What are the responsibilities and job description for the AOUSC - Detection Engineering Lead position at cFocus Software Incorporated?
cFocus Software seeks a Detection Engineering Lead to join our program supporting the Administrative Office of the United States Courts (AOUSC). This position is Hybrid with the onsite location being in Washington, DC. This position requires a Public Trust clearance.
Qualifications:
Qualifications:
- Active Public Trust clearance
- B.S. Computer Science, Information Technology, or a related field
- 5 years within IR in a large SOC (over 5,000 endpoints) with at least 3 years focused on proactive detection engineering, threat hunt, or adversary emulation.
- 3 years of experience with demonstrated proficiency in forming hypothesis, querying large datasets and identifying APT behavior.
- 2 years’ experience with demonstrated proficiency in scripting languages including Python and PowerShell to develop new tools.
- 2 years’ experience with demonstrated proficiency developing detections in a SIEM (utilizing Splunk ES or Microsoft Sentinel).
- This role most closely aligns with the NICE work role PD-WRL-006 (Threat Analysis).
- Active OSCP or GXPN certification
- Lead Detection Engineering operations supporting AOUSC Security Operations Division (SOD) mission objectives and defensive cybersecurity operations.
- Provide full lifecycle support for cybersecurity detection engineering activities, including research, testing, implementation, tuning, deployment, and maintenance of detection capabilities.
- Research emerging cyber threats, adversary capabilities, attack methodologies, and Tactics, Techniques, and Procedures (TTPs) to improve detection coverage and SOC visibility.
- Develop, test, validate, and deploy new SIEM detection signatures, analytics, rules, and workflows to enhance threat detection capabilities and minimize analyst burden.
- Maintain and manage the Risk Based Alerting (RBA) framework within the Judiciary SIEM environment to ensure effective detection of risky or malicious activity.
- Coordinate weekly meetings with SOC analysts and stakeholders to review alert performance, analyst feedback, false positives, and detection tuning requirements.
- Analyze all false positive alerts to determine necessary tuning, whitelisting, suppression logic, and gaps in security monitoring or analytics.
- Develop and maintain detailed documentation for all detection engineering changes, configuration updates, rule logic, workflows, and implementation procedures.
- Coordinate with Threat Hunting, Cyber Threat Intelligence (CTI), Cybersecurity Triage, Incident Response, and Blue Team personnel to operationalize intelligence-driven detections.
- Develop new alerts and detections in response to emerging cybersecurity threats, active vulnerabilities, malicious campaigns, and government-directed priorities.
- Ensure critical vulnerability-related detections are deployed within required service level timelines, including 24-hour implementation for critical severity alerts.
- Conduct analysis and validation of new alerts from security devices and external telemetry sources to determine operational impact, detection value, and analyst workflow considerations.
- Track all detection engineering changes, modifications, additions, and removals through Jira stories and established Agile workflows.
- Develop weekly operational reports summarizing security events, alert dispositions, workforce metrics, tuning activities, detection improvements, and outstanding issues.
- Document and maintain all detection framework changes within configuration files, knowledge management portals, and operational repositories.
- Support development and implementation of detection engineering execution plans aligned to AOUSC operational priorities, organizational risks, and emerging threat vectors.
- Provide recommendations for improving telemetry collection, log visibility, event correlation, and security monitoring effectiveness across Judiciary systems and cloud environments.
- Collaborate with Blue Team personnel to improve detection coverage associated with Red Team findings, adversary emulation, and cyber exercises.
- Prepare and deliver technical briefings, operational status reports, executive summaries, and stakeholder presentations.
- Support transition-in, transition-out, operational readiness, and knowledge transfer activities in accordance with AOUSC requirements.