Threat Hunting Analyst

  • Location:
    RTP, North Carolina, US

Cisco's Security Visibility and Incident Command (SVIC) forms part of the investigative branch of Cisco's Security and Trust Organization (S&TO), and is Cisco's cyber investigations and forensics team. It provides Cisco with tailored security monitoring services in order to protect Cisco from cyber attacks and the loss of its intellectual assets. The primary mission of SVIC is to help ensure company, system, and data preservation by performing comprehensive investigations into computer security incidents, and to contribute to the prevention of such incidents by engaging in dedicated threat assessment, mitigation planning, incident trend analysis, and security architecture review. The Security Visibility and Incident Command is a highly-functioning, diverse, and globally distributed group of best-in-class professionals from various technical backgrounds. We're Open Source Software contributors, technical authors, tool builders, DFIR community members, lock pickers, makers, and breakers.

*No Full-time Remote*

What You'll Do

SVIC is looking for an experienced security professional to join SVIC's Threat Intelligence Operations and Research Team. This is an opportunity to contribute to a highly transparent security operations function with global impact upon Cisco, its diversified business, business units, service ventures, partners, and customers. We are looking for a motivated individual with good team fit and the ability to focus on data security and incident analysis. You have a very strong interest in complex problem solving and the ability to challenge assumptions, consider alternative perspectives, think nimbly, and perform in high-stress situations, while operating exceedingly well in a strong, tight-knit, collaborative team environment.


Role & Responsibilities

  • Document cases, procedures, analysis, and investigations accurately and thoroughly (including best-practice documentation).
  • Assist with setup and tuning of multiple security monitoring products and data feeds.
  • Collaborate with data source SMEs in SVIC and InfoSec to enhance, improve, or modify cloud-based (IaaS, SaaS, etc.) security detection and response.
  • Update, modify, and enhance existing programs used for security detection and response.
  • Develop documentation on all custom solutions.
  • Identify attackers and their methods, but also use your IT and networking expertise to improve detection logic.

Role Specific Skills

Attack Analysis:

  • Malware Reverse Engineering
  • Attacker Tools
  • Log Analysis (System, Firewall, Application)

Cyber Threat Intelligence:

  • Threat Hunting
  • Intelligence Analysis
  • Attacker Methodology
  • Industry Peer Collaboration & Information Sharing

Incident/Investigations Handling:

  • CyberSecurity Impact Assessment
  • CyberSecurity Problem Management
  • Automation/SOAR
  • Root Cause ID / LTF

Non-Cisco Tools: Splunk, OSQuery, ThreatQuotient, MISP, RecordedFuture, Volatility, Cuckoo, Maltego, PowerShell, Wireshark, EnCase, Tableau

Cisco Tools: AMP4E, Network AMP, WSA, Firepower IPS, NGFW, ESA, CTA, ThreatGrid, Stealthwatch, Umbrella, SecureX, CPO

Languages: Python, Go, Java, JavaScript, SQL, MySQL, STIX/TAXII, MITRE ATT&CK

Relevant Certifications:


Minimum Qualifications

  • Good technical skills in a variety of operating systems, languages, and databases
  • Some scripting/coding abilities
  • Agility and willingness to deal with a high level of ambiguity and change
  • Flexibility – willingness to pitch in where needed across program and team
  • Ability to work at Cisco's Research Triangle Park, NC campus (No Full-time Remote)
  • Occasional travel (<10%)
  • US Citizenship required
  • An existing government security clearance is preferred, or the ability to obtain a clearance.

U.S. Vaccination Requirements
Cisco requires all U.S. employees to be fully vaccinated or have an approved religious or medical accommodation. Candidates accepting an offer must provide proof of vaccination status on their first day. If someone anticipates requesting an accommodation for this requirement, they must receive approval before the start date. Candidates receiving an offer will receive additional information about the accommodation process at the time of the offer. All offers of employment are contingent upon complying with Cisco's vaccination policy.