Detection Engineer
Indexed description
Cyber Defence Operations (CDO) is Vodafone Group’s Cyber Defence Operations Centre of Excellence. CDO’s mission is to protect Vodafone customers against global cyber risk. CDO is specifically accountable for delivering:
- Cyber Defence operational leadership across Vodafone
- Cyber Defence operational capabilities to Vodafone Group, the Local Market Operating Companies, and Partner Markets to enhance Vodafone’s global cyber defence posture and reduce its cyber risk
The Detection Engineer works within the Cyber Security Operations team and operates at the intersection of threat modelling, telemetry strategy, and detection coverage.
This role is accountable for:
- Defining what telemetry is required to detect adversary behaviour across Vodafone environments
- Ensuring that ingested data is complete, timely, well‑structured, and fit for behavioural detection use cases
- Providing transparent, ATT&CK‑aligned visibility of coverage gaps and data‑driven risk
What You’ll Do
- Own the threat‑led strategy for onboarding and prioritising security telemetry, ensuring data sources are aligned to MITRE ATT&CK coverage, threat modelling outputs and adversary behaviour relevant to Vodafone;
- Own the definition of minimum viable logging requirements for CSOC, ensuring each critical platform (endpoint, identity, network, cloud, SaaS) provides the logs required to reliably observe adversary behaviour aligned to current threat models;
- Determine which log sources are security‑critical versus informational, ensuring CSOC ingestion is intentional and prioritised based on detection value rather than volume;
- Define and govern acceptance criteria for telemetry consumed by CSOC, including data quality, enrichment, completeness, and timeliness, ensuring logs are fit for adversary aligned detection;
- Maintain ATT&CK‑aligned coverage views that demonstrate how telemetry sources map to adversary techniques, highlighting coverage gaps and their impact across platforms, environments, and Local Markets;
- Provide clear, actionable insight into how telemetry quality and availability affect detection effectiveness, enabling Detection Engineering teams to build scalable behavioural detections;
- Produce and maintain assurance artefacts (e.g. ATT&CK overlays, dashboards, runbooks) that demonstrate logging and monitoring effectiveness to Cyber Defence leadership, audit, and Local Market stakeholders;
- Act as the named authority for visibility and telemetry‑related risk, including documenting coverage gaps, authorising risk acceptance where required, and tracking remediation;
- Partner with Cyber Prevent and platform teams to ensure telemetry ingestion, performance, and cost are balanced against detection and response value;
- Influence and align Detection Engineering, Threat Intelligence, Incident Response, and Local Market SOCs on coverage priorities, standards, and ways of working;
- Maintain operational runbooks for source onboarding/validation and hand‑offs to CSOC operations and local market SOCs
- Bachelor/Master's Degree in related field;
- 4+ years in detection content, threat intelligence, hunting or offensive security;
- Expert with MITRE ATT&CK (enterprise/cloud), ATT&CK Navigator, and threat-led control validation;
- Hands-on with KQL/SPL/Sigma/YARA, Microsoft Defender (EDR/Identity), Sentinel, Splunk, QRadar SOAR, scripting (Python/PowerShell);
- Adversary emulation/simulation certifications (e.g., OSCP/OSEP, GXPN/GPEN or equivalent) to design and execute controlled emulation of attacker TTPs for validation, prior ownership of simulation labs;
- Microsoft: SC‑200 (Security Operations Analyst) , Google Cloud Security certifications;
- MITRE ATT&CK Defender training/badges (analyst, threat intel, detection mapping) or equivalent ATT&CK‑focused courses;
- Training in threat intel tradecraft (CTI lifecycle, STIX/TAXII, actor TTP analysis);
- AI/ML in SOC (model assurance, prompt engineering for LLM‑assisted triage);
- GCTI (Threat Intel), GCDA/GCED/GCIA (defence/monitoring/intrusion analysis);
- Strong analytical thinking and problem‑solving skills, with the ability to think like an adversary and understand how threat actors operate across complex enterprise environments;
- Deep expertise in MITRE ATT&CK (Enterprise and Cloud), with the ability to reason at technique and sub‑technique level from a coverage and visibility perspective;
- Proven ability to translate adversary behaviour into clear telemetry and logging requirements, enabling scalable, behaviour‑driven detection;
- Strong understanding of end‑to‑end security telemetry and logging architectures, from log generation through ingestion, enrichment, and analytic consumption;
- Ability to identify, articulate, and prioritise visibility and detection coverage gaps as data‑driven risk;
- Experience enabling Detection Engineering teams by ensuring access to high‑quality, well‑structured, and consistently enriched data;
- Confidence working across multiple security domains (endpoint, identity, network, cloud, SaaS) to assess coverage posture and response readiness;
- Excellent communication and collaboration skills, with the ability to align Detection Engineering, Threat Intelligence, Incident Response, platform teams, and Local Market SOCs around shared outcomes;
- Strong attention to detail when assessing telemetry quality, consistency, and completeness;
- Fluency in English
What's In It For You
- Hybrid Work Model - Flexible hybrid work model with 8-10 in-office days per month, managed by team leaders;
- Vodafone Products and Services - Employees get a mobile phone, free communication plan, data card, and various discounts on services and products;
- Recognition - Recognition programs for innovative, creative, high-potential employees and exemplary behaviors;
- Health and Well-being - Well-being Program offers nutrition and psychological consultations, webinars, workshops, and discounts on various services and products;
- Learning - Access to Communities of Practice and a customizable digital training platform with high-quality content (namely Harvard Business Publishing, Skillsoft and Speexx);
- Local and International Mobility - Internal recruitment with local and international rotation opportunities across departments and roles
Belonging at Vodafone isn't a concept; it's lived, breathed, and cultivated through everything we do. You'll be part of a global and diverse community, with many different minds, abilities, backgrounds and cultures. ;We're committed to increase diversity, ensure equal representation, and make Vodafone a place everyone feels safe, valued and included.
If you require any reasonable adjustments or have an accessibility request as part of your recruitment journey, for example, extended time or breaks in between online assessments, please refer to https://careers.vodafone.com/application-adjustments/ for guidance.
Together we can.
Create a free Caio profile to unlock more results and save your role and location preferences.
Unlock free search