Oracle

Security Engineer 5

Oracle, Romania, Pennsylvania, United States


What you’ll do (key responsibilities)

Security research & threat modeling

Investigate emerging TTPs, business-logic abuse patterns, and identity/OAuth attack paths.

Build and maintain adversary playbooks mapped to MITRE ATT&CK; drive coverage roadmaps.

Detection engineering (detection-as-code)

Ship high‑quality detections using Sigma/KQL/SPL/OSQuery/eBPF, versioned as code with CI/CD.

Instrument cloud/SaaS telemetry pipelines; reduce noise via tuning, suppression, and risk scoring.

AI‑assisted analytics

Apply ML for anomaly detection, clustering, and outlier triage; prototype LLM/RAG assistants for playbook generation, enrichment, and hypothesis‑driven hunts.

Partner with data teams to productionize models with feedback loops (precision/recall tracked).

Threat intelligence integration

Build ingestion/enrichment pipelines (TIPs, OSINT, ISACs, vendor feeds); normalize IOCs/TTPs.

Correlate TI with detections & hunts; drive proactive hardening and hypothesis creation.

Proactive controls & response acceleration

Recommend/implement preventive controls (authz hardening, rate limits, token binding, WAF rules).

Automate response (SOAR/runbooks), shrinking MTTD/MTTR with measurable impact.

Metrics & continuous improvement

Own coverage and efficacy KPIs (FPR/FNR, time‑to‑detect, time‑to‑close, alert fatigue).

Run post‑incident detection reviews and continuously up‑level our catalog.

Minimum qualifications

5–8+ years in security engineering/detection engineering/threat research for cloud/SaaS.

Strong detection content skills (Sigma/KQL/SPL/OSQuery/eBPF) and detection‑as‑code practices (Git, tests, CI/CD).

Demonstrated threat hunting experience (hypothesis‑led, telemetry‑driven) at scale.

Hands‑on with SIEM/SOAR and cloud‑native telemetry (e.g., AWS/GCP/Azure, Kubernetes, API logs).

Solid programming for automation/data wrangling (Python/Go) and comfort with SQL.

Working knowledge of MITRE ATT&CK, adversary emulation, and identity‑centric threats (SSO/OIDC/OAuth).

Preferred qualifications

Applied AI/ML experience for security (feature engineering, anomaly detection, basic model evaluation).

Built TI pipelines/TIP integrations; mapping intel → detections/hunts/playbooks.

Experience tuning detections to reduce false positives without losing recall; risk‑based alerting.

Responsibilities

Responsible for expert planning, design and build of security systems, applications, environments and architectures; oversees the implementation of security systems, applications, environments and architectures and ensures compliance with information security standards and corporate security policies and procedures. Evaluates existing and proposed technical architectures for security risk, provides expert technical advice to support the design and development of secure architectures and recommends security controls to mitigate those risks. Evaluations of internal security architecture may include design assessment, risk assessment, and threat modeling. Provides expert technical advice and direction to support the design and development of secure architectures. Maintains expert proficiency in emerging trends in information security. Determines the best practices for the large‑scale Big Data infrastructure used by some Oracle LOBs, including tooling, data architecture, and content.

May lead incident management teams and provide expert-level incident management expertise. Coordinates incidents with other business units and may act as incident commander of multiple serious incidents. Leads development of new methods and playbooks and provides thought‑leadership related to incident management throughout Oracle. May provide leadership in an incident management team, bringing expert‑level skills to respond to security events in line with Oracle incident response playbooks. Investigates purported intrusions and breaches, and oversees root cause analysis. Coordinates incidents with other business units and may act as Incident Commander on multiple serious incidents. Leads development of new methods and playbooks, as well as highly sophisticated scripts, applications, and tools. Trains and mentors other staff, and may supervise incident management teams.

Brings expert‑level skills to research, evaluate, track, and manage information security threats and vulnerabilities in situations where in‑depth analysis of ambiguous information is required, but no computer programming/scripting knowledge is required. Leads development of highly sophisticated scripts, applications, and tools, and trains others in their use. Focuses on operational and strategic level tasks, and provides counsel and guidance to the junior level security operations engineers in the department.

Qualifications

Career Level - IC5

About Us

As a world leader in cloud solutions, Oracle uses tomorrow's technology to tackle today's challenges. We've partnered with industry‑leaders in almost every sector, and continue to thrive after 40+ years of change by operating with integrity. We know that true innovation starts when everyone is empowered to contribute. That's why we're committed to growing an inclusive workforce that promotes opportunities for all. Oracle careers open the door to global opportunities where work‑life balance flourishes. We offer competitive benefits based on parity and consistency and support our people with flexible medical, life insurance, and retirement options. We also encourage employees to give back to their communities through our volunteer programs. We're committed to including people with disabilities at all stages of the employment process. If you require accessibility assistance or accommodation for a disability at any point, let us know by emailing accommodation-request_mb@oracle.com or by calling +1 888 404 2494 in the United States.

Equal Employment Opportunity Statement

Oracle is an Equal Employment Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, sexual orientation, gender identity, disability and protected veterans' status, or any other characteristic protected by law. Oracle will consider for employment qualified applicants with arrest and conviction records pursuant to applicable law.
