Detection Engineer, Senior

Booz Allen Hamilton
MD, USA
Remote

About The Position

We’re looking for a self-motivated, hands-on self-starter who thrives in environments where threat signals are noisy, adversaries evolve quickly, and high-fidelity detections directly improve mission outcomes. In this role, you’ll design, build, test, and maintain production-grade detections across data sources, including endpoint, network, identity, SaaS, and cloud, while applying Detection-as-Code (DaC) practices to ensure consistency, scalability, versioning, and automation. You’ll collaborate closely with incident responders, hunters, and platform engineers to map rules to MITRE ATT&CK, maintain coverage dashboards, and continuously iterate on fidelity and performance. This is a high-impact engineering role where curiosity, ownership, and precision are essential. Join us. The world can’t wait.

Requirements

  • 5+ years of experience in a security engineering function such as detection engineering, SOC analytics, or threat hunting.
  • Experience contributing to shared rule and detection repositories.
  • Experience authoring detections in two or more of the following: Sigma, YARA, Suricata, Splunk SPL, KQL, or SQL / DB-SQL.
  • Experience applying Detection-as-Code (DaC) best practices such as Git workflows, pull requests, automated linting, CI pipelines, unit tests, and metadata enforcement.
  • Experience with detection versioning, semantic versioning, changelogs, and ruleset lifecycle management.
  • Experience building detections across multiple log sources and platforms, such as EDR / XDR, SIEM, cloud telemetry, and identity providers.
  • Ability to map detections to MITRE ATT&CK techniques and communicate coverage effectively to stakeholders.
  • Ability to communicate detection logic clearly, document rationale, and collaborate with SOC, IR, and engineering partners.
  • Ability to obtain a Secret clearance.
  • HS diploma or GED.

Nice To Haves

  • Experience operating within a mature DaC program with standardized rule formats, metadata schemas, test harnesses, and CI/CD promotion gates.
  • Experience with adversary simulation or detection validation frameworks such as automated test harnesses, replay testing, or red and blue team collaboration workflows.
  • Experience with cloud environments such as AWS, Azure, and GCP, cloud logging architectures, and SIEM or XDR platforms such as Sentinel, Chronicle, or Elastic.
  • Experience with scripting and programming in Python or Go for detection utilities or automation.
  • Knowledge of data models such as ECS and CIM, normalization pipelines, and building portable detections across platforms.
  • Knowledge of MITRE ATLAS for AI-relevant threat behaviors and integrating ATT&CK and ATLAS coverage models.
  • GCIH, GCTI, GCDA, GMON, or similar certifications.
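The requirements above name the Detection-as-Code mechanics this role owns: metadata enforcement in CI, semantic versioning, ATT&CK tagging, and a promotion gate between rule states. The script below is an added illustration of those mechanics, not code from this posting or from Booz Allen. It assumes rules are Sigma-style mappings as they would look after `yaml.safe_load()`, and the required-field list, the `attack.tNNNN[.NNN]` tag convention, the status-based promotion policy, and the three sample rules are all constructed for the example rather than taken from any real ruleset.

```python
"""Detection-as-Code metadata lint, promotion gate and ATT&CK coverage rollup.

Added example. Assumptions (not from the posting): rules are Sigma-style
dicts as produced by yaml.safe_load(); the required-field policy and the
promotion gate below are a hypothetical team convention.
"""
import re
import uuid

REQUIRED_FIELDS = ("title", "id", "status", "level", "logsource",
                   "detection", "tags", "version")
ALLOWED_STATUS = {"experimental", "test", "stable"}
ALLOWED_LEVEL = {"informational", "low", "medium", "high", "critical"}
SEMVER_RE = re.compile(r"^\d+\.\d+\.\d+$")
# attack.t1059 (technique) or attack.t1059.001 (sub-technique), lower-case as Sigma writes them
TECHNIQUE_TAG_RE = re.compile(r"^attack\.t(\d{4})(?:\.(\d{3}))?$")


def lint_rule(rule):
    """Return a list of policy violations for one rule; an empty list means clean."""
    findings = []
    for field in REQUIRED_FIELDS:
        if field not in rule:
            findings.append(f"missing required field '{field}'")
    if "id" in rule:
        try:
            uuid.UUID(str(rule["id"]))
        except ValueError:
            findings.append("id is not a valid UUID")
    if "status" in rule and rule["status"] not in ALLOWED_STATUS:
        findings.append(f"status must be one of {sorted(ALLOWED_STATUS)}")
    if "level" in rule and rule["level"] not in ALLOWED_LEVEL:
        findings.append(f"level must be one of {sorted(ALLOWED_LEVEL)}")
    if "version" in rule and not SEMVER_RE.match(str(rule["version"])):
        findings.append("version must be semantic (MAJOR.MINOR.PATCH)")
    detection = rule.get("detection")
    if isinstance(detection, dict):
        if "condition" not in detection:
            findings.append("detection block has no 'condition'")
    elif "detection" in rule:
        findings.append("detection must be a mapping")
    tags = rule.get("tags", [])
    if not any(TECHNIQUE_TAG_RE.match(t) for t in tags):
        findings.append("no ATT&CK technique tag (attack.tNNNN[.NNN])")
    for t in tags:
        if t.startswith("attack.t") and not TECHNIQUE_TAG_RE.match(t):
            findings.append(f"malformed technique tag '{t}'")
    return findings


def promotion_target(rule, findings):
    """CI promotion gate (assumed policy): any finding blocks the rule; clean
    stable rules ship to production, clean test/experimental rules to staging."""
    if findings:
        return "blocked"
    return "production" if rule["status"] == "stable" else "staging"


def lint_ruleset(rules):
    """Lint every rule and decide where it may be promoted. Keyed by title."""
    report = {}
    for rule in rules:
        findings = lint_rule(rule)
        report[rule.get("title", "<untitled>")] = {
            "findings": findings,
            "target": promotion_target(rule, findings),
        }
    return report


def coverage_by_technique(rules):
    """Roll clean rules up to the parent ATT&CK technique (T1059.001 -> T1059)
    so coverage can be reported per technique; blocked rules claim no coverage."""
    coverage = {}
    for rule in rules:
        if lint_rule(rule):
            continue
        for tag in rule["tags"]:
            m = TECHNIQUE_TAG_RE.match(tag)
            if m:
                titles = coverage.setdefault(f"T{m.group(1)}", [])
                if rule["title"] not in titles:
                    titles.append(rule["title"])
    return coverage


# Constructed sample rules for the example; not real production detections.
RULES = [
    {   # clean, stable rule
        "title": "Encoded PowerShell Command Line",
        "id": "6ee7b0fd-3c4e-4d2b-9f2a-0b3c1a2d4e5f",
        "status": "stable", "level": "high", "version": "1.2.0",
        "logsource": {"category": "process_creation", "product": "windows"},
        "detection": {"selection": {"Image|endswith": "\\powershell.exe",
                                    "CommandLine|contains": "-enc"},
                      "condition": "selection"},
        "tags": ["attack.execution", "attack.t1059.001"],
    },
    {   # test rule with a non-semver version and a malformed technique tag
        "title": "Suspicious Scheduled Task Creation",
        "id": "d1a2b3c4-e5f6-4a7b-8c9d-0e1f2a3b4c5d",
        "status": "test", "level": "medium", "version": "v2",
        "logsource": {"category": "process_creation", "product": "windows"},
        "detection": {"selection": {"Image|endswith": "\\schtasks.exe"},
                      "condition": "selection"},
        "tags": ["attack.persistence", "attack.t1053-005"],
    },
    {   # bad id, no condition, missing version
        "title": "AWS CloudTrail Logging Disabled",
        "id": "not-a-uuid",
        "status": "stable", "level": "high",
        "logsource": {"product": "aws", "service": "cloudtrail"},
        "detection": {"selection": {"eventName": "StopLogging"}},
        "tags": ["attack.defense_evasion", "attack.t1562.008"],
    },
]

if __name__ == "__main__":
    for title, result in lint_ruleset(RULES).items():
        print(f"{result['target']:>10}  {title}")
        for finding in result["findings"]:
            print(f"            - {finding}")
    print("coverage:", coverage_by_technique(RULES))
```

Run as a CI step, a non-empty findings list would fail the pull request, and the coverage dict is what a coverage dashboard would consume; note that only rules that pass the lint count toward coverage, which keeps the dashboard honest about what is actually promotable.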

Responsibilities

  • Design, build, test, and maintain production-grade detections across data sources, including endpoint, network, identity, SaaS, and cloud.
  • Apply Detection-as-Code (DaC) practices to ensure consistency, scalability, versioning, and automation.
  • Collaborate closely with incident responders, hunters, and platform engineers to map rules to MITRE ATT&CK.
  • Maintain coverage dashboards.
  • Continuously iterate on detection fidelity and performance.

Benefits

  • Health, life, disability, financial, and retirement benefits
  • Paid leave
  • Professional development
  • Tuition assistance
  • Work-life programs
  • Dependent care
  • Recognition awards program