Detection Engineer

B2B
Security
remote

The Role

The platform processes billions of security events in near real time, and the endpoint and SIEM detection architecture is yours to own. The true challenge isn’t just writing rules; it’s engineering high-fidelity detections that balance coverage against latency, performance, and false positives at massive scale. You will serve as the technical authority on attacker behavior, directly shaping how the platform identifies and preempts real-world intrusions.

About the Product

The product is an AI-driven cybersecurity platform designed to ingest, process, and analyze massive volumes of real-world telemetry in near real time. It operates as an automated security operations layer that secures large-scale digital infrastructure against sophisticated threats. The system solves the critical problem of visibility and response speed, transforming raw log noise into actionable, high-context threat intelligence.

Technology Stack: The detection ecosystem is heavily anchored in Sigma for cross-platform rule engineering, integrated deeply with advanced SIEM architectures and modern EDR telemetry. The pipeline is built to process high-throughput behavioral signals and log correlations, utilizing AI/ML-driven anomaly detection alongside traditional analytics. This environment allows engineers to test logic against live attack patterns without fighting fragmented, legacy infrastructure.

What You’ll Be Doing

  • Own the design, implementation, and long-term scaling of the endpoint and SIEM-based detection capabilities
  • Architect high-fidelity behavioral detections across endpoint telemetry, logs, and complex network signals
  • Minimize detection drift and operational cost by continuously tuning logic to eliminate false positives and evasion vectors
  • Translate raw intelligence from real-world attacks and security incidents into resilient, automated platform features
  • Establish the engineering standards for threat response tradeoffs and attacker TTP mapping across the product
  • Partner with Incident Response, Security Research, and core product teams to integrate detection logic directly into the automated response pipeline

What We Expect

Must-have

  • 7+ years of dedicated experience in detection engineering, endpoint security, SIEM engineering, or production incident response
  • Deep, hands-on mastery of writing, maintaining, and operationalizing Sigma rules
  • Proven background building detection logic (behavioral rules, correlations, analytics) with a strong grasp of OS internals, logs, and distributed systems
  • Fluent written and spoken English

Nice to have

  • Direct experience with custom endpoint telemetry, kernel/user-mode signals, and leading EDR platforms
  • Familiarity with mapping detection coverage using the MITRE ATT&CK framework within early-stage or high-growth startup environments

Why This Role Is Worth Your Time

  • You are building threat detection capabilities that run against billions of live events in near real time, providing an immediate feedback loop on the efficacy of your logic
  • This is a role with genuine architectural influence—you aren’t just triaging alerts or clearing a backlog; you are defining the detection engineering standards for the entire platform
  • The environment bypasses traditional SOC burnout by embedding AI/ML and automation deeply into the workflow, allowing you to focus on complex behavioral engineering rather than repetitive alert noise

Newxel
Outstaff, < 10 employees
Industry: Adtech/Advertising, Big Data, Embedded, GameDev, Fintech/Banking
Founded: 2017
