Cybersecurity Engineer - Endpoint Detection

Company Overview
KLA is a global leader in diversified electronics for the semiconductor manufacturing ecosystem. Virtually every electronic device in the world is produced using our technologies. No laptop, smartphone, wearable device, voice-controlled gadget, flexible screen, VR device or smart car would have made it into your hands without us. KLA invents systems and solutions for the manufacturing of wafers and reticles, integrated circuits, packaging, printed circuit boards and flat panel displays. The innovative ideas and devices that are advancing humanity all begin with inspiration, research and development. KLA focuses more than average on innovation and we invest 15% of sales back into R&D. Our expert teams of physicists, engineers, data scientists and problem-solvers work together with the world's leading technology providers to accelerate the delivery of tomorrow's electronic devices. Life here is exciting and our teams thrive on tackling really hard problems. There is never a dull moment with us.

Job Description/Preferred Qualifications

The Cybersecurity group at KLA is involved in every aspect of the global business. The KLA Cybersecurity group defends against cyber-attacks and provides cybersecurity tools, incident response services and assessment capabilities to safeguard the environments that support the essential operations of KLA. We are passionate about identifying adversarial activities and anticipating a wide variety of threats to strengthen our defenses and the overall protection of KLA Intellectual Property.

We are seeking an Endpoint Detection Engineer to serve as the hands-on subject matter expert for our enterprise endpoint detection platforms. This role is responsible for the configuration, tuning, lifecycle management, and continuous improvement of our EDR and EPM tooling from a cybersecurity perspective, ensuring the platform is optimally deployed, deeply integrated with our broader security stack, and proactively evolving to address emerging threats. You will partner closely with the SOC and IT Security teams to align detection capabilities with operational workflows, serving as the primary technical liaison.

Platform Configuration & Optimization

• Own the design, configuration, and ongoing optimization of the enterprise EDR and EPM platforms across Windows, macOS, and Linux environments.
  
• Define and author endpoint hardening standards, detection policies, exclusion logic, and response baselines aligned with industry best practices.
  
• Ensure endpoint platforms integrate effectively with SIEM, SOAR, SOC workflows, and identity platforms to maximize telemetry value and response automation.
  
• Proactively evaluate new platform features, capabilities, and emerging technologies, leading proof-of-concept testing and driving adoption of enhancements that strengthen security posture.
  
• Monitor agent health, fleet coverage, and version compliance; manage agent lifecycle including upgrades, rollouts, and rollback procedures.
  

Detection Engineering & Incident Response

• Collaborate with detection engineers to develop, evaluate, and continuously refine endpoint-based detections mapped to MITRE ATT&CK techniques and real-world threat actor TTPs.
  
• Partner with the SOC to improve detection fidelity, reduce false positive rates, and enhance automated response capabilities tied to endpoint threats.
  
• Assist in endpoint-related security incident investigations, leveraging endpoint telemetry for root cause analysis, forensic evidence collection, and remediation guidance.
  
• Contribute to proactive threat hunting missions with the Cyber Threat Intelligence team, using behavioral analytics and endpoint telemetry to surface threats that evade automated detection.
  
• Drive root cause analysis following incidents or platform issues and implement continuous improvements to prevent recurrence.
  

Troubleshooting & Interoperability

• Identify and resolve complex performance, stability, and interoperability issues between the endpoint agents and other tooling including EPM, DLP, and MDM solutions.
  
• Serve as the primary technical liaison with the endpoint platform vendors, managing escalations, product roadmap input, and coordination on advanced support cases.
  
• Partner with IT Security and infrastructure teams to troubleshoot deployment and compatibility issues across the enterprise endpoint fleet.
  
• Write and maintain technical documentation including configuration standards, operational runbooks, and troubleshooting guides.
  

PREFERRED QUALIFICATIONS

• Experience supporting or participating in red team, purple team, or adversary simulation exercises.
  
• Malware analysis or reverse engineering experience is highly desirable.
  
• Familiarity with digital forensics tooling and methodology (e.g., KAPE / Zimmerman Tools) for endpoint artifact analysis.
  
• Familiarity with MDM/MAM solutions (Intune, JAMF, Workspace ONE) and their interplay with endpoint security tooling.
  
• Working knowledge of security hardening benchmarks (CIS Controls, NIST 800-53) and how to operationalize them at the endpoint layer.
  
• Experience in regulated or large enterprise environments with compliance requirements (PCI-DSS, ISO 27001, or similar).
  
• Relevant certifications such as GCDA, GREM, GCIH, or platform-specific certifications.
  

Minimum Qualifications

• Five (5) years of hands-on experience in cybersecurity, with at least 2 years focused on EDR)/XDR and EPM platform administration and engineering.
  
• Bachelor's degree in Computer Science, Cybersecurity, or a related field, or equivalent practical experience.
  
• Demonstrated expertise with one or more enterprise security platforms (e.g., SentinelOne, CrowdStrike, Microsoft Defender for Endpoint, CyberArk, Delinea) including policy management, agent configuration, and console administration.
  
• Solid understanding of endpoint attack techniques, threat actor TTPs, and the MITRE ATT&CK framework.
  
• Experience leading endpoints across Windows and macOS in large enterprise environments; Linux experience a plus.
  
• Confirmed ability to solve complex agent performance, stability, and interoperability issues across a diverse endpoint ecosystem.
  
• Experience working in or closely supporting a SOC, detection engineering, or incident response function.
  
• Scripting proficiency in one or more languages (i.e., PowerShell, Python, etc.) for automation of operational and security tasks or experience working with management APIs.
  
• Familiarity with SIEM platforms and endpoint-to-SIEM data pipelines; experience with query languages such as KQL or SPL a plus.
  

Base Pay Range: $90,400.00 - $153,700.00 Annually

Primary Location: USA-MI-Ann Arbor-KLA

KLA's total rewards package for employees may also include participation in performance incentive programs and eligibility for additional benefits including but not limited to: medical, dental, vision, life, and other voluntary benefits, 401(K) including company matching, employee stock purchase program (ESPP), student debt assistance, tuition reimbursement program, development and career growth opportunities and programs, financial planning benefits, wellness benefits including an employee assistance program (EAP), paid time off and paid company holidays, and family care and bonding leave.

Interns are eligible for some of the benefits listed. Our pay ranges are determined by role, level, and location. The range displayed reflects the pay for this position in the primary location identified in this posting. Actual pay depends on several factors, including state minimum pay wage rates, location, job-related skills, experience, and relevant education level or training. We are committed to complying with all applicable federal and state minimum wage requirements where applicable. If applicable, your recruiter can share more about the specific pay range for your preferred location during the hiring process.

KLA is proud to be an Equal Opportunity Employer. We will ensure that qualified individuals with disabilities are provided reasonable accommodation to participate in the job application or interview process, to perform essential job functions, and to receive other benefits and privileges of employment. Please contact us at View email address on click.appcast.io or at View phone number on click.appcast.io to request accommodation.

Be aware of potentially fraudulent job postings or suspicious recruiting activity by persons that are currently posing as KLA employees. KLA never asks for any financial compensation to be considered for an interview, to become an employee, or for equipment. Further, KLA does not work with any recruiters or third parties who charge such fees either directly or on behalf of KLA. Please ensure that you have searched KLA's Careers website for legitimate job postings. KLA follows a recruiting process that involves multiple interviews in person or on video conferencing with our hiring managers. If you are concerned that a communication, an interview, an offer of employment, or that an employee is not legitimate, please send an email to View email address on click.appcast.io to confirm the person you are communicating with is an employee. We take your privacy very seriously and confidentially handle your information.