Detection Engineer

Job details
Posting date: 20 January 2026
Salary: £47,670 to £51,690 per year
Additional salary information: Our cyber posts attract a skills-based DDAT allowance. This post is subject to a DDAT skills-assessed, non-pensionable allowance. In certain circumstances exceptional candidates may be eligible for a higher starting salary.
Hours: Full time
Closing date: 08 February 2026
Location: London
Company: Government Recruitment Service
Job type: Permanent
Job reference: 444435/1

Summary

This is an exciting opportunity to work at the heart of Government cyber security, as part of the Government Cyber Coordination Centre (GC3). The GC3 is a joint initiative sponsored by the Government Digital Service (GDS) and the National Cyber Security Centre (NCSC). The GC3 coordinates the cross-Government response to cyber security vulnerabilities, threats, and incidents, enhancing cyber resilience and enabling the Government to more efficiently and effectively protect public services and “defend as one”.

In June 2025, the Government Cyber Unit moved from the Cabinet Office to the Department for Science, Innovation and Technology (DSIT) as part of a machinery of government (MoG) change. This role is in scope to transfer to DSIT in February 2026. We are currently consulting with Trade Unions on which policies, terms and conditions will apply on transfer. The statement of changes applied to all other Cabinet Office staff will also apply to you if you are successful.

Design, implement, and optimize threat detection content across a wide range of platforms and data sources. This role combines advanced query language skills, a deep understanding of system and network logging, and experience with rule-based detection engines and CI/CD pipelines (notably those developed in Python).

Successful candidates must meet the security requirements before they can be appointed. The level of security clearance needed is Security Check (SC), but candidates must be willing to undergo Developed Vetting (DV) clearance whilst in post where necessary.

Key Responsibilities

  • Develop and optimize detection rules using query languages such as:
    o KQL (Microsoft Sentinel / Defender XDR)
    o SPL (Splunk)
    o AQL (QRadar)
    o EQL/Lucene (Elastic Security)
    o SQL (across traditional and security data platforms)
  • Create and manage detection rules using cross-platform languages such as Sigma and YARA
  • Build, test, and deploy detection rules using CI/CD tools and principles (e.g., GitHub Actions, GitLab CI, Azure DevOps)
  • Tune and validate alerting logic to reduce false positives and optimize signal-to-noise ratio
  • Contribute to detection-as-code practices with structured rule repositories (e.g., Sigma, Panther, custom JSON/YAML formats)
  • Support threat hunting and incident triage using advanced log queries and packet inspection
  • Collaborate with offensive security and threat intelligence teams to translate TTPs into behavioural detections, aligned with industry frameworks such as MITRE ATT&CK

Proud member of the Disability Confident employer scheme

Disability Confident
A Disability Confident employer will generally offer an interview to any applicant that declares they have a disability and meets the minimum criteria for the job as defined by the employer. It is important to note that in certain recruitment situations such as high-volume, seasonal and high-peak times, the employer may wish to limit the overall numbers of interviews offered to both disabled people and non-disabled people. For more details please go to Disability Confident.