Detection Engineer

About The Position

Requirements

• Five (5) years of experience in a relevant technology domain, including software engineering, information technology, systems administration, or information assurance required.
• Five (5) years of demonstrated experience in detection engineering, security operations, or threat detection as a detection engineer, security engineer, high-tier SOC analyst, or similar role required.
• Proven hands-on experience with SIEM platforms (e.g., Elastic Security, or similar), including writing and tuning detection rules.
• Hands-on experience building and maintaining playbooks in at least one SOAR platform (e.g., Tines, or similar).
• ​​Demonstrated experience using AI-assisted development tools (e.g., Claude Code, Codex CLI, or similar) in a professional engineering or security workflow is required.
• Experience with Git-based detection-as-code workflows, including version-controlled detection rules, test- driven development, and automated deployment, is required.
• Experience leading or commanding security incident response efforts, including cross-functional coordination and stakeholder communication during active incidents, is required.
• Experience with Amazon Web Services operational environments and related security offerings (e.g., GuardDuty, Inspector, Security Hub, and Security Lake) is required.
• Working proficiency with AI-assisted development tools (e.g., Claude Code, Codex CLI, or similar) is required. Candidates must demonstrate the ability to integrate these tools into day-to-day detection engineering and scripting workflows — including generating, reviewing, and iterating on AI-assisted code as part of a collaborative team environment.
• Working proficiency in Python and shell scripting.
• Deep working knowledge of MITRE ATT&CK techniques and tactics, the ‘Cyber Kill Chain’, and the ‘Pyramid of Pain’; ability to map adversary TTPs to detection strategies.
• Deep technical knowledge of detection engineering principles, detection-as-code practices, SIEM architecture, and SOC operations in cloud-hosted environments.
• Strong hands-on experience with SOAR platforms and the ability to design, build, and maintain automated enrichment and response workflows.
• Strong hands-on experience with endpoint detection and response (EDR) tools, such as SentinelOne and Uptycs.
• Engineering fluency with Git-based workflows: version control, branching strategies, pull request reviews, and CI/CD pipeline integration for detection content.
• Strong understanding of cloud security principles, including containerization, orchestration, and IAM/KMS.
• Ability to query and sift through large volumes of security-related data to surface critical events of interest and meaningful insights and trends.
• Ability to prioritize under pressure, exercise sound independent judgment, and maintain confidentiality with sensitive information.
• Calm, decisive approach with appropriate urgency and command authority during active security events.
• Strong communication, interpersonal, and presentation skills, with the ability to convey technical findings clearly to both technical and non-technical audiences.
• Ability to work remotely while maintaining high productivity, collaboration, and effectiveness with minimal supervision.
• Strong drive to continuously improve detection fidelity, automation coverage, response speed, and overall security posture in a rapidly evolving field.
• Must be able to pass required background checks to access sensitive information.
• Associate degree in Computer Science, Management Information Systems, Information Assurance, Information Security, Cybersecurity, or related field required; or equivalent self-study with demonstrated command of the knowledge, skills, and abilities outlined in this job description.

Nice To Haves

• Hands-on experience with specific tooling in our stack: Uptycs, TheHive, SentinelOne.
• Familiarity with fintech or banking security environments, including PCI-DSS compliance context.
• Certifications preferred: GCIH, GCIA, GCDA, GSOC, or similar detection engineering and incident response- focused credentials.

Responsibilities

• Design, develop, tune, and maintain high-fidelity detection logic, including correlation rules, detection-as-code pipelines, and behavioral analytics, across SIEM, EDR, NDR, and cloud-native platforms, applying the judgment and pattern recognition that comes from deep hands-on experience with attacker behavior and enterprise environments.
• Apply detection-as-code principles: version detection logic in Git, test in CI/CD pipelines, and deploy through automated workflows, including the use of Terraform, Sigma, Yara, and platform-specific query languages.
• Map detection coverage to MITRE ATT&CK and maintain a living detection coverage matrix; identify and close gaps proactively.
• Translate threat intelligence reports, red team findings, and incident post-mortems into actionable detection logic.
• Manage signal-to-noise ratio across detection platforms through iterative rule logic refinement, suppression tuning, and threshold calibration, with the goal of maximizing automated fidelity and reducing analyst intervention.
• Design and build automated response playbooks and enrichment workflows using SOAR platforms, enabling the system to triage, enrich, and respond to high-confidence alert classes without manual analyst intervention.
• Integrate SOAR with SIEM, EDR, threat intelligence platforms, ticketing systems, and cloud APIs via REST APIs and custom connectors.
• Build tooling and scripts to accelerate the development of detection pipelines, log parsing, data normalization, and context enrichment.
• Evaluate, configure, and optimize AI/ML-assisted triage capabilities; serve as the human-in-the-loop auditor validating AI-generated investigation narratives.
• Maintain operational documentation, including runbooks, playbook logic diagrams, and integration dependency maps.
• Participate in a rotating on-call schedule. During on-call weeks, primary responsibilities shift to triaging and reviewing incoming alerts, assessing events for incident response action, and tuning out false positive content to maintain alert fidelity. Ad hoc compliance requests will regularly interrupt planned work — this is expected and should be prioritized accordingly.
• Serve as an escalation point for complex or novel security incidents, performing a deep-dive investigation across endpoint, network, identity, and cloud telemetry.
• Contribute to the full incident response lifecycle: detection, analysis, containment, eradication, recovery, and lessons-learned documentation.
• As part of the team's rotating duty, lead incident responses as the incident commander as needed, coordinating response activities across internal teams, vendors, and executive stakeholders with clarity and authority following established playbooks and structured approaches.
• Conduct hypothesis-driven threat hunts using behavioral analytics, anomaly detection, and adversary TTP modeling.
• Collaborate with team exercises to validate detection and response effectiveness; incorporate findings into the detection backlog.
• Collect, organize, and present evidence of incident response lifecycle activities to support client due diligence requests and audits.
• Contribute to security metrics reporting for leadership, providing timely and accurate measures such as case statistics, detection coverage, MTTD/MTTR, and TPR/FPR trends.
• Collaborate with risk management and regulatory compliance to align detection and response capabilities with regulatory requirements and control frameworks relevant to financial services.
• Perform other duties as assigned