DTCC

Threat Hunt Senior Associate

DTCC$100K — $130K *
Information Technology
Less than 5 years of experience
Job Overview by Ladders

Qualifications

  • 3-6 years of relevant experience in Threat Hunting or Security Operations.
  • Bachelor's Degree or equivalent experience in cybersecurity.
  • Proven experience in executing hypothesis-driven hunts with clear documentation.
  • Strong log analysis skills across multiple data sources including endpoint, identity, and cloud.
  • Familiar with languages such as KQL, Splunk SPL, Elastic (EQL/KQL), and Google SecOps query language.
  • Understanding of operating systems including Windows and Linux internals.
  • Clear communication skills for documenting findings and escalation procedures.

Responsibilities

  • Execute hypothesis-based threat hunts aligned with MITRE ATT&CK techniques.
  • Utilize behavioral analytics for identifying suspicious activity across diverse telemetry sources.
  • Maintain detailed documentation of hunt activities, including evidence and follow-up actions.
  • Correlate logs from multiple sources to construct narratives from partial signals.
  • Investigate attacker methodologies and recommend containment strategies.
  • Translate hunt results into effective detection and control measures.
  • Collaborate with Red and Purple teams to improve detection coverage and response playbooks.

Benefits

  • Opportunities for professional growth and continuous learning.
  • Access to advanced tools and technologies in a supportive environment.
  • Collaboration with experienced teams in a dynamic setting.
  • Involvement in innovative cybersecurity projects.
  • Potential participation in cybersecurity competitions and training sessions.
Full Job Description
Job Description

The Impact you will have in this role:

Being a member of CISO Team and as a Threat Hunt Senior Associate, you will execute hypothesis-driven hunts across endpoint, identity, network, and cloud telemetry; track and document hunt activity end-to-end; and translate findings into actionable improvements, detections, response playbooks, hardening tasks, and prioritized engineering work.

This role is hands-on and requires a practitioner mindset: you'll spend your time asking better questions of the data, validating what "normal" looks like in complex systems, and proving or disproving attacker behaviors using repeatable methods. You'll also provide surge support to incident response during investigations where hunt techniques accelerate containment and root cause analysis.

This is a mid-level role for someone who can operate independently on scoped hunts, communicate clearly, and contribute to a sustained, measurable hunting program.

Your Primary Responsibilities:

Hunt Execution & Documentation (Core)
  • Execute hypothesis-based threat hunts mapped to MITRE ATT&CK tactics/techniques, focusing on realistic adversary behaviors (credential access, persistence, lateral movement, defense evasion, and cloud abuse).
  • Use behavioral analytics and anomaly detection to identify suspicious patterns across endpoint + identity + cloud + network telemetry, then validate with deeper artifact review.
  • Perform, track, and record hunt activity in a structured way: hypotheses, datasets queried, query versions, findings (positive/negative), evidence, confidence, and follow-up actions.
  • Maintain clean, audit-ready hunt notes that allow another analyst to reproduce your work and understand decisions made under uncertainty.

Investigative Workflows & Telemetry Correlation
  • Correlate logs across EDR/XDR, SIEM, cloud control plane logs, identity logs, and container/Kubernetes telemetry to build a coherent narrative from partial signals.
  • Investigate attacker tradecraft such as:
    • Credential theft and replay (token theft, OAuth abuse, suspicious refresh patterns)
    • "Living off the land" execution (PowerShell, WMI, LOLBins on Windows; bash/curl/wget/systemd on Linux)
    • Persistence mechanisms (scheduled tasks/cron, service modifications, registry run keys, launch agents)
  • Command-and-control behaviors and egress anomalies (beaconing, domain fronting indicators, unusual TLS fingerprints where available)
  • Cloud and Kubernetes abuse (suspicious role assumptions, unusual API call sequences, kubeconfig access, container escape precursors)
  • Triage and deepen suspicious signals into defensible findings: timeline, scope, impact, root cause, and containment recommendations.

Detection Engineering & Continuous Improvement
  • Translate hunt results into durable controls: new detections, tuning improvements, telemetry onboarding, or gaps to address (instrumentation, logging coverage, parsing, enrichment).
  • Draft and iterate detection logic (e.g., Sigma/YARA, SIEM analytics rules, EDR custom IOAs) with measurable success criteria: false-positive rate, time-to-detect improvements, and coverage mapped to ATT&CK.
  • Partner with SOAR/automation engineers to operationalize repetitive enrichment and triage steps into playbooks.

Purple Teaming & Adversary Simulation
  • Collaborate with Red Team / Purple Team efforts to validate detection coverage, refine alerts, and ensure hunts align to current and relevant TTPs.
  • Help design and execute controlled simulations (atomic tests, adversary emulation plans), then close the loop by updating detections, documentation, and response procedures.
  • Incident Support (When Needed)
  • Provide incident surge support: rapid scoping queries, hunting for related activity, identifying patient-zero candidates, and strengthening containment decisions with evidence.
  • Contribute to post-incident reviews by identifying detection gaps, improving playbooks, and capturing lessons learned as backlog items.

**NOTE: The Primary Responsibilities of this role are not limited to the details above. **

Qualifications:
  • Min 3-6 years of relevant experience
  • Bachelor's Degree and/or equivalent experience
  • 3-6 years in Threat Hunting, Detection Engineering, Incident Response, or SOC investigations in a production environment (financial services/fintech experience is a plus but not required).
  • Demonstrated experience running hypothesis-driven hunts and documenting outcomes in a way that supports repeatability and measurement.
  • Strong log analysis skills and comfort working across multiple telemetry sources (endpoint, identity, network, cloud).
  • Practical detection and query experience in one or more:
    • KQL (Microsoft Sentinel / Defender)
    • Splunk SPL
    • Elastic/Kibana (EQL/KQL/Lucene)
    • Chronicle/Google SecOps query language or equivalent
  • Solid operating system fundamentals:
  • Windows internals basics (process ancestry, services, scheduled tasks, registry persistence)
  • Linux fundamentals (systemd, cron, auth logs, process/network inspection)
  • Familiarity with attacker tradecraft and investigative methods aligned to MITRE ATT&CK; ability to map raw evidence to techniques without forcing it.
  • Ability to communicate clearly-writeups that separate observation from inference, quantify confidence, and identify next steps.
  • Proven ability to prioritize: know when you have enough evidence to escalate vs. when to keep iterating.


Talents Needed for Success:
  • Experience hunting across cloud + containerized environments (AWS/Azure/GCP; Kubernetes; CI/CD telemetry).
  • Experience developing or tuning detections using Sigma, YARA, EDR custom detections, or SIEM correlation rules.
  • Familiarity with NIST CSF / NIST 800-61 incident response concepts and how hunting feeds detection/response maturity.
  • Experience with SOAR automation, enrichment pipelines, and case management workflows.
  • Comfortable scripting for analysis and automation (Python, PowerShell, Bash) and using tools like jq, osquery, CyberChef.

Certifications (any of the following are valued):
  • GCFA, GCIH, GCIA
  • OSCP (useful signal for investigative depth; not required)
  • CISSP (helpful for program maturity context; not required)

Tools & Technologies

You won't need every item day one-but you should be comfortable learning quickly and working across a modern stack.

EDR/XDR: Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne (or equivalent)

SIEM / Analytics: Microsoft Sentinel (KQL), Splunk (SPL), Elastic (EQL/KQL), Chronicle/Google SecOps

Cloud & Identity: Azure/AWS logs, Entra ID/Azure AD, Okta (or equivalent), CloudTrail/Activity Logs, IAM telemetry

Containers: Kubernetes audit logs, container runtime signals, registry, and CI/CD telemetry

Detection Content: Sigma, YARA, ATT&CK mappings, custom IOAs, correlation rules

Workflow: Case management, runbooks/playbooks, SOAR tooling, structured reporting, and metrics

The salary range is indicative for roles at the same level within DTCC across all US locations. Actual salary is determined based on the role, location, individual experience, skills, and other considerations.

About DTCC

The Depository Trust & Clearing Corporation (DTCC) is a financial services company that provides clearing, settlement, and information services for the global financial industry. DTCC was founded in 1999 and is headquartered in New York City. The company operates through subsidiaries that provide services such as trade matching, risk management, and asset servicing. DTCC is owned by its users, which include broker-dealers, banks, and other financial institutions. The company is committed to reducing risk and increasing efficiency in the financial markets.
Learn more about DTCC
Size
4,000 employees
Industry
Founded
1973

Similar Jobs

More Jobs at DTCC

More Information Technology Jobs

Find similar Threat Hunt Senior Associate jobs: