Threat Detection Engineer - Security Operations

Integrity Development, Inc.
San Francisco, United States of America
12 days ago

Role details

Contract type
Permanent contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English
Experience level
Intermediate
Compensation
$ 140K

Job location

San Francisco, United States of America

Tech stack

Training Data
API
Artificial Intelligence
Audit Trail
Big Data
Cloud Engineering
Apache Lucene
Cluster Analysis
Encodings
Computer Security
Elasticsearch
Emulators
Github
Information Security Management
Intrusion Detection and Prevention
Python
Log Analysis
Machine Learning
Open Source Technology
Logstash
TensorFlow
Phishing
Red Team (Cyber Security)
Kusto Query Language
Azure
Security Information and Event Management
SQL Databases
Systems Integration
YAML
Scripting (Bash/Python/Go/Ruby)
Google Cloud Platform
Large Language Models
Snowflake
Prompt Engineering
Mitre Att&ck
Generative AI
Cyber Threat Analysis
Data Lake
AI Platforms
Gitlab-ci
Kubernetes
Infrastructure Automation Frameworks
Cybercrime
Data Management
Api Design
Terraform
Splunk
Software Version Control
Blue Team (Cyber Security)
Security Orchestration, Automation & Response

Job description

We are seeking a Threat Detection Engineer to join our security engineering and operations team. In this role, you will develop, test, and optimize high-fidelity detections across modern security data platforms, with a focus on security analytics, automation, and threat detection at scale. You will be expected to bring - and continuously develop - strong AI literacy: designing detection workflows that leverage large language models, anomaly detection, and agentic pipelines, while also understanding and defending against AI-specific attack surfaces.

You should be comfortable writing structured, reusable detection logic, working with infrastructure-as-code (IaC), and integrating behavioral and threat intelligence into detection strategies. You will collaborate closely with incident response, threat intel, and platform engineering teams to ensure resilient, high-quality coverage of modern threat scenarios across cloud and enterprise environments - including threats targeting and exploiting AI systems., * Design and implement detection logic across SIEM/SOAR platforms, including Splunk, Google Chronicle (SecOps), and Elastic/Logstash.

  • Build scalable detection rules, analytics, and anomaly models to detect adversary TTPs aligned with MITRE ATT&CK.

  • Develop and maintain detection-as-code using Python and YAML-based rule formats (e.g., Sigma, YARA-L, Kusto, or Lucene).

  • Design and evaluate LLM-assisted detection and triage workflows, including prompt engineering for alert enrichment, summarization, and classification.

  • Build and maintain AI-augmented detection pipelines: anomaly scoring, embedding-based similarity search, natural language parsing for phishing and social engineering detection, and LLM-based log analysis.

  • Apply AI security literacy to identify and detect risks in AI-integrated environments, including prompt injection, model abuse, data exfiltration via LLMs, and shadow AI usage.

  • Perform quality assurance and validation of alerts - including AI-generated signals - to minimize false positives and increase signal fidelity.

  • Leverage Snowflake and SQL to normalize and query large datasets across multiple telemetry sources, including AI system logs and API call records.

  • Contribute to infrastructure-as-code workflows for detection deployment (e.g., Terraform, GitOps pipelines).

  • Collaborate with Threat Intelligence and IR teams to translate threat actor TTPs - including those targeting AI systems - into actionable detections.

  • Participate in detection tuning, red/blue team exercises, and post-incident reviews, including adversarial testing of AI-assisted detection logic.

  • Maintain availability for 24x7 on-call rotation and ensure timely response to security incidents during standard EST business hours.

Requirements

Do you have experience in Version control systems?, * 2-4 years in a security engineering or other relevant security operations role.

  • Proficiency with Splunk, Elastic Stack, Google SecOps (Chronicle), and/or Logstash.

  • Strong programming or scripting experience in Python and SQL.

  • Working experience authoring detection logic using YARA-L, Sigma, or equivalent formats.

  • Demonstrated AI literacy: hands-on experience using LLM APIs (e.g., OpenAI, Anthropic, Google Gemini) or AI/ML frameworks for security use cases, including prompt engineering, retrieval-augmented generation (RAG), or agentic workflows.

  • Understanding of AI/ML concepts relevant to detection: anomaly detection, clustering, embedding models, LLM-based enrichment, and the limitations and failure modes of these approaches.

  • Ability to assess and detect AI-specific threats: prompt injection, model inversion, training data poisoning, and LLM-facilitated social engineering.

  • Experience working with cloud-scale security data and log management tools.

  • Familiarity with MITRE ATT&CK, threat modeling, and behavioral-based detections.

  • Knowledge of Infrastructure-as-Code (IaC) and version control systems (e.g., GitHub, Terraform, GitLab CI/CD).

Preferred Qualifications

  • Industry security certifications such as GCIA, GCIH, GCFA, Security+, or AI/ML security credentials.

  • Experience with Google Cloud Platform (GCP) and Google Kubernetes Engine (GKE), including GKE security posture management, audit logging, and cloud-native workload monitoring.

  • Experience building or operating SOAR integrations with LLM-assisted triage or response recommendations.

  • Hands-on experience with agentic AI frameworks (e.g., LangChain, LlamaIndex, or custom tool-use pipelines) applied to security automation.

  • Familiarity with Snowflake's Security Data Lake or cloud-native log pipelines, including telemetry from AI platforms (e.g., OpenAI API logs, Azure AI services).

  • Exposure to red team/blue team collaboration, threat hunting, or adversary emulation frameworks, with emphasis on AI-enabled attack scenarios.

  • Experience red-teaming or evaluating LLM-based systems for security weaknesses.

  • Contributions to open-source detection or AI security tooling projects.

Ideal Candidate Will Thrive In Our Culture:

  • Demonstrates a strong passion for security and a commitment to protecting digital identities.

  • Keeps pace with the rapidly evolving AI threat landscape and proactively translates emerging research into detection coverage.

  • Adapts well to changing priorities and can shift gears quickly in a fast-paced environment.

  • Exhibits excellent oral and written communication skills, including the ability to explain AI-driven detection decisions to non-technical stakeholders.

  • Works well within a team, but is also self-driven and capable of managing tasks independently.

  • Shows a continuous desire for learning and professional development, staying current with advances in both cybersecurity and applied AI.

About the company

ID.me is the next-generation digital identity wallet that simplifies how individuals securely prove their identity online. Consumers can verify their identity with ID.me once and seamlessly login across websites without having to create a new login and verify their identity again. Over 152 million users experience streamlined login and identity verification with ID.me at 20 federal agencies, 45 state government agencies, and 70+ healthcare organizations. More than 600+ consumer brands use ID.me to verify communities and user segments to honor service and build more authentic relationships. ID.me's technology meets the federal standards for consumer authentication set by the Commerce Department and is approved as a NIST 800-63-3 IAL2 / AAL2 credential service provider by the Kantara Initiative. ID.me is committed to "No Identity Left Behind" to enable all people to have a secure digital identity. To learn more, visit https://network.id.me/., ID.me is a full-time, in-office culture. Unless a specific job description explicitly states otherwise, all roles are on-site five days per week at one of our offices in McLean, VA; Mountain View, CA; New York City, NY; or Tampa, FL. Certain roles - such as field-based sales or other remote-by-design positions - may have different work arrangements as noted in their individual postings.

Apply for this position