IDVA Threat Lead

Job details
Posting date: 16 January 2026
Salary: £58,541 to £72,711 per year
Hours: Full time
Closing date: 23 January 2026
Location: Stratford, Leeds, Bristol
Remote working: Hybrid - work remotely up to 2 days per week
Company: HMRC
Job type: Permanent
Job reference: 443936

Summary

Job description

The Fraud Prevention Centre (FPC) is HMRC’s dedicated hub for tackling identity-based fraud at scale, protecting the integrity of the UK’s tax system and safeguarding public funds. As part of HMRC Security’s Identity team, the FPC combines advanced analytics, intelligence, and cutting-edge technology to identify and disrupt fraudulent activity before it impacts customers.

In this critical role as Threat Intelligence Lead, you will shape and drive our intelligence strategy — providing actionable insights on emerging threats, guiding proactive defence measures, and ensuring HMRC stays ahead of adversaries. Working at the heart of HMRC’s digital transformation, you’ll collaborate across security teams and the wider organisation to deliver intelligence that underpins trust and resilience in our services.

You will establish and lead a team to maintain a threat intelligence taxonomy grounded in MITRE ATT&CK, mapping adversary TTPs to HMRC-relevant techniques and detection logic to ensure consistency and traceability from intel to action. By structuring intelligence using STIX/TAXII standards and operationalising indicators in MISP, you’ll enable rapid enrichment, correlation, and automated distribution of high-fidelity IOCs to the right teams.

Working across the FPC and wider HMRC, you’ll enable threat-informed, real-time interventions, integrating threat intelligence platforms with SIEM and orchestration technology. You’ll establish feedback loops with the SOC, red/purple teams, and data science functions to validate signal quality, tune detections against ATT&CK techniques, and continuously uplift coverage. Your approach will embed measurable coverage metrics (e.g., ATT&CK heatmaps, detection maturity scores) and ensure intelligence is actionable, timely, and resilient against evolving fraud threats.

Join us to lead intelligence to combat fraud — harness advanced tools, shape strategy, access world-class training, and make a real impact by protecting millions of taxpayers and safeguarding the UK’s digital future.

Person specification

Oversee and task intelligence collection and analysis from multiple sources (FPC teams, teams across HMRC, open-source, commercial feeds, internal telemetry).
Lead the acquisition and analysis of cybercrime tools that pose a threat to HMRC services to inform appropriate controls for detection and response.
Transform raw data into actionable intelligence for proactive threat detection and fraud prevention, mapped to a taxonomy tailored from MITRE ATT&CK.
Work with Engineering to operationalise intelligence through platforms like MISP, ensuring integration with SIEM, SOAR, and detection technologies.
Manage real-time exploitation of intelligence, enabling automated enrichment and distribution of indicators, supporting proactive analytical teams.
Produce intelligence reports and contribute data to FPC dashboards for leadership, including threat trends and control effectiveness.
Provide expert advice on aspects of cybercrime threats and techniques, supporting stakeholders across HMRC through the FPC advisory function.
Work closely with FPC analysts, incident response, and wider HMRC teams to validate intelligence and improve detection logic.
Provide training and guidance to drive consistency in intelligence reporting and promote its wider use across HMRC teams, including the application of organisational and wider standards for data handling and intelligence sharing.
Provide technical leadership to the FPC, championing leading methodologies in cyber threat intelligence practices and their application in a fraud context.
Deputise on behalf of the Head of Proactive Protection as needed, partnering with peers across the Fraud Prevention Centre.

Essential Criteria:

Proven experience in threat intelligence operations, including collection, analysis, and dissemination of actionable intelligence.
Ability to develop and maintain intelligence taxonomies, ensuring consistency and traceability from indicators to detection logic.
Strong understanding of cyber threat landscapes, adversary tactics, techniques, and procedures (TTPs), and frameworks such as MITRE ATT&CK.
Excellent stakeholder engagement skills, with experience collaborating across security teams and wider business units.
Knowledge of fraud prevention techniques and how threat intelligence supports proactive defence in large-scale environments.

Desirable Criteria:

Certifications such as GCTI (GIAC Cyber Threat Intelligence), CISM, or equivalent.
Experience with automation and orchestration for intelligence workflows.
Understanding of regulatory and compliance requirements relevant to HMRC and UK government security standards.