Expert in the Loop.

Be the human judgment layer across Joon's AI SOC agents. Review AI-generated investigations before they reach customers. Catch the false positives, catch the misses, and make the agents better over time. One 90-minute test, then we meet.

Full-time · L2/L3+ SOC or IR background · Decision in ≤ 2 business days

90 min · 2 scenarios · 100% human · ≤ 48 hours

About Joon

Joon was founded by ex-Googlers — a team that has already built, scaled, and exited. Our CEO founded and led a cybersecurity company that was acquired by Google, and brings with him the bar, the velocity, and the deep understanding of what it takes to build a security product that reshapes an industry.

We're building AI agents to actually do the work, instead of SOC analysts burning hours on repetitive triage.

Our vision is clear: security work will be led by AI. Digital workers will do the actual work — investigating, correlating, deciding — while human experts supervise them when needed. We're not building a copilot. We're building the workforce that runs the SOC of the future — and Joon will be the platform powering it.

We hire selectively. We're looking for people who love hard problems, thrive at high velocity, and want to build a product that goes head-to-head with the most sophisticated threats on the planet — and wins.

The role

This isn't a traditional SOC analyst role. Our AI agents handle the first pass on every alert — entity extraction, pivots, query logic, evidence interpretation, proposed verdict. You're the human who reviews their work before it reaches the customer. When the AI is uncertain, you decide. When it's wrong, you spot the pattern and help us train it out.

If you've ever sat in a SOC and thought "this could be automated, but only if someone smart was reviewing it" — that's the job.

What you'll do

  • Review AI investigations. Check the agent's entity extraction, pivots, query logic, and evidence interpretation. Was the verdict defensible? Was something obvious missed?
  • Catch what the AI doesn't. False positives that look real, false negatives that hide in plain sight. The hard cases.
  • Handle edge cases. When the AI's confidence is low, you take the call directly.
  • Find recurring failure patterns. Same kind of mistake across investigations? Document it, feed it back, help us shape the next iteration of agent behavior.
  • Improve agent workflows. You're not just reviewing output — you're shaping how the agents investigate next time.

What we're looking for

  • SOC L2/L3 or IR experience. Hands-on, not just management. You've actually closed cases.
  • Deep SIEM query fluency — SPL, KQL, or equivalent. You can read someone else's query and tell whether it answers the question they think it does.
  • Good judgment and decisiveness. You make calls without dragging things through three meetings.
  • Curiosity and a builder mindset. You're interested in why the AI got it wrong, not just that it did.
  • Comfortable working alongside AI, not against it. You're skeptical of its output without being dismissive of the approach.
  • Clear writing. Half this job is documenting what the AI missed and why.

Background that fits well

  • SOC L2 / L3, Incident Response, or Threat Hunting roles.
  • Security operations leadership, training, or coaching experience — strong plus.
  • Certifications (nice to have, not mandatory): GCIH, GCFA, GCIA, GX-IH, GX-FA, BTL2, CDSA, SIEM certs (Splunk, Sentinel, Elastic).

What matters most: actual hands-on capability, ability to make judgment calls, systems thinking, and comfort working alongside AI rather than against it. Certs and titles are signal, not requirements.

Hiring process

Two steps, fully self-serve. No essays, no scheduling, no take-home that eats your weekend.

  1. Apply — Your details, CV, LinkedIn, location. No essays. (~2 min)
  2. Take the assessment — right away — As soon as your details check out you start the 90-minute test.
