About the Role
We are looking for a Threat Collections Engineer to join our Threat Intelligence team. In this role, you will build the infrastructure that powers our threat discovery capabilities: integrating external data sources, developing detection systems for automated lead generation, and creating internal tooling that scales our investigators' impact.
This is a foundational engineering role on a small, high-impact team. You will take projects from proof-of-concept to production, work closely with investigators to understand their needs, and help scale what may become a multi-person collections function.
Responsibilities
• Build automated detection systems that use disparate signals to identify abusive behavior.
• Take systems from idea to proof-of-concept to production-grade with appropriate monitoring, documentation, and maintenance processes.
• Develop and maintain YARA rule infrastructure, including tools for writing, validating, and testing rules against real data.
• Create integrations with external threat intelligence platforms (e.g. VirusTotal, Censys, Urlscan) via MCP servers to enable multi-source correlation during investigations.
• Build data pipelines that ingest intelligence from RSS feeds, CTI news sources, and partner sharing, using Claude to extract TTPs and generate targeted hunting queries.
• Develop behavioral analytics capabilities using DBT-based frameworks and create searchable audit logging infrastructure.
• Establish feedback loops with investigators to tune detection systems and reduce false positives.
• Scrape and normalize data from external sources to feed threat detection and enrichment workflows.
You may be a good fit if you:
• Have strong coding proficiency in Python and SQL for building detection logic, data pipelines, and automation.
• Have experience with data pipeline orchestration tools (Airflow, DBT, or similar).
• Have familiarity with threat intelligence concepts including IOCs, YARA rules, and threat correlation techniques.
• Have experience integrating external APIs and building data ingestion systems.
• Can translate investigator needs and workflows into technical requirements.
• Are comfortable building v0 systems and iterating based on user feedback.
• Have strong communication skills for working closely with non-engineering stakeholders.
Strong candidates may also have:
• Experience with threat intelligence sharing frameworks (e.g. MISP, STIX/TAXII).
• Background in cyber threat intelligence, security operations, or abuse detection.
• Experience building MCP servers or similar tool integrations for AI systems.
• Familiarity with web scraping and data extraction at scale.
• Experience with behavioral analytics or anomaly detection systems.
• Understanding of LLM capabilities and how to leverage them for automation.
Deadline to apply: None. Applications will be reviewed on a rolling basis.