Detection Engineer
COMPANY OVERVIEW
ThreatLocker® is a leader in endpoint protection technologies, providing enterprise-level cybersecurity tools to improve the security of servers and endpoints. The ThreatLocker® platform with Application Allowlisting, Ringfencing™, Storage Control, Elevation Control, Endpoint Network Control, Configuration Management, and Operational Alert solutions are leading the cybersecurity market toward a more secure approach of blocking the exploits of application vulnerabilities.
JOB OVERVIEW
ThreatLocker is seeking a Detection Engineer to drive the development and continuous improvement of detection content within the ThreatLocker Detect platform. This role is responsible for creating and maintaining detection rules used by our Endpoint Detection and Response (EDR) and Identity Threat Detection and Response (ITDR) products while ensuring alignment with the MITRE ATT&CK® Framework.
The Detection Engineer will leverage telemetry generated through malware analysis, vulnerability research, and proactive threat hunting to identify detection gaps and improve product coverage. Working closely with Threat Analysts and Security Researchers, this individual will develop high-quality detection logic that identifies evolving attacker techniques while minimizing false positives.
As a Detection Engineer, you are responsible for, but not limited to:
- Develop, test, and maintain detection content for ThreatLocker's Endpoint Detection and Identity Threat Detection platforms.
- Create and maintain custom Sigma, YARA, and Snort detection rules.
- Map detections to the MITRE ATT&CK Framework and continuously improve coverage.
- Analyze Windows telemetry and forensic artifacts to identify detection opportunities.
- Research attacker techniques including persistence, privilege escalation, defense evasion, and post-exploitation activity.
- Collaborate with Threat Analysts and Security Researchers to identify and remediate detection gaps.
- Validate detection logic through threat hunting, malware analysis, and adversary emulation.
- Tune detection content to improve accuracy while reducing false positives.
- Document detection methodologies and technical findings for internal teams.
- Stay current on emerging threats, attack techniques, and industry best practices.
- The role will be based in Orlando, FL and is an in-office position.
REQUIRED QUALIFICATIONS
- 3+ years of experience in Information Security.
- 2+ years of experience working with Endpoint Detection and Response (EDR) or Identity Threat Detection and Response (ITDR) technologies within an enterprise environment.
- Experience developing detection content is strongly preferred.
- Strong understanding of the MITRE ATT&CK Framework and its application within enterprise security.
- Experience creating custom Sigma, YARA, and Snort detection rules.
- Strong knowledge of Windows operating systems and Windows forensic artifacts.
- Experience with Windows persistence mechanisms, privilege escalation, defense evasion, and parent-child process relationships.
- Familiarity with malware analysis, threat hunting, and vulnerability research.
- Familiarity with adversary emulation and post-exploitation frameworks.
- Strong analytical, troubleshooting, and critical thinking skills.
- Excellent written and verbal communication skills with the ability to explain technical concepts to non-technical stakeholders.
- Ability to work independently while collaborating effectively within a team environment.
- Relevant certifications such as OSCP, GCFA, GCIH, GCIA, GCDA, GCTD, or GISP are a plus.
WORKING CONDITIONS
The duties described below are representative of those encountered while performing the essential functions of this position. If necessary, reasonable accommodation may be requested and will be evaluated for its relationship to the essential functions that must be performed.
- Job will generally be performed in an office environment but may require travel to visit company offices and/or property locations.
- While performing duties of this job, would occasionally require standing, walking, sitting, reaching with hands and arms, climbing or balancing, stooping or kneeling, talking and hearing, and using fingers and hands to feel objects and tools.
- Must occasionally lift and/or move up to 25 pounds.
- Specific vision abilities required include close vision, distance vision, depth perception, and the ability to adjust focus.
A background check and drug/substance screening are required after a conditional offer. Employment will proceed only upon receiving clear results from both.
ThreatLocker also conducts randomized drug and substance testing approximately every 60 days, in line with the same screening standards.