Security Engineer 4

Security research & threat modeling

Investigate emerging TTPs, business-logic abuse patterns, and identity/OAuth attack paths.

Build and maintain adversary playbooks mapped to MITRE ATT&CK; drive coverage roadmaps.

Detection engineering (detection-as-code)

Ship high-quality detections using Sigma/KQL/SPL/OSQuery/eBPF, versioned as code with CI/CD.

Instrument cloud/SaaS telemetry pipelines; reduce noise via tuning, suppression, and risk scoring.

AI-assisted analytics

Apply ML for anomaly detection, clustering, and outlier triage; prototype LLM/RAG assistants for playbook generation, enrichment, and hypothesis-driven hunts.

Partner with data teams to productionize models with feedback loops (precision/recall tracked).

Threat intelligence integration

Build ingestion/enrichment pipelines (TIPs, OSINT, ISACs, vendor feeds); normalize IOCs/TTPs.

Correlate TI with detections & hunts; drive proactive hardening and hypothesis creation.

Proactive controls & response acceleration

Recommend/implement preventive controls (authz hardening, rate limits, token binding, WAF rules).

Automate response (SOAR/runbooks), shrinking MTTD/MTTR with measurable impact.

Metrics & continuous improvement

Own coverage and efficacy KPIs (FPR/FNR, time-to-detect, time-to-close, alert fatigue).

Run post-incident detection reviews and continuously up-level our catalog.

5–8+ years in security engineering/detection engineering/threat research for cloud/SaaS.

Applied AI/ML experience for security (feature engineering, anomaly detection, basic model evaluation).

Strong detection content skills (Sigma/KQL/SPL/OSQuery/eBPF) and detection-as-code practices (Git, tests, CI/CD).

Demonstrated threat hunting experience (hypothesis-led, telemetry-driven) at scale.

Hands-on with SIEM/SOAR and cloud-native telemetry (e.g., AWS/GCP/Azure, Kubernetes, API logs).

Solid programming for automation/data wrangling (Python/Go) and comfort with SQL.

Working knowledge of MITRE ATT&CK, adversary emulation, and identity-centric threats (SSO/OIDC/OAuth).

Built TI pipelines/TIP integrations; mapping intel → detections/hunts/playbooks.

Experience tuning detections to reduce false positives without losing recall; risk-based alerting.