Senior Manager - Cloud Security Engineer (CrowdStrike)

At Kroll, we provide reactive, advisory, transformation, and managed security services to support clients at every stage of their path toward cyber and data resilience maturity. Our experts bring decades of experience in cyber risk consultancy, helping organizations across the world simplify and reduce the complexity of implementing, transforming, and managing their cyber programs. Through our strategic multi-year partnership with CrowdStrike, we combine world-class investigative expertise with an AI-native platform to redefine the future of managed detection and response, delivering faster outcomes, stronger protection, and greater resilience for organizations worldwide.

The Cyber & Data Resilience capability is hiring a Manager or Senior Manager to build and lead Kroll's CrowdStrike Falcon Cloud Security deployment practice . Falcon Cloud Security is the industry's first unified Cloud-Native Application Protection Platform (CNAPP), spanning CSPM, CWP, CIEM, KSPM, ASPM, DSPM, IaC scanning, and container and Kubernetes runtime protection across AWS, Azure, and Google Cloud — delivered through one sensor and one console, with both agent-based and agentless coverage.

Kroll clients need a partner who can deploy, configure, integrate, and tune Falcon Cloud Security end-to-end inside their Falcon tenant — registering cloud accounts at scale across AWS Organizations, Azure tenants, and GCP projects; rolling out runtime protection across VMs, containers, and Kubernetes; wiring cloud log telemetry into Falcon Next-Gen SIEM for detection engineering; building Fusion SOAR playbooks for cloud-native response; and tuning IOM (Indicators of Misconfiguration) and IOA (Indicators of Attack) policies to maximize signal and minimize noise in each client's cloud estate.

This is a player-coach role . The “Manager” or “Senior Manager” title does not mean hands-off oversight. You will personally lead engagement delivery — onboarding cloud accounts, deploying sensors and admission controllers, configuring CNAPP modules, building detection content, and integrating with the broader Falcon stack — while mentoring junior consultants and partnering with CrowdStrike account teams on scoping.

This role reports into the Engineered Defense / Tech Transformation leadership team and partners closely with Kroll’s Identity, Next-Gen SIEM, AIDR, and CrowdStrike Services delivery teams.

Deploy

• Onboard client AWS, Azure, and GCP environments to Falcon Cloud Security at scale — using AWS CloudFormation StackSets across AWS Organizations, Bicep / Entra ID integrations for Azure tenants and management groups, and service account patterns for GCP projects and folders.

• Deploy the Falcon sensor across cloud workloads — EC2 / Azure VMs / GCE instances, container hosts, Kubernetes nodes — and stand up agentless snapshot-based scanning to fill coverage gaps.

• Deploy the Kubernetes Admission Controller to enforce pre-runtime policy on workload admission across EKS, AKS, GKE, and self-managed Kubernetes.

• Roll out container image registry scanning and IaC scanning (Terraform, CloudFormation, ARM/Bicep, Kubernetes manifests, Helm) into client CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins, Azure DevOps).

• Enable serverless protection for AWS Lambda, Azure Functions, and GCP Cloud Functions.

• Stand up CIEM across cloud identity providers (IAM users, roles, service accounts, managed identities) for least-privilege analysis.

Configure

• Configure CSPM policies — IOM rules, custom misconfiguration detections, compliance frameworks (CIS Benchmarks, NIST, PCI-DSS, HIPAA, SOC 2), and exception management.

• Configure CWP runtime policies — IOA detections, prevention policies, container runtime protection, drift detection.

• Configure KSPM policies — Kubernetes posture, pod security standards, admission control rules, RBAC analysis.

• Configure ASPM and DSPM policies for application-security posture and data-security posture across cloud data stores.

• Configure CIEM — effective permission analysis, toxic combinations, privilege right-sizing, service-account hygiene.

• Configure ExPRT.AI risk prioritization to surface attack paths and toxic combinations across CSPM/CWP/CIEM signals.

• Build and tune custom detection content (IOAs, IOMs, CQL queries) for cloud-native attack techniques mapped to MITRE ATT&CK Cloud Matrix.

Integrate

• Ingest cloud log telemetry into Falcon Next-Gen SIEM (LogScale) — AWS CloudTrail, GuardDuty findings, VPC Flow Logs, S3 access logs; Azure Activity Log, Defender for Cloud alerts, NSG Flow Logs, Entra ID sign-in logs; GCP Audit Logs, VPC Flow Logs, Security Command Center findings; EKS / AKS / GKE control plane logs; Kubernetes audit logs.

• Build detection engineering content in Next-Gen SIEM correlating Falcon Cloud Security findings with cloud provider native logs, endpoint telemetry, and identity events for full attack-path visibility.

• Build Falcon Fusion SOAR playbooks for cloud-native response actions: quarantine compromised workload, revoke IAM credential, isolate Kubernetes pod, remediate misconfiguration via IaC pull request, trigger MFA via Falcon Identity Protection.

• Integrate Falcon Cloud Security with Falcon Identity Protection for cross-domain correlation between cloud workload activity and identity risk.

• Integrate Falcon Cloud Security with Falcon Insight (EDR) for unified endpoint + cloud workload protection.

• Integrate Falcon Cloud Security with Falcon AIDR for AI workload runtime protection in Kubernetes.

• Build Charlotte AI prompts and agentic workflows for cloud event triage, misconfiguration remediation guidance, and executive cloud-risk reporting.

Tune and Operate

• Tune IOM and IOA policies to reduce false positives without sacrificing detection efficacy.

• Tune ExPRT.AI prioritization and attack path analysis to client risk tolerance and remediation capacity.

• Optimize sensor performance and agentless scan cadence for cost and coverage balance.

• Validate detection coverage through controlled adversary emulation against the MITRE ATT&CK Cloud Matrix.

• Hand off operational runbooks to client cloud security teams and Kroll Managed Services for ongoing operation.

Advise (scoped to the platform)

• Advise client cloud platform, DevSecOps, and SOC engineering teams on Falcon Cloud Security deployment architecture — agent vs. agentless coverage decisions, account onboarding patterns, Kubernetes admission control posture, IaC scanning policy in CI/CD, and integration with existing Falcon modules.

• Partner with CrowdStrike account teams on Falcon Cloud Security pre-sales scoping, solution design, proof-of-value engagements, and joint go-to-market motions.

Build the Practice

• Develop reusable Falcon Cloud Security deployment runbooks, configuration templates (Terraform, Bicep), integration patterns, Fusion SOAR playbook libraries, custom IOM/IOA detection libraries, and Charlotte AI workflow templates.

• Mentor consultants on Falcon Cloud Security deployment and integration.

Hiring Requirements:

• 5+ years (Manager) or 7+ years (Senior Manager) of hands-on experience deploying, configuring, and operating cloud security tooling in enterprise environments — with a meaningful concentration in CNAPP, CSPM, CWP, or container/Kubernetes security.

• Hands-on deployment experience with the CrowdStrike Falcon platform — direct experience with Falcon Cloud Security (CSPM, CWP, CIEM, KSPM, IaC scanning) is required. Equivalent hands-on with a competing CNAPP (Wiz, Prisma Cloud, Lacework, Aqua, Sysdig, Orca) plus willingness to ramp on Falcon Cloud Security is acceptable.

• Demonstrated experience deploying, configuring, and integrating cloud security platforms across AWS, Azure, and GCP — not just operating them post-deployment. Working depth across at least two of the three hyperscalers is required.

• Hands-on with Kubernetes security — EKS, AKS, GKE, or self-managed; Pod Security Standards; admission controllers; RBAC; container runtime protection.

• Hands-on with Infrastructure as Code — Terraform (required), CloudFormation, ARM/Bicep, Helm — and IaC security scanning in CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins, Azure DevOps).

• Strong working knowledge of cloud log analysis — AWS CloudTrail, GuardDuty, VPC Flow Logs; Azure Activity Log, Defender for Cloud, Entra ID sign-in logs; GCP Audit Logs, VPC Flow Logs, Security Command Center; Kubernetes audit logs; EKS / AKS / GKE control plane logs.

• Working knowledge of cloud-native attack tradecraft mapped to MITRE ATT&CK Cloud Matrix — cloud credential theft, IMDS abuse, role chaining, container escape, Kubernetes RBAC abuse, S3 / blob storage exfiltration, supply-chain attacks on container images and IaC.

• Hands-on scripting and query proficiency: Python, Bash, PowerShell, CQL (CrowdStrike Query Language) ; KQL a plus.

• Experience building Falcon Fusion SOAR playbooks, Charlotte AI workflows, or equivalent automation content on the Falcon platform.

• Prior consulting delivery experience — scoping, leading, and personally executing cloud security deployment engagements for external clients.

• Bachelor’s degree in a relevant field or equivalent professional experience.

A note on experience: The years of experience above are guidelines, not gates. We will strongly consider candidates with fewer years who bring CCCS certification plus demonstrable hands-on Falcon Cloud Security deployment experience across multiple hyperscalers. Skill and certification can offset tenure.

Preferred Qualifications

• CrowdStrike Certified Cloud Specialist (CCCS) certification — strongly preferred . Candidates without CCCS at hire will be expected to certify within their first 90 days.

• Additional CrowdStrike credentials: CCFA, CCFR, CCSA, CCSE, CCIS.

• Cloud-native security certifications (one or more strongly preferred): AWS Certified Security – Specialty , Microsoft Certified: Azure Security Engineer Associate (AZ-500) , Google Cloud Professional Cloud Security Engineer , Certified Kubernetes Security Specialist (CKS) , Certified Kubernetes Administrator (CKA) .

• Foundational cloud certifications: AWS Solutions Architect (Associate or Professional), Azure Administrator / Solutions Architect Expert, Google Cloud Professional Cloud Architect.

• Industry security certifications: CCSP (Certified Cloud Security Professional), CISSP, GCSA (GIAC Cloud Security Automation), GCLD (GIAC Cloud Security Essentials).

• Experience deploying and tuning Falcon Next-Gen SIEM / LogScale content for cloud detection engineering (parsers, correlation rules, dashboards, case management).

• Experience building production Falcon Fusion SOAR playbooks for cloud response at scale.

• Experience building Charlotte AI prompts and agentic workflows for cloud security use cases.

• Experience with competing CNAPPs (Wiz, Prisma Cloud, Lacework, Aqua, Sysdig, Orca) — particularly migration experience from those platforms to Falcon Cloud Security.

• Hands-on with service mesh (Istio, Linkerd), secrets management (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager), and policy-as-code (OPA / Rego, Kyverno).

• Prior consulting experience at a tier-1 firm with a CrowdStrike-focused or cloud security delivery practice (Big 4 cloud security teams, CrowdStrike Services, Mandiant, Unit 42, or equivalent).

• Experience supporting cloud security M&A due diligence, post-acquisition cloud tenant consolidation, or cloud migration security.

• Healthcare Coverage: Comprehensive medical, dental, and vision plans.

• Time Off and Leave Policies: Generous paid time off (PTO), paid company holidays, generous parental and family leave.

• Protective Insurances: Life insurance, short- and long-term disability coverage, and accident protection.

• Compensation and Rewards: Competitive salary structures, performance-based incentives, and merit-based compensation reviews.

• Retirement Plans: 401(k) plans with company matching.

Please note that benefits may vary by region, department and role. We encourage you to speak with your recruiter to learn more about the specific benefits available for your position.

About Kroll

Join the global leader in risk and financial advisory solutions—Kroll. With a nearly century-long legacy, we blend trusted expertise with cutting-edge technology to navigate and redefine industry complexities. As a part of One Team, One Kroll, you'll contribute to a collaborative and empowering environment, propelling your career to new heights. Ready to build, protect, restore and maximize our clients’ value? Your journey begins with Kroll.

We are proud to be an equal opportunity employer and will consider all qualified applicants regardless of gender, gender identity, race, religion, color, nationality, ethnic origin, sexual orientation, marital status, veteran status, age or disability.

The current salary range for this position is $150,000 to $200,000

#LI-CN1

#LI-Remote