Threat Detection Engineer
Hybrid to Chicago, IL
$65-$70/hr
Responsibilities
Create Detection Content
- Design, build, test, and maintain high-fidelity detections.
- Implement Detection-as-Code practices: version control, peer review, CI/CD pipelines, and automated validation for detection content and configuration.
- Develop and tune detection logic aligned to MITRE ATT&CK techniques and real-world adversary behavior (TTP-focused).
Collaborate in Purple Teaming Exercises
- Plan and execute purple team exercises and threat emulation using ATT&CK-driven test plans (e.g., Atomic Red Team/CALDERA/SafeBreach-style approaches).
- Measure detection coverage and response effectiveness; translate exercise findings into backlog items and measurable improvements.
Engineering Enablement & Operational Excellence
- Partner with SOC analysts, incident responders, and platform teams to improve signal-to-noise, alert workflows, and escalation quality.
- Contribute to logging strategy: define requirements, onboard new data sources, create parsing/normalization standards, and enrich events (lookups/context).
- Operate in an Agile/SAFe delivery model: manage backlog, user stories, sprint commitments, demos, and continuous improvement.
Governance, Metrics & Stakeholder Communication
- Define and track detection metrics (coverage, efficacy, false positive rate, mean time to detect, alert precision/recall proxies).
- Communicate risk and outcomes in business-relevant terms (especially helpful in regulated/insurance environments).
- Document detections, hunts, procedures, runbooks, and learning artifacts for repeatability and operational scaling.
Required Education
- Bachelor’s degree in Computer Science, Information Security, Engineering, or a related discipline
Preferred Certifications & Training
- Splunk Certifications: Core User, Power User, Admin; Splunk ES–focused training
- MITRE ATT&CK Training: Fundamentals, Detection Engineering, SOC Assessments, Purple Teaming
- Cloud Certifications: Google Cloud Digital Leader or Associate Cloud Engineer (security-focused experience preferred)
- Security Certifications (examples): GCIH, GCIA, CISSP, Security+, or comparable credentials
- Agile / SAFe Training or Certification (helpful for delivery alignment)
Skills & Experience
Required Skills (Core)
Detection Engineering & Security Analytics
- Strong experience building detections in a SIEM, preferably Splunk Enterprise Security, including:
  - SPL, knowledge objects, data models, field extractions, lookups, and enrichment
- Expertise in detection engineering methodologies, including:
  - Signal design, validation, tuning, alert routing, and lifecycle management
- Practical knowledge of MITRE ATT&CK, adversary TTPs, and mapping detections to ATT&CK techniques
Threat Hunting & Incident Analysis
- Proven ability to conduct threat hunts and investigations across:
  - Endpoint, identity, network, and cloud telemetry
- Familiarity with analytic frameworks such as:
  - Cyber Kill Chain, Diamond Model, and decision loops (e.g., OODA)
- Ability to apply structured analytic techniques to produce defensible conclusions and reduce cognitive bias
EDR & Endpoint Telemetry
- Experience using CrowdStrike Falcon (or comparable EDR platforms) for:
  - Detection, investigation, and response workflows
- Knowledge of endpoint artifacts and attacker tradecraft, including:
  - Persistence, privilege escalation, credential access, and lateral movement
Engineering & Automation
- Proficiency in Python for automation, enrichment, log parsing, analytics, and/or detection testing
- Strong working knowledge of Git, including branching, pull requests, and code reviews
- Comfort using developer tooling, including CLI-based editors (e.g., Vim)
- Experience applying CI/CD concepts to security content, such as:
  - Pipelines, automated checks, and release management
Cloud, Containers & Infrastructure as Code
- Hands-on familiarity with Google Cloud security logging and incident response concepts
- Working knowledge of containers (Docker) and Kubernetes fundamentals related to monitoring and incident response
- Experience with Infrastructure as Code tools such as:
  - Terraform and configuration management tools like Ansible (at least for interpreting changes and supporting secure deployments)