, Microsoft SC-200, SANS and others)
— Support for technical bootcamps
— Employee share purchase program (up to 10% of salary)
— Mentoring and coaching
— Private healthcare
— Contributions to life and pension insurance
Work & flexibility:
— 5 weeks of vacation + sick days
— Company mobile phone
— Employee referral program
Interested? Let's Talk
If this sounds like your kind of challenge, apply now — let's build something great together.
Throughout the process, you'll be guided by a senior recruiter with hands-on IT experience. Straightforward, technically grounded, without unnecessary recruitment overhead.
Send your CV or LinkedIn profile to or reach out via linkedin.com/in/jirisoljak
Interview process:
— Intro call with SITEQ recruiter — 30 minutes, we'll explain the role and client context
— First interview with the team lead — get to know each other, talk about the team and day-to-day
— Technical interview with a senior engineer from the security operations team — hands-on discussion, no trick questions
— Offer
Please note: this position is open only to candidates eligible to work in the EU without visa sponsorship, able to reside and work in the Czech Republic.
