At Sword, we’re building AI to heal billions and unlock humanity’s full potential. In doing so, we’re pioneering AI Care, a fundamentally new approach to healthcare built for medical reasoning, safety, and real-time treatment, not generic technology applied after the fact. As both a clinical-centric frontier AI lab and an applied AI platform, Sword is reimagining how care is delivered at scale, removing traditional barriers like appointments, waiting rooms, and stigma so more people can access the care they need—and ultimately get back to lives lived in full.

Since 2020, Sword has expanded across physical therapy, women’s health, cardiometabolic, and mental health, and is now moving beyond the session to a fully AI-native, 24/7 care program that brings physical activity, therapeutic exercise, psychotherapy, nutrition, and behavior change into one connected experience. More than 700,000 members across three continents have completed over 10 million AI sessions, helping 1,000+ enterprise clients avoid more than $1 billion in unnecessary healthcare costs. Backed by 42 clinical studies, 44+ patents, and more than $500 million raised from leading investors including Khosla Ventures, General Catalyst, and Founders Fund, Sword is defining a new standard for healthcare.

As Security Operations Lead, you'll lead our SecOps squad and own how Sword detects, investigates, and responds to threats. You'll help structure how this function operates — setting the direction on SIEM architecture, detection engineering, and incident response — and use automation and AI to scale a focused team across a fast-growing, multi-continent footprint. You'll be a core voice in our security strategy, and the systems, processes, and culture you build will set the bar for how Sword protects 700,000+ members.

If Tech role: To get to know more about our Tech Stack, check here.

What you’ll be doing

• Set the strategy and technical direction for Sword’s Security Operations Center — defining the operating model, SIEM and detection architecture, incident response capability, and the roadmap to scale them as the company grows.
• Drive an AI- and automation-first transformation of security operations: design SOAR playbooks, agentic and LLM-assisted triage workflows, and ML-driven detection to reduce MTTD/MTTR, expand coverage, and let a lean team operate at enterprise scale.
• Lead the SOC/CSIRT team technically — mentoring detection and response engineers, raising the bar on investigations, running on-call and escalation models, and acting as commander for major incidents.
• Own the SIEM end-to-end (architecture, data sources, normalization, retention, cost, and tuning) and evolve detection-as-code content aligned to MITRE ATT&CK and Sword’s threat model.
• Lead high-severity incident response from detection through containment, eradication, recovery, and post-incident review, partnering with engineering, IT, legal, and executive stakeholders during critical events.
• Run the threat intelligence and threat hunting programs, converting emerging TTPs into new detections, proactive hardening, and informed risk decisions.
• Define and report on SOC performance — MTTD, MTTR, coverage, automation rate, false-positive rate, on-call health — and use those metrics to drive measurable, continuous improvement.
• Influence security architecture and engineering decisions across the company, ensuring detection, response, and recovery are built into new products, platforms, and infrastructure from day one.
• Establish and continuously improve incident response playbooks, runbooks, and tabletop exercises to ensure organizational readiness.

What you need to have

• Bachelor’s degree in Computer Science, Cybersecurity, or equivalent professional experience.
• Proven experience scaling a SOC through automation and AI — SOAR, hyperautomation, LLM-assisted triage, agentic workflows, or ML-driven detection — with measurable impact on MTTR, coverage, or analyst leverage.
• Hands-on experience structuring a SOC, either building one from the ground up or maturing one through significant transformation — SIEM selection, implementation or migration, detection engineering practice, runbook libraries, on-call rotations, and operating metrics.
• Deep SIEM expertise (Splunk, Sentinel, Chronicle, Elastic, or similar) — ingestion architecture, detection-as-code, query optimization, and coverage-versus-cost tradeoffs.
• Prior experience as the technical lead of a SOC or CSIRT team — owning the full incident response lifecycle, mentoring analysts and engineers, and acting as on-call/incident commander during major incidents.
• Strong incident response track record — leading high-severity investigations, root cause analysis, digital forensics, and post-incident reviews that produced durable improvements.
• Solid experience in cloud environments (AWS and/or GCP), with strong understanding of cloud-native threats and controls.
• Strong scripting and development skills (Python, Go, Bash, or similar) for building automation, integrations, and internal tooling.
• Working knowledge of EDR/XDR, identity, and network detection telemetry, and how to combine signals into high-fidelity detections.
• Fluency with security frameworks and standards (NIST 800-61, CIS Controls, MITRE ATT&CK, ISO 27001) and the judgment to apply them pragmatically.
• Background in threat modeling, adversary emulation, and risk-based alert tuning.
• Excellent communicator — able to brief executives during a Sev1, write a clear post-mortem, and translate technical risk into business language for non-technical audiences.