Magnet.me  -  The smart network where students and professionals find their internship or job.

Detection Engineer

Posted 14 Apr 2026
Work experience: 2 to 6 years
Full-time / part-time: Full-time
Job function
Degree level
Required language: English (Fluent)

This role is for a Detection Engineer within the Cyber Defense Capabilities team, responsible for designing, implementing, and continuously validating detection capabilities for CSIRT. This includes building high-fidelity detection logic, regression testing to ensure detections remain effective over time, and executing breach and attack simulations (BAS) to align detection coverage with evolving adversary techniques and threat intelligence.

The detection engineer works closely with incident responders, threat hunters, and threat intelligence analysts to drive continuous improvement and reduce mean time to detect (MTTD).

Your role

  • Develop, test, and maintain detection rules, signatures, and correlation logic in SIEM and related platforms.
  • Conduct regression testing of detection rules to ensure accuracy, resilience, and functionality following system updates or logic changes.
  • Perform breach and attack simulations (BAS) to validate detection use cases, tied directly to threat intelligence and adversary TTPs.
  • Map detection logic to adversary techniques using frameworks such as MITRE ATT&CK and ensure coverage of priority threat scenarios.
  • Integrate threat intelligence feeds, IOCs, and behavioral patterns into detection workflows.
  • Regularly tune and refine detection logic to reduce false positives and optimize alert fidelity.
  • Partner with incident response and threat hunting teams to validate detections, perform purple team exercises, and address detection gaps.
  • Automate enrichment, correlation, and triage processes through SOAR playbooks and custom scripts.
  • Implement lessons learned from incidents and simulations into new or improved detections.
  • Maintain documentation, detection repositories, and test playbooks for operational continuity.
  • Contribute to SOC metrics, including detection coverage, false positive ratios, regression test outcomes, and BAS validation reports.

You're the right fit if

  • Bachelor’s degree in Cybersecurity, Computer Science, or related field.
  • Minimum 2 years of experience in areas such as Security Architecture, Network Security, Cybersecurity Technology, Information Security or equivalent.
  • Strong experience with SIEM platforms (e.g., Splunk, Sentinel).
  • Proficiency in detection engineering, log parsing, and data normalization.
  • Working knowledge of artificial intelligence concepts and practical experience applying AI or machine learning techniques within cybersecurity functions, such as threat analysis, automation, or analytics.
  • Familiarity with adversary simulation tools (e.g., AttackIQ, Caldera, commercial BAS platforms).
  • Knowledge of threat intelligence integration and frameworks (MITRE ATT&CK).
  • Scripting ability in Python, PowerShell, or similar languages.
  • Experience with cloud environments (AWS, Azure, GCP, Aliyun) and associated security telemetry; strong understanding of network protocols, endpoint security, and common attack techniques.
  • Hands-on experience with SOAR platforms and automation development.
  • Prior exposure to purple team exercises and continuous validation methodologies.
  • Familiarity with detection engineering in containerized or modern application environments (Kubernetes, serverless).

About Philips

We are a health technology company.

Philips is a leading health technology company focused on improving people’s lives across the health continuum – from healthy living and prevention, to diagnosis, treatment and home care. Applying advanced technologies and deep clinical and consumer insights, Philips delivers integrated solutions that address the Quadruple Aim: improved patient experience, better health outcomes, improved staff experience, and lower cost of care.

Manufacturing
Amsterdam
Active in 100 countries
11,000 employees
60% men - 40% women
Average age is 39 years