Detection Engineer

About The Position

Requirements

• 2 years with BS/BA; 0 years with MS/MA; 6 years with no degree
• Clearance: Active TS/SCI clearance.
• Candidate must meet ONE of the following: Bachelor’s degree in Computer Science, Cybersecurity, Data Science, Information Systems, Information Technology, or Software Engineering; OR Relevant DoD/military training (examples: A‑531‑1900; DISA (521) Training; Cyber Defense Infrastructure Support Specialist (Intermediate) Playlist); OR Relevant professional certification or equivalent experience (examples: GMON, GRID, CEH, Cloud+, CySA+, GSEC, PenTest+, Security+, SSCP).
• Detection engineering, SOC analytics, or security operations experience.
• Practical experience authoring correlation rules/signatures and analytic queries in one or more SIEM/analytics languages (e.g., KQL, SPL, Sigma, vendor‑specific).
• Familiarity with IDS/IPS signature development, EDR/endpoint detection, and OT/DCI telemetry characteristics.
• Hands‑on testing/tuning experience to validate detections, reduce false positives, and document operational runbooks.
• Ability to liaise with data engineering to specify ingestion and normalization requirements and validate telemetry fidelity.
• Strong documentation skills and capability to maintain versioned detection content and operational artifacts.

Nice To Haves

• Prior DoD/ARNG or enterprise SOC/NOSC detection engineering experience.
• Experience mapping detections to MITRE ATT&CK and integrating CTI/CDAP/CHAP inputs into use‑case prioritization.
• Familiarity with automated testing frameworks, SOAR integrations, and detection performance metrics (precision/recall, MTTD).

Responsibilities

• Develop and maintain detection logic across SIEM, IDS/IPS, endpoint, and OT/DCI monitoring platforms: correlation rules, signatures, and behavioral analytics.
• Translate threat intelligence, CDAP findings, CHAP results, and vulnerability data into detection use cases, dashboards, and alerting content.
• Test detection rules in lab and sample datasets to verify functionality, tune for false‑positive reduction, and validate operational readiness.
• Document detection logic, metadata, versioned content, and change histories to support operational tracking and auditability.
• Collaborate with SOC and NOSC analysts to tune alerts, refine rule logic, and validate detections against observed activity.
• Update runbooks, produce tuning notes, and support analysts during triage and validation workflows.
• Coordinate with data engineers to ensure ingestion, normalization, and field mappings for high‑value telemetry sources.
• Review telemetry quality, identify gaps in coverage, and report issues that affect detection visibility.
• Contribute to continuous improvement by iterating detection content, refining workflows, and adopting new defensive techniques.