Location: UK (remote/hybrid)
Stack:
• Microsoft Security: Defender XDR, Sentinel, Entra ID
• SIEM/XDR: Microsoft Sentinel (KQL), SentinelOne (S1QL)
• Exposure to other platforms such as CrowdStrike or Elastic is a plus
• Threat intelligence integration and detection tuning
• Tooling: KQL, S1QL, PowerShell, API usage
Join us and help strengthen the defensive capability of the organisations we support. You will focus on building, tuning, and improving detection logic across Microsoft and modern XDR platforms.
This role sits at the centre of threat detection, platform optimisation, and continuous improvement. You’ll work closely with SOC analysts, engineers, and threat intelligence practitioners to build high-quality detections.
Technical responsibilities
• Design, build, and tune detection logic across Sentinel and XDR platforms.
• Write and optimise KQL and S1QL queries for detection and hunting scenarios.
• Improve signal quality through tuning, suppression logic, and data validation.
• Review and enhance existing analytic rules for coverage, performance, and operational effectiveness.
• Develop threat hunting queries and support proactive detection improvement initiatives.
• Assist with detection testing and validation across endpoint, identity, and cloud telemetry.
Platform & engineering responsibilities
• Understand how telemetry from endpoints, identity, cloud, and network sources feeds into SIEM/XDR platforms.
• Support optimisation of logging pipelines and signal ingestion where required.
• Contribute to detection-as-code, structured rule development, and repeatable deployment practices.
Customer & collaboration
• Work closely with SOC teams to refine detections based on operational feedback.
• Liaise with threat intelligence contributors to align detections with emerging attacker techniques.
• Support customer discussions around detection coverage, tuning, and maturity improvements.
• Contribute to internal documentation, detection standards, and knowledge sharing.
• Collaborate with engineering and architecture teams to improve overall security posture.
What we’re looking for
Must have:
• Practical experience working in a SOC or security operations environment.
• Knowledge of KQL, or equivalent, and some experience writing or tuning detections.
• Solid understanding of common attack techniques across identity, endpoint, and cloud.
• Experience working with Microsoft security tooling, ideally Sentinel or Defender XDR.
• Ability to think analytically about signal quality, false positives, and detection gaps.
• Comfortable working independently and taking ownership of technical outcomes.
Nice to have:
• Experience with SentinelOne and S1QL.
• Exposure to threat intelligence workflows and mapping detections to MITRE ATT&CK.
• Familiarity with automation or scripting (PowerShell, Python).
• Understanding of logging pipelines and data onboarding (AMA, Syslog, etc.).
• Exposure to detection-as-code or CI/CD workflows.
• Experience working in an MSSP or consultancy environment.
What this role gives you
• A path into engineering-led detection design.
• Deep, hands-on experience across modern SIEM and XDR platforms.
• Exposure to real-world attacker behaviours and evolving threat patterns.
• The opportunity to directly improve the effectiveness of security teams.
• A stepping stone toward senior engineering or architecture roles.