United States onlyBasic Function
We are hiring a Detection Engineer to sit at the intersection of security operations and security engineering. This is not a traditional SOC analyst seat. AI-driven triage and SOAR platforms now handle the bulk of routine alert processing, and the analysts who thrive in the modern SOC are the ones who build the detections those platforms execute, author the automation playbooks that accelerate response, and hunt proactively for threats that evade automated pipelines.
You will own the full detection lifecycle—from threat intelligence intake and hypothesis formation through rule authoring, testing, deployment, and continuous tuning. You will also design and maintain SOAR playbooks and integrations that keep the SOC operating at machine speed, and you will serve as a hands-on incident responder when complex or novel threats demand human judgment and coordinated response.
This role operates with a high degree of autonomy. There is no daily task list handed to you — you are expected to self-direct priorities, identify gaps, and drive improvements without managerial prompting. Candidates who thrive here are self-directed, comfortable defining their own work, and consistently deliver without close supervision.
Essential Functions, Responsibilities, Experience:
Detection Engineering
Design, develop, tune, and maintain high-fidelity detection logic, including correlation rules, detection-as-code pipelines, and behavioral analytics, across SIEM, EDR, NDR, and cloud-native platforms, applying the judgment and pattern recognition that comes from deep hands-on experience with attacker behavior and enterprise environments.
Apply detection-as-code principles: version detection logic in Git, test in CI/CD pipelines, and deploy through automated workflows, including the use of Terraform, Sigma, Yara, and platform-specific query languages.
Map detection coverage to MITRE ATT&CK and maintain a living detection coverage matrix; identify and close gaps proactively.
Translate threat intelligence reports, red team findings, and incident post-mortems into actionable detection logic.
Manage signal-to-noise ratio across detection platforms through iterative rule logic refinement, suppression tuning, and threshold calibration, with the goal of maximizing automated fidelity and reducing analyst intervention.
SOAR, Automation & Response Orchestration
Design and build automated response playbooks and enrichment workflows using SOAR platforms, enabling the system to triage, enrich, and respond to high-confidence alert classes without manual analyst intervention.
Integrate SOAR with SIEM, EDR, threat intelligence platforms, ticketing systems, and cloud APIs via REST APIs and custom connectors.
Build tooling and scripts to accelerate the development of detection pipelines, log parsing, data normalization, and context enrichment.
Evaluate, configure, and optimize AI/ML-assisted triage capabilities; serve as the human-in-the-loop auditor validating AI-generated investigation narratives.
Maintain operational documentation, including runbooks, playbook logic diagrams, and integration dependency maps.
On-Call & Alert Operations
Participate in a rotating on-call schedule. During on-call weeks, primary responsibilities shift to triaging and reviewing incoming alerts, assessing events for incident response action, and tuning out false positive content to maintain alert fidelity. Ad hoc compliance requests will regularly interrupt planned work — this is expected and should be prioritized accordingly.
Incident Response & Threat Hunting
Serve as an escalation point for complex or novel security incidents, performing a deep-dive investigation across endpoint, network, identity, and cloud telemetry.
Contribute to the full incident response lifecycle: detection, analysis, containment, eradication, recovery, and lessons-learned documentation.
As part of the team's rotating duty, lead incident responses as the incident commander as needed, coordinating response activities across internal teams, vendors, and executive stakeholders with clarity and authority following established playbooks and structured approaches.
Conduct hypothesis-driven threat hunts using behavioral analytics, anomaly detection, and adversary TTP modeling.
Collaborate with team exercises to validate detection and response effectiveness; incorporate findings into the detection backlog.
Collaboration, Compliance & Continuous Improvement
Collect, organize, and present evidence of incident response lifecycle activities to support client due diligence requests and audits.
Contribute to security metrics reporting for leadership, providing timely and accurate measures such as case statistics, detection coverage, MTTD/MTTR, and TPR/FPR trends.
Collaborate with risk management and regulatory compliance to align detection and response capabilities with regulatory requirements and control frameworks relevant to financial services.
Perform other duties as assigned
Physical Demands:
While performing the duties of this Job, the employee is regularly required to sit; use hands to type, handle, or feel and talk or hear
Specific vision abilities required by this job include close vision
Ability to occasionally lift/move up to 25 pounds
Individuals with a disability who are otherwise able to perform the essential functions of the job may request reasonable accommodation through the Human Resources department.
Other physical activities may be required to support business operations.
Position Specifications
Education
Associate degree in Computer Science, Management Information Systems, Information Assurance, Information Security, Cybersecurity, or related field required; or equivalent self-study with demonstrated command of the knowledge, skills, and abilities outlined in this job description.
Certifications preferred: GCIH, GCIA, GCDA, GSOC, or similar detection engineering and incident response- focused credentials.
Experience
Required:
Five (5) years of experience in a relevant technology domain, including software engineering, information technology, systems administration, or information assurance required.
Five (5) years of demonstrated experience in detection engineering, security operations, or threat detection as a detection engineer, security engineer, high-tier SOC analyst, or similar role required.
Proven hands-on experience with SIEM platforms (e.g., Elastic Security, or similar), including writing and tuning detection rules.
Hands-on experience building and maintaining playbooks in at least one SOAR platform (e.g., Tines, or similar).
Demonstrated experience using AI-assisted development tools (e.g., Claude Code, Codex CLI, or similar) in a professional engineering or security workflow is required.
Experience with Git-based detection-as-code workflows, including version-controlled detection rules, test- driven development, and automated deployment, is required.
Experience leading or commanding security incident response efforts, including cross-functional coordination and stakeholder communication during active incidents, is required.
Experience with Amazon Web Services operational environments and related security offerings (e.g., GuardDuty, Inspector, Security Hub, and Security Lake) is required.
Preferred:
Hands-on experience with specific tooling in our stack: Uptycs, TheHive, SentinelOne.
Familiarity with fintech or banking security environments, including PCI-DSS compliance context.
Knowledge, Skills, & Abilities
Working proficiency with AI-assisted development tools (e.g., Claude Code, Codex CLI, or similar) is required. Candidates must demonstrate the ability to integrate these tools into day-to-day detection engineering and scripting workflows — including generating, reviewing, and iterating on AI-assisted code as part of a collaborative team environment.
Working proficiency in Python and shell scripting.
Deep working knowledge of MITRE ATT&CK techniques and tactics, the ‘Cyber Kill Chain’, and the ‘Pyramid of Pain’; ability to map adversary TTPs to detection strategies.
Deep technical knowledge of detection engineering principles, detection-as-code practices, SIEM architecture, and SOC operations in cloud-hosted environments.
Strong hands-on experience with SOAR platforms and the ability to design, build, and maintain automated enrichment and response workflows.
Strong hands-on experience with endpoint detection and response (EDR) tools, such as SentinelOne and Uptycs.
Engineering fluency with Git-based workflows: version control, branching strategies, pull request reviews, and CI/CD pipeline integration for detection content.
Strong understanding of cloud security principles, including containerization, orchestration, and IAM/KMS.
Ability to query and sift through large volumes of security-related data to surface critical events of interest and meaningful insights and trends.
Ability to prioritize under pressure, exercise sound independent judgment, and maintain confidentiality with sensitive information.
Calm, decisive approach with appropriate urgency and command authority during active security events.
Strong communication, interpersonal, and presentation skills, with the ability to convey technical findings clearly to both technical and non-technical audiences.
Ability to work remotely while maintaining high productivity, collaboration, and effectiveness with minimal supervision.
Strong drive to continuously improve detection fidelity, automation coverage, response speed, and overall security posture in a rapidly evolving field.
Must be able to pass required background checks to access sensitive information.
Travel
Minimal, generally 12 days or less per year; approximately 2 team on-site meetings per year.
