Threat Hunter

Threat Hunter

ShorePoint is a fast-growing, industry recognized and award-winning cybersecurity services firm with a focus on high-profile, high-threat, private and public-sector customers who demand experience and proven security models to protect their data. ShorePoint subscribes to a "work hard, play hard" mentality and celebrates individual and company successes. We are passionate about our mission and going above and beyond to deliver for our customers. We are equally passionate about an environment that supports creativity, accountability, diversity, inclusion and a focus on giving back to our community.

We are seeking a Threat Hunter to support and enhance our 24/7 Security Operations Center. This role combines advanced threat detection, incident investigation and threat hunting with hands-on development of SIEM use cases, automation and analytics to identify and respond to sophisticated threats, including lateral movement. The ideal Threat Hunter brings strong investigative expertise and a builder mindset to continuously improve detection capabilities and strengthen overall SOC effectiveness. This is a unique opportunity to shape the growth, development and culture of an exciting and fast-growing company in the cybersecurity market.

What you'll be doing:

• Provide first-line SOC support, including alert monitoring, triage, routing, escalation and response across 24x7x365 operations.
• Monitor, analyze and investigate security events, network traffic and host-based detections, distinguishing malicious activity from false positives.
• Perform proactive and creative threat hunting and anomaly detection across SIEM and security tools, identifying patterns, lateral movement and emerging threats.
• Conduct incident investigation, Cyber Threat Assessment and Remediation Analysis, including processing and correlating incident indicators with threat intelligence.
• Tune and develop SIEM correlation rules and detection logic and rapidly build detection use cases in collaboration with incident response (IR) teams.
• Develop and maintain scripts and tools (Python, Bash) to automate SOC and IR functions, including Indicator of compromise (IoC) ingestion, log processing and SIEM integrations via APIs.
• Research, develop and maintain dashboards, visualizations and analytics to support detection, reporting and SOC performance monitoring.
• Produce, review and maintain documentation and reporting, including cybersecurity briefings, metrics, incident reports and deliverables for stakeholders at all levels, ensuring alignment with editorial standards and government specifications.
• Support threat intelligence operations, including reviewing and actioning IoCs and translating intelligence into actionable detections.
• Coordinate with internal teams and stakeholders to support engagements such as Insider Threat, Rule of Engagement (ROE), threat hunting, testing activities and after-action reporting.
• Support SOC operations processes, including ticket tracking, customer security assessments, ad hoc investigations, tabletop exercises and lessons learned activities.
• Contribute to continuous SOC improvement by enhancing detection capabilities, processes, communication and overall operational effectiveness; participate in on-call rotation.

What you need to know:

• Deep understanding of cyber threat TTPs, threat hunting methodologies and application of the MITRE ATT&CK framework.
• Experience supporting 24x7x365 SOC operations, including alert monitoring, triage, analysis, response and review/action of threat intelligence and reported incidents.
• Ability to manage multiple alerts and tickets in parallel, perform end-to-end triage through resolution and appropriately prioritize response actions including coordination with end-users.
• Strong experience analyzing and correlating security events across multi-source ecosystem, including endpoint, network, email security tools, SIEM platforms and federal threat intelligence (e.g., CISA).
• Demonstrated proficiency with enterprise security tools and platforms, including but not limited to FireEye, Elastic, Sourcefire, Malwarebytes, Carbon Black/Bit9, Splunk, Prisma Cloud, Cisco IronPort, Bluecoat, Palo Alto, Cylance and OSSEC.
• Hands-on experience with enterprise SIEM or security analytics platforms (e.g., Elastic Stack, Splunk), including log analysis, event correlation and detection support.
• Experience with malware analysis and understanding of attack vectors involving malware, data exposure, phishing and social engineering techniques.
• Experience developing and maintaining SOPs, performing event timeline analysis and investigating logs across Windows/Linux environments and network security devices.

Must have's:

• 5+ years of technical experience.
• Ability to support working hours: 8:45 AM - 5:15 PM Eastern Time
• Ability to participate in a rotating SOC on-call; rotation is based on number of team members.
• Demonstrated proficiencies with one or more toolsets such as Bit9/CarbonBlack, CrowdStrike, FireEye ETP, Elastic Kibana.
• Solid understanding and experience analyzing security events generated from security tools and devices such as: Carbon Black, CrowdStrike, FireEye, Palo Alto, Cylance and OSSEC.

Beneficial to have:

• Bachelor's degree in Cybersecurity, Computer Science, Information Systems, Mathematics, Engineering or a related field.
• One or more of the following certifications: GIAC (GCIH, GCFE, GCFA, GREM, GNFA, GCTI, GPEN, GWAPT), CEPT, CASS, CWAPT or CREA.

Where it's done:

• Remote (Herndon, VA)