SNOW SIR Engineer CGEMJP

Role Title: SNOW SIR Engineer

Duration: contract to run until 30/11/2026

Location: Knutsford, Hybrid 3 days per week onsite

Rate: up to £471.96 p/d Umbrella inside IR35

Role purpose/summary

We are seeking an experienced ServiceNow Security Incident Response (SIR) Engineer to design, implement, and optimise security incident response capabilities within the ServiceNow platform. This role will play a critical part in strengthening the organisation's cyber resilience by enabling effective detection, response, remediation, and reporting of security incidents across the enterprise.

The ideal candidate will have strong hands-on experience with ServiceNow Security Operations (SecOps), particularly the SIR module, and will work closely with Cyber Security, SOC, IT Operations, and Compliance teams to ensure security incidents are handled efficiently, consistently, and in line with organisational and regulatory requirements.

Key Responsibilities

ServiceNow SIR Implementation & Configuration

• Configure and customise the ServiceNow Security Incident Response (SIR) module to support end-to-end incident handling workflows.
• Design and implement security incident life cycle processes, including intake, triage, investigation, containment, eradication, and closure.
• Configure security incident types, response playbooks, task automation, SLAs, notifications, and escalation rules.

Integration & Automation

• Integrate ServiceNow SIR with security tools such as SIEM, SOAR, EDR, vulnerability scanners, and threat intelligence platforms.
• Enable automated ingestion of security alerts and events from multiple sources into ServiceNow.
• Develop workflow automations, Flow Designer flows, and business rules to reduce manual effort and speed up response times.

Collaboration with Security & IT Teams

• Act as a trusted technical partner to SOC analysts, Cyber Security teams, and IT Operations.
• Translate security and operational requirements into scalable ServiceNow solutions.
• Support security teams during active incidents, providing platform expertise and tooling support.

Reporting, Metrics & Continuous Improvement

• Build dashboards and reports to track KPIs such as MTTR, incident volumes, severity trends, and SLA compliance.
• Support audit, compliance, and regulatory reporting requirements.
• Identify opportunities to improve incident response maturity through enhanced automation, tooling, and process refinement.

Platform Governance & Best Practice

• Ensure configurations align with ServiceNow best practices and security standards.
• Support platform upgrades, patching, and module enhancements related to SecOps and SIR.
• Contribute to documentation, knowledge articles, and operational runbooks.

Required Skills & Experience

Technical Skills

• Proven hands-on experience implementing and supporting ServiceNow SIR within ServiceNow SecOps.
• Strong understanding of security incident response frameworks (eg NIST, ISO 27035).
• Experience integrating ServiceNow with security tools such as SIEM, SOAR, or EDR platforms.
• Solid ServiceNow development skills, including Flow Designer, business rules, UI policies, client scripts, and integrations.
• Experience with REST APIs and data ingestion pipelines.

Security & Operational Knowledge

• Good understanding of cyber threats, vulnerabilities, and incident response processes.
• Familiarity with SOC operations and security monitoring workflows.
• Ability to assess and prioritise incidents based on risk and impact.

Professional Skills

• Strong stakeholder management and communication skills, able to work with both technical and non-technical teams.
• Analytical and problem-solving mindset with attention to detail.
• Ability to work calmly under pressure during critical incidents.

Desirable Skills & Certifications

• ServiceNow Certified Implementation Specialist - Security Incident Response (preferred).
• ITIL or ITSM certification.
• Background in Cyber Security, SOC operations, or Security Engineering.
• Experience with ServiceNow Vulnerability Response or Threat Intelligence modules.

All profiles will be reviewed against the required skills and experience. Due to the high number of applications we will only be able to respond to successful applicants in the first instance. We thank you for your interest and the time taken to apply!