This role is for a hands-on detection engineer whose primary job is designing, building and maintaining security detections.
You will spend the majority of your time:
* Writing detection logic
* Improving signal quality
* Expanding ATT&CK coverage
* Testing and tuning detections
* Working with threat intel and incident response to convert findings into new detections
This is not a SOC analyst, SIEM administrator, SecOps generalist, cloud security, IAM, or vulnerability management role.
Responsibilities:
* Design and implement behaviour-based detections in Microsoft Sentinel (KQL) and Splunk (SPL)
* Own detection logic end-to-end: creation, testing, tuning, false-positive reduction, lifecycle management
* Map detections to MITRE ATT&CK and track coverage gaps
* Maintain and improve a detection library over time
* Validate detections using threat hunting, incident learnings, and testing frameworks (e.g. Atomic Red Team)
* Work closely with IR and SOC teams, but not perform SOC triage
* Treat detections as a product, not one-off alerts
Skills:
* Hands-on experience authoring detections, not just using SIEMs
* Strong KQL experience writing Sentinel analytics rules
* Strong SPL experience writing Splunk correlation searches
* Experience maintaining detections in production environments
* Clear examples of reducing false positives through logic changes
* Ability to explain why a detection exists, not just how it works
Preferred:
* Experience running or contributing to a detection engineering function
* Detection-as-code (Git, CI/CD, IaC)
* ATT&CK-driven detection coverage modelling
* Threat hunting that directly feeds detection creation
* Experience migrating detections between SIEM platforms