Required Threat Intelligence Researcher- CTI
The Job
We are on an expedition to find you, someone who is passionate about turning research into reliable, production-grade capabilities. Youll play a major role in building and shaping our next-gen CTI platform across attribution, pivoting, infrastructure prediction, EASM, and the STIX/OpenCTI knowledge base.
Responsibilities
Execute the CTI research roadmap across attribution, infra prediction, EASM, and the STIX knowledge base.
Design and implement graph-pivoting, attribution heuristics, and temporal/link models (sequence/survival/Hawkes-style).
Build high-signal EASM detectors: passive discovery and safe active probing per ROE; capture reproducible evidence.
Normalize, enrich, and deduplicate intel into STIX 2.1 aligned to our ontology; maintain/enhance TAXII/OpenCTI/MISP connectors.
Ship detectors/models and enrichment services with AI/Platform teams; contribute tests, docs, and runbooks.
Curate datasets, define ground truth, and evaluate KPIs (coverage, lead-time, precision/recall, FPR); iterate to improve signal-to-noise.
Produce watchlists, concise briefs, and early-warning hypotheses for stakeholders and priority investigations.
Uphold governance, ethics, provenance, and data-quality standards.
The Job
We are on an expedition to find you, someone who is passionate about turning research into reliable, production-grade capabilities. Youll play a major role in building and shaping our next-gen CTI platform across attribution, pivoting, infrastructure prediction, EASM, and the STIX/OpenCTI knowledge base.
Responsibilities
Execute the CTI research roadmap across attribution, infra prediction, EASM, and the STIX knowledge base.
Design and implement graph-pivoting, attribution heuristics, and temporal/link models (sequence/survival/Hawkes-style).
Build high-signal EASM detectors: passive discovery and safe active probing per ROE; capture reproducible evidence.
Normalize, enrich, and deduplicate intel into STIX 2.1 aligned to our ontology; maintain/enhance TAXII/OpenCTI/MISP connectors.
Ship detectors/models and enrichment services with AI/Platform teams; contribute tests, docs, and runbooks.
Curate datasets, define ground truth, and evaluate KPIs (coverage, lead-time, precision/recall, FPR); iterate to improve signal-to-noise.
Produce watchlists, concise briefs, and early-warning hypotheses for stakeholders and priority investigations.
Uphold governance, ethics, provenance, and data-quality standards.
Requirements:
4-7+ years in CTI/EASM/offensive research or adversary-infra analysis.
DNS, BGP/ASNs, TLS/PKI & CT logs, hosting/CDN/cloud patterns, domain lifecycle, phishing ecosystems.
Communities/embeddings/clustering; temporal/link modeling and practical evaluation.
Passive discovery and safe active probing; evidence discipline and noise reduction.
STIX 2.1, ATT&CK, TAXII; advantage for OpenCTI/MISP; ontology alignment and validation.
Python (pandas, notebooks, scikit-learn, networkx/igraph); Neo4j/Elasticsearch; Kafka/SQS/Redis; Docker/Kubernetes.
Prompting/tool-use for extraction/normalization; agentic patterns with guardrails and sanity checks.
Analytical writing; collaborative, version-controlled workflow (Git); documentation rigor.
4-7+ years in CTI/EASM/offensive research or adversary-infra analysis.
DNS, BGP/ASNs, TLS/PKI & CT logs, hosting/CDN/cloud patterns, domain lifecycle, phishing ecosystems.
Communities/embeddings/clustering; temporal/link modeling and practical evaluation.
Passive discovery and safe active probing; evidence discipline and noise reduction.
STIX 2.1, ATT&CK, TAXII; advantage for OpenCTI/MISP; ontology alignment and validation.
Python (pandas, notebooks, scikit-learn, networkx/igraph); Neo4j/Elasticsearch; Kafka/SQS/Redis; Docker/Kubernetes.
Prompting/tool-use for extraction/normalization; agentic patterns with guardrails and sanity checks.
Analytical writing; collaborative, version-controlled workflow (Git); documentation rigor.
This position is open to all candidates.
