Detection and Response Engineer Budapest

PEAK6

Job Location:

Budapest - Hungary

Monthly Salary: Not Disclosed
Posted on: Yesterday
Vacancies: 1 Vacancy

Job Summary

WHO WE ARE

We are PEAK6, a leading investment firm using technology to find a better way of doing things. The company's first tech-based solution was developed in 1997 to optimize options trading, and over the past two decades the same formula has been used across a range of industries, asset classes, and business stages to consistently deliver superior results. Today, PEAK6 seeks transformational opportunities to provide capital and strategic support to entrepreneurs and forward-thinking businesses. PEAK6's core brands include PEAK6 Capital Management, PEAK6 Strategic Capital, Apex Fintech Solutions, FOCUS, We Insure, Evil Geniuses, Poker Power, Zogo, and Bruce Markets.

ABOUT THIS ROLE

You'll be the engineer who makes detections trustworthy and fast, so attacks are stopped, not just logged. You'll design, ship, and tune content in our security analytics stack, turn high-signal detections into clean Jira workflow, and use safe automation to contain threats quickly. You will partner closely with Chicago (identity/CSPM anchor) and our SOC analyst to reduce noise and prove we're getting faster month over month.

What you'll do

  • Own the detection pipeline end-to-end: onboard log sources, normalize/parse, and build correlation rules that target OAuth/token abuse, dormant-to-privilege jumps, exfiltration patterns, and device posture drift.

  • Integrate the right intel: wire up Google Threat Intelligence, Gmail/Docs signals, Threat Exchange, VirusTotal, and MISP (as needed) for enrichment and prioritization.

  • Tune for trust: manage a tuning backlog, track a false-positive budget, and continuously measure rule performance with clear KPIs.

  • Automate with guardrails: implement feature-flagged SOAR actions (e.g., revoke Okta sessions on confirmed BEC; isolate SentinelOne hosts on high confidence) with clear rollback and ticket updates.

  • Keep visibility healthy: monitor ingestion uptime/quality so detections don't silently fail; publish a weekly signal health snapshot.

  • Hunt to detect: maintain hunt playbooks and scheduled hunts that reflect current actor tradecraft; promote proven hunts to durable detections.

  • Communicate outcomes: ensure every acted-on alert is tracked in Jira with owner, SLA, and evidence, and contribute to the monthly executive scorecard.

What you'll bring

  • Experience: 3-6 years in detection engineering/SIEM operations (Chronicle, Splunk, Elastic, or similar), including parser/UDM/ECS mapping, rule authoring, and tuning.

  • Hands-on experience building and tuning detections in a modern SIEM/UDM (Chronicle or similar), plus comfort with log parsing/normalization and enrichment.

  • Practical SOAR/automation experience (staged rollouts, approvals, rollback).

  • Familiarity with Okta/identity signals, EDR (e.g., SentinelOne), Google Workspace security logs, and CSPM findings as context for correlation.

  • Strong troubleshooting, documentation, and bias for measurable results (MTTA/MTTR, FP rate).

  • Scripting for glue work (Python or similar).

  • Comfortable working in a lean, cross-functional environment and can participate in an on-call rotation as needed.

Certifications (nice to have, not required)

  • GIAC GCDA, GCIA, GCTI, GMON, GCSA; Chronicle/Splunk content certs; AWS Security Specialty, GCP Professional Cloud Security Engineer.

How we'll measure success (first 120 days)

  • Detections are reliable and actionable, with noise trending down and analyst trust trending up.

  • High-priority alerts are acknowledged and resolved promptly, with visibility via regular reporting.

  • Safe automation is in place (with guardrails) and detection KPIs are visible on the scorecard.

  • Threat hunting regularly produces improvements to the detection catalog.

OUR REWARDS

We offer a robust package of employee perks and benefits, including healthcare benefits (medical, dental and vision, EAP), competitive PTO, 401k match, parental leave, and HSA contribution match. We also provide our employees with a paid subscription to the Calm app and offer generous external learning and tuition reimbursement benefits. As a hybrid workforce, we offer our employees the ability to work remotely up to two days a week.

PEAK6 is proud to be an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex (including pregnancy, sexual orientation, and gender identity), national origin, age, disability, veteran status, marital status, or any other protected characteristic. Our hiring practices ensure that all qualified applicants receive fair consideration without regard to these characteristics.


PEAK6 is committed to creating an inclusive and accessible workplace for all candidates, including those with disabilities. We are dedicated to ensuring equal employment opportunities and providing reasonable accommodations to qualified individuals with disabilities. If you require reasonable accommodations to participate in the application or interview process, please contact our HR department at We will work with you to provide the necessary accommodations to ensure your full participation in our hiring process.
