Description

Cybersecurity Threat Hunter & Intelligence Specialist

Contract | Full-time | Onsite (Toronto)

Position Summary

This role is focused on proactive threat hunting and strategic threat intelligence within a complex enterprise environment. The Threat Hunter & Intelligence Specialist will formulate hunt hypotheses and execute advanced hunts across diverse telemetry sources, operationalize threat intelligence into high-fidelity detections, and lead investigations into sophisticated security findings.

The successful candidate will research emerging threats, adversary tactics, techniques, and procedures (TTPs), and active campaigns, translating intelligence into actionable insights that strengthen detection engineering, incident response, and overall security posture. This role emphasizes continuous improvement, executive-ready reporting, and close collaboration with Security Operations, Incident Response, Vulnerability Management, and external security partners.

Key Responsibilities

  • Plan and execute hypothesis-driven and IOC/TTP-based threat hunts across endpoint, network, cloud, identity, and application telemetry.
  • Correlate signals from SIEM, UEBA, EDR, and other security platforms with threat intelligence and environmental context to uncover malicious activity, lateral movement, and stealth persistence.
  • Operationalize threat intelligence (IOCs, adversary tradecraft, ATT&CK techniques) into hunt queries, detections, and enrichment workflows.
  • Lead investigations arising from hunt findings and intelligence reports, including scoping, containment, eradication, and recovery in partnership with incident response teams.
  • Develop, tune, and maintain high-fidelity detections and analytics (e.g., KQL, LEQL, Sigma, YARA) to convert hunt insights into durable monitoring with low false-positive rates.
  • Maintain hunting methodologies, playbooks, success metrics, and documentation; capture lessons learned and root-cause analysis.
  • Measure and report on hunt effectiveness, including detections created, gaps remediated, dwell time reduction, and control efficacy, for technical and executive audiences.
  • Participate in purple-team activities to validate detections, emulate adversary behavior, and prioritize defensive improvements.
  • Research emerging threats, tooling, campaigns, and cloud/identity attack paths; communicate relevant intelligence to stakeholders.
  • Collaborate with third-party vendors and partners to coordinate hunts, exchange indicators, and validate security tooling effectiveness.
  • Support policy and standards development, and collect evidence for compliance requirements related to security monitoring and incident response.
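The IOC/TTP-based hunting and the effectiveness metrics listed above, as an added illustration that is not part of this posting or the hiring organization's tooling: a small Python script that runs an indicator match and a hypothesis-driven lateral-movement rule over constructed logon records (hypothetical hosts, user names and TEST-NET addresses), tags each finding with its ATT&CK technique, and computes the kind of dwell-time figure the reporting bullet calls for. The field names, thresholds and feed name are assumptions, not any organization's schema.

```python
"""Illustrative hunt: IOC matching plus a behavioural (TTP) rule over constructed logon events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, loosely modelled on Windows Security logon events
# (logon_type 2 = interactive, 3 = network, 10 = remote interactive). Hypothetical values.
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "host": "WS-01",  "user": "jdoe",       "src_ip": "10.0.5.20",     "logon_type": 2},
    {"ts": "2024-03-01T09:05:00", "host": "SRV-01", "user": "svc_backup", "src_ip": "10.0.5.20",     "logon_type": 3},
    {"ts": "2024-03-01T09:06:00", "host": "SRV-02", "user": "svc_backup", "src_ip": "10.0.5.20",     "logon_type": 3},
    {"ts": "2024-03-01T09:07:30", "host": "SRV-03", "user": "svc_backup", "src_ip": "10.0.5.20",     "logon_type": 3},
    {"ts": "2024-03-01T09:08:00", "host": "SRV-04", "user": "svc_backup", "src_ip": "10.0.5.20",     "logon_type": 3},
    {"ts": "2024-03-01T10:00:00", "host": "WS-07",  "user": "asmith",     "src_ip": "198.51.100.77", "logon_type": 10},
    {"ts": "2024-03-01T14:00:00", "host": "SRV-02", "user": "admin_ops",  "src_ip": "10.0.9.4",      "logon_type": 3},
]

# Constructed indicator feed (TEST-NET-2 address, not a real indicator). Each IOC carries
# the ATT&CK technique the intelligence source associated with it.
IOCS = {"198.51.100.77": {"source": "partner-feed", "technique": "T1078"}}


def ioc_hunt(events, iocs):
    """IOC-driven hunt: return events whose source IP matches an indicator, enriched with
    the feed and technique so the analyst knows why it fired."""
    hits = []
    for e in events:
        ioc = iocs.get(e["src_ip"])
        if ioc:
            hits.append({**e, "reason": "ioc_match", "technique": ioc["technique"], "source": ioc["source"]})
    return hits


def lateral_movement_hunt(events, window=timedelta(minutes=10), min_hosts=3):
    """Hypothesis-driven hunt: one account making network logons (type 3) to many distinct
    hosts inside a short window is candidate lateral movement (ATT&CK T1021, Remote Services).
    Uses a sliding window per account; the window and host threshold are assumed tuning values."""
    by_user = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3:
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"], e["src_ip"]))

    findings = []
    for user, rows in by_user.items():
        rows.sort()
        for i, (t0, _, src) in enumerate(rows):
            hosts = {h for t, h, _ in rows[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                findings.append({
                    "user": user, "src_ip": src, "hosts": sorted(hosts),
                    "start": t0.isoformat(), "technique": "T1021",
                    "reason": "fan_out_network_logons",
                })
                break  # one finding per account is enough to open an investigation
    return findings


def first_seen(hits, findings):
    """Earliest timestamp across all hunt output, i.e. the start of the suspected activity."""
    stamps = [datetime.fromisoformat(h["ts"]) for h in hits]
    stamps += [datetime.fromisoformat(f["start"]) for f in findings]
    return min(stamps) if stamps else None


def dwell_hours(hits, findings, contained_at):
    """Dwell time in hours from first observed activity to containment, the figure a
    hunt-effectiveness report tracks. contained_at is an ISO-8601 string."""
    start = first_seen(hits, findings)
    if start is None:
        return 0.0
    return (datetime.fromisoformat(contained_at) - start).total_seconds() / 3600


if __name__ == "__main__":
    hits = ioc_hunt(EVENTS, IOCS)
    findings = lateral_movement_hunt(EVENTS)
    for h in hits:
        print(f"[{h['technique']}] {h['reason']}: {h['user']} from {h['src_ip']} ({h['source']})")
    for f in findings:
        print(f"[{f['technique']}] {f['reason']}: {f['user']} -> {', '.join(f['hosts'])} starting {f['start']}")
    print(f"dwell time: {dwell_hours(hits, findings, '2024-03-01T17:05:00'):.1f} h")
```

The two functions correspond to the two hunt styles the bullets name: the IOC match is cheap and precise but only finds what a feed already knows, while the fan-out rule catches tradecraft with no indicator at all and is what gets promoted into a durable detection once its threshold has been tuned against the environment's normal service-account behaviour.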

Knowledge Transfer & Collaboration

  • Mentor SOC analysts and junior team members on threat hunting, intelligence analysis, and investigation techniques.
  • Provide technical guidance to platform owners and product teams on telemetry quality, logging, and coverage needed for effective detection and hunting.

Qualifications & Experience

  • Minimum 5 years of experience in cybersecurity, with at least 2 years focused on threat hunting, advanced detection engineering, or equivalent roles.
  • Minimum 6 years of experience in information technology or related disciplines.
  • Proven track record of leading complex investigations and translating hunt outcomes into sustainable detections and process improvements.
  • Experience with scripting languages such as Python, PowerShell, or Bash for automation, parsing, or custom tooling.
  • Community contributions or research (e.g., Sigma rules, KQL queries, ATT&CK mappings, blogs, conference talks) are an asset.

Technical Skillset

  • Deep understanding of attacker TTPs, including credential access, defense evasion, living-off-the-land techniques, and cloud/identity attack paths.
  • Strong knowledge of cloud environments (particularly Azure) and the telemetry required to detect threats in cloud-native and SaaS platforms.
  • Proficiency in detection engineering languages and frameworks such as KQL, LEQL, Sigma, YARA, and common security data models.
  • Solid grasp of threat intelligence methodologies, kill-chain analysis, MITRE ATT&CK mapping, and requirements-driven intelligence collection.
  • Hands-on experience with security operations tooling, including SIEM, EDR, UEBA, NDR, and SOAR platforms.
  • Working knowledge of system administration and hardening principles across Windows, macOS, and Linux, including logging and audit policies.
  • Familiarity with security, privacy, and regulatory frameworks and standards (e.g., NIST, ISO 27001) as they relate to monitoring and incident response.

Certifications (Assets)

  • Industry-recognized certifications such as GCTI, GCFA, GCIH, OSCP, or similar.