Staff Software Engineer, Attack

Horizon3 AI

23h•Remote

About The Position

Horizon3.ai is a fast-growing, remote cybersecurity company dedicated to the mission of enabling organizations to proactively find and fix and verify exploitable attack vectors before criminals exploit them. Our flagship product, the NodeZeroTM platform, delivers production-safe autonomous pentests and other key assessment operations that scale across the largest internal, external, cloud, and hybrid cloud environments. NodeZero has been adopted by organizations of all sizes, from small educational institutions to government agencies and Global 100 enterprises. It is used by ITOps/SecOps teams, consulting pentesters, and MSSPs and MSPs. We are a fusion of former U.S. Special Operations cyber operators, startup engineers, and formerly frustrated cybersecurity practitioners. We're committed to helping solve our common security problems: ineffective security tools, false positives resulting in alert fatigue, blind spots, "checkbox” security culture, cybersecurity skills shortage, and the long lead time and expense of hiring outside consultants. Collectively, we are a team of learn it alls, committed to a culture of respect, collaboration, ownership, and results. We are hiring a Staff Software Engineer to own the technical vision for EDR telemetry and detection work inside NodeZero and ultimately, the future of EDR effectiveness and tuning as a product capability. Modern endpoints are instrumented by CrowdStrike, SentinelOne, Microsoft Defender, Carbon Black, and others. Our customers need to know, with evidence, which of our attack techniques their EDR caught, which ones slipped through, and why. Answering that at scale — across platforms, tenants, and operator objectives — requires someone who deeply understands the telemetry surface and can turn that understanding into a product. Over time, this role will own the technical work for incorporating AI and ML research into how we reason about detection gaps, generate tuning recommendations, and scale effectiveness insights. This is not a pure architect role. You will write production code every week, review PRs from the people you lead, and partner closely with Product to sequence the right problems in the right order. You will be the person who both draws the system diagram on the whiteboard and commits the first slice of it to main.

Requirements

Deep familiarity with at least one major EDR platform (CrowdStrike, SentinelOne, Microsoft Defender) at the telemetry and API level.
Understands detection logic, alert triage workflows, and how SOC teams consume EDR output.
Can build and evaluate labeled ground truth datasets — knows what a correct detection actually looks like.
Fluent in FP/FN tradeoffs and confidence scoring in real production environments.
Write production code every week, review PRs from the people you lead, and partner closely with Product to sequence the right problems in the right order.

Nice To Haves

Incorporating AI and ML research into how we reason about detection gaps, generate tuning recommendations, and scale effectiveness insights.

Responsibilities

Owns the end-to-end technical vision for the workstream and rallies the team around it — from blank doc through shipping, iterating, and deprecating.
Production code contributions at Lead/Staff level in a modern backend language (Go, Rust, Python, or similar) in a service-oriented environment.
Sets and raises the technical bar (design reviews, code quality, operational discipline) by example rather than by mandate.
Mentors and enhances the engineers around them; Build the frameworks and architecture for others to do the best work of their careers.
Partners with the hiring team to attract, interview, and level engineers into the workstream as it scales.
Holds the team accountable to outcomes rather than activity; surfaces risks and tradeoffs early and in writing.
Translates ambiguous product goals into concrete technical roadmaps.
Makes build vs. buy vs. integrate calls with business context, not just engineering preference.
Partners closely with PM — comfortable in PRD reviews, not just sprint planning.
Sequences an MVP without painting the team into a corner.
Defines ground truth methodology and oversees execution (initially with intern support).
Designs confidence scoring approach and FP/FN threshold definitions.
Owns calibration and recalibration methodology as the system evolves.
Defines what “correct” looks like for tuning recommendations, translates missed detections into vendor-accurate guidance.