Threat-Led Detection Engineer
Listed on 2026-06-28
IT/Tech
Cybersecurity, AI Engineer (Applied/Software)
Description
The Threat-Led Detection Engineer will design, build, and maintain high-quality threat detections within WTW’s Global Information and Cyber Security Defence (ICSD) function, helping WTW detect adversary activity quickly and accurately across its global estate. This is a hands‑on engineering role for someone with a strong cyber security mindset and a genuine interest in how attackers operate. You will write and tune detection rules, map coverage to real adversary behaviour, and contribute to a well‑maintained, version‑controlled detection library.
Working closely with SOC, Threat Hunting, Cyber Threat Intelligence (CTI), and Incident Response, you will turn intelligence and hunt findings into reliable detections, embracing a threat‑led, Detection‑as‑Code approach.
The individual will work as part of a global, multi‑disciplined security community with strong support across the business, helping to foster a security‑aware culture while ensuring WTW remains a great place to work. With WTW’s large global footprint, this role offers a varied and stimulating range of work, and occasional global travel may be required.
The role is based in London and follows a hybrid working model, with the expectation of attending the office as and when required on business demand.
The Role: The Threat‑Led Detection Engineer will build and maintain detections within WTW’s Global Cyber Security Defence team. Responsibilities of this role will include:
- Design, write, test, and maintain high‑fidelity detection rules across SIEM, EDR/XDR, cloud, identity, and network data sources.
- Apply a threat‑led approach, developing detections mapped to adversary tradecraft using the MITRE ATT&CK framework, the Cyber Kill Chain, and the Diamond Model.
- Rapidly create new detections in response to emerging threats, Cyber Threat Intelligence, and incident or hunt findings.
- Contribute to the detection library, ensuring detections are version‑controlled, documented, tested, and mapped to MITRE ATT&CK coverage.
- Tune and optimise existing detections to reduce false positives and continuously improve fidelity.
- Practise Detection‑as‑Code, using Git‑based workflows, peer review, and automated testing for detection content.
- Validate detections through adversary emulation and testing (e.g. Atomic Red Team) and collaborate on purple‑team exercises.
- Support the integration of AI and automation into detection and triage workflows, and help build detections for AI/GenAI‑specific threats.
- Collaborate with SOC, Threat Hunting, CTI, and Incident Response to close detection gaps surfaced during hunts and incidents.
- Write clear detection documentation and response guidance so each detection is actionable for analysts.
- Onboard and validate new log sources and telemetry to expand detection coverage.
- Contribute to detection coverage and quality metrics to help measure and improve detection effectiveness.
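As an added illustration of the Detection-as-Code workflow the responsibilities above describe (a rule kept as data with ATT&CK tags, a small matcher, a tuned exclusion and the regression check a CI job would run on every change), here is a minimal harness in Python. It is not code from the posting or from WTW's detection library; the rule id, the deploytool.exe exclusion and the sample process-creation events are constructed for the example.

```python
"""Detection-as-Code in miniature: a Sigma-style rule as data, a matcher,
and a regression check run over constructed sample events.
Added example; not code from the job posting or from WTW."""

# Sigma-style rule as a Python dict. Field names and modifiers follow the
# Sigma convention (Field|endswith, Field|contains). The rule id and the
# tuned exclusion are hypothetical.
ENCODED_POWERSHELL = {
    "title": "Encoded PowerShell command line",
    "id": "example-0001",                       # hypothetical identifier
    "tags": ["attack.execution", "attack.t1059.001"],
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            # list values are OR'ed; matching is case-insensitive as in
            # Sigma, so "-enc" also covers "-EncodedCommand"
            "CommandLine|contains": ["-enc", "-e "],
        },
        # tuned exclusion for a known-good parent (hypothetical deployment tool)
        "filter_known_good": {"ParentImage|endswith": "\\deploytool.exe"},
        "condition": "selection and not filter_known_good",
    },
}


def _field_matches(value, modifier, wanted):
    """Apply one Sigma modifier, case-insensitively."""
    v, w = str(value).lower(), str(wanted).lower()
    if modifier == "endswith":
        return v.endswith(w)
    if modifier == "startswith":
        return v.startswith(w)
    if modifier == "contains":
        return w in v
    return v == w  # no modifier: exact match


def _selection_matches(event, selection):
    """All fields in a selection must match (AND); list values are OR."""
    for key, wanted in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        options = wanted if isinstance(wanted, list) else [wanted]
        if not any(_field_matches(event[field], modifier, o) for o in options):
            return False
    return True


def evaluate(rule, event):
    """Evaluate the rule condition. Supports the subset
    'name [and [not] name ...]', which is all this example needs."""
    det = rule["detection"]
    for term in det["condition"].split(" and "):
        negate = term.startswith("not ")
        name = term[4:] if negate else term
        hit = _selection_matches(event, det[name])
        if hit == negate:  # a positive term missed, or a negated term hit
            return False
    return True


def techniques(rule):
    """ATT&CK technique ids from Sigma tags: attack.t1059.001 -> T1059.001."""
    return sorted(t.split(".", 1)[1].upper()
                  for t in rule["tags"] if t.startswith("attack.t"))


def run(rule, events):
    """Return one alert dict per matching event, carrying the ATT&CK mapping."""
    return [{"rule": rule["title"], "techniques": techniques(rule), "event": e}
            for e in events if evaluate(rule, e)]


def regression(rule, positives, negatives):
    """The automated check a CI job runs on each rule change: returns the
    events the rule gets wrong (an empty list means the rule passes)."""
    failures = [e for e in positives if not evaluate(rule, e)]
    failures += [e for e in negatives if evaluate(rule, e)]
    return failures


# Constructed sample events (not real telemetry); the base64 is a placeholder.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": PS, "CommandLine": "powershell.exe -EncodedCommand QQBCAEMA",
     "ParentImage": "C:\\Windows\\explorer.exe"},                       # true positive
    {"Image": PS, "CommandLine": "powershell.exe -enc QQBCAEMA",
     "ParentImage": "C:\\Program Files\\DeployTool\\deploytool.exe"},   # tuned out
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "ParentImage": "C:\\Windows\\explorer.exe"},                       # benign
    {"Image": PS, "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},              # benign
]

if __name__ == "__main__":
    for alert in run(ENCODED_POWERSHELL, SAMPLE_EVENTS):
        print(alert["rule"], alert["techniques"], alert["event"]["CommandLine"])
    print("regression failures:",
          regression(ENCODED_POWERSHELL, SAMPLE_EVENTS[:1], SAMPLE_EVENTS[1:]))
```

In a real library the rule dict would be a Sigma YAML file under version control, the positive and negative events would be committed beside it (the positives typically captured from an Atomic Red Team run), and `regression` would be the CI gate that blocks a merge when tuning an exclusion silently breaks a true positive.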
What you'll bring:
We are looking for a candidate for the Threat‑Led Detection Engineer role who has the following:
Must‑have:
- Strong background in cyber security with hands‑on detection engineering, SOC, or threat‑hunting experience.
- Strong cyber security mindset and a solid, thorough understanding of attacker behaviour and the modern threat landscape.
- Working knowledge of the MITRE ATT&CK framework, the Cyber Kill Chain, and the Diamond Model, with the ability to map detections to them.
- Hands‑on experience writing and tuning detection rules using query languages such as KQL, SPL, EQL, or Sigma on platforms like Microsoft Sentinel, Splunk, Elastic, CrowdStrike, or Microsoft Defender XDR.
- Ability to develop high‑fidelity detections swiftly in response to emerging threats and intelligence.
- Experience maintaining detection content and contributing to a detection library.
- Familiarity with Detection‑as‑Code concepts: Git, version control, and automated testing of detection content.
- Awareness of AI/ML in security operations and AI‑specific threats (e.g. prompt injection, sensitive‑data exposure via GenAI), with awareness of the OWASP LLM Top 10 and MITRE ATLAS.
- Exposure to cloud detection across Azure, AWS, and/or GCP and to cloud and identity log sources…