Threat Hunt Senior Associate

Threat Hunt Senior Associate

Are you ready to make an impact at DTCC?

Do you want to work on innovative projects, collaborate with a dynamic and supportive team, and receive investment in your professional development? At DTCC, we are at the forefront of innovation in the financial markets. We are committed to helping our employees grow and succeed. We believe that you have the skills and drive to make a real impact. We foster a thriving internal community and are committed to creating a workplace that looks like the world that we serve.

The Information Technology group delivers secure, reliable technology solutions that enable DTCC to be the trusted infrastructure of the global capital markets. The team delivers high-quality information through activities that include development of essential, building infrastructure capabilities to meet client needs and implementing data standards and governance.

Pay and Benefits:

• Competitive compensation, including base pay and annual incentive
• Comprehensive health and life insurance and well-being benefits, based on location
• Pension / Retirement benefits
• Paid Time Off and Personal/Family Care, and other leaves of absence when needed to support your physical, financial, and emotional well-being.
• DTCC offers a flexible/hybrid model of 3 days onsite and 2 days remote (onsite Tuesdays, Wednesdays and a third day unique to each team or employee).

The Impact you will have in this role:

Being a member of CISO Team and as a Threat Hunt Senior Associate, you will execute hypothesis-driven hunts across endpoint, identity, network, and cloud telemetry; track and document hunt activity end-to-end; and translate findings into actionable improvements, detections, response playbooks, hardening tasks, and prioritized engineering work.

This role is hands-on and requires a practitioner mindset: you'll spend your time asking better questions of the data, validating what "normal" looks like in complex systems, and proving or disproving attacker behaviors using repeatable methods. You'll also provide surge support to incident response during investigations where hunt techniques accelerate containment and root cause analysis.

This is a mid-level role for someone who can operate independently on scoped hunts, communicate clearly, and contribute to a sustained, measurable hunting program.

Your Primary Responsibilities:

Hunt Execution & Documentation (Core)

• Execute hypothesis-based threat hunts mapped to MITRE ATT&CK tactics/techniques, focusing on realistic adversary behaviors (credential access, persistence, lateral movement, defense evasion, and cloud abuse).
• Use behavioral analytics and anomaly detection to identify suspicious patterns across endpoint + identity + cloud + network telemetry, then validate with deeper artifact review.
• Perform, track, and record hunt activity in a structured way: hypotheses, datasets queried, query versions, findings (positive/negative), evidence, confidence, and follow-up actions.
• Maintain clean, audit-ready hunt notes that allow another analyst to reproduce your work and understand decisions made under uncertainty.

Investigative Workflows & Telemetry Correlation

• Correlate logs across EDR/XDR, SIEM, cloud control plane logs, identity logs, and container/Kubernetes telemetry to build a coherent narrative from partial signals.
• Investigate attacker tradecraft such as:
• Credential theft and replay (token theft, OAuth abuse, suspicious refresh patterns)
• "Living off the land" execution (PowerShell, WMI, LOLBins on Windows; bash/curl/wget/systemd on Linux)
• Persistence mechanisms (scheduled tasks/cron, service modifications, registry run keys, launch agents)
• Command-and-control behaviors and egress anomalies (beaconing, domain fronting indicators, unusual TLS fingerprints where available)
• Cloud and Kubernetes abuse (suspicious role assumptions, unusual API call sequences, kubeconfig access, container escape precursors)
• Triage and deepen suspicious signals into defensible findings: timeline, scope, impact, root cause, and containment recommendations.

Detection Engineering & Continuous Improvement

• Translate hunt results into durable controls: new detections, tuning improvements, telemetry onboarding, or gaps to address (instrumentation, logging coverage, parsing, enrichment).
• Draft and iterate detection logic (e.g., Sigma/YARA, SIEM analytics rules, EDR custom IOAs) with measurable success criteria: false-positive rate, time-to-detect improvements, and coverage mapped to ATT&CK.
• Partner with SOAR/automation engineers to operationalize repetitive enrichment and triage steps into playbooks.

Purple Teaming & Adversary Simulation

• Collaborate with Red Team / Purple Team efforts to validate detection coverage, refine alerts, and ensure hunts align to current and relevant TTPs.
• Help design and execute controlled simulations (atomic tests, adversary emulation plans), then close the loop by updating detections, documentation, and response procedures.
• Incident Support (When Needed)
• Provide incident surge support: rapid scoping queries, hunting for related activity, identifying patient-zero candidates, and strengthening containment decisions with evidence.
• Contribute to post-incident reviews by identifying detection gaps, improving playbooks, and capturing lessons learned as backlog items.

**NOTE: The Primary Responsibilities of this role are not limited to the details above. **

Qualifications:

• Min 3-6 years of relevant experience
• Bachelor's Degree and/or equivalent experience
• 3-6 years in Threat Hunting, Detection Engineering, Incident Response, or SOC investigations in a production environment (financial services/fintech experience is a plus but not required).
• Demonstrated experience running hypothesis-driven hunts and documenting outcomes in a way that supports repeatability and measurement.
• Strong log analysis skills and comfort working across multiple telemetry sources (endpoint, identity, network, cloud).
• Practical detection and query experience in one or more:
• KQL (Microsoft Sentinel / Defender)
• Splunk SPL
• Elastic/Kibana (EQL/KQL/Lucene)
• Chronicle/Google SecOps query language or equivalent
• Solid operating system fundamentals:
• Windows internals basics (process ancestry, services, scheduled tasks, registry persistence)
• Linux fundamentals (systemd, cron, auth logs, process/network inspection)
• Familiarity with attacker tradecraft and investigative methods aligned to MITRE ATT&CK ability to map raw evidence to techniques without forcing it.
• Ability to communicate clearly—writeups that separate observation from inference, quantify confidence, and identify next steps.
• Proven ability to prioritize: know when you have enough evidence to escalate vs. when to keep iterating.

Talents Needed for Success:

• Experience hunting across cloud + containerized environments (AWS/Azure/GCP; Kubernetes; CI/CD telemetry).
• Experience developing or tuning detections using Sigma, YARA, EDR custom detections, or SIEM correlation rules.
• Familiarity with NIST CSF / NIST 800-61 incident response concepts and how hunting feeds detection/response maturity.
• Experience with SOAR automation, enrichment pipelines, and case management workflows.
• Comfortable scripting for analysis and automation (Python, PowerShell, Bash) and using tools like jq, osquery, CyberChef.

Certifications (any of the following are valued):

• GCFA, GCIH, GCIA
• OSCP (useful signal for investigative depth; not required)
• CISSP (helpful for program maturity context; not required)

Tools & Technologies

You won't need every item day one—but you should be comfortable learning quickly and working across a modern stack.

EDR/XDR: Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne (