About The Position

AppGate is seeking a Senior/Staff/Principal AI/ML Engineer specializing in Threat Detection to design, build, and operationalize detection algorithms, ML inference pipelines, and risk aggregation systems for their autonomous threat detection platform. This role operates at the intersection of identity security, behavioral analytics, and applied machine learning, focusing on production systems that analyze ZTNA audit logs in near real-time to identify high-fidelity threat signals and feed into the Risk Sentinel enforcement engine for continuous access hardening. The engineer will contribute to next-generation capabilities including a Threat Detection Engine (rule-based, behavioral, and ML-based), ML Anomaly Detection, Risk Aggregation & Enforcement, a Real-Time Detection Pipeline, AI Agent Security, and Autonomous Remediation (roadmap). Responsibilities include designing detection algorithms, training and deploying ML models, architecting and operating the detection pipeline, defining the detection taxonomy, instrumenting and improving signal quality, and collaborating with cross-functional teams. This is an opportunity to build AI systems that detect, prevent, and auto-remediate threats across networks, users, and autonomous AI agents.

Requirements

  • 7+ years of production AI/ML engineering experience, with a strong preference for candidates who have built threat detection, UEBA, ITDR, or identity security platforms at leading security or cloud companies.
  • Detection algorithm expertise: Hands-on experience designing detections for identity-based threats — credential compromise, privilege escalation, insider activity, behavioral anomalies, and data exfiltration.
  • ML proficiency: Anomaly detection (Isolation Forest, One-Class SVM, Autoencoders), statistical methods, and supervised classification using PyTorch or TensorFlow.
  • Data & streaming engineering: Real-time or near-real-time pipeline experience (Kafka, Flink, Spark Streaming, or equivalent); familiarity with lakehouse formats (Apache Iceberg, Parquet).
  • Security domain knowledge: MITRE ATT&CK, identity threat kill chains, ZTNA or network access control systems, and audit log analysis.
  • Mindset: Mission-driven, production-focused, signal-obsessed. You measure precision and recall, you eliminate alert fatigue, and you care that your work protects real systems.

Nice To Haves

  • Experience with detection-as-code frameworks (Sigma, YARA)
  • Experience with ZTNA platforms
  • Experience with LLMs or GNNs applied to security
  • Publications at USENIX, CCS, NeurIPS, or ICML

Responsibilities

  • Design and implement detection algorithms spanning authentication, authorization, network/location, data access, session management, and temporal behavioral domains.
  • Train, evaluate, and deploy ML models on real-world identity and network telemetry; tune for production precision and recall targets.
  • Architect and operate the detection pipeline — from audit log ingestion through risk aggregation and Risk Sentinel integration.
  • Define the detection taxonomy — categorizing, prioritizing, and lifecycle-managing the full detection library using a scalable detection family model.
  • Instrument and improve signal quality — measuring MTTD, false positive rates, and MITRE ATT&CK coverage; partnering with red teams to validate detections against real attack scenarios.
  • Collaborate cross-functionally with security, product, and platform engineering to align detection coverage with customer threat models and roadmap priorities.

Benefits

  • Equal Opportunity/Affirmative Action Employer status
© 2026 Teal Labs, Inc