About The Position

The Principal Threat Detection Engineer serves as a senior, highly technical individual contributor responsible for the design, implementation, and continuous evolution of advanced threat detection capabilities across the enterprise. This role owns the development and optimization of detection logic leveraging Microsoft Security tooling, CrowdStrike, Splunk Cloud, Cribl, and related SOC platforms to identify sophisticated adversary activity spanning endpoint, network, and cloud environments. A core focus of the role is proactive threat hunting and the identification of behavioral indicators that improve visibility into novel and emerging attack techniques. In this capacity, the Principal Threat Detection Engineer leads detection engineering strategy and execution, building, tuning, and automating high‑fidelity alerts using SIEM and analytics platforms such as Splunk Cloud, Microsoft Sentinel, and Cribl. The role applies deep knowledge of query languages (including KQL) and custom detection logic to reduce noise, improve precision, and increase analyst efficiency. Detection capabilities are continuously iterated based on adversary tradecraft, environmental changes, and lessons learned from active investigations and simulations. The role operates at the intersection of offensive and defensive security, collaborating closely with threat hunting, incident response, and purple team partners to translate adversary emulation and penetration testing findings into actionable detection improvements aligned to the MITRE ATT&CK framework. The position integrates threat intelligence and supports active incident investigations by providing insight into attacker behavior and detection blind spots. Through continuous innovation and a strong understanding of regulatory and compliance considerations (e.g., PCI-DSS, HIPAA, NIST, ISO 27001), the Principal Threat Detection Engineer strengthens the organization’s overall detection maturity and cyber resilience.

Requirements

  • 10+ years of experience in threat detection, hunting, penetration testing, and/or offensive security.
  • 7+ years of experience in Microsoft Security tools (Defender for Endpoint, Sentinel), CrowdStrike, Splunk Cloud, and Cribl.
  • 5+ years of experience with KQL, SPL, Python, PowerShell, or Bash scripting for automation and detection logic.

Nice To Haves

  • Relevant certifications such as OSCP, GCIH, GCIA, CISSP, CEH, or Microsoft Azure Certification.
  • Experience in managing or participating in purple team exercises.
  • Familiarity with compliance standards like PCI-DSS, HIPAA, or ISO 27001.
  • Strong understanding of the MITRE ATT&CK framework and security standards (NIST, CIS).
  • Strong communication skills to convey complex security issues to non-technical stakeholders.

Responsibilities

  • Design, deploy, and continuously optimize high‑fidelity detections across SIEM platforms including Microsoft Sentinel, Splunk Cloud, and Cribl.
  • Lead proactive threat hunting using Microsoft Defender, CrowdStrike, and other SOC tools to identify advanced and emerging adversary activity.
  • Develop custom detection logic and automation using KQL, SPL, and scripting, iterating based on threat intelligence and environmental changes.
  • Design and execute adversary emulation and purple team exercises to evaluate and improve detection and response effectiveness.
  • Partner with defensive teams to translate offensive findings into actionable improvements aligned to the MITRE ATT&CK framework.
  • Support penetration testing efforts and produce actionable assessments highlighting detection gaps and remediation opportunities.
  • Integrate internal and external threat intelligence into detection strategies to prioritize risk and adapt alert logic.
  • Support active incident investigations by providing insight into adversary tactics, detection blind spots, and response opportunities.
  • Contribute to the development of enterprise‑wide threat detection strategy aligned with risk management objectives.
  • Communicate detection coverage, gaps, and effectiveness to security leadership through clear, actionable reporting.

Benefits

  • Medical
  • Dental
  • Vision coverage
  • Paid time off
  • Retirement savings options
  • Wellness programs

What This Job Offers

Job Type

Full-time

Career Level

Principal

Education Level

Associate degree

Number of Employees

5,001-10,000 employees