Abnormal Security

Sr. Detection Engineer

Sorry, this job was removed at 06:53 p.m. (IST) on Monday, Jun 23, 2025
In-Office
Bangalore, Bengaluru, Karnataka

About the Role

Abnormal Security is looking for a Senior Detection Engineer to join our Security & Privacy team. As a cybersecurity leader, we continuously adapt to threat actor behaviors by building resilient detection logic and automated response mechanisms. In this role, you’ll take ownership of the SIEM platform(s) by administering, optimizing, and building high-fidelity detection content. You will also drive automation initiatives using SOAR platforms, working closely with Cyber Defense analysts, Security Engineering, and broader infrastructure teams to improve detection efficacy and incident response at scale.

What you will do
  • SIEM Engineering & Administration: Own the administration and optimization of our SIEM platform. Ensure ingestion, normalization, parsing, correlation, and search performance are tuned for security use cases.
  • Detection Engineering: Create and maintain detection content to identify malicious behaviors, suspicious activities, and policy violations. Continuously tune rules and logic to reduce false positives and improve fidelity.
  • SOAR & Security Automation: Design and implement automation playbooks to streamline incident triage, enrichment, response, and escalation workflows using SOAR platforms.
  • Threat-Informed Detection: Collaborate with Threat Intelligence and Incident Response teams to operationalize attacker TTPs into automated detections mapped to frameworks like MITRE ATT&CK.
  • Content Development: Build custom queries, dashboards, and visualizations in the SIEM to provide insights to stakeholders and measure security control efficacy.
  • Detection Lifecycle Management: Define and implement processes to govern the full lifecycle of detections — from ideation and development to validation, deployment, and tuning.
  • Cross-Team Collaboration: Work with Infrastructure, Application Security, and IT teams to ensure comprehensive coverage of logs and telemetry and to support response automation.
  • Documentation & Enablement: Maintain documentation for detection rules, automation workflows, and SOPs. Train analysts on how to use and improve detection content.
Must Haves
  • Bachelor’s Degree in Information Security, Computer Science, Engineering, or equivalent practical experience.
  • 5+ years of experience in cybersecurity, with a focus on SIEM and detection engineering.
  • Hands-on experience administering one or more SIEM platforms (e.g., Splunk, Sentinel, Chronicle, QRadar, Sumo Logic, ELK).
  • Strong knowledge of query languages (e.g., SPL, KQL, SQL) and ability to write performant and accurate detection logic.
  • Experience with SOAR platforms (e.g., Tines, Torq, Cortex XSOAR, or Splunk SOAR) and automation playbook development.
  • Deep understanding of attacker TTPs, detection use cases, and incident response workflows.
  • Good scripting skills (e.g., Python, PowerShell, Bash) to support data parsing, enrichment, or automation.
  • Excellent communication skills and a team-oriented mindset.
Nice to Haves
  • Security certifications such as GCIH, GCDA, GCTI, OSCP, or Splunk Certified Admin/User.
  • Experience with threat detection in cloud environments (AWS, Azure, GCP).
  • Familiarity with EDR tools, log forwarding agents, cloud-native logging pipelines, and enrichment platforms.
  • Understanding of CI/CD pipelines and how to integrate detection logic testing and deployment into them.
  • Exposure to machine learning or behavior-based detection strategies.

Abnormal AI is an equal opportunity employer. Qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, disability, protected veteran status or other characteristics protected by law.
