Note: The job is a remote job and is open to candidates in USA. Ocient is a company focused on data engines that process network and security telemetry at a large scale. They are seeking a Network Infrastructure & Security Engineer to lead the development of SQL-based detections and manage the technical program for network data capture and analysis.
Responsibilities
- Write detection logic. Design, write, and maintain SQL-based behavioral detections and anomaly-scoring logic on top of Ocient's engine — lateral movement, C2 beaconing, DNS tunneling, data exfiltration, and low-and-slow attack patterns using rolling 7/30/90-day baselines
- Run the technical program day to day. Build, test, tune, and validate detections against real and simulated telemetry, hands-on — not just define requirements for someone else to build
- Build the datasets and demo environment. Work with the team building the demo environment to generate the underlying datasets needed to develop and showcase detections and use cases, alongside the broader platform build-out
- Make the work reusable. Build detection logic so it generalizes (~90% reusability) across the industries we support — financial services, telecommunications, energy, healthcare, and government — rather than as vertical-specific one-offs
- Shape network probe & data collection strategy. Evaluate and help define our approach to high-volume network data capture, including tradeoffs between commercial probes (Gigamon, NetQuest) and lower-cost or open-source alternatives (e.g., Zeek/Suricata-based collection)
- Keep integrations clean. Make sure detections and enrichment output integrate cleanly with customers' existing SIEM/EDR stack (Splunk, Chronicle, Sentinel, CrowdStrike) so adoption doesn't require a rip-and-replace
- Deliver hands-on during customer pilots. Provide hands-on technical delivery during customer proof-of-value pilots — configuring ingestion, tuning baselines, and validating detections against a customer's actual telemetry
- Document as you go. Write up detection logic, runbooks, and technical playbooks so the team's detection library is maintainable and transferable as we grow
Skills
- 5+ years in network security engineering, detection engineering, or SOC/threat hunting roles, with direct, hands-on experience building detection content — not just consuming or tuning vendor-supplied rules
- Strong working experience with network telemetry: NetFlow/IPFIX, DNS logs, and PCAP analysis at scale
- Demonstrated experience writing detection logic or correlation content (Sigma rules, SIEM correlation rules, or custom SQL-based detections)
- Proficiency in SQL and comfort working directly in large-scale data platforms or data warehouses
- Familiarity with network probe/sensor technologies (Gigamon, NetQuest, or open-source equivalents such as Zeek or Suricata) and the tradeoffs between them
- Solid understanding of the MITRE ATT&CK framework and behavioral/statistical anomaly detection methods (baselining, z-score deviation, peer-group analysis)
- Experience integrating detection output with SIEM/SOAR/EDR platforms (Splunk, Chronicle, Sentinel, CrowdStrike, SentinelOne, or similar)
- Comfortable operating independently in a build-from-scratch, startup-within-a-company environment — this role will define as much process as it executes against
- Experience with carrier-scale signaling protocols (Diameter, SS7) relevant to telecom security use cases
- Scripting/programming ability (Python) for automation, enrichment pipelines, and tooling
- Experience with cloud audit log analytics (AWS CloudTrail, Azure Activity Log, GCP Cloud Audit)
- Experience with OT/ICS telemetry (Modbus, DNP3, IEC 61850) or protocols relevant to critical infrastructure
- Active security clearance, or eligibility to obtain one, for future government/defense engagements
Company Overview