Cortex XSIAM Security Engineer
Posted 2026-05-06
<div class="benefits">
<div><strong>Benefits:</strong></div>
<ul>
<li>401(k)</li>
<li>Competitive salary</li>
<li>Dental insurance</li>
<li>Health insurance</li>
<li>Paid time off</li>
<li>Vision insurance</li>
</ul>
</div>
<div class="trix-content">
<div>
<strong>Position Summary</strong><br>Celestial Innovations Group (CIG) is seeking a skilled Cortex XSIAM Security Engineer to deploy, configure, and operationalize Palo Alto Networks Cortex XSIAM for federal and enterprise clients. This role is at the center of CIG's AI-driven Security Operations practice, enabling clients to modernize their SOC by consolidating SIEM, XDR, SOAR, UEBA, ASM, and TIP capabilities into a single, converged platform.<br><br>The Cortex XSIAM Engineer will serve as a subject-matter expert (SME) throughout the full platform lifecycle: from requirements gathering and architecture design through deployment, integration, and continuous optimization — driving measurable improvements in threat detection and incident response times for our government and commercial clients.<br><br>
</div><div><strong><u>Key Responsibilities</u></strong></div><div><strong>Platform Deployment & Integration</strong></div><ul>
<li>Lead end-to-end deployment of Cortex XSIAM for federal and enterprise clients, including data source onboarding, log ingestion, and normalization.</li>
<li>Integrate XSIAM with existing security ecosystem tools including firewalls, endpoints, cloud platforms, identity providers, and ticketing systems.</li>
<li>Configure data pipelines to ingest and normalize telemetry from diverse sources (endpoints, network, cloud, identity) into XSIAM's unified data model.</li>
<li>Migrate clients from legacy SIEM platforms to Cortex XSIAM, ensuring continuity of detection coverage and compliance reporting.</li>
</ul><div><strong>Detection Engineering & Analytics</strong></div><ul>
<li>Build and tune correlation rules, behavioral analytics, and ML-based detection models within XSIAM to reduce false positive rates and improve detection fidelity.</li>
<li>Develop and maintain XSIAM analytics leveraging XQL (Extended Query Language) to extract actionable insights from security telemetry.</li>
<li>Map detection content to the MITRE ATT&CK framework, ensuring coverage across all relevant tactics, techniques, and procedures (TTPs).</li>
<li>Configure AI SmartScoring and technique-based incident grouping to reduce alert fatigue and prioritize analyst workload effectively.</li>
</ul><div><strong>Automation & Playbook Development</strong></div><ul>
<li>Design, build, and maintain SOAR automation playbooks within XSIAM to automate triage, enrichment, and remediation workflows.</li>
<li>Leverage Cortex Marketplace content packs and develop custom integrations as needed to support client-specific security processes.</li>
<li>Implement dev/prod playbook lifecycle management to ensure safe testing and controlled promotion of automation content.</li>
<li>Continuously improve automation coverage, targeting measurable reductions in manual analyst workload.</li>
</ul><div><strong>Incident Response & Threat Management</strong></div><ul>
<li>Serve as an escalation point for complex incident investigations, using XSIAM causality chains and full attack-story visualizations to support rapid remediation.</li>
<li>Coordinate with client SOC teams during active incidents, leveraging XSIAM's embedded automation and enrichment capabilities.</li>
<li>Support Attack Surface Management (ASM) functions to proactively identify and remediate client exposure.</li>
<li>Utilize integrated Threat Intelligence Platform (TIP) capabilities, including Unit 42 threat feeds, to enrich alerts and inform response priorities.</li>
</ul><div><strong>Client Engagement & Advisory</strong></div><ul>
<li>Serve as a trusted technical advisor to federal and commercial clients on XSIAM capabilities, roadmap, and SOC modernization strategy.</li>
<li>Produce SOC performance dashboards, compliance reports, and executive summaries within XSIAM to support client governance requirements.</li>
<li>Conduct training and knowledge transfer sessions to build client SOC team proficiency on the XSIAM platform.</li>
<li>Support CIG business development efforts by contributing to proposals, demos, and technical capability briefings for prospective clients.</li>
</ul><div><strong><u>Required Qualifications</u></strong></div><ul>
<li>3+ years of hands-on experience with Palo Alto Networks Cortex XDR or Cortex XSIAM in an enterprise or federal environment.</li>
<li>Demonstrated experience deploying or administering SIEM platforms (Splunk, Microsoft Sentinel, IBM QRadar, or equivalent).</li>
<li>Proficiency with XQL or comparable query languages for log analysis and threat hunting.</li>
<li>Working knowledge of SOAR concepts and experience building security automation playbooks.</li>
<li>Understanding of EDR, NDR, and UEBA technologies and how they feed into a converged SOC platform.</li>
<li>Familiarity with the MITRE ATT&CK framework and its application to detection engineering.</li>
<li>Active Secret clearance (minimum); TS/SCI preferred for federal engagements.</li>
<li>Bachelor's degree in Cybersecurity, Computer Science, Information Systems, or related field, OR equivalent professional experience.</li>
</ul><div><strong><u>Preferred Qualifications</u></strong></div><ul>
<li>Palo Alto Networks Certified Security Automation Engineer (PCSAE) or Cortex XSIAM-specific certification.</li>
<li>Experience with federal compliance frameworks including NIST SP 800-53, RMF, DISA STIGs, and CDM program requirements.</li>
<li>Familiarity with Zero Trust Architecture principles (NIST SP 800-207, CISA ZT Maturity Model) and how XSIAM supports ZTA adoption.</li>
<li>Experience integrating Cortex XSIAM with Palo Alto Networks NGFW, Prisma Cloud, or Zscaler platforms.</li>
<li>Knowledge of cloud security telemetry sources (AWS, Azure, GCP) and their ingestion into XSIAM.</li>
<li>Exposure to Python or JavaScript for custom XSIAM integration development or automation scripting.</li>
<li>Prior experience supporting federal SOC operations or DHS CDM program environments.</li>
<li>CISSP, CEH, CompTIA Security+, or equivalent security certification.</li>
</ul><div><strong><u>Technical Skills & Tools</u></strong></div><div><strong>SOC Platforms</strong></div><ul>
<li>Cortex XSIAM / XDR</li>
<li>Cortex XSOAR</li>
<li>SIEM platforms</li>
<li>XQL query language</li>
<li>EDR / NDR / UEBA</li>
</ul><div><strong>Security Frameworks</strong></div><ul>
<li>MITRE ATT&CK</li>
<li>NIST SP 800-53 / RMF</li>
<li>NIST SP 800-207 (Zero Trust Architecture)</li>
<li>CISA Zero Trust Maturity Model</li>
<li>DISA STIGs</li>
</ul><div><strong>Integrations & Tools</strong></div><ul>
<li>Palo Alto NGFW / Prisma</li>
<li>Zscaler ZIA / ZPA</li>
<li>Microsoft Sentinel / Azure</li>
<li>ServiceNow / Ticketing systems</li>
<li>AWS / Azure / GCP</li>
</ul>
</div>
<p>Flexible work from home options available.</p>