Threat Senior Associate

Position: Threat Hunt Senior Associate
Are you ready to make an impact at DTCC?

Do you want to work on innovative projects, collaborate with a dynamic and supportive team, and receive investment in your professional development? At DTCC, we are at the forefront of innovation in the financial markets. We are committed to helping our employees grow and succeed. We believe that you have the skills and drive to make a real impact. We foster a thriving internal community and are committed to creating a workplace that looks like the world that we serve.

The Information Technology group delivers secure, reliable technology solutions that enable DTCC to be the trusted infrastructure of the global capital markets. The team delivers high-quality information through activities that include development of essential, building infrastructure capabilities to meet client needs and implementing data standards and governance.

Pay and Benefits:

• Competitive compensation, including base pay and annual incentive
• Comprehensive health and life insurance and well-being benefits, based on location
• Pension / Retirement benefits
• Paid Time Off and Personal/Family Care, and other leaves of absence when needed to support your physical, financial, and emotional well-being.
• DTCC offers a flexible/hybrid model of 3 days onsite and 2 days remote (onsite Tuesdays, Wednesdays and a third day unique to each team or employee).

The Impact you will have in this role:

Being a member of CISO Team and as a Threat Hunt Senior Associate, you will execute hypothesis-driven hunts across endpoint, identity, network, and cloud telemetry; track and document hunt activity end-to-end; and translate findings into actionable improvements, detections, response playbooks, hardening tasks, and prioritized engineering work.

This role is hands-on and requires a practitioner mindset: you'll spend your time asking better questions of the data, validating what "normal" looks like in complex systems, and proving or disproving attacker behaviors using repeatable methods. You'll also provide surge support to incident response during investigations where hunt techniques accelerate containment and root cause analysis.

This is a mid-level role for someone who can operate independently on scoped hunts, communicate clearly, and contribute to a sustained, measurable hunting program.

Your Primary Responsibilities:

Hunt Execution & Documentation (Core)

• Execute hypothesis-based threat hunts mapped to MITRE ATT&CK tactics/techniques, focusing on realistic adversary behaviors (credential access, persistence, lateral movement, defense evasion, and cloud abuse).
• Use behavioral analytics and anomaly detection to identify suspicious patterns across endpoint + identity + cloud + network telemetry, then validate with deeper artifact review.
• Perform, track, and record hunt activity in a structured way: hypotheses, datasets queried, query versions, findings (positive/negative), evidence, confidence, and follow-up actions.
• Maintain clean, audit-ready hunt notes that allow another analyst to reproduce your work and understand decisions made under uncertainty.

Investigative Workflows & Telemetry Correlation

• Correlate logs across EDR/XDR, SIEM, cloud control plane logs, identity logs, and container/Kubernetes telemetry to build a coherent narrative from partial signals.
• Investigate attacker tradecraft such as:
  • Credential theft and replay (token theft, OAuth abuse, suspicious refresh patterns)
  • "Living off the land" execution (Power Shell, WMI, LOLBins on Windows; bash/curl/wget/systemd on Linux)
  • Persistence mechanisms (scheduled tasks/cron, service modifications, registry run keys, launch agents)
• Command-and-control behaviors and egress anomalies (beaconing, domain fronting indicators, unusual TLS fingerprints where available)
• Cloud and Kubernetes abuse (suspicious role assumptions, unusual API call sequences, kubeconfig access, container escape precursors)
• Triage and deepen suspicious signals into defensible findings: timeline, scope, impact, root cause, and containment recommendations.

Detection Engineering & Continuous Improvement

• Translate hunt results into durable controls: new detections, tuning improvements, telemetry onboarding, or gaps to address (instrumentation, logging coverage, parsing, enrichment).
• Draft and iterate detection logic (e.g., Sigma/YARA, SIEM analytics rules, EDR custom IOAs) with measurable success criteria: false-positive rate, time-to-detect improvements, and coverage mapped to ATT&CK.
• Partner with SOAR/automation engineers to operationalize repetitive enrichment and triage steps into playbooks.

Purple Teaming & Adversary Simulation

• Collaborate with Red Team / Purple Team efforts to validate detection coverage, refine alerts, and ensure hunts align to current and relevant TTPs.
• Help design and execute controlled simulations (atomic tests, adversary emulation plans), then close the loop by updating detections, documentation, and response procedures.
• Incident Support (When Needed)
• Provide incident surge support: rapid scoping queries,…