About The Position

Salesforce is the #1 AI CRM, driving customer success through the collaboration of humans and AI agents. The company is seeking Trailblazers passionate about leveraging AI to improve business and the world, while upholding Salesforce's core values. The Threat Intelligence team is dedicated to defending the organization and its customers by identifying and preparing for emerging threats, drawing on expertise in nation-state, eCrime, and other adversarial tactics. As a Principal Threat Researcher (Counter-Threat Ops), you will be a key member of the Threat Intelligence (TI) team, focusing on adversary disruption. This technical leadership role involves identifying, tracking, and imposing friction on threat actors targeting the Salesforce ecosystem. You will conduct deep-dive research across extensive datasets to extract tactics, techniques, and procedures (TTPs), build complex attacker profiles, and translate this intelligence into actionable strategies. Your work will involve partnering with hyperscalers to dismantle attacker infrastructure and collaborating with multi-national law enforcement to support criminal prosecution, with the ultimate goal of making it costly and risky for adversaries to operate against Salesforce and its customers.

Requirements

  • Recognized, first-hand knowledge of how advanced adversaries operate and their tactics, techniques, and procedures (TTPs), with a focus on AWS, GCP, Azure, and other cloud providers
  • 10+ years of hands-on experience identifying, tracking, and disrupting advanced cyber threat actors (government-backed and advanced e-crime adversaries), including successful referrals to international Law Enforcement agencies
  • 5+ years hands-on experience with strategic intelligence writing and standard conventions (BLUF, Diamond Model, MITRE ATT&CK), with a proven track record of authoring dozens of research articles and public-facing blog posts
  • Established threat intelligence practitioner and active member of private, invite-only Information Security trust groups with extensive industry and community contacts
  • Experience with Cyber Threat Intelligence writing for technical, non-technical, and executive audiences - ideally with threat briefings, threat reports, blog posts, or similar finished intelligence
  • A capable oral and written communicator, you are able to engage others in the business at multiple levels to translate threat research into actionable recommendations to shape strategy and decisions
  • Experience conducting and correlating threat research using OSINT and proprietary tools, including infrastructure analysis, malware telemetry, and full attack lifecycle tracking
  • You operate autonomously to drive projects and have experience mentoring and supporting junior analysts in a globally distributed or remote team environment
  • You have an understanding of existing and emerging threats to an organization spanning multiple industries and threat profiles
  • 3+ years experience scripting, automating, and building investigative tooling (Python, Bash, SQL, Splunk) and using YARA or Sigma for threat hunting
  • Identify patterns and trends across various data sources and distill findings concisely

Nice To Haves

  • Extensive experience collaborating with global law enforcement agencies (e.g., FBI, Europol) on attribution and evidence collection resulting in successful prosecutions and takedowns
  • Experience using Threat Intelligence Platforms, and building integrations with these platforms
  • Extensive experience using Machine Learning automation for the detection and disruption of high-harm groups and platform-based abuse
  • Deep familiarity with reverse engineering, malware analysis, and knowledge of underground communities
  • Experience with security analysis tools (Jupyter notebooks, Splunk, Elasticsearch, etc.)
  • Extensive experience with uncovering threats in AWS, Microsoft Azure, and Google Cloud
  • Expert-level use of hunting/IR tools for host and network analysis
  • Recognized industry leader in the threat community
  • You have performed all of the above “at scale” in a large, complex environment

Responsibilities

  • Adversary Disruption & Denial: Lead initiatives to disrupt threat actor operations by leveraging Salesforce infrastructure and strategic partnerships with hyperscalers (AWS, GCP, MAS), CDNs, and network security providers.
  • Law Enforcement Collaboration: Develop high-fidelity technical evidence and attribution data to support US and European law enforcement in the successful criminal prosecution of threat actors.
  • Strategic Intelligence Ecosystem: Deepen Salesforce’s reach into the broader cyber intelligence community, fostering peer-to-peer partnerships with other industry disruption teams to build a collective defensive picture.
  • Advanced Threat Tracking: Perform expert-level tracking of advanced e-crime and state-sponsored actors, distilling complex tactics, techniques and procedures (TTPs) into actionable intelligence for executives and technical stakeholders.
  • Tactical Tooling & Automation: Build custom scripts, investigative tools, and automation (Python, SQL, Splunk) to scale research and enable "on-the-fly" analysis during active campaigns or incident response.
  • Technical Mentorship: Serve as a technical mentor on the Threat Intelligence team, guiding junior researchers and driving the direction of investigations through deep subject matter expertise.
  • Cross-Functional Influence: Act as a central bridge between Incident Response, Security Engineering, and Platform Defense to ensure intelligence directly hardens our environment.

Benefits

  • time off programs
  • medical
  • dental
  • vision
  • mental health support
  • paid parental leave
  • life and disability insurance
  • 401(k)
  • employee stock purchasing program