Senior Security Engineer-Cyber Threat Mitigation Lead

Internetwork Consulting Services/AGR, LLC

Full-time

Washington, DC

Job description

  • Lead and mentor a cross-functional team of CTI analysts, threat hunters, and detection engineers.
  • Architect detection strategies based on emerging threats, adversary behaviors, and customer risk posture.
  • Drive threat hunting operations to proactively identify undetected malicious activity.
  • Translate threat intelligence reports and TTP analysis into actionable detections, telemetry gaps, and defensive measures.
  • Oversee and ensure the accuracy, clarity, and timeliness of all team deliverables, including:
      • Detection documentation and enrichment logic
      • Threat reports and intelligence summaries
      • Hunt plans and post-hunt analysis
      • Metrics and dashboards demonstrating operational impact
  • Champion technical excellence and documentation standards across the team.
  • Collaborate closely with SOC leadership, incident responders, and engineers to ensure team outputs drive measurable risk reduction.
  • Evaluate detection effectiveness and coverage using data-driven assessments.
  • Knowledge of detection engineering methodologies, including behavioral signature creation, enrichment logic, and telemetry correlation.
  • Familiarity with endpoint detection and response (EDR) telemetry (e.g., SentinelOne, CrowdStrike, Defender for Endpoint) and how adversary activity presents in those platforms.
  • Expertise in SIEM platforms such as Splunk (e.g., SPL query development, data models, correlation searches, macros, lookups, CIM normalization).
  • Proficiency with data transformation and routing technologies such as CRIBL, including pipeline logic and field normalization strategies.

Qualifications

  • Bachelor’s degree or higher
  • Active Top Secret Clearance
  • 7+ years of experience in cybersecurity, with direct experience in at least two of the following:
      • Cyber Threat Intelligence (CTI)
      • Threat Hunting / Adversary Emulation
      • Detection Engineering / Security Analytics
  • 2+ years of leadership experience with technical teams, including project ownership and report review responsibilities.
  • Proven experience translating complex technical data into consumable products for leadership, engineers, and IR staff.
  • Familiarity with SOC workflows, telemetry pipelines, and threat modeling.
  • Background in writing formal technical reports with a focus on clarity, completeness, and audience relevance.
  • Understanding of log sources across domains, including:
      • Host-based logs (Windows Event Logs, Sysmon, EDR)
      • Network telemetry (firewall, proxy, VPN, DNS, NDR)
      • Cloud logs (Azure AD, AWS CloudTrail, O365 Management Activity)
  • Familiarity with threat hunting techniques including:
      • Hypothesis-driven hunting
      • Behavioral pattern detection
      • Environmental baselining and anomaly detection
  • Knowledge of common persistence mechanisms, lateral movement techniques, and evasion tactics used by threat actors.
  • Understanding of malware execution models (e.g., LOLBins, scripting engines, scheduled tasks, registry autostarts).
  • Ability to map cyber threat intelligence to technical detections, SOC coverage gaps, or architectural weaknesses.

Additional Experience Preferred:

  • Ability to understand customer non-technical mission sets and drive technical cyber operations to generate value for stakeholders.
  • Programming or scripting experience (e.g., Python, PowerShell, Bash, or similar) to assist with automation, enrichment, or analytic tooling.
  • Deep technical expertise in areas such as EDR telemetry, log forensics, malware behavior, or threat modeling.
  • Ability to translate complex technical threat intelligence into tangible technical controls, detections, and mitigations that reduce risk to the organization.
  • Familiarity with data routing/normalization platforms (e.g., CRIBL).
  • Experience with purple teaming, emulation frameworks, or detection validation.
  • Security certifications such as GCTI, GCFA, GREM, OSCP, or Splunk Certified Architect.

Job Type: Full-time

Pay: $130,000.00 - $135,000.00 per year

Education:

  • Bachelor's (Required)

Experience:

  • Cybersecurity: 7 years (Required)

Security clearance:

  • Top Secret (Required)

Ability to Commute:

  • Washington, DC 20230 (Required)

Ability to Relocate:

  • Washington, DC 20230: Relocate before starting work (Required)

Work Location: In person