Engineer II, Threat Detection - Windows; Hybrid
Listed on 2026-07-14
-
Security
Cybersecurity
About The Role
The Crowd Strike Endpoint Protection (EPP) Content Response team is seeking an experienced and passionate professional to analyze intrusions, threat campaigns, and malware, and to drive efforts to mitigate them by implementing robust behavioral detection coverage on the Falcon sensor platform. The Content Response Team improves detection capability and efficiency through tactical analysis of ongoing attacks by criminal and nation‑state actors, translating observed attacker behavior into high‑fidelity endpoint detections deployed at global scale.
The role requires independent work as well as the ability to collaborate across threat intelligence, engineering, and operational teams. You will be expected to take initiative identifying and solving detection gaps that directly protect our customers. Your work will involve regularly facing sophisticated techniques and well–resourced adversaries. This role is hybrid, requiring 2‑3 days per week on‑site at one of the posted locations.
WhatYou’ll Do
- Analyze emerging threats, campaigns, intrusion data, and malware execution telemetry to identify detectable behaviors and coverage gaps
- Author and optimize behavioral detection rules (Indicators of Attack) targeting adversary techniques observed on Windows endpoints
- Query and analyze endpoint telemetry (process execution, file system, registry, memory, authentication events) to validate detection hypotheses and assess coverage
- Monitor detection precision metrics, investigate false positives, and tune detections to maintain high signal‑to‑noise ratios
- Manage detections through a structured lifecycle: development, validation, staged deployment, and production monitoring
- Collaborate with threat intelligence and incident response teams to prioritize detection development based on active threat campaigns
- Must be eligible for CJIS clearance (requires U.S. citizenship or Green Card/permanent resident status).
- Bachelor’s degree in information security, computer science, or related field — or 4+ years of equivalent hands‑on experience in detection engineering, threat analysis, or endpoint security.
- Experience with endpoint detection platforms, EDR tooling, or detection‑driven security workflows.
- Proficiency in Windows OS internals and APIs (process creation, registry, file system, memory management, authentication subsystems).
- Experience with behavioral malware analysis, sandboxing, telemetry collection, and detectable behaviors from execution logs or Windows forensics.
- Working knowledge of regular expressions and pattern‑based detection authoring.
- Ability to read and understand various programming languages and Power Shell; scripting proficiency in Python for automation and analysis.
- Experience analyzing endpoint telemetry or host‑based log data to identify malicious patterns.
- Solid working knowledge of common adversary TTPs and the ability to translate threat intelligence into detection logic.
- Ability to assess cyber threat intelligence, open‑source intelligence, or partner reporting for actionable detection opportunities.
- Passion for detection engineering, threat analysis, or security research, with the motivation to keep learning and growing.
- Comfortable using AI‑assisted tooling as a daily force multiplier, not just a novelty.
- Energetic self‑starter mentality with the ability to take ownership and be accountable for deliverables.
- Clear written and verbal communication skills to drive triage, convey detection rationale, and align cross‑functionally with both technical and executive‑level stakeholders.
- Proven experience utilizing AI technologies to enhance decision‑making, streamline workflows and processes, improve efficiency and drive business outcomes.
- Experience writing behavioral detection rules or signatures for an endpoint security product (IOA/IOC logic, behavioral engines, or equivalent).
- Experience with regex optimization or pattern matching in performance‑sensitive contexts.
- Familiarity with detection precision concepts: true/false positive analysis, disposition workflows, and tuning at scale.
- Experience with detection content lifecycle management (development → testing → staged…
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).