Security Engineer (Detection and Investigation)

We are looking for a practical security engineer who can improve detection quality, investigate real incidents, and help reduce manual SOC work.

This role is not about building an “AI security platform”. The focus is on better visibility, cleaner detections, faster investigations, and useful automation.

What You Will Work On

Threat Hunting
• Run targeted hunts based on clear hypotheses, including:

  • Suspicious cloud activity
  • Abnormal IAM or API usage
  • Unusual network or application behavior
  • Weak or missing detection coverage
  • Gaps in logging and telemetry

• Use internal data and external threat intelligence to validate risks and improve detection logic.

Security Incident Investigation
• Investigate security alerts and incidents end-to-end:

  • Understand what happened
  • Validate whether the alert is real or noisy
  • Identify affected users, systems, and data
  • Collect evidence from logs and infrastructure
  • Document findings clearly
  • Recommend fixes or detection improvements

• Expected experience: 2+ years of hands-on security incident investigation.

Detection Engineering
• Improve existing detections and create new ones where needed:

  • Reduce false positives
  • Improve signal quality
  • Tune alerts based on real data
  • Validate whether detections catch meaningful activity
  • Map useful detections to MITRE ATT&CK where appropriate

Automation and Internal Tooling
• Build small but useful tools to reduce repetitive work:

  • Scripts for log analysis
  • Alert enrichment
  • Investigation helpers
  • Data normalization
  • Tool integrations
  • Basic SOAR-style automation

Practical AI / LLM Usage
• Use LLMs only where they bring practical value:

  • Alert enrichment
  • Investigation summaries
  • Internal tooling
  • Analyst productivity

No hype. No AI-first positioning. AI is just one tool in the workflow.

Requirements
• Solid experience with SIEM tools, such as:

  • Elastic
  • Splunk
  • Microsoft Sentinel
  • Similar platforms

• 2+ years investigating real security incidents

• Strong understanding of:

  • AWS logs and IAM activity
  • Cloud security basics
  • Network fundamentals
  • APIs, authentication flows, and modern application behavior

• Comfortable working with:

  • Large datasets
  • Raw logs
  • Noisy alerts
  • Incomplete telemetry

• Python or similar language for data processing

• Experience with automation:

  • SOAR
  • Scripts
  • Internal tools
  • Custom workflows

• Basic DevOps knowledge:

  • AWS
  • Linux
  • Docker
  • Kubernetes basics
  • CI/CD basics
  • Cloud infrastructure concepts
  • Logs, metrics, and monitoring

Nice to Have
• Experience applying simple ML or statistical methods to logs
• Familiarity with LLMs in internal tooling
• Experience with data pipelines:

  • Kafka
  • Spark
  • Similar systems

• MITRE ATT&CK mapping
• Detection-as-code experience

• Understanding of infrastructure monitoring:

  • Prometheus
  • Grafana
  • OpenTelemetry

What Will Make You Effective Here
You will be effective in this role if:
• You do not trust alerts blindly
• You care about signal quality, not the number of detections
• You can explain why a detection is noisy or useless
• You understand systems, not just security tools
• You are comfortable reading raw logs
• You prefer building automation once instead of repeating manual work
• You can work with engineers and explain security findings in practical terms

Required skills and experience

• AWS: 2 years
• SIEM: 2 years
• DevSecOps: 2 years
• Security: 2 years
• Cloud Security: 2 years

Required languages

• English: B2 (Upper Intermediate)
• Ukrainian: B2 (Upper Intermediate)

Tags: Linux, Python, Kubernetes, SOC
Published 27 May