Detection Engineer

Job details
Date advertised: 25 November 2025
Salary: £47,670 per year
Hours: Full time
Closing date: 14 December 2025
Location: London, UK
Remote working: Hybrid - remote working for up to 2 days per week
Company: Government Recruitment
Job type: Temporary
Job reference: 437410

Summary

Job summary
This is an exciting opportunity to work at the heart of Government cyber security, as part of the Government Cyber Coordination Centre (GC3). The GC3 is a joint initiative sponsored by the Government Digital Service (GDS) and the National Cyber Security Centre (NCSC). The GC3 coordinates the cross-Government response to cyber security vulnerabilities, threats, and incidents, enhancing cyber resilience and enabling the Government to more efficiently and effectively protect public services and “defend as one”.

In June 2025, the Government Cyber Unit moved from the Cabinet Office to the Department for Science, Innovation and Technology (DSIT) as part of a machinery of government (MoG) change. This role is in scope to transfer to DSIT when the change takes effect. We are currently consulting with Trade Unions on which policies, terms and conditions will apply on transfer. The statement of changes applied to all other Cabinet Office staff will also apply to you if you are successful.

Job description
Design, implement, and optimize threat detection content across a wide range of platforms and data sources. This role combines advanced query language skills, a deep understanding of system and network logging, and experience with rule-based detection engines and CI/CD pipelines (notably those developed in Python).

Key Responsibilities
• Develop and optimize detection rules using query languages such as:
  - KQL (Microsoft Sentinel / Defender XDR)
  - SPL (Splunk)
  - AQL (QRadar)
  - EQL/Lucene (Elastic Security)
  - SQL (across traditional and security data platforms)
• Create and manage detection rules using cross-platform languages such as Sigma and YARA;
• Build, test, and deploy detection rules using CI/CD tools and principles (e.g., GitHub Actions, GitLab CI, Azure DevOps);
• Tune and validate alerting logic to reduce false positives and optimize signal-to-noise ratio;
• Contribute to detection-as-code practices with structured rule repositories (e.g., Sigma, Panther, custom JSON/YAML formats);
• Support threat hunting and incident triage using advanced log queries and packet inspection;
• Collaborate with offensive security and threat intelligence teams to translate TTPs into behavioural detections, aligned with industry frameworks such as MITRE ATT&CK.

Person specification
Essential criteria & Skills
• Significant experience developing detection content in multiple detection query languages, including:
  - KQL (Microsoft Sentinel / Defender XDR)
  - SPL (Splunk)
  - AQL (QRadar)
  - EQL/Lucene (Elastic Security)
  - SQL (across traditional and security data platforms)
• Strong understanding of endpoint and server logging, including: process execution, file activity, registry access/changes (Windows), network connections, and errors/system logs across OSes.
• Experience using cross-platform detection languages such as Sigma.
• Experience using Python.
• Experience building or using pipelines for detection deployment and validation in CI/CD environments, with version control (Git), YAML/JSON templating, and automated testing of detection rules.

Desirable Skills
• Experience developing transformers and wider infrastructure to support Sigma.
• Experience using OSquery or other endpoint telemetry frameworks.
• Experience with cloud-native logging (e.g., AWS CloudWatch, Azure Monitor).
• Experience performing malware analysis and/or reverse engineering.
• Experience using GraphQL or REST APIs for telemetry and enrichment.