Threat Intelligence Developer

Job type: 


Job location: 

  • City of London

The Treat Intelligence Developer will be working across these teams while they identify and investigate intrusions, evolve collection strategies, implement new red-team TTPs and much more. You will get the first shot at coming up with innovative techniques to solve a wide range of needs – from urgent scripts needed on an incident response case, to longer-term development and maintenance of our threat intelligence platforms, to methods to automate the creation of online personas and associated infrastructure to be used in red team engagements.


  • Owning the coordination and implementation of technical development requirements from red and blue teams (e.g. working with a reverse engineer to implement a configuration decoder for a malware family, integrating a new data source to a TI platform, automating the provision of VMs and domains etc. for an adversary simulation engagement).
  • Ownership of the end-to-end integration for our threat intelligence stack (ad-hoc collection scripts, malware sandboxes, Yara/OpenIOC distribution, sinkholes etc.);
  • Experience in Python, JavaScript, SQL, NoSQL (Elastic, Mongo), PowerShell desired;
  • Any UI/UX experience would also be a huge plus.
  • Maintaining a general understanding of open source and commercial red and blue team tooling.
  • Eagerness to get stuck in and help out with analysis on threat intel and incident response engagements in order to inform future technology requirements;
  • Experience of analytical tools and capabilities used in a Cyber Intelligence functions such as Maltego or MISP.
  • Understanding of open source and commercial information sources such as VirusTotal, Hybrid Analysis and OTX.
  • Deep understanding of the Cyber Kill Chain and the Diamond model and how they apply to threat intelligence.
  • Basic knowledge of security network architectures (e.g. Firewalls, DMZ, proxies, DNS, web and mail servers) and the principles of network security.
  • Experience of malware analysis and being able to interpret their findings as well as from vendor reporting.
  • Ability to normalise and analyse large datasets, often in unstructured formats.

job reference: