Threat Detection Engineer - Security Operations
Role details
Job location
Tech stack
Job description
We are seeking a Threat Detection Engineer to join our security engineering and operations team. In this role, you will develop, test, and optimize high-fidelity detections across modern security data platforms, with a focus on security analytics, automation, and threat detection at scale. You will be expected to bring - and continuously develop - strong AI literacy: designing detection workflows that leverage large language models, anomaly detection, and agentic pipelines, while also understanding and defending against AI-specific attack surfaces.
You should be comfortable writing structured, reusable detection logic, working with infrastructure-as-code (IaC), and integrating behavioral and threat intelligence into detection strategies. You will collaborate closely with incident response, threat intel, and platform engineering teams to ensure resilient, high-quality coverage of modern threat scenarios across cloud and enterprise environments - including threats targeting and exploiting AI systems., * Design and implement detection logic across SIEM/SOAR platforms, including Splunk, Google Chronicle (SecOps), and Elastic/Logstash.
-
Build scalable detection rules, analytics, and anomaly models to detect adversary TTPs aligned with MITRE ATT&CK.
-
Develop and maintain detection-as-code using Python and YAML-based rule formats (e.g., Sigma, YARA-L, Kusto, or Lucene).
-
Design and evaluate LLM-assisted detection and triage workflows, including prompt engineering for alert enrichment, summarization, and classification.
-
Build and maintain AI-augmented detection pipelines: anomaly scoring, embedding-based similarity search, natural language parsing for phishing and social engineering detection, and LLM-based log analysis.
-
Apply AI security literacy to identify and detect risks in AI-integrated environments, including prompt injection, model abuse, data exfiltration via LLMs, and shadow AI usage.
-
Perform quality assurance and validation of alerts - including AI-generated signals - to minimize false positives and increase signal fidelity.
-
Leverage Snowflake and SQL to normalize and query large datasets across multiple telemetry sources, including AI system logs and API call records.
-
Contribute to infrastructure-as-code workflows for detection deployment (e.g., Terraform, GitOps pipelines).
-
Collaborate with Threat Intelligence and IR teams to translate threat actor TTPs - including those targeting AI systems - into actionable detections.
-
Participate in detection tuning, red/blue team exercises, and post-incident reviews, including adversarial testing of AI-assisted detection logic.
-
Maintain availability for 24x7 on-call rotation and ensure timely response to security incidents during standard EST business hours.
Requirements
Do you have experience in Version control systems?, * 2-4 years in a security engineering or other relevant security operations role.
-
Proficiency with Splunk, Elastic Stack, Google SecOps (Chronicle), and/or Logstash.
-
Strong programming or scripting experience in Python and SQL.
-
Working experience authoring detection logic using YARA-L, Sigma, or equivalent formats.
-
Demonstrated AI literacy: hands-on experience using LLM APIs (e.g., OpenAI, Anthropic, Google Gemini) or AI/ML frameworks for security use cases, including prompt engineering, retrieval-augmented generation (RAG), or agentic workflows.
-
Understanding of AI/ML concepts relevant to detection: anomaly detection, clustering, embedding models, LLM-based enrichment, and the limitations and failure modes of these approaches.
-
Ability to assess and detect AI-specific threats: prompt injection, model inversion, training data poisoning, and LLM-facilitated social engineering.
-
Experience working with cloud-scale security data and log management tools.
-
Familiarity with MITRE ATT&CK, threat modeling, and behavioral-based detections.
-
Knowledge of Infrastructure-as-Code (IaC) and version control systems (e.g., GitHub, Terraform, GitLab CI/CD).
Preferred Qualifications
-
Industry security certifications such as GCIA, GCIH, GCFA, Security+, or AI/ML security credentials.
-
Experience with Google Cloud Platform (GCP) and Google Kubernetes Engine (GKE), including GKE security posture management, audit logging, and cloud-native workload monitoring.
-
Experience building or operating SOAR integrations with LLM-assisted triage or response recommendations.
-
Hands-on experience with agentic AI frameworks (e.g., LangChain, LlamaIndex, or custom tool-use pipelines) applied to security automation.
-
Familiarity with Snowflake's Security Data Lake or cloud-native log pipelines, including telemetry from AI platforms (e.g., OpenAI API logs, Azure AI services).
-
Exposure to red team/blue team collaboration, threat hunting, or adversary emulation frameworks, with emphasis on AI-enabled attack scenarios.
-
Experience red-teaming or evaluating LLM-based systems for security weaknesses.
-
Contributions to open-source detection or AI security tooling projects.
Ideal Candidate Will Thrive In Our Culture:
-
Demonstrates a strong passion for security and a commitment to protecting digital identities.
-
Keeps pace with the rapidly evolving AI threat landscape and proactively translates emerging research into detection coverage.
-
Adapts well to changing priorities and can shift gears quickly in a fast-paced environment.
-
Exhibits excellent oral and written communication skills, including the ability to explain AI-driven detection decisions to non-technical stakeholders.
-
Works well within a team, but is also self-driven and capable of managing tasks independently.
-
Shows a continuous desire for learning and professional development, staying current with advances in both cybersecurity and applied AI.