Senior Detection Creation Engineer
$171,600 - $302,200/year
Role Details
As a Detection Creation Engineer on the ASE Detection Team, you will:

- Develop security detections that identify active malicious activity across Apple’s services and infrastructure, implementing detection logic in Scala Spark (Databricks) and on-host detection frameworks (Falco rules)
- Analyze attacker behaviors and translate them into observable patterns across diverse telemetry sources including system call events, network logs, database access logs, endpoint security telemetry, Kubernetes audit logs, and other security-relevant data sources
- Collaborate with engineering teams to understand system architectures, identify detection opportunities, and develop detections that are both high-fidelity and operationally sustainable
- Tune and optimize detections based on real-world alert data, reducing false positives while maintaining coverage of malicious behaviors
- Operationalize detections by working with security operations teams to ensure alerts are actionable, triaged efficiently, and integrated into incident response workflows
- Document detection logic and rationale to enable knowledge sharing across the security organization

- 5+ years of experience in security detection, threat hunting, incident response, penetration testing, red teaming, or related security disciplines
- Demonstrated understanding of real attacker behaviors, tactics, and techniques
- Proficiency in at least one programming language (Python, Scala, Java, Go, or similar) with the ability and willingness to learn Scala
- Bachelor’s degree in Computer Science, Cybersecurity, Engineering, Information Systems, or related field, or equivalent professional experience
- Experience analyzing security telemetry data to identify malicious activity or anomalous behaviors
- Prior experience writing detections in Scala, Python, or other languages for large-scale data processing systems
- Experience with Apache Spark, Databricks, or similar large-scale distributed compute frameworks
- Hands-on experience with on-host detection rules engine systems (Falco or similar)
- Deep technical expertise in one or more areas: Linux system internals, network protocols, web application security, container/Kubernetes security, or cloud infrastructure
- Experience with multiple security-relevant telemetry sources: system call traces (network, process, file), endpoint detection and response (EDR) data, network traffic analysis, application logs, database audit logs, cloud provider audit logs
- Understanding of evasion techniques and how attackers attempt to avoid detection
- Contributions to open-source security projects or published research on detection techniques
- Experience with detection engineering at scale, including managing false positive rates and detection tuning methodologies
About Apple Inc
Apple Inc. is a multinational technology company known for designing and manufacturing consumer electronics, software, and online services, including the iPhone, Mac, iPad, and App Store.

Industry: Consumer Electronics & Software