
Senior Detection Engineer - KQL/SPL

Job in Bristol, Bristol County, BS1, England, UK
Listing for: RiverSafe
Full Time position
Listed on 2026-02-16
Job specializations:
  • IT/Tech
    Cybersecurity, Security Manager

Overview

This role is for a hands-on detection engineer whose primary job is designing, building and maintaining security detections.

You will spend the majority of your time:

  • Expanding ATT&CK coverage
  • Testing and tuning detections
  • Working with threat intel and incident response to convert findings into new detections

This is not a SOC analyst, SIEM administrator, Sec Ops generalist, cloud security, IAM, or vulnerability management role.

Responsibilities
  • Design and implement behaviour-based detections in Microsoft Sentinel (KQL) and Splunk (SPL)
  • Own detection logic end-to-end: creation, testing, tuning, false-positive reduction, lifecycle management
  • Map detections to MITRE ATT&CK and track coverage gaps
  • Maintain and improve a detection library over time
  • Validate detections using: threat hunting, incident learnings, testing frameworks (e.g. Atomic Red Team)
  • Work closely with IR and SOC teams, but not perform SOC triage
  • Treat detections as a product, not one-off alerts
Skills
  • Hands-on experience authoring detections, not just using SIEMs
  • Strong KQL experience writing Sentinel analytics rules
  • Strong SPL experience writing Splunk correlation searches
  • Experience maintaining detections in production environments
  • Clear examples of reducing false positives through logic changes
  • Ability to explain why a detection exists, not just how it works
Preferred
  • Experience running or contributing to a detection engineering function
  • Detection-as-code (Git, CI/CD, IaC)
  • Threat hunting that directly feeds detection creation
  • Experience migrating detections between SIEM platforms
Position Requirements
10+ Years work experience