Position - Hybrid/Remote with occasional travel to Welwyn Garden City
Location - London, UK
Employment - Permanent
The Role
To design, develop and maintain high-quality detection logic aligned with the MITRE ATT&CK framework. The role involves close collaboration with SOC analysts, incident responders and threat intelligence teams to develop high-impact, context-rich use cases across Windows, Linux and cloud environments.
This position demands a balance of technical depth, analytical thinking and strong content development skills to ensure detections are both effective and operationally relevant.
Key Responsibilities
* Design, develop, and maintain robust detection content aligned to MITRE ATT&CK and threat-led priorities.
* Build and optimise detection queries using KQL, applying efficiency and best practices in logic construction.
* Support the full detection engineering lifecycle, including modelling, data onboarding, rule development, deployment, and iterative tuning.
* Collaborate with SOC and threat intelligence teams to validate alert quality, minimise false positives, and ensure operational relevance.
* Maintain detection-as-code repositories in GitHub, ensuring proper version control, peer review, and documentation standards.
* Document all detection content with clear context, data dependencies, and investigation guidance.
Skills
* Strong hands-on experience with Microsoft Defender (Endpoint, Cloud, Identity) and Splunk Enterprise Security.
* Proficiency in KQL and SPL, with the ability to optimise query performance and maintain clarity of logic.
* Demonstrated experience with detection-as-code practices using GitHub or similar version control platforms.
* Deep understanding of MITRE ATT&CK, threat actor TTPs, and translating them into detection use cases.
* Familiarity with enterprise logging, data onboarding, and schema normalisation.
* Working knowledge of Sentinel, Defender for Endpoint, Splunk ES, Jira, and Confluence.
* Strong written communication skills for content development, documentation, and stakeholder collaboration.