Detection Engineer, Senior

Booz Allen Hamilton, Fort Meade, MD

About The Position

The Opportunity: We’re looking for a self‑motivated, hands‑on self‑starter who thrives in environments where threat signals are noisy, adversaries evolve quickly, and high‑fidelity detections directly improve mission outcomes. In this role, you’ll design, build, test, and maintain production‑grade detections across diverse data sources—endpoint, network, identity, SaaS, and cloud—while applying Detection‑as‑Code (DaC) practices to ensure consistency, scalability, versioning, and automation. You’ll collaborate closely with incident responders, hunters, and platform engineers to map rules to MITRE ATT&CK, maintain coverage dashboards, and continuously iterate on fidelity and performance. This is a high‑impact engineering role where curiosity, ownership, and precision are essential. Join us. The world can’t wait.

Requirements

  • 5+ years of experience in a security engineering function, such as detection engineering, SOC analytics, or threat hunting
  • Experience contributing to shared rule and detection repositories
  • Experience authoring detections in two or more of the following: Sigma, YARA, Suricata, Splunk SPL, KQL, or SQL/DB‑SQL
  • Experience applying Detection‑as‑Code (DaC) best practices, such as Git workflows, pull requests, automated linting, CI pipelines, unit tests, and metadata enforcement
  • Experience with detection versioning, semantic versioning, changelogs, and ruleset lifecycle management
  • Experience building detections across multiple log sources and platforms, such as EDR/XDR, SIEM, cloud telemetry, and identity providers
  • Ability to map detections to MITRE ATT&CK techniques and communicate coverage effectively to stakeholders
  • Ability to communicate detection logic clearly, document rationale, and collaborate with SOC, IR, and engineering partners
  • Ability to obtain a Secret clearance
  • HS diploma or GED

Nice To Haves

  • Experience operating within a mature DaC program with standardized rule formats, metadata schemas, test harnesses, and CI/CD promotion gates
  • Experience with adversary simulation or detection validation frameworks, such as automated test harnesses, replay testing, or red or blue collaboration workflows
  • Experience with cloud environments, such as AWS, Azure, and GCP, cloud logging architectures, and SIEM or XDR platforms such as Sentinel, Chronicle, or Elastic
  • Experience with scripting and programming in Python or Go for detection utilities or automation
  • Knowledge of data models, such as ECS and CIM, normalization pipelines, and building portable detections across platforms
  • Knowledge of MITRE ATLAS for AI‑relevant threat behaviors and integrating ATT&CK and ATLAS coverage models
  • GCIA, GCTI, GCDA, GMON, or similar certifications

Responsibilities

  • Design, build, test, and maintain production‑grade detections across diverse data sources—endpoint, network, identity, SaaS, and cloud
  • Apply Detection‑as‑Code (DaC) practices to ensure consistency, scalability, versioning, and automation
  • Collaborate closely with incident responders, hunters, and platform engineers to map rules to MITRE ATT&CK
  • Maintain coverage dashboards
  • Continuously iterate on detection fidelity and performance

Benefits

  • health
  • life
  • disability
  • financial
  • retirement benefits
  • paid leave
  • professional development
  • tuition assistance
  • work-life programs
  • dependent care
  • recognition awards program