Senior Threat Researcher

Do you want to help make the world safe from cyber attack? At Corelight, we believe that the best approach to cybersecurity risk starts with the network. Attackers can evade endpoint detection, firewalls and many other technologies - but they can’t avoid leaving digital footprints on the networks they traverse. Built on open-source innovations from Zeek, Suricata and YARA and refined through years of real-world use, Corelight transforms network footprints from physical, virtual and cloud networks into actionable insights. Our customers use these insights to speed incident response and proactively hunt for threats.

At Corelight, we don't just find threats; we decode the language of the network to stay steps ahead of the adversary. As a Senior Threat Researcher, you sit at the strategic intersection of our Detection Engineering and Machine Learning (ML) teams. You are the "expert bridge"—translating complex attacker behaviors into the high-fidelity data signals that power our advanced AI models. By leveraging your deep understanding of network traffic and threat actor psychology, you will guide our data scientists to solve concrete security challenges, ensuring our detections are not just innovative, but devastatingly effective against real-world attacks.

Specific Responsibilities:

• Architect AI-Driven Detections: Lead the independent delivery of high-quality research and code for complex network detections, authoring clear design documents that articulate technical trade-offs to stakeholders.
• Bridge Detection & Data Science: Act as the network security subject matter expert for ML/AI teams, pinpointing critical signals within telemetry (Zeek, NetFlow, PCAPs) to drive feature engineering and model training.
• Simulate Adversary Behavior: Utilize offensive frameworks like Caldera and Cobalt Strike to generate the synthetic lab data necessary to train and validate robust, real-world ML models.
• Roadmap Alignment: Align individual research and prototyping tasks with quarterly milestones and the overarching 12-month roadmap to ensure maximum product impact.
• Optimize Research Workflows: Identify gaps in current processes and actively propose improvements to team-level tools, testing frameworks, and documentation to increase overall velocity.
• Mentor and Uplevel: Guide newer team members and interns through technical workflows and conduct constructive research reviews to maintain a high standard of collective output.

Knowledge/Skills/Abilities needed to be successful:

• Network Protocol Mastery: Deep competence in the OSI model and TCP/IP, with the ability to map emerging adversary tactics to quantitative detection strategies across protocols like HTTP/S, DNS, SMB, and TLS.
• Data Science Translation: A strong understanding of the practical application of ML for behavioral data, including the ability to navigate challenges like model drift, false positives, and latency.
• Network Telemetry Expertise: Proficiency in extracting and transforming network logs (Zeek, Suricata) using Python and SQL to identify subtle indicators of C2 beaconing or lateral movement.
• Offensive Security Insight: Familiarity with Red Team operations and the ability to reverse-engineer attacker behaviors into programmatic detection logic.
• Product-Centered Thinking: The ability to navigate ambiguity and ensure technical research projects directly support long-term product objectives and milestones.
• Effective Technical Liaison: A proactive communicator who can simplify complex AI concepts for security stakeholders while providing deep domain context to data science peers.
• Collaborative Mentorship: A low-ego approach to peer review and a commitment to elevating team capability through shared knowledge and constructive feedback.

Qualifications/Requirements:

• Professional Experience: 5+ years of experience in Threat Research, Detection Engineering, or Network Threat Hunting.
• Technical Proficiency: Extensive experience analyzing network traffic with Zeek/Bro, Suricata, and Wireshark.
• Scripting & Data: Strong working knowledge of Python and SQL for manipulating and analyzing massive datasets.
• Security Domain Knowledge: Proficiency in mapping detections to the MITRE ATT&CK framework and simulating threats with offensive security tools.
• Autonomy: Demonstrated ability to act independently on moderate-to-complex projects, exercising strong judgment in selecting technical methods.
• Education: Bachelor’s or Master’s degree in Computer Science, Cybersecurity, Data Science, or equivalent practical experience.

Fueled by investments from top-tier venture capital organizations such as Crowdstrike, Accel and Insight, Corelight is the fastest growing network detection and response platform in the industry. Our customers trust us to protect mission-critical assets in leading enterprises, government, and research institutions worldwide. We are leading the way with AI-assisted workflows, machine learning models, cloud security and SaaS-based solutions to arm defenders with the tools and knowledge they need to disrupt cyber attacks. Our team of passionate innovators are dedicated to solving some of the toughest challenges in cybersecurity, while fostering a collaborative, inclusive, and growth-oriented culture. Corelight is committed to a geographically distributed yet connected employee base with employees working from home and office locations around the world. At Corelight, we take pride in the diversity of our backgrounds and perspectives, and we are committed to fostering an inclusive environment that strengthens our company. By embracing a wide range of experiences, backgrounds, neurodiversity, talents, and approaches to problem-solving, we aim to create a workplace where everyone can thrive and contribute their best.

We are looking forward to meeting you. Check us out at www.corelight.com