Senior Manager - Cloud Security Engineer (CrowdStrike)

Kroll Cyber & Data Resilience Manager or Senior Manager

At Kroll, we provide reactive, advisory, transformation, and managed security services to support clients at every stage of their path toward cyber and data resilience maturity. Our experts bring decades of experience in cyber risk consultancy, helping organizations across the world simplify and reduce the complexity of implementing, transforming, and managing their cyber programs. Through our strategic multi-year partnership with CrowdStrike, we combine world-class investigative expertise with an AI-native platform to redefine the future of managed detection and response, delivering faster outcomes, stronger protection, and greater resilience for organizations worldwide.

The Cyber & Data Resilience capability is hiring a Manager or Senior Manager to build and lead Kroll's CrowdStrike Falcon Cloud Security deployment practice. Falcon Cloud Security is the industry's first unified Cloud-Native Application Protection Platform (CNAPP), spanning CSPM, CWP, CIEM, KSPM, ASPM, DSPM, IaC scanning, and container and Kubernetes runtime protection across AWS, Azure, and Google Cloud — delivered through one sensor and one console, with both agent-based and agentless coverage.

Kroll clients need a partner who can deploy, configure, integrate, and tune Falcon Cloud Security end-to-end inside their Falcon tenant — registering cloud accounts at scale across AWS Organizations, Azure tenants, and GCP projects; rolling out runtime protection across VMs, containers, and Kubernetes; wiring cloud log telemetry into Falcon Next-Gen SIEM for detection engineering; building Fusion SOAR playbooks for cloud-native response; and tuning IOM (Indicators of Misconfiguration) and IOA (Indicators of Attack) policies to maximize signal and minimize noise in each client's cloud estate.

This is a player-coach role. The "Manager" or "Senior Manager" title does not mean hands-off oversight. You will personally lead engagement delivery — onboarding cloud accounts, deploying sensors and admission controllers, configuring CNAPP modules, building detection content, and integrating with the broader Falcon stack — while mentoring junior consultants and partnering with CrowdStrike account teams on scoping.

This role reports into the Engineered Defense / Tech Transformation leadership team and partners closely with Kroll's Identity, Next-Gen SIEM, AIDR, and CrowdStrike Services delivery teams.

Deploy

• Onboard client AWS, Azure, and GCP environments to Falcon Cloud Security at scale — using AWS CloudFormation StackSets across AWS Organizations, Bicep / Entra ID integrations for Azure tenants and management groups, and service account patterns for GCP projects and folders.
• Deploy the Falcon sensor across cloud workloads — EC2 / Azure VMs / GCE instances, container hosts, Kubernetes nodes — and stand up agentless snapshot-based scanning to fill coverage gaps.
• Deploy the Kubernetes Admission Controller to enforce pre-runtime policy on workload admission across EKS, AKS, GKE, and self-managed Kubernetes.
• Roll out container image registry scanning and IaC scanning (Terraform, CloudFormation, ARM/Bicep, Kubernetes manifests, Helm) into client CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins, Azure DevOps).
• Enable serverless protection for AWS Lambda, Azure Functions, and GCP Cloud Functions.
• Stand up CIEM across cloud identity providers (IAM users, roles, service accounts, managed identities) for least-privilege analysis.

Configure

• Configure CSPM policies — IOM rules, custom misconfiguration detections, compliance frameworks (CIS Benchmarks, NIST, PCI-DSS, HIPAA, SOC 2), and exception management.
• Configure CWP runtime policies — IOA detections, prevention policies, container runtime protection, drift detection.
• Configure KSPM policies — Kubernetes posture, pod security standards, admission control rules, RBAC analysis.
• Configure ASPM and DSPM policies for application-security posture and data-security posture across cloud data stores.
• Configure CIEM — effective permission analysis, toxic combinations, privilege right-sizing, service-account hygiene.
• Configure ExPRT.AI risk prioritization to surface attack paths and toxic combinations across CSPM/CWP/CIEM signals.
• Build and tune custom detection content (IOAs, IOMs, CQL queries) for cloud-native attack techniques mapped to MITRE ATT&CK Cloud Matrix.

Integrate

• Ingest cloud log telemetry into Falcon Next-Gen SIEM (LogScale) — AWS CloudTrail, GuardDuty findings, VPC Flow Logs, S3 access logs; Azure Activity Log, Defender for Cloud alerts, NSG Flow Logs, Entra ID sign-in logs; GCP Audit Logs, VPC Flow Logs, Security Command Center findings; EKS / AKS / GKE control plane logs; Kubernetes audit logs.
• Build detection engineering content in Next-Gen SIEM correlating Falcon Cloud Security findings with cloud provider native logs, endpoint telemetry, and identity events for full attack-path visibility.
• Build Falcon Fusion SOAR playbooks for cloud-native response actions: quarantine compromised workload, revoke IAM credential, isolate Kubernetes pod, remediate misconfiguration via IaC pull request, trigger MFA via Falcon Identity Protection.
• Integrate Falcon Cloud Security with Falcon Identity Protection for cross-domain correlation between cloud workload activity and identity risk.
• Integrate Falcon Cloud Security with Falcon Insight (EDR) for unified endpoint + cloud workload protection.
• Integrate Falcon Cloud Security with Falcon AIDR for AI workload runtime protection in Kubernetes.
• Build Charlotte AI prompts and agentic workflows for cloud event triage, misconfiguration remediation guidance, and executive cloud-risk reporting.

Tune and Operate

• Tune IOM and IOA policies to reduce false positives without sacrificing detection efficacy.
• Tune ExPRT.AI prioritization and attack path analysis to client risk tolerance and remediation capacity.
• Optimize sensor performance and agentless scan cadence for cost and coverage balance.
• Validate detection coverage through controlled adversary emulation against the MITRE ATT&CK Cloud Matrix.
• Hand off operational runbooks to client cloud security teams and Kroll Managed Services for ongoing operation.

Advise (scoped to the platform)

• Advise client cloud platform, DevSecOps, and SOC engineering teams on Falcon Cloud Security deployment architecture — agent vs. agentless coverage decisions, account onboarding patterns, Kubernetes admission control posture, IaC scanning policy in CI/CD, and integration with existing Falcon modules.
• Partner with CrowdStrike account teams on Falcon Cloud Security pre-sales scoping, solution design, proof-of-value engagements, and joint go-to-market motions.

Build the Practice

• Develop reusable Falcon Cloud Security deployment runbooks, configuration templates (Terraform, Bicep), integration patterns, Fusion SOAR playbook libraries, custom IOM/IOA detection libraries, and Charlotte AI workflow templates.
• Mentor consultants on Falcon Cloud Security deployment and integration.

Hiring Requirements:

• 5+ years (Manager) or 7+ years (Senior Manager) of hands-on experience deploying, configuring, and operating cloud security tooling in enterprise environments — with a meaningful concentration in CNAPP, CSPM, CWP, or container/Kubernetes security.
• Hands-on deployment experience with the CrowdStrike Falcon platform — direct experience with Falcon Cloud Security (CSPM, CWP, CIEM, KSPM, IaC scanning) is required. Equivalent hands-on with a competing CNAPP (Wiz, Prisma Cloud, Lacework, Aqua, Sysdig, Orca) plus willingness to ramp on Falcon Cloud Security is acceptable.
• Demonstrated experience deploying, configuring, and integrating cloud security platforms across AWS, Azure, and GCP — not just operating them post-deployment. Working depth across at least two of the three hyperscalers is required.
• Hands-on with Kubernetes security — EKS, AKS, GKE, or self-managed; Pod Security Standards; admission controllers; RBAC; container runtime protection.
• Hands-on with Infrastructure as Code — Terraform (required), CloudFormation, ARM/Bicep, Helm — and IaC security scanning in CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins, Azure DevOps).
• Strong working knowledge of cloud log analysis — AWS CloudTrail, GuardDuty, VPC Flow Logs; Azure Activity Log, Defender for Cloud, Entra ID sign-in logs; GCP Audit Log