
ManpowerGroup Hiring! Full Time Security Engineer (Detection Engineering) in Federal Territory - Ricebowl

Security Engineer (Detection Engineering)

Undisclosed

KL City, Federal Territory


Working Location

  • Kuala Lumpur Federal Territory Malaysia

Job Description

Responsibilities

We are looking for a Security Engineer (Detection Engineering) – Contract to research and build new detection capabilities, with a primary focus on:

  • Amazon EKS and containerized microservices
  • AI / MCP and agentic systems security detections
  • Autonomous vehicle / IoT platforms and supporting infrastructure
  • Other emerging threats identified through incidents, threat intel, purple teaming, and ongoing findings

Beyond creating new detections, this role will actively participate in the detection lifecycle — supporting investigations, improving signal quality, and driving timely fine-tuning and maintenance of existing rules. This is a hands-on, engineering-heavy role that combines threat research, security operations experience, and software engineering to deliver high‑fidelity, well-documented detections for SIEM, EDR, SOAR, and our security data lake platforms.
About the Role

The day-to-day activities:

Research & design new detections

  • Research attacker TTPs relevant to the focus areas and translate them into concrete detection opportunities.
  • Perform focused analysis of log sources (e.g., Kubernetes/EKS, CloudTrail, GuardDuty, autonomous vehicle (AV) telemetry, AI/agent frameworks) to understand visibility, constraints, and potential blind spots.
  • Collaborate with other teams (e.g., threat intel, red/purple team, and incident responders) to turn incident learnings and threat intel into proactive detections rather than one-off fixes.

Build, test, and deploy detection logic

  • Implement high-fidelity detection rules and analytics across platforms such as SIEM, EDR, and custom detection frameworks, following detection-as-code practices (version control, code review, automated tests, CI/CD).
  • Work with large-scale log data in the Security Data Lake to prototype, validate, and iterate on detection logic using SQL/KQL.
  • Ensure detection logic is operationally sound: performant at scale, resilient to data quality issues, and suitable for both near real-time and batch use cases.

Own the detection lifecycle & tuning

  • Participate in day-to-day detection lifecycle activities: backlog grooming, prioritisation, development, staging, deployment, monitoring, and iterative tuning.
  • Review alert quality, false positive patterns, and coverage gaps; drive targeted fine-tuning and suppression strategies to reduce alert fatigue while preserving coverage.
  • Support the creation and tracking of detection metrics (e.g., time to deploy, false positive rate, coverage, detection MTTR inputs) and use them to guide continuous improvement.

Incident & response support

  • Work closely with CSIRT to triage and investigate alerts where required, validate detection hypotheses, and deliver emergency detections when active threats are discovered.
  • Provide clear guidance on expected behaviour, triage steps, and response actions so responders can act confidently and consistently.
  • Participate (where required) in ad-hoc or rostered on-call / incident support to address urgent security matters.

Documentation, communication & collaboration

  • Produce high-quality detection documentation (goal, context, logic, false positives, blind spots, response playbook) aligned to our detection framework standards.
  • Present new detections and significant alerts to Cyber Defence; explain the why, the how, and the operational impact.
  • Proactively reach out to other teams to improve log coverage, validate assumptions, and drive adoption of new detection and response workflows.
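To make the "detection-as-code" and "operationally sound" bullets concrete, here is an added example of what a reviewable, unit-testable detection for the EKS focus area can look like. It is illustration written for this page, not code from ManpowerGroup or the hiring company. It assumes the input is the standard audit.k8s.io/v1 Event format that EKS forwards to CloudWatch when the control plane audit log is enabled (fields such as stage, verb, user.username, objectRef.subresource, requestObject.spec.containers[].securityContext are part of that format); the two rule names, the allowlist values, and the sample events are all constructed for the example.

```python
"""Two Kubernetes audit-log detections written detection-as-code style.

Added example, not code from the job posting. Assumes audit.k8s.io/v1 events
(the format EKS sends to CloudWatch). Rule names, allowlists and samples are
constructed for illustration.
"""
from __future__ import annotations
import json
from typing import Iterable

# Documentation lives next to the logic so goal, tuning and blind spots are
# reviewed in the same pull request as the rule itself.
RULES = {
    "eks-pod-exec-by-human": {
        "goal": "Interactive exec into a pod by a principal that is not an approved automation identity.",
        "false_positives": "On-call engineers debugging; tune via EXEC_ALLOWLIST, not by disabling the rule.",
        "blind_spots": "Exec via a compromised node talking to the kubelet API never reaches the apiserver audit log.",
        "severity": "medium",
    },
    "eks-privileged-pod-create": {
        "goal": "Creation of a pod with a privileged container, a common precondition for container escape.",
        "false_positives": "CNI/CSI DaemonSets legitimately run privileged; tune via PRIVILEGED_NAMESPACE_ALLOWLIST.",
        "blind_spots": "Does not cover hostPID/hostPath-only escapes; pods created by a controller show the controller as user.",
        "severity": "high",
    },
}

# Tuning knobs (assumed values): identities allowed to exec, namespaces allowed to run privileged pods.
EXEC_ALLOWLIST = {"system:serviceaccount:ci:deploy-bot"}
PRIVILEGED_NAMESPACE_ALLOWLIST = {"kube-system"}


def _privileged_containers(request_object: dict) -> list[str]:
    """Names of containers (including initContainers) with securityContext.privileged == true."""
    spec = (request_object or {}).get("spec") or {}
    hits = []
    for key in ("initContainers", "containers"):
        for c in spec.get(key) or []:
            if (c.get("securityContext") or {}).get("privileged") is True:
                hits.append(c.get("name", "<unnamed>"))
    return hits


def evaluate(event: dict) -> list[dict]:
    """Run every rule against one audit event and return zero or more alerts."""
    # Only the ResponseComplete stage carries the response code, so evaluating
    # that stage alone both drops RBAC-denied requests (4xx) and avoids
    # double-counting the RequestReceived copy of the same request.
    if event.get("stage") != "ResponseComplete":
        return []
    if (event.get("responseStatus") or {}).get("code", 0) >= 400:
        return []
    user = (event.get("user") or {}).get("username", "")
    ref = event.get("objectRef") or {}
    is_pod_create = event.get("verb") == "create" and ref.get("resource") == "pods"
    alerts = []
    if is_pod_create and ref.get("subresource") == "exec" and user not in EXEC_ALLOWLIST:
        alerts.append({"rule": "eks-pod-exec-by-human", "severity": RULES["eks-pod-exec-by-human"]["severity"],
                       "user": user, "namespace": ref.get("namespace"), "pod": ref.get("name")})
    if is_pod_create and not ref.get("subresource"):
        priv = _privileged_containers(event.get("requestObject") or {})
        if priv and ref.get("namespace") not in PRIVILEGED_NAMESPACE_ALLOWLIST:
            alerts.append({"rule": "eks-privileged-pod-create", "severity": RULES["eks-privileged-pod-create"]["severity"],
                           "user": user, "namespace": ref.get("namespace"), "pod": ref.get("name"), "containers": priv})
    return alerts


def run(lines: Iterable[str]) -> list[dict]:
    """Batch or stream entry point: one JSON event per line; malformed lines are skipped, not fatal."""
    out = []
    for line in lines:
        try:
            out.extend(evaluate(json.loads(line)))
        except json.JSONDecodeError:
            continue  # data-quality resilience: one bad line must not stop the whole run
    return out


def _priv_pod(name: str) -> dict:
    return {"spec": {"containers": [{"name": name, "securityContext": {"privileged": True}}]}}


# Constructed sample audit lines (not real cluster data). Expected: exactly two alerts.
SAMPLE_AUDIT_LINES = [json.dumps(e) for e in [
    {"stage": "ResponseComplete", "verb": "create", "user": {"username": "alice"}, "responseStatus": {"code": 101},
     "objectRef": {"resource": "pods", "namespace": "payments", "name": "api-0", "subresource": "exec"}},      # alert
    {"stage": "ResponseComplete", "verb": "create", "user": {"username": "system:serviceaccount:ci:deploy-bot"},
     "responseStatus": {"code": 101}, "objectRef": {"resource": "pods", "namespace": "ci", "name": "job-1", "subresource": "exec"}},
    {"stage": "RequestReceived", "verb": "create", "user": {"username": "bob"},
     "objectRef": {"resource": "pods", "namespace": "payments", "name": "api-1", "subresource": "exec"}},      # wrong stage
    {"stage": "ResponseComplete", "verb": "create", "user": {"username": "eve"}, "responseStatus": {"code": 403},
     "objectRef": {"resource": "pods", "namespace": "payments", "name": "api-1", "subresource": "exec"}},      # denied
    {"stage": "ResponseComplete", "verb": "create", "user": {"username": "mallory"}, "responseStatus": {"code": 201},
     "objectRef": {"resource": "pods", "namespace": "payments", "name": "dbg"}, "requestObject": _priv_pod("app")},  # alert
    {"stage": "ResponseComplete", "verb": "create", "user": {"username": "system:serviceaccount:kube-system:daemon-set-controller"},
     "responseStatus": {"code": 201}, "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "aws-node-x"},
     "requestObject": _priv_pod("aws-node")},                                                               # allowlisted ns
]] + ["{not json"]

if __name__ == "__main__":
    for alert in run(SAMPLE_AUDIT_LINES):
        print(json.dumps(alert))
```

The stage and response-code gate is the kind of "operationally sound" choice the posting asks for: without it the rule fires twice per request and also on attempts RBAC already blocked, which is exactly the false-positive pattern that drives alert fatigue. The allowlists are data, not code, so tuning is a reviewed change to a constant rather than an edit to the logic, and the constructed sample lines double as the automated test that a CI pipeline would run before deployment.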


Qualifications

  • A degree in Computer Science, Software Engineering, Cyber Security or related fields

Required Skills

  • Hands-on security response experience (e.g., SOC, DFIR, security engineering) with a track record of investigating real incidents, writing timelines, and driving remediation.
  • Experience with at least one cloud platform (Azure, AWS, GCP).
  • Direct experience working with SIEM, EDR and/or SOAR platforms in an operational environment (e.g., building rules, dashboards, playbooks, or integrations).
  • Strong coding skills in at least one general-purpose language (ideally Python) for building detection logic, data processing scripts, and automation/integration workflows.
  • Comfortable writing detection and investigation queries in SQL, including working with large security datasets in a data-lake or big-data environment.
  • Demonstrated experience building and fine-tuning detection rules across multiple log sources (cloud, endpoint, network, identity, SaaS) to reduce noise while maintaining coverage.
  • Experience using AI tools.
  • Ability and willingness to proactively communicate — reaching out to stakeholders, clearly presenting alerts and new detections, and driving alignment without waiting for direction.
