Security Operations Engineer

 Posted 2 hours ago
  
 Worldwide
  
2-5 years experience

Yellow Card is the largest and first licensed stablecoin-based infrastructure provider, operating in 20 African countries and the emerging markets. Our mission is to empower businesses of all sizes, making it easier for them to make international payments, protect their financial assets, manage their treasury function, and access hard currency liquidity.

We are creating “financial infrastructure that works”, disrupting the financial services industry by offering innovative solutions designed to meet the distinct needs of – and real-world challenges faced on a daily basis by – our customers. Leveraging the power of stablecoins pegged 1:1 to the U.S. dollar (e.g., USDC, USDT, and PYUSD), we deliver our innovative solutions through our commercial trading function, our B2B products (i.e., our Payments API & Treasury Portal).



The Security Operations Engineer is the operational backbone of the Security Operations Centre (SOC). It is a fully remote, hands-on, technical role that owns three tightly integrated domains: security alert design, triage, and automated response; cloud security posture management across EKS and AWS environments; and posture tracking and reporting.

Reporting to the Associate Director, Product & Infrastructure Security, the engineer works alongside a mature Application Security team and collaborates closely with DevOps, Engineering, and Security GRC functions. The role sits within the First Line of Defense and is expected to progressively drive down manual effort through detection-as-code and SOAR automation.

This is not a perimeter-security or scan-and-report role. The right candidate must be comfortable writing detection logic, triaging cloud misconfigurations at the infrastructure level, and owning end-to-end vulnerability remediation cycles in containerised environments.



Key responsibilities 

Duties include, but are not limited to:


1. Security Operations

The engineer owns the full lifecycle of security detection and response inside the SOC, from signal design through to automated containment. This is the primary domain of the role.

Alert design and coverage

  • Design and maintain SIEM detection rules covering cloud, container, identity, and application layers, using both signature-based and behavioural logic
  • Map detection coverage against the MITRE ATT&CK framework and identify gaps relevant to the organisation's AWS and EKS attack surface
  • Integrate threat intelligence feeds to refresh rule logic for emerging threats and TTPs
  • Maintain a detection backlog, prioritised by risk, with defined review cadences

Alert triage

  • Daily SIEM alert triage following the defined response timing standard
  • Classify, investigate, and resolve security signals
  • Reduce false-positive rates through structured tuning cycles, with documented rationale for rule changes
  • Maintain triage runbooks for key production detection rules

Automated response workflows (SOAR)

  • Build and maintain SOAR playbooks for common alert types including IAM anomalies, misconfiguration alerts, exposed secrets, and container runtime events
  • Automate enrichment steps (asset lookup, threat intel correlation, ownership resolution) to reduce analyst time-to-context
  • Document automation logic and maintain version control for all playbooks
  • Measure and report automation coverage rate as a standing KRI


2. Cloud Security Posture Management

Cloud posture management is the infrastructure-facing domain of the role, covering vulnerability management, identity governance, and configuration and change control. AWS EKS and Serverless resources are the primary environments.

Vulnerability management

  • Own the end-to-end vulnerability triage process for cloud and container environments, prioritising findings by business impact using CVSS scoring, asset criticality, and exploitability context
  • Manage EKS-specific vulnerability coverage: base image currency, workload scanning results, pod security standards compliance, and node group patching cadence
  • Coordinate remediation with engineering teams by opening well-scoped tickets, tracking progress, and escalating SLA breaches
  • Maintain MTTR and SLA compliance data by severity tier
  • Oversee CSPM posture score targets; triage new Critical findings within defined SLA windows

Identity and access governance

  • Review and approve IAM policy changes, enforcing least-privilege and flagging over-permissioned roles or service accounts
  • Execute scheduled IAM hygiene reviews: unused credentials, stale access keys, overly broad policies, and cross-account trust boundaries
  • Govern workload identity configurations in EKS, ensuring service accounts carry only the permissions required
  • Support the secrets rotation program and enforce zero hardcoded credentials across the estate

Configuration and change management

  • Review and approve cloud network security changes: security group modifications, network ACL changes, and routing updates
  • Own container image security: base image update cadence, scanning results review, and image ownership classification
  • Investigate and remediate misconfiguration alerts surfaced by CSPM tooling within defined SLA windows
  • Maintain a configuration baseline for critical cloud resources and flag drift

3. Posture Tracking and Reporting

The engineer is the primary data owner for security posture metrics across both SOC and cloud domains. Reporting outputs feed executive dashboards, GRC compliance evidence, and quarterly risk reviews.

KRI data collection

  • Collect and maintain Key Risk Indicator data across all three KRA domains on defined cadences
  • SOC KRIs: MTTA (Mean Time to Acknowledge), MTTR, false-positive rate, automation coverage rate, detection coverage score
  • VM KRIs: Critical/High finding counts, SLA compliance rate by severity, MTTR by tier, overdue remediation count
  • Posture KRIs: CSPM score, under-protected asset count, misconfiguration closure rate, IAM hygiene score, log source coverage

Recurring control reviews

  • Execute infrastructure security control checks on weekly (CSPM critical findings), monthly (IAM hygiene, secrets rotation status), and quarterly (posture benchmark, detection coverage review) cadences
  • Produce structured findings reports for each review cycle, flagging control failures for escalation

Reporting

  • Provide SOC and cloud posture metrics, including trends, at the required reporting cycles
  • Support external audit and due diligence processes by providing evidence artefacts

Requirements for the role:

  • Co-own the shared vulnerability backlog (infrastructure side) with the Application Security team, ensuring consistent prioritisation methodology across domains
  • Serve as the infrastructure and identity SME for the AppSec team during application security assessments and architecture reviews
  • Own infrastructure containment during incidents that span application and infrastructure layers, working alongside AppSec for root cause analysis
  • Provide infrastructure, identity, and network security review for new third-party integrations prior to deployment
  • Collaborate with the Security GRC function on control evidence and compliance mapping, particularly for SOC 2, ISO 27001, and GDPR requirements


Experience and Skills

  • Fluency in English, both written and verbal
  • Ability to collaborate with cross-functional teams and across different time zones
  • 3 to 5 years of experience in security operations, cloud security, or infrastructure security engineering
  • Hands-on AWS security experience: IAM policy design, virtual network architecture, cloud-native security services, CloudTrail, GuardDuty
  • Kubernetes and EKS security experience: pod security standards, network policy enforcement, workload identity, image scanning
  • SIEM operations: alert triage, detection rule authoring (signature-based and behavioural), log analysis and correlation
  • Vulnerability management: CSPM tooling, risk-based prioritisation, CVSS scoring, SLA framework operation
  • IaC security: ability to read and review Terraform or CloudFormation for misconfigurations
  • Incident response: investigation, containment, and post-incident reporting
  • Experience in a regulated environment (FinTech, payments, banking, or crypto preferred)
  • Ability to author and tune detection rules without relying on vendor-supplied defaults
  • Structured written communication for triage reports, post-incident write-ups, and stakeholder metrics
  • Ability to coordinate remediation across engineering teams without direct authority
  • Comfort operating in a lean team where domain boundaries are broader than in large enterprise security functions

Qualifications:

  • Professional certifications: AWS Security Specialty (highly valued)
  • Experience with CSPM and SIEM platforms: Datadog, Wiz, Orca Security
  • Experience with secrets management platforms: AWS Secrets Manager
  • Familiarity with compliance frameworks: SOC 2, ISO 27001, GDPR, DORA
  • Scripting ability in Python or Bash for detection-as-code and operational automation
  • Experience with SOAR or workflow automation platforms
  • Understanding of cryptocurrency or blockchain security considerations
  • Experience in a startup or scale-up environment
  • AI tooling familiarity and interest in applying AI to operational workflows


What We Offer

  • Ownership of the SOC and cloud security posture function from day one, in a high-growth FinTech environment
  • Broad domain exposure: detection engineering, cloud security, container security, incident response, and compliance
  • Collaborative team culture with a mature AppSec function and strong leadership support
  • Regulated, multi-geography environment with real-world impact on financial inclusion
  • Remote-First Flexibility: We embrace a fully remote work environment.
  • Learning & Development: Access to resources, support, and autonomy to grow professionally.
  • Mental Health Support Services: Your mental well-being matters to us.
  • Compensation & Benefits: We offer competitive compensation and meaningful health coverage, and all full-time employees are participants in our stock option plan.



Ready to Join Us?

Are you up for the challenge? Apply today and be part of shaping the future of FinTech. Let's innovate, disrupt, and lead together!





