Junior SOC Analyst – Cybersecurity
Location
United States
Posted
2 days ago
Salary
$65.7K - $91.6K / year
Seniority
Junior
Job Description
Ascension Executive Recruitment
• Continuously monitor, triage, and analyze real-time security alerts and log data across disparate platforms.
• Serve as the critical operational hinge and escalation pathway between Tier 1/2 SOC analysts and the Incident Response (IR) team.
• Execute initial deep-dive log analysis and technical root-cause investigations to reconstruct threat timelines.
• Perform proactive behavioral and pattern analysis on historical network and host logs to identify coverage gaps.
• Review and update SOC incident response playbooks, internal workflows, and defensive tool tracking mechanisms.
Job Requirements
- High school diploma or equivalent plus 2 years of cumulative experience, OR an Associate's or Bachelor's degree, OR 4 years of applicable cumulative job-specific experience.
- Practical experience building custom queries or dashboards in enterprise SIEM platforms (e.g., Splunk SPL, Microsoft Sentinel KQL) and using EDR tools for host isolation.
- Foundational networking and systems certifications, such as CompTIA Security+ or Network+, or vendor-specific certifications such as Splunk Certified User.
- Demonstrated lab experience (e.g., HTB, TryHackMe, blue-team range exercises) simulating initial access, persistence, and lateral movement techniques in order to validate defensive posture.
Benefits
- Paid time off (PTO)
- Various health insurance options & wellness plans
- Retirement benefits including employer match plans
- Long-term & short-term disability
- Employee assistance programs (EAP)
- Parental leave & adoption assistance
- Tuition reimbursement
- Ways to give back to your community
More Security Operations Jobs
• Take escalations from L1 and perform in-depth investigations: hypothesis-driven analysis, evidence validation, scoping, impact assessment, and timeline building.
• Correlate telemetry across endpoint (EDR), Windows/Linux, AD, firewall/proxy/DNS/IDS, and (when applicable) cloud logs.
• Recommend and/or coordinate containment actions (host isolation, credential resets, IOC blocks, temporary control changes) following change control and governance.
• Determine severity and communicate clearly in English to technical stakeholders; provide concise executive-style updates when required.
• Identify detection gaps and drive improvements: reduce false positives, close false negatives, propose new rules/use cases.
• Ensure evidence integrity and proper documentation; coordinate handoffs with IR, IT Ops, Network, and Cloud teams.
• Produce post-incident deliverables: probable root cause, lessons learned, and preventive actions.
• Monitor security events and alerts in SIEM and defensive tools; perform initial triage and classification (benign / false positive / suspicious / incident).
• Collect and review basic evidence: endpoint telemetry, Windows/Linux logs, firewall/IDS, DNS/proxy; perform initial correlation (host/user/IP/IOC/process).
• Execute runbooks/playbooks (e.g., password reset request, IOC block request, host isolation request) when authorized and aligned with procedures.
• Create and maintain high-quality tickets with a clear narrative: what happened, supporting evidence, potential impact, actions taken, recommended next steps.
• Escalate to L2/L3/IR when there is evidence of compromise, material risk, lateral movement, or uncertainty that requires deeper investigation.
• Deliver structured shift handovers (case status, findings, hypotheses, next steps, blockers).
• Meet operational SLAs and documentation quality standards.
• Administer and configure AI tools and platforms.
• Configure and review security settings for AI tools.
• Own the platform layer for AI context at scale.
• Monitor AI tool health and support cloud operations.
• Own AI transformation analytics and reporting.
• Partner with Engineering and IT for cloud resource deployment.
• Develop and maintain AI governance documentation.
OT Security Operation Engineer
Swisscom
Top quality | Ground-breaking innovations | Connected to people and the environment
Role Description
As an OT Security Operation Engineer with a focus on Claroty or Nozomi, you will be responsible for setting up, operating and further developing our OT security services. Your area of responsibility includes:
- Monitoring, analyzing and securing operational technology (OT) systems and industrial networks.
- Implementing and operating OT security solutions to detect and defend against threats.
- Analyzing events and supporting the continuous improvement of the OT security architecture.
- Identifying OT cyber threats and vulnerabilities and investigating their causes.
- Co-designing and setting up the new OT Security service.
- Processing customer inquiries about the security services.
- Supporting exciting service portfolios.
- Change management (planning and implementation).
- Work location in Zurich, Bern or Geneva.
Qualifications
- Practical experience from OT.
- Good German (at least B1 level) and English (at least B1 level); French is an advantage.
- Sound knowledge of the operation of Claroty or Nozomi.
- Know-how in routing/switching.
- Experience with agile working methods such as DevOps or Scrum.
- Knowledge of firewall, proxy, cloud security and VPN is an advantage.
- Willing to work on-call sporadically.
Benefits
- Opportunity to work in one of our offices in Switzerland or in your home office.
- Contact with agile working methods and the latest technologies.
- Flexible working hours to meet your personal needs.
- A pleasant working environment.
- Financial benefits.
- Exciting opportunities for professional development.
Contact Person
Sören Bergmann, Talent Acquisition Manager, +41 (58) 2230451
Your Homebase
Swisscom (Schweiz) AG, Binzring 17, 8045 Zürich