Senior Manager - CrowdStrike AIDR Engineer

Cybersecurity | United States | 21014353

At Kroll, we provide reactive, advisory, transformation, and managed security services to support clients at every stage of their path toward cyber and data resilience maturity. Our experts bring decades of experience in cyber risk consultancy, helping organizations across the world simplify and reduce the complexity of implementing, transforming, and managing their cyber programs. Through our strategic multi-year partnership with CrowdStrike, we combine world-class investigative expertise with an AI-native platform to redefine the future of managed detection and response, delivering faster outcomes, stronger protection, and greater resilience for organizations worldwide.

The Cyber & Data Resilience capability (formerly Engineered Defense) is hiring a Manager or Senior Manager to build and lead Kroll's CrowdStrike Falcon AI Detection and Response (AIDR) deployment practice. With the GA of Falcon AIDR, CrowdStrike extended the Falcon platform to secure the AI prompt and agent interaction layer — protecting workforce GenAI use and homegrown AI applications and agents through one sensor and one console, with deployment via browser extension, application SDK, AI/API gateway integration, and MCP proxy.

Kroll clients need a partner who can deploy, configure, integrate, and tune Falcon AIDR end-to-end inside their Falcon tenant — getting AIDR turned on across the right deployment surfaces, wiring its telemetry into Falcon Next-Gen SIEM, building Fusion SOAR playbooks for AI events, integrating with Falcon Cloud Security and Falcon Data Protection, and tuning prompt-attack and data-protection policies to each client's AI usage patterns.

This is a player-coach role. The “Manager” or “Senior Manager” title does not mean hands-off oversight. You will personally lead engagement delivery — standing up AIDR in client tenants, integrating it with the rest of the Falcon stack, configuring policies, and tuning detections — while mentoring junior consultants and partnering with CrowdStrike account teams on scoping.

This role reports into the Engineered Defense / Tech Transformation leadership team and partners closely with Kroll’s Cloud Security, Identity, Next-Gen SIEM, and CrowdStrike Services delivery teams.

Deploy

  • Stand up Falcon AIDR in client tenants — provisioning, sensor configuration, console setup, and verification of telemetry flow.

  • Roll out the browser extension for workforce AI visibility and policy enforcement on employee GenAI usage.

  • Integrate the AIDR SDK into client AI applications and agents (LangChain, LlamaIndex, AutoGen, AWS Bedrock Agents, Microsoft Copilot Studio, custom-built agent frameworks).

  • Deploy the MCP proxy to instrument Model Context Protocol traffic for agent security.

  • Configure AI/API gateway integrations for inline prompt inspection and response.

  • Enable AIDR coverage of AI workloads in Kubernetes through Falcon Cloud Security, including runtime detection at the prompt layer with no proxies or architectural changes.

Configure

  • Configure prompt-attack detection policies — tuning sensitivity for direct prompt injection, indirect prompt injection, jailbreaks, multi-modal (text + image) attacks, and unsafe content across the client's AI tools and applications.

  • Configure sensitive data protection policies — defining custom data categories, redaction patterns, masking rules, and encryption behaviors for credentials, regulated data, and client-specific confidential information before it reaches models, agents, or external AI systems.

  • Configure policy enforcement across users, agents, tools, and models — including block, mask, encrypt, and allow-with-audit responses.

  • Configure runtime AI event logging — capturing full prompt and response content, AI model versions, users, and relationship mapping between users, prompts, models, agents, and MCP servers.

  • Build and tune custom detection content mapped to MITRE ATLAS adversarial ML techniques (AML.T0051 LLM Prompt Injection, AML.T0054 LLM Jailbreak, AML.T0048 External Harms) as detection vocabulary inside AIDR.

Integrate

  • Wire AIDR telemetry into Falcon Next-Gen SIEM (LogScale) — building correlation rules, dashboards, and identity-driven case management for AI events alongside endpoint, cloud, identity, and SaaS telemetry.

  • Build Falcon Fusion SOAR playbooks for AI-specific response actions: block unsafe interactions, contain malicious agent actions, redact sensitive output, revoke AI tool access, trigger MFA/identity response via Falcon Identity Protection.

  • Integrate AIDR with Falcon Cloud Security for runtime AI application protection in cloud environments.

  • Integrate AIDR with Falcon Data Protection for unified sensitive-data detection across AI and non-AI exfiltration paths.

  • Integrate AIDR with Falcon Identity Protection for cross-domain correlation between AI policy violations and identity risk.

  • Build Charlotte AI prompts and agentic workflows for AI event triage, agent action review, and response automation.

Tune and Operate

  • Tune detection policies to reduce false positives without sacrificing efficacy against the 180+ prompt injection techniques in CrowdStrike’s adversarial prompt research.

  • Tune data protection policies to client-specific sensitive data types, regulated data categories, and business workflow constraints.

  • Optimize policy enforcement to maintain sub-30ms detection latency at scale.

  • Validate detection efficacy through controlled testing against known prompt injection and jailbreak techniques.

  • Hand off operational runbooks to client SOC teams and Kroll Managed Services for ongoing operation.

Advise (scoped to the platform)

  • Advise client identity, cloud, and SOC engineering teams on AIDR deployment architecture decisions — where to place browser extensions, where to instrument with SDK vs. gateway vs. MCP proxy, how to phase rollout, how to integrate with existing Falcon modules.

  • Partner with CrowdStrike account teams on AIDR-focused pre-sales scoping, solution design, and joint go-to-market motions.

Build the Practice

  • Develop reusable AIDR deployment runbooks, configuration templates, integration patterns, Fusion SOAR playbook libraries, and Charlotte AI workflow templates.

  • Mentor consultants on AIDR deployment and integration.

Hiring Requirements

  • 4+ years (Manager) or 6+ years (Senior Manager) of hands-on experience deploying, configuring, and integrating security tooling in enterprise environments — with a meaningful concentration in the CrowdStrike Falcon platform.

  • Hands-on deployment experience with the CrowdStrike Falcon platform — including at least one of Falcon Insight (EDR), Falcon Cloud Security, Falcon Identity Protection, Falcon Next-Gen SIEM / LogScale, or Falcon Data Protection. Direct hands-on experience with Falcon AIDR is preferred but not required.

  • Demonstrated experience deploying, configuring, and integrating Falcon platform modules — not just operating them post-deployment.

  • Working knowledge of modern AI/agent stacks sufficient to deploy and configure AIDR against them: LLMs (OpenAI, Anthropic Claude, Google Gemini, open-weights models), agent frameworks (LangChain, LlamaIndex, AutoGen, AWS Bedrock Agents, Microsoft Copilot Studio), MCP (Model Context Protocol), AI/API gateways, RAG architectures.

  • Working understanding of prompt-injection and jailbreak tradecraft sufficient to tune AIDR detection policies — direct vs. indirect prompt injection, jailbreaks, multi-modal attacks, MCP abuse — referenced through MITRE ATLAS detection vocabulary inside AIDR.

  • Hands-on scripting proficiency: Python (required), CQL (CrowdStrike Query Language); experience with LLM SDKs (OpenAI, Anthropic, LangChain) and KQL are pluses.

  • Experience building Fusion SOAR playbooks, Charlotte AI workflows, or equivalent SOAR/automation content on the Falcon platform.

  • Experience integrating Falcon modules with Next-Gen SIEM / LogScale including custom correlation, dashboards, and case management.

  • Prior consulting delivery experience — scoping, leading, and personally executing deployment engagements for external clients.

  • Bachelor’s degree in a relevant field or equivalent professional experience.

A note on experience: Falcon AIDR was released in December 2025 — almost no candidate has multi-year hands-on history with the product. We will strongly consider candidates with fewer years of consulting experience who bring deep hands-on Falcon platform deployment skills plus working knowledge of modern AI/agent stacks. Demonstrated Falcon deployment skill and the ability to ramp on AIDR quickly can offset tenure.

Preferred Qualifications

  • Direct hands-on Falcon AIDR deployment, configuration, or integration experience.

  • CrowdStrike Certified Cloud Specialist (CCCS) strongly preferred (AIDR sits adjacent to and integrates with Falcon Cloud Security).

  • Additional CrowdStrike credentials: CCFA, CCFR, CCSA, CCSE, CCIS.

  • Experience deploying and tuning Falcon Next-Gen SIEM / LogScale content (parsers, correlation rules, dashboards, case management).

  • Experience building production Falcon Fusion SOAR playbooks at scale.

  • Experience building Charlotte AI prompts and agentic workflows.

  • Experience deploying Falcon Cloud Security in Kubernetes / containerized AI workload environments.

  • Hands-on experience instrumenting AI applications and agents at the SDK level (LangChain, LlamaIndex, AutoGen, AWS Bedrock Agents).

  • Hands-on experience with MCP (Model Context Protocol) server deployment and instrumentation.

  • Experience with AI gateway architectures — AWS Bedrock Guardrails, Azure AI Content Safety, NVIDIA NeMo Guardrails — for the purpose of integration or migration to AIDR.

  • Prior consulting experience at a tier-1 firm with a CrowdStrike-focused delivery practice (Big 4 CrowdStrike teams, CrowdStrike Services, or equivalent).

Your recruiter will be happy to walk you through your U.S.-specific benefits, which include:

  • Healthcare Coverage: Comprehensive medical, dental, and vision plans.

  • Time Off and Leave Policies: Generous paid time off (PTO), paid company holidays, generous parental and family leave.

  • Protective Insurances: Life insurance, short- and long-term disability coverage, and accident protection.

  • Compensation and Rewards: Competitive salary structures, performance-based incentives, and merit-based compensation reviews.

  • Retirement Plans: 401(k) plans with company matching.

Please note that benefits may vary by region, department and role. We encourage you to speak with your recruiter to learn more about the specific benefits available for your position.

About Kroll

Join the global leader in risk and financial advisory solutions—Kroll. With a nearly century-long legacy, we blend trusted expertise with cutting-edge technology to navigate and redefine industry complexities. As a part of One Team, One Kroll, you'll contribute to a collaborative and empowering environment, propelling your career to new heights. Ready to build, protect, restore and maximize our clients’ value? Your journey begins with Kroll.

In order to be considered for a position, you must formally apply via careers.kroll.com.

We are proud to be an equal opportunity employer and will consider all qualified applicants regardless of gender, gender identity, race, religion, color, nationality, ethnic origin, sexual orientation, marital status, veteran status, age or disability.

The current salary range for this position is $150,000 to $200,000.
