SIEM Detection Engineer

Blackpoint Cyber is the leading provider of world-class cybersecurity threat hunting, detection and remediation technology. Founded by former National Security Agency (NSA) cyber operations experts who applied their learnings to bring national security-grade technology solutions to commercial customers around the world, Blackpoint Cyber is in hyper-growth mode,  fueled by a recent $190m series C round. 

What You’ll Do

As a SIEM Detection Engineer, you will focus on building and tuning high-fidelity detections using SIEM data sources, ensuring strong coverage across partner environments. You’ll work closely with SOC analysts, threat hunters, and platform teams to create detection content, improve data quality, and reduce alert fatigue. You also will contribute to light automation and enrichment where it improves triage outcomes.

· Create, test, and maintain detection logic and rules for new and emerging threats using SIEM telemetry.

· Tune alerts to reduce false positives and ensure detection rules have minimal gaps, maximizing the efficiency and accuracy of our 24x7 SOC.

· Build and refine detections using diverse log sources and integrations, including firewall and network security telemetry (e.g., FortiGate, SonicWall, and similar platforms), plus endpoint, identity, cloud, and DNS data where available.

· Collaborate with SOC analysts to identify common patterns and trends across customer environments and translate them into durable detection content.

· Assist in designing dashboards/visualizations to track threat trends, detection performance, and customer-specific patterns.

· Partner with ingestion/platform teams to troubleshoot parsing, normalization, indexing, and data availability issues impacting detection quality.

· Build or maintain test environments and validation workflows to safely verify detections against real-world attacker TTPs.

· Support incident response efforts by reviewing activity mitigated by the SOC and writing detections based on observed tradecraft.

· Contribute to enrichment and automation improvements (light scripting, workflow enhancements, alert context) to reduce investigation time and improve analyst decision-making.

What You’ll Bring

· Five (5+) years of experience in an information security role. Progressive relevant training and/or certification may be substituted for one (1) year of the experience requirement.

· Experience working in a SOC, Threat Hunting, or DFIR is preferred.

· Two (2+) years of experience with system tuning and/or engineering (SIEM, EDR, logging pipelines, or analytics platforms).

· Strong experience writing SIEM detections and queries (e.g., Elasticsearch/Kibana or similar).

· Familiarity with common network security and firewall logs and the ability to interpret and detect threats from them (e.g., FortiGate, SonicWall, and other vendor integrations).

· Familiarity with schemas such as OCSF.

· Working knowledge of Windows threat indicators and common attacker behaviors (process execution, persistence, lateral movement, credential access, C2 patterns).

· Knowledge of attacker tools, including legitimate software abused for malicious purposes.

· Familiarity with parent/child process relationships, command-line arguments, and how they are used to identify suspicious activity.

· Ability to troubleshoot and debug data ingestion issues, including parsing problems, missing fields, and normalization gaps.

· Excellent communication skills to summarize findings and present detection rationale, coverage, and trends.

· Ability to work independently with strong problem-solving skills.

Bonus

· Experience with log onboarding and integrations (syslog, agents, API-based collection) across common MSP stacks.

· Basic scripting/automation experience (Python and/or PowerShell) to support enrichment, detection testing, or workflow improvements.

· Experience creating Sigma and/or YARA rules and validating against adversary TTPs.

· Proficiency using Power BI or building Kibana dashboards for detection and trend visualization.

· Network/System Administration experience.

· CRTO, eCPTX, or other relevant certifications.

· Deep forensic knowledge of Windows, macOS and/or Linux.

· Malware analysis experience (behavioral and/or static analysis)

Blackpoint Cyber welcomes and encourages applications from qualified individuals of all races,  colors, religions, sex, sexual orientation, gender identity or expression, national origin, age, marital  status, or any other legally protected status. We are committed to equality of opportunity in all  aspects of employment.  For eligible employees in the US, Blackpoint offers competitive Health, Vision, Dental, and Life Insurance plans, a robust 401k plan, Discretionary Time Off, and other minor perks.