Job description
Job Purpose
The Detection Engineer is responsible for designing, building, and continuously improving our organization's threat detection capabilities. This role translates threat intelligence and adversary tactics into high-fidelity detection logic, conducts proactive threat hunting to identify coverage gaps, and engineers automated detection content across our security stack. The Detection Engineer ensures our security operations can effectively identify malicious activity while minimizing alert fatigue through precision detection engineering.
Major Accountabilities
Detection Development & Engineering
• Design, develop, and deploy detection rules and alerts across multiple security platforms (SIEM, EDR, NDR, cloud security tools)
• Create high-fidelity detections based on threat intelligence, MITRE ATT&CK techniques, and emerging threats
• Write detection logic using query languages (KQL, SPL, Sigma, YARA, etc.)
• Develop custom parsers and correlation rules for security event data
• Build detections for both known threats (IOCs) and behavioral/anomaly-based patterns
• Continuously tune and optimize detection rules to reduce false positives while maintaining coverage
Threat Hunting & Research
• Conduct proactive threat hunting campaigns to identify gaps in detection coverage
• Analyze adversary tactics, techniques, and procedures (TTPs) to develop new detections
• Research emerging threats and translate findings into actionable detection content
• Develop hypotheses and use data analytics to validate or refute threat scenarios
• Document threat hunting activities, findings, and lessons learned
Detection Testing & Validation
• Perform regular testing of detection rules using attack simulation and red team exercises
• Validate detection efficacy against the MITRE ATT&CK framework
• Use tools like Atomic Red Team, Caldera, or custom scripts to generate test telemetry
• Measure and report on detection coverage and detection engineering KPIs
• Conduct purple team exercises in collaboration with offensive security teams
Data Source Engineering
• Identify and onboard new log sources to improve detection visibility
• Ensure log quality, completeness, and proper normalization across all data sources
• Work with IT and engineering teams to configure optimal logging and telemetry
• Map data sources to MITRE ATT&CK techniques to identify coverage gaps
• Optimize data ingestion pipelines for detection use cases
Automation & Tooling
• Develop automation workflows for detection deployment and management (Detection-as-Code)
• Build tools and scripts to streamline detection engineering processes
• Create automated response playbooks for common detection scenarios
• Implement continuous integration/continuous deployment (CI/CD) for detection content
• Integrate threat intelligence feeds into detection platforms
ITSM & Operational Management
• Manage detection-related incidents, requests, and changes through ITSM workflows
• Create and track detection engineering work items in ticketing systems (ServiceNow, Jira, etc.)
• Document detection deployments, modifications, and rollbacks following change management processes
• Participate in problem management to identify and resolve recurring detection issues
• Maintain accurate CMDB entries for detection rules and security monitoring infrastructure
• Generate regular reports on detection coverage, effectiveness, and operational metrics
• Ensure proper SLA compliance for detection development and tuning requests
Collaboration & Knowledge Sharing
• Partner with SOC analysts to refine detections based on operational feedback
• Collaborate with incident response teams to develop detections from post-incident findings
• Work with threat intelligence teams to operationalize intelligence into detections
• Create and maintain detection engineering documentation and runbooks
• Mentor junior detection engineers and SOC analysts on detection development
Personal Requirements
Competencies
Technical Expertise
Detection & Query Languages
• Expert proficiency in at least two query languages: SPL (Splunk), KQL (Kusto/Sentinel), SQL, or similar
• Experience writing detection rules in Sigma, YARA, Snort/Suricata, or similar formats
• Ability to translate detection logic across different platforms and formats
Security Platforms & Tools
• Hands-on experience with SIEM platforms (Splunk, Elastic Security, Microsoft Sentinel, Chronicle, QRadar)
• Experience with EDR/XDR solutions (CrowdStrike, SentinelOne, Microsoft Defender, Carbon Black)
• Familiarity with NDR tools (Zeek, Suricata, Corelight) and cloud security platforms
• Knowledge of SOAR platforms and detection orchestration tools
Threat Intelligence & Frameworks
• Deep understanding of the MITRE ATT&CK framework and its application to detection engineering
• Experience operationalizing threat intelligence into actionable detections
• Knowledge of adversary behavior, TTPs, and attack patterns
• Familiarity with threat intelligence platforms and feeds
Programming & Scripting
• Proficiency in Python for automation, data analysis, and tool development
• Experience with scripting languages (PowerShell, Bash) for detection testing
• Understanding of data structures, APIs, and RESTful services
• Familiarity with version control systems (Git) and CI/CD concepts
Log Analysis & Data Science
• Strong log analysis and parsing skills across multiple data sources (Windows Event Logs, Syslog, cloud logs, network logs)
• Understanding of data normalization, enrichment, and correlation techniques
• Experience with statistical analysis and anomaly detection methods
• Knowledge of common log formats (JSON, CEF, LEEF, Syslog)
ITSM & Documentation
• Experience with ITSM platforms (ServiceNow, Jira Service Management, or similar)
• Understanding of ITIL processes (Incident, Change, Problem, Knowledge Management)
• Strong documentation skills and ability to create clear technical runbooks
• Experience tracking and reporting on security operations metrics and KPIs
Operating Systems & Networks
• Deep understanding of Windows, Linux, and macOS internals and artifacts
• Strong knowledge of network protocols, traffic analysis, and packet capture
• Understanding of authentication protocols (Kerberos, NTLM, SAML, OAuth)
• Familiarity with cloud environments (AWS, Azure, GCP) and their logging mechanisms
Key Competencies
• Analytical thinking and problem-solving abilities
• Strong attention to detail and ability to identify security weaknesses
• Excellent communication skills for technical and non-technical audiences
• Ability to work under pressure during security incidents
• Proactive mindset and continuous learning attitude
• Team collaboration and cross-functional coordination
• Time management and ability to prioritize multiple tasks
Qualifications
• Bachelor's degree in Computer Science, Information Security, or related field (or equivalent experience)
• GIAC Certified Detection Analyst (GCDA)
• Background in threat hunting or security analytics
Experience
• 3-5 years of experience in security operations, threat detection, or SOC environments
• Proven experience developing detection rules and content across multiple platforms
• Contributions to open-source detection projects (Sigma rules, YARA rules, etc.)
• Experience with machine learning or behavioral analytics for detection
• Background in offensive security, penetration testing, or red teaming
• Experience building Detection-as-Code pipelines and infrastructure
• Experience with threat emulation and breach & attack simulation (BAS) tools
Preferred candidate
Years of experience
No experience required
Degree
Bachelor's degree / higher diploma