Threat-Led Detection Engineer

The Threat-Led Detection Engineer will design build and maintain high-quality threat detections within WTWs Global Information and Cyber Security Defence (ICSD) function helping WTW detect adversary activity quickly and accurately across its global estate. This is a hands-on engineering role for someone with a strong cyber security mindset and a genuine interest in how attackers operate. You will write and tune detection rules map coverage to real adversary behaviour and contribute to a well-maintained version-controlled detection library. Working closely with SOC Threat Hunting Cyber Threat Intelligence (CTI) and Incident Response you will turn intelligence and hunt findings into reliable detections embracing a threat-led Detection-as-Code approach.

The individual will work as part of a global multi-disciplined security community with strong support across the business helping to foster a security-aware culture while ensuring WTW remains a great place to work. With WTWs large global footprint this role offers a varied and stimulating range of work and occasional global travel may be required. The role is based in London and follows a hybrid working model with the expectation of attending the office as and when required on business demand.

The Role:

The Threat-Led Detection Engineer will build and maintain detections within WTWs Global Cyber Security Defence team. Responsibilities of this role will include:

• Design write test and maintain high-fidelity detection rules across SIEM EDR/XDR cloud identity and network data sources.
• Apply a threat-led approach developing detections mapped to adversary tradecraft using the MITRE ATT&CK framework the Cyber Kill Chain and the Diamond Model.
• Rapidly create new detections in response to emerging threats Cyber Threat Intelligence and incident or hunt findings.
• Contribute to the detection library ensuring detections are version-controlled documented tested and mapped to MITRE ATT&CK coverage.
• Tune and optimise existing detections to reduce false positives and continuously improve fidelity.
• Practise Detection-as-Code using Git-based workflows peer review and automated testing for detection content.
• Validate detections through adversary emulation and testing (e.g. Atomic Red Team) and collaborate on purple-team exercises.
• Support the integration of AI and automation into detection and triage workflows and help build detections for AI/GenAI-specific threats.
• Collaborate with SOC Threat Hunting CTI and Incident Response to close detection gaps surfaced during hunts and incidents.
• Write clear detection documentation and response guidance so each detection is actionable for analysts.
• Onboard and validate new log sources and telemetry to expand detection coverage.
• Contribute to detection coverage and quality metrics to help measure and improve detection effectiveness.

What youll bring:

We are looking for a candidate for the Threat-Led Detection Engineer role who has the following:

Must-have:

• Strong background in cyber security with hands-on detection engineering SOC or threat-hunting experience.
• Strong cyber security mindset and a solid thorough understanding of attacker behaviour and the modern threat landscape.
• Working knowledge of the MITRE ATT&CK framework the Cyber Kill Chain and the Diamond Model with the ability to map detections to them.
• Hands-on experience writing and tuning detection rules using query languages such as KQL SPL EQL or Sigma on platforms like Microsoft Sentinel Splunk Elastic CrowdStrike or Microsoft Defender XDR.
• Ability to develop high-fidelity detections swiftly in response to emerging threats and intelligence.
• Experience maintaining detection content and contributing to a detection library.
• Familiarity with Detection-as-Code concepts: Git version control and automated testing of detection content.
• Awareness of AI/ML in security operations and AI-specific threats (e.g. prompt injection sensitive-data exposure via GenAI) with awareness of the OWASP LLM Top 10 and MITRE ATLAS.
• Exposure to cloud detection across Azure AWS and/or GCP and to cloud and identity log sources (e.g. Entra ID CloudTrail).
• Good written and verbal communication skills able to document detections clearly and collaborate across teams.

Good to have:

• Threat-hunting mindset and experience hunting for novel or emerging threats to feed detection development.
• Experience with adversary emulation and breach-and-attack-simulation tooling (Atomic Red Team Caldera) and purple teaming.
• Scripting skills (e.g. Python PowerShell) for automation and enrichment.

What we offer:

Enjoy a benefits package designed to help you thrive both professionally and personally. Youll receive 25 days of annual leave plus an extra WTW day to relax and recharge. Our comprehensive health and wellbeing offering includes private healthcare life insurance group income protection and regular health assessments all giving you peace of mind. Secure your future with our defined contribution pension scheme featuring matched contributions up to 10% from the company.

We support your growth and balance with hybrid working options access to an employee assistance programme and a fully paid volunteer day to make a difference in your community. On top of these you can opt into a variety of additional perks including an electric vehicle car scheme share scheme cycle-to-work programme dental and optical cover critical illness protection and much more. Start making the most of your career and wellbeing with a range of benefits tailored for you.

Equal Opportunity Employer

Were committed to equal employment opportunity and provide application interview and workplace adjustments and accommodations to all applicants. If you foresee any barriers from the application process through to joining WTW please email