Threat Hunt Senior Associate

About The Position

Requirements

• Min 3-6 years of relevant experience
• Bachelor’s Degree and/or equivalent experience
• 3-6 years in Threat Hunting, Detection Engineering, Incident Response, or SOC investigations in a production environment (financial services/fintech experience is a plus but not required).
• Demonstrated experience running hypothesis-driven hunts and documenting outcomes in a way that supports repeatability and measurement.
• Strong log analysis skills and comfort working across multiple telemetry sources (endpoint, identity, network, cloud).
• Practical detection and query experience in one or more: KQL (Microsoft Sentinel / Defender), Splunk SPL, Elastic/Kibana (EQL/KQL/Lucene), Chronicle/Google SecOps query language or equivalent
• Solid operating system fundamentals: Windows internals basics (process ancestry, services, scheduled tasks, registry persistence), Linux fundamentals (systemd, cron, auth logs, process/network inspection)
• Familiarity with attacker tradecraft and investigative methods aligned to MITRE ATT&CK; ability to map raw evidence to techniques without forcing it.
• Ability to communicate clearly—writeups that separate observation from inference, quantify confidence, and identify next steps.
• Proven ability to prioritize: know when you have enough evidence to escalate vs. when to keep iterating.

Nice To Haves

• Experience hunting across cloud + containerized environments (AWS/Azure/GCP; Kubernetes; CI/CD telemetry).
• Experience developing or tuning detections using Sigma, YARA, EDR custom detections, or SIEM correlation rules.
• Familiarity with NIST CSF / NIST 800-61 incident response concepts and how hunting feeds detection/response maturity.
• Experience with SOAR automation, enrichment pipelines, and case management workflows.
• Comfortable scripting for analysis and automation (Python, PowerShell, Bash) and using tools like jq, osquery, CyberChef.
• GCFA, GCIH, GCIA certifications
• OSCP certification (useful signal for investigative depth; not required)
• CISSP certification (helpful for program maturity context; not required)

Responsibilities

• Execute hypothesis-based threat hunts mapped to MITRE ATT&CK tactics/techniques, focusing on realistic adversary behaviors (credential access, persistence, lateral movement, defense evasion, and cloud abuse).
• Use behavioral analytics and anomaly detection to identify suspicious patterns across endpoint + identity + cloud + network telemetry, then validate with deeper artifact review.
• Perform, track, and record hunt activity in a structured way: hypotheses, datasets queried, query versions, findings (positive/negative), evidence, confidence, and follow-up actions.
• Maintain clean, audit-ready hunt notes that allow another analyst to reproduce your work and understand decisions made under uncertainty.
• Correlate logs across EDR/XDR, SIEM, cloud control plane logs, identity logs, and container/Kubernetes telemetry to build a coherent narrative from partial signals.
• Investigate attacker tradecraft such as: Credential theft and replay (token theft, OAuth abuse, suspicious refresh patterns), “Living off the land” execution (PowerShell, WMI, LOLBins on Windows; bash/curl/wget/systemd on Linux), Persistence mechanisms (scheduled tasks/cron, service modifications, registry run keys, launch agents), Command-and-control behaviors and egress anomalies (beaconing, domain fronting indicators, unusual TLS fingerprints where available), Cloud and Kubernetes abuse (suspicious role assumptions, unusual API call sequences, kubeconfig access, container escape precursors).
• Triage and deepen suspicious signals into defensible findings: timeline, scope, impact, root cause, and containment recommendations.
• Translate hunt results into durable controls: new detections, tuning improvements, telemetry onboarding, or gaps to address (instrumentation, logging coverage, parsing, enrichment).
• Draft and iterate detection logic (e.g., Sigma/YARA, SIEM analytics rules, EDR custom IOAs) with measurable success criteria: false-positive rate, time-to-detect improvements, and coverage mapped to ATT&CK.
• Partner with SOAR/automation engineers to operationalize repetitive enrichment and triage steps into playbooks.
• Collaborate with Red Team / Purple Team efforts to validate detection coverage, refine alerts, and ensure hunts align to current and relevant TTPs.
• Help design and execute controlled simulations (atomic tests, adversary emulation plans), then close the loop by updating detections, documentation, and response procedures.
• Provide incident surge support: rapid scoping queries, hunting for related activity, identifying patient-zero candidates, and strengthening containment decisions with evidence.
• Contribute to post-incident reviews by identifying detection gaps, improving playbooks, and capturing lessons learned as backlog items.

Benefits

• Competitive compensation, including base pay and annual incentive
• Comprehensive health and life insurance and well-being benefits, based on location
• Pension / Retirement benefits
• Paid Time Off and Personal/Family Care, and other leaves of absence when needed to support your physical, financial, and emotional well-being.