Principal Threat Researcher

DNSFilter’s mission is to protect our customers and partners with products they love to use! We are revolutionizing network security by providing fast, accurate, and reliable threat protection and content filtering. We're a rapidly growing company dedicated to creating a safer internet for businesses and organizations worldwide. Leveraging AI-driven threat intelligence, DNSFilter empowers our customers to proactively block threats before they impact their networks. We foster a collaborative, innovative, and results-oriented culture where every team member contributes to our mission of making the internet safer.

As we continue our product-fueled growth by adding new features and broadening our solution to meet the needs of the global market, it's clear there's a missing piece. That's where you come in!

DNSFilter is hiring a Principal Threat Researcher to create, derive, and refine scalable threat actor and campaign fingerprints using DNS and other data sources. This hands-on Principal IC role emphasizes high-impact, hypothesis-driven research, global infrastructure fingerprinting, and strong OSINT/threat hunting tradecraft. The goal is to transform deep investigative work into scalable detection logic and durable intelligence assets.
Eligible candidates have and can work successfully in a small to mid-sized fast-paced, hyper-growth, SaaS start-up or scale-up, and are located in the United States or Canada.

We recognize that people come with a wealth of experience and talent beyond just the technical requirements of a job. If you feel like this job is for you, please apply. We believe diversity of experience and skills, including transferable skills, combined with passion, is a key to innovation and excellence; therefore, we encourage people from all backgrounds to apply to our positions!

In this role, You Will: 

• Campaign & Infrastructure Clustering
• Identify, categorize, and track malicious campaigns.
• Own cluster-related infrastructure, building novel, high-fidelity clustering methods.
• Continuously refine fingerprints and tradecraft as adversaries shift TTPs.
• What Success Looks Like: New categorization methodologies, metrics, and scalable fingerprints that identify malicious campaign clusters that survive infrastructure churn.
• Hypothesis-Driven Research
• Develop and validate logical assumptions about operator behavior using your expertise and large data sets, converting them into actionable intelligence.
• Maintain consistent, reproducible documentation.
• What Success Looks Like: Completed investigations converting into scalable customer protection outcomes, reports, and detections/fingerprints.
• Professional Tooling & Tradecraft
• Demonstrate experience using professional-grade threat hunting/intelligence tooling, network telemetry, and OSINT.
• Comfortably carry an investigation from start to finish, drafting an explainable narrative while cataloguing the evidence necessary to support each piece.
• From Research to Production
• Translate research findings into durable detection rules (logic, tags, scores), predictive real-time intelligence feeds, and impactful intelligence outcomes. Partner with ML/AI engineers to operationalize patterns.
• What Success Looks Like: Clear increase in coverage metrics and blocked adversarial intrusion attempts. Intelligence artifacts that materially improve detection coverage at scale.
• Publication & Impact
• Produce high-confidence reports for internal and external consumers.
• Contribute to public security community narratives (talks, webinars).
• Maintain high standards for professionalism and technical know-how in communications.
• Travel
• Present at tradeshows and industry events 2-5 times a year.

To qualify for this role, You Have: 

• 10+ years across the fields of cybersecurity, threat research, intelligence analysis, or advanced threat detection roles.
• Significant experience tracking nation-state APTs, major cybercrime organizations, and/or malware campaigns.
• Demonstrated DNS-based investigation experience, to include botnets.
• Proficiency with professional threat hunting tools and OSINT tradecraft.
• Strong scripting ability (Python preferred) to automate research workflows.
• Experience documenting analytical reasoning and confidence levels with technical data and outcomes.
• Ability to work hours overlapping with ET hours
• Must be eligible to work in the region of hire without sponsorship from an employer now and/or in the future

Bonus points for: 

• Malware analysis experience (static or dynamic), AWS or other major cloud provider experience, and/or niche threat hunting experience.
• Examples of completed, hands-on investigations that have led to materially relevant security outcomes.
• Statistical analysis or data science experience (academic or otherwise).
• Experience producing public threat reports and/or speaking at security conferences.
• Familiarity with the entire threat intelligence lifecycle and utilizing structured, rigorous analytic techniques to follow it end-to-end.

We Offer:

• Pathway to promotion to additional organizational positions and responsibilities based upon results and performance, not just time in the chair.  You help us grow, and we will help you grow.
• Passionate and intelligent colleagues who work hard and have a good time doing it
• Paid company-wide week off at the end of each year
• Flexible Vacation Policy
• Awesome company swag
• Full medical, dental, and vision benefits for US, UK, and Canada-based employees
• Full short-term disability and life benefits; available long-term disability
• Retirement savings account options with vested company matching for qualifying employees
• In-person annual gatherings. Last time we all spent a week on a beach in the Dominican Republic!

DNSFilter is a pay-for-performance organization, which means there is an opportunity to advance your compensation based on performance over time. The hiring base pay is dependent on several factors, including level, function, training, transferable skills, work experience, business needs, and geographic location. As a hybrid company, our compensation reflects the cost of labor across several U.S. and global geographic markets. We pay differently based on those defined markets. Our Talent Team can share more about the specific salary range for the job location during the hiring process.

DNSFilter participates in the E-Verify program.

At DNSFilter, we utilize sophisticated software and tools to identify and eliminate Deepfake candidates. This approach helps us maintain the integrity of our hiring process, ensuring that we select the most qualified and genuine individuals to join our team.