Director of Cyber Threat Intelligence (CTI)

AstraZeneca


Job Location:

Gaithersburg, MD - USA

Monthly Salary: Not Disclosed
Posted on: 21 hours ago
Vacancies: 1 Vacancy

Job Summary

About AstraZeneca

AstraZeneca is a global, science-led, patient-focused biopharmaceutical company dedicated to discovering, developing and commercialising prescription medicines for serious disease. We're committed to being a Great Place to Work.

About the Role

The Director of Cyber Threat Intelligence will lead a highly technical CTI function within AstraZeneca's Cybersecurity Operations division, managing a team of analysts to deliver strategic, operational and tactical intelligence that measurably reduces risk across the enterprise, including manufacturing, clinical trial platforms and R&D environments. This role anchors CTI to intel-to-action outcomes, partnering closely with Vulnerability Management, Detection Engineering and Incident Response to harden controls, prioritize patching, improve detections and accelerate response.

Key Responsibilities

  • Program Leadership and Strategy: Define the CTI vision, operating model and roadmap, aligned to AstraZeneca's cyber risk reduction strategy with special emphasis on manufacturing continuity, clinical data integrity and R&D IP protection.

  • Adversary Prioritization Framework: Design and operate a scoring rubric that ranks actors based on intent, capability and relevance; TTP emergence and prevalence; organization-specific exposure to known vulnerabilities/CVEs; and global viral events, maintaining dynamic watchlists and escalation triggers.

  • MTTI Metric and Analytics: Implement analytic methods to estimate mean time-to-impact (MTTI) per adversary (from initial access to material business impact) using internal telemetry, historical incidents, industry reporting and confidence levels, and compare it with IR's mean time-to-containment (MTTC) to drive control improvements.

  • Attack Path Modeling: Build and maintain end-to-end attack path models from initial access to material impact across IT-to-OT pivots, clinical platforms and R&D environments, mapping steps to MITRE ATT&CK (Enterprise/ICS); identify control gaps and choke points, derive detections-as-code and hunt hypotheses, and support validation efforts including purple-team exercises and adversary emulation to ensure enterprise hardening and measurable risk reduction.

  • Dark Web and Closed-Source Monitoring: Establish collection and monitoring across dark web forums, marketplaces, breach dumps and closed channels to identify emerging TTPs, credential leaks, data exposure, access-broker listings and targeting of manufacturing, clinical or R&D assets; integrate validated findings into TIP/SIEM pipelines, trigger takedown requests where feasible, and deliver rapid advisories with confidence ratings and specific actions for Vulnerability Management, Detection Engineering and IR.

  • Third-Party and Ecosystem Intelligence: Deliver risk insights for CROs/CMOs/logistics/technology vendors, monitor credential leakage and domain spoofing, and support/coordinate takedown operations when needed.

  • Structured Threat Actor Attribution (Diamond Model): Lead disciplined attribution using the Diamond Model (adversary, capability, infrastructure, victim) and complementary frameworks, correlating TTPs, tooling lineage, code reuse, infrastructure overlaps and victimology with confidence levels and analytic caveats; document hypotheses, alternative explanations and disconfirming evidence; and produce reusable actor profiles and pivot paths that inform prioritization, detections, hunts and incident response playbooks.

  • Support Vulnerability Management: Partner with Vulnerability Management to contextualize CVEs (exploitability, weaponization, external scanning telemetry, compensating controls) and deliver risk-based patching prioritization across AstraZeneca's estate, including IT/OT, clinical platforms and lab environments.

  • Support Detection Engineering: Develop detection use cases to feed our detection-as-code pipeline and support ATT&CK coverage mapping, content tuning and false-positive reduction, ensuring feedback loops from hunts and incidents continuously improve detection quality.

  • Support GSOC/Incident Response: Provide real-time, highly technical adversary context, including kill-chain reconstruction, containment recommendations and countermeasures, and produce post-incident intelligence retrospectives and detection/architecture improvements.

  • Operational and Executive Reporting: Produce daily threat intelligence highlights, threat actor/campaign profiles, quarterly threat briefings and other ad hoc intelligence products, ensuring products include quantified risk narratives for senior leadership that also align findings to regulatory expectations and business impact.

  • Tooling and Automation: Optimize integrations across TIP, SIEM, EDR, case management and telemetry; manage the indicator lifecycle, automate enrichment and measure source fidelity/bias.

  • External Engagement: Lead participation with sector bodies (e.g. H-ISAC), peer sharing groups and government/industry partners; track and assess global events and rapidly translate them into actionable enterprise guidance.

  • Team Leadership and Development: Recruit, mentor and grow a diverse team of CTI analysts; build career paths, training plans and knowledge-sharing practices; foster a culture of technical excellence and clear, actionable communication.

Minimum Qualifications

  • Leadership and Strategic Impact: 10 years in cyber threat intelligence, detection engineering, incident response or related domains; 5 years leading technical CTI teams in global enterprises. Demonstrated ability to set vision, influence strategy and deliver outcomes tied to enterprise risk reduction.

  • Decision Making and Accountability: Proven ownership of adversary-centric CTI programs that directly drive vulnerability prioritization, detections-as-code, hunts and incident response. Comfortable making data-driven decisions with clear trade-offs and confidence levels.

  • Technical Depth (ATT&CK Enterprise/ICS): Deep expertise mapping TTPs to MITRE ATT&CK, defining coverage strategies and translating gaps into high-fidelity detections and hunt hypotheses; skilled in industrial/OT contexts.

  • Attack Path Modeling and Risk Translation: Hands-on delivery of end-to-end attack paths across IT-to-OT pivots, clinical platforms and R&D environments; validation via purple-team/adversary emulation; ability to convert findings into prioritized control roadmaps and measurable risk reduction.

  • Adversary Prioritization and Scoring: Designed and operated tailored actor scoring incorporating intent/capability, TTP emergence/prevalence, organizational exposure to CVEs and global/viral events; maintained dynamic watchlists and escalation triggers.

  • Structured Attribution Tradecraft: Applied the Diamond Model and complementary frameworks with documented hypotheses, caveats, disconfirming evidence and confidence statements; produced reusable actor profiles and pivot paths.

  • Metrication (MTTI vs. MTTC): Built mean time-to-impact metrics per actor and operationalized comparisons to IR's mean time-to-containment to guide control improvements and track program effectiveness.

  • Vulnerability Intelligence for Hardening: Delivered contextual CVE analysis (exploitability, weaponization, external scanning telemetry, compensating controls) and risk-based patch recommendations across IT, OT/ICS, clinical and lab environments.

  • Detection Engineering Collaboration: Co-developed detections-as-code (e.g. Sigma, KQL, SPL), tuned content to reduce false positives and closed ATT&CK coverage gaps with feedback loops from hunts/incidents.

  • Incident Intelligence Support: Provided real-time adversary context, kill-chain reconstruction, containment recommendations and post-incident retrospectives that inform detection and architectural improvements.

  • Collection Tooling and Automation: Operated dark web/closed-source monitoring; integrated findings into TIP/SIEM/EDR pipelines; managed the indicator lifecycle, automated enrichment and measured source fidelity/bias.

  • Stakeholder Partnership and Communication: Clear, concise communication of complex technical intelligence to executives and cross-functional partners (Vulnerability Management, Detection Engineering, SOC/IR, OT Security, Clinical Ops, Research IT); ability to influence without authority.

  • Education: Bachelor's degree in a relevant field (Computer Science, Information Security, Intelligence Studies) or equivalent experience.

Preferred Qualifications

  • Sector Experience and Regulatory Context: Experience in pharmaceuticals, life sciences, healthcare or manufacturing; familiarity with GMP/CSV, clinical data obligations and R&D IP protection.

  • OT/ICS and Critical Operations: Hands-on work with MES, SCADA and PLC ecosystems; ATT&CK for ICS usage; understanding of OT-safe response practices and production continuity implications.

  • Clinical/R&D Platforms: Exposure to CTMS, EDC, IRT, ELN, LIMS, HPC and data lake environments; experience safeguarding data integrity and sensitive research/IP.

  • Program Metrics and Outcomes: Built dashboards tracking MTTI by actor, ATT&CK coverage indices, intel-informed patch SLAs, hunter ROI and executive risk narratives; experience presenting to senior leadership and risk committees.

  • Advanced Tooling/Automation: TIP administration, SIEM/EDR content engineering, enrichment/orchestration pipelines, case management integration and indicator lifecycle automation at enterprise scale.

  • Threat Modeling and Quantification: Ability to translate attack paths into quantified risk scenarios and prioritized control investments aligned to business objectives and crown jewels.

  • External Partnerships: Active engagement with H-ISAC/ISAOs and government/industry partners; track record of rapidly converting global/viral cyber events into enterprise defenses and executive guidance.

  • Certifications: One or more of GCTI, GREM, GRID, GCIH, CISSP or equivalent demonstrated expertise.

  • People Leadership: Built diverse, high-performing teams; established career paths, coaching frameworks and a culture of analytic rigor, technical excellence and continuous improvement.

Location

  • Gaithersburg, Maryland.

Office Working Requirements

When we put unexpected teams in the same room, we unleash bold thinking with the power to inspire life-changing medicines. In-person working gives us the platform we need to connect, work at pace and challenge perceptions. That's why we work, on average, a minimum of three days per week from the office. But that doesn't mean we're not flexible. We balance the expectation of being in the office while respecting individual flexibility. Join us in our unique and ambitious world.

The annual base pay for this position ranges from $162.53600 - $243.80400 USD. Our positions offer eligibility for various incentives: an opportunity to receive short-term incentive bonuses, equity-based awards for salaried roles, and commissions for sales roles. Benefits offered include qualified retirement programs, paid time off (i.e. vacation, holiday and leaves), as well as health, dental and vision coverage in accordance with the terms of the applicable plans.

Date Posted

01-Apr-2026

Closing Date

15-Apr-2026

Our mission is to build an inclusive environment where equal employment opportunities are available to all applicants, and in furtherance of that mission we welcome and consider applications from all qualified candidates regardless of their protected characteristics. If you have a disability or special need that requires accommodation, please complete the corresponding section in the application form.


Required Experience:

Director


About Company


AstraZeneca is an equal opportunity employer. AstraZeneca will consider all qualified applicants for employment without discrimination on grounds of disability, sex or sexual orientation, pregnancy or maternity leave status, race or national or ethnic origin, age, religion or belief, ...