The Role
Lead Detection Engineering operations and support the AOUSC by managing detection engineering activities including research, implementation, and collaboration with various teams to enhance cybersecurity measures.
Summary Generated by Built In
cFocus Software seeks a Detection Engineering Lead to join our program supporting the Administrative Office of the United States Courts (AOUSC). This position is Hybrid with the onsite location being in Washington, DC. This position requires a Public Trust clearance.
Qualifications:
Duties:
Qualifications:
- Active Public Trust clearance
- B.S. Computer Science, Information Technology, or a related field
- 5+ years within IR in a large SOC (over 5,000 endpoints) with at least 3 years focused on proactive detection engineering, threat hunt, or adversary emulation.
- 3+ years of experience with demonstrated proficiency in forming hypothesis, querying large datasets and identifying APT behavior.
- 2+ years’ experience with demonstrated proficiency in scripting languages including Python and PowerShell to develop new tools.
- 2+ years’ experience with demonstrated proficiency developing detections in a SIEM (utilizing Splunk ES or Microsoft Sentinel).
- This role most closely aligns with the NICE work role PD-WRL-006 (Threat Analysis).
- Active OSCP or GXPN certification
Duties:
- Lead Detection Engineering operations supporting AOUSC Security Operations Division (SOD) mission objectives and defensive cybersecurity operations.
- Provide full lifecycle support for cybersecurity detection engineering activities, including research, testing, implementation, tuning, deployment, and maintenance of detection capabilities.
- Research emerging cyber threats, adversary capabilities, attack methodologies, and Tactics, Techniques, and Procedures (TTPs) to improve detection coverage and SOC visibility.
- Develop, test, validate, and deploy new SIEM detection signatures, analytics, rules, and workflows to enhance threat detection capabilities and minimize analyst burden.
- Maintain and manage the Risk Based Alerting (RBA) framework within the Judiciary SIEM environment to ensure effective detection of risky or malicious activity.
- Coordinate weekly meetings with SOC analysts and stakeholders to review alert performance, analyst feedback, false positives, and detection tuning requirements.
- Analyze all false positive alerts to determine necessary tuning, whitelisting, suppression logic, and gaps in security monitoring or analytics.
- Develop and maintain detailed documentation for all detection engineering changes, configuration updates, rule logic, workflows, and implementation procedures.
- Coordinate with Threat Hunting, Cyber Threat Intelligence (CTI), Cybersecurity Triage, Incident Response, and Blue Team personnel to operationalize intelligence-driven detections.
- Develop new alerts and detections in response to emerging cybersecurity threats, active vulnerabilities, malicious campaigns, and government-directed priorities.
- Ensure critical vulnerability-related detections are deployed within required service level timelines, including 24-hour implementation for critical severity alerts.
- Conduct analysis and validation of new alerts from security devices and external telemetry sources to determine operational impact, detection value, and analyst workflow considerations.
- Track all detection engineering changes, modifications, additions, and removals through Jira stories and established Agile workflows.
- Develop weekly operational reports summarizing security events, alert dispositions, workforce metrics, tuning activities, detection improvements, and outstanding issues.
- Document and maintain all detection framework changes within configuration files, knowledge management portals, and operational repositories.
- Support development and implementation of detection engineering execution plans aligned to AOUSC operational priorities, organizational risks, and emerging threat vectors.
- Provide recommendations for improving telemetry collection, log visibility, event correlation, and security monitoring effectiveness across Judiciary systems and cloud environments.
- Collaborate with Blue Team personnel to improve detection coverage associated with Red Team findings, adversary emulation, and cyber exercises.
- Prepare and deliver technical briefings, operational status reports, executive summaries, and stakeholder presentations.
- Support transition-in, transition-out, operational readiness, and knowledge transfer activities in accordance with AOUSC requirements.
Skills Required
- B.S. Computer Science, Information Technology, or related field
- 5+ years within IR in a large SOC
- 3+ years focused on proactive detection engineering, threat hunt or adversary emulation
- 3+ years of experience with querying large datasets and identifying APT behavior
- 2+ years proficiency in scripting languages, including Python and PowerShell
- 2+ years experience developing detections in a SIEM (Splunk ES or Microsoft Sentinel)
- Active OSCP or GXPN certification
- Active Public Trust clearance
Am I A Good Fit?
Get Personalized Job Insights.
Our AI-powered fit analysis compares your resume with a job listing so you know if your skills & experience align.
Success! Refresh the page to see how your skills align with this role.
The Company
What We Do
Established in 2006, cFocus Software automates FedRAMP compliance and develops government chatbots for the Azure Government Cloud, Office 365, and SharePoint. cFocus Software is the exclusive vendor of ATO (Authority To Operate) as a Service™, which automates FedRAMP compliance for the Azure Government Cloud and Office 365. Contact Us for a demo of ATO as a Service™ or a FREE government chatbot proof of concept project today!
