Information Security Engineer - Endpoint

Core Responsibilities

• Own the security posture of Palantir's Windows and Active Directory estate — hardening, configuration standards, and ongoing validation that those standards hold.
• Reduce attack surface across AD: audit and remediate misconfigurations, legacy protocol exposure, excessive privilege, Kerberos delegation abuse, and tier model violations.
• Evaluate, deploy, and own the configuration of defensive tooling across the Windows environment: EDR, PAM, identity threat detection, and endpoint hardening controls.
• Build and maintain automation for security operations across Windows infrastructure — patching pipelines, configuration drift monitoring, access reviews, and credential hygiene.
• Partner with Identity and Infrastructure teams to drive architectural improvements: tiered administration, Protected Users, LAPS, Credential Guard, and authentication policy silos.
• Translate findings from assessments and red team exercises into durable fixes — configuration changes, architectural improvements, and policy updates that reduce recurrence.

What We're Looking For

Active Directory
• Deep, working knowledge of AD architecture: sites and services, replication, trust relationships, delegation models, and the LDAP schema.
• Hands-on experience investigating and detecting AD attacks across the full kill chain — from initial enumeration through domain dominance.
• Familiarity with attack tooling (BloodHound, Impacket, Rubeus, Mimikatz, CrackMapExec) and, critically, what they leave behind.
• Experience hardening AD environments: tiered administration, Protected Users, LAPS, Credential Guard, PAM trusts, and authentication policy silos.
Windows Internals
• Thorough understanding of Windows security architecture: access tokens, privilege model, integrity levels, LSASS and credential storage, SAM, and the Security Reference Monitor.
• Ability to read and interpret Windows kernel structures, driver behavior, and undocumented APIs when necessary.
• Proficiency with low-level analysis tools: WinDbg, Process Monitor, Process Hacker, Volatility, and x64dbg.
• Experience with ETW-based telemetry pipelines and building detections on top of raw Windows event data.
Detection & Response
• Proven track record writing high-fidelity detection logic, not just tuning vendor signatures.
• Experience leading complex incident response investigations, including those involving nation-state or sophisticated criminal actors.
• Strong forensic fundamentals across disk, memory, and network artifacts on Windows systems.

What We Value

• Experience with Entra ID (Azure AD), hybrid identity architectures, and cloud-based attack paths that pivot through on-prem AD.
• Prior work in adversary simulation, red teaming, or offensive security research — especially against AD targets.
• Public contributions: conference talks (BlueHat, BSides, SANS, etc.), blog posts, or open-source tooling.

What We Require

• 5+ years of hands-on security experience, with the majority focused on Windows environments and Active Directory.
• Proficiency in Python or PowerShell for detection development, automation, and forensic tooling.
• Active TS/SCI security clearance, or eligibility and willingness to obtain one.
• A portfolio of real work: detections you've written, research you've published, tools you've built, or incidents you've led.

Salary