
ESDS Software Solution Limited

Threat Intelligence Engineer


Job Description

Required Skills & Experience

  1. Strong understanding of security logs, telemetry, and data analysis.
  2. Hands-on experience with SIEM and EDR platforms.
  3. Solid knowledge of Windows and Linux operating systems.
  4. Working knowledge of networking concepts and protocols.
  5. Practical understanding of MITRE ATT&CK framework.
  6. Ability to analyse and interpret complex security data.
  7. Basic scripting or query-writing skills (KQL, SPL, SQL, Python, etc.).

Authority & Decision Scope

  1. Executes threat hunts and investigations within defined scope.
  2. Escalates confirmed threats and recommendations to senior stakeholders.
  3. Operates under established threat hunting strategies and governance.

Responsibilities

  1. Perform proactive threat hunting across endpoint, network, cloud, and identity logs to identify stealthy or undetected threats.
  2. Develop and execute hunt hypotheses based on attacker TTPs, threat intel, and MITRE ATT&CK techniques.
  3. Investigate suspicious activity and correlate events across SIEM, EDR, NDR, firewall, and AD logs.
  4. Convert hunt findings into actionable detection rules, alerts, and analytics use-cases.
  5. Create suggestions to optimize SIEM detection queries / correlation rules to reduce false positives.
  6. Work on medium-to-complex L2 incident investigations, including lateral movement & persistence analysis.
  7. Perform IOC and TTP mapping, enrichment, and validation using internal & external intel sources.
  8. Collaborate with SOC, DFIR, and Threat Intel teams during investigations and incident response.
  9. Support the creation of behaviour-based and anomaly detections rather than IOC-only detections.
  10. Contribute to purple-team exercises and validate detections against simulated attacks.
  11. Analyse EDR telemetry and endpoint artifacts to identify malicious behaviour patterns.
  12. Assist in onboarding new log sources and improving telemetry coverage for hunting and detection.
  13. Maintain and update documentation for hunt plans, detection logic, playbooks, and investigation reports, and produce quarterly reports that consolidate and summarise these hunting activities and their outcomes.
  14. Share knowledge with L1/L2 analysts and contribute to building repeatable hunting workflows.

Skills & Experience Required

  1. 3-5 years of experience in Threat Hunting / Detection Engineering / SOC / IR.
  2. Strong experience with at least one SIEM (e.g. LogRhythm, QRadar).
  3. Hands-on experience with EDR / XDR platforms (e.g. SentinelOne, CrowdStrike).
  4. Experience writing Sigma / YARA style detection patterns.
  5. Solid understanding of:
  • Windows/Linux internals
  • Active Directory & authentication logs
  • Network traffic & protocols (DNS, HTTP, SMB, RDP)
  6. Familiarity with MITRE ATT&CK mapping and threat actor behaviours.
  7. Experience performing IOC / TTP-driven investigations.
  8. Scripting knowledge preferred (Python / PowerShell / Bash).
  9. Strong analytical thinking, documentation, and communication skills.

Good to Have (including certifications)

  1. Experience with SOAR / automation workflows.
  2. Exposure to cloud telemetry (private cloud).
  3. Participation in purple-team or red/blue simulations.
  4. SC-200 / AZ-500.
  5. Security+ / Blue Team certifications.
  6. GIAC Certified Forensic Analyst (GCFA), GIAC Certified Forensic Examiner (GCFE), CompTIA Cybersecurity Analyst (CySA+), GCTI, FOR508 preferred.

Job ID: 149883855