Job Description

As a Senior Security Specialist, you will join Sage’s global Cyber Defence team and play a key role in protecting Sage’s systems, data, and customers.

This is a hands-on senior technical role focused on advanced incident response and complex security investigations, including incident investigation, containment, remediation, and post-incident analysis. You will respond to complex and escalated security incidents while strengthening Sage’s detection and response capabilities.

You will own and lead investigations of medium to critical security incidents, perform forensic analysis, and proactively hunt for indicators of compromise across cloud and on-premises environments. You will also improve detection rules, develop response playbooks, and refine operational processes that strengthen Sage’s cyber defence capabilities.

You will partner with Product Engineering, IT, Cloud Operations, Legal, and other cybersecurity teams to lead investigations and drive remediation across Sage’s global environment.

Minimum Qualifications:

• 5 years of experience in cyber security responding to medium to critical security incidents

• Strong hands-on experience performing incident response activities including triage, investigation, containment, remediation, and post-incident analysis

• Proficiency using SIEM and EDR platforms to investigate security events and analyze large volumes of security telemetry

• Experience performing threat hunting and developing or tuning detection logic

• Knowledge of cyber threat intelligence practices, including analyzing attacker tactics and techniques and applying intelligence to improve detections and investigations

• Experience conducting incident investigations and forensic analysis to determine root cause and reconstruct attacker activity

• Experience investigating incidents in cloud environments (Azure, AWS, or GCP) including identity systems, logging, and cloud-native telemetry

• Experience working cross-functionally with engineering, IT, cloud operations, legal, and security teams to drive remediation

• Ability to work the required schedule and participate in the on-call rotation

Ideal/Bonus Qualifications

• Experience investigating application-layer attacks, abuse cases, or SaaS platform threats

• Advanced knowledge of cybersecurity and information security control best practices

• Certifications such as CISSP, SANS, or incident response, threat hunting, or forensics certifications

Work Schedule:

Monday–Friday, 8:00am – 4:00pm PST

Occasional adjusted hours (6:00am – 2:00pm PST) when covering UK colleagues during planned PTO. Participation in a shared on-call rotation (one weekend per month)

Location:

Hybrid; 3 days per week from our Vancouver office and 2 days from home

Who is Sage?

Sage is a global B2B SaaS helping small to medium-sized businesses to succeed with AI-powered Accounting & ERP software. Knowing that over 6M of our global customers depend on our solutions, motivates us to keep innovating so they keep growing. Sage Copilot is a prime example https://www.youtube.com/watch?v=1vRW5YfAeec

You'll have the opportunity expand your skills and grow your career at a stable SaaS with products voted #1 in customer satisfaction for 10 consecutive years. Collaborate with a globally diverse, customer-focused teams that embrace innovation, bold thinking, and impactful work. Our culture is built on doing the right thing—guided by our values: Human, Trust, Bold, and Simplify. We support work-life balance and encourage giving back through the Sage Foundation, offering every employee 40 paid volunteer hours per year to make a difference in our communities.

Key Responsibilities

Key Responsibilities

• Own and lead investigations of complex security incidents to ensure rapid containment, effective remediation, and secure recovery

• Perform proactive and hypothesis-driven threat hunting across endpoints, servers, cloud environments, and applications to identify malicious behaviour and emerging threats

• Develop and improve detection logic, alert tuning, and investigation workflows to enhance threat visibility and reduce false positives

• Apply threat intelligence to strengthen detection capabilities and prioritize investigations

• Conduct incident investigations and forensic analysis to determine root cause and reconstruct attacker activity

• Take ownership of complex investigations and drive remediation efforts through to resolution

• Improve incident response playbooks, procedures, and operational processes

• Lead cyber defence workstreams within larger security initiatives

• Mentor junior team members and support knowledge sharing across the team

• Investigate complex security alerts and confirmed incidents across SIEM, EDR, NDR, and cloud security platforms

Benefits? We have plenty...

• 100% paid premiums for health, dental, and vision coverage

• RRSP contribution match (100% up to 4%)

• 35 days paid time off (11 holidays, 16 vacation days, 3 personal days, 5 sick days)

• Work Away, an opportunity to work & play for 10 weeks in a country of your choice (from a Sage-approved list)

• 18 weeks of paid parental leave for birth, adoption, or surrogacy offered 1 year after your start date

• 5 days paid yearly to volunteer (through Sage Foundation)

• $5,250 tuition reimbursement per calendar year starting 6 months after your hire date

• Sage Wellness Rewards Program (annual fitness reimbursement)

• Library of on-demand career development options and ongoing training offerings

Compensation offered will be determined by factors such as location, level, job-related knowledge, education, and experience. Certain provinces in Canada require job postings to include a reasonable estimate of the salary range applicable to the role. For this role, in those locations, the target base salary range for new hires is C$135,000 to C$145,000. In addition to base salary, employees will participate in a bonus plan (20%) based on company and individual performance. Our talent acquisition team will provide specific opportunities on our bonus or incentive programs. The range listed is just one component of the Sage total compensation package.

#LI-CH1