Chain-Platform Engineer
Indexed description
Adversary Chain Engine (ACE)
THG Ventures
Location UK, or remote across compatible time zones.
Reports to Chief Product Officer (CPO) alongside AI Architecture Lead and Black team Lead.
Stage The company is well-funded, The platform runs end to end in private use with existing Chains.
ASE is a chain-native detection platform. It captures adversary attack chains as structured graphs, maps them against a customer's detection estate, and ships the rules their existing SIEM and EDR are missing.
Chains are live and the platform runs end to end. The next two quarters take the product from its design-Partner stage into full chain runtime. You would be the third engineer on the platform, reporting directly to the CPO.
- Grow the current rule manifest into a declarative chain manifest that carries the whole graph: the steps, how they connect, the timing and cross-silo joins, and the detection leaves each step compiles to.
- Refine per-stack leaf translators for Splunk SPL, Sentinel KQL, CrowdStrike and Defender. One generator per dialect, all reading a single chain-step representation.
- Extend the estate model from a static tool inventory to a rule inventory keyed against each customer's actually deployed content.
- Tighten the gap report so a customer downloads a coherent, manifest-bound bundle, not a zip of disconnected rules.
With the founder and the first design-partner SOCs:
- A stateful correlator that consumes evidence events from customer SIEMs and scores how strongly the live evidence supports each chain.
- A lean evidence return channel: HTTPS ingest, schema validation, and resolution back to the manifest.
- Per-tenant isolation across the Postgres schema and artefact store.
- Enhance the statefulness to interpret real time status and infer next steps
The parts that make the correlation and confidence model work are the ones we do not put in a public post. We walk through them at interview.
- Backend: Python 3.12, FastAPI, SQLAlchemy 2.0 async, Alembic, Postgres 16, S3/R2 for artefacts.
- Frontend: React 18, TypeScript, Vite.
- LLM: AI Assisted coding, server-sent events for streaming generation.
- Dev: Docker Compose locally, GitHub for source, Claude Code as the daily driver.
- Strong Python. Comfortable with async, ORMs, schema migrations and FastAPI in production.
- TypeScript and React to the level of “can ship a polished modal without supervision”.
- Detection engineering grounding. SIGMA and YARA in your day to day, MITRE ATT&CK and D3FEND as a working reference, and fluency in at least one SIEM dialect (SPL or KQL).
- Pragmatic about LLMs. You have used Claude Code or an equivalent to move at multiples of unaided speed, and you know when to trust the model, how to maintain architectural integrity within the tactical limits of Claude Code, and when to write the spec.
- Ideally built or operated detection content in a SOC, a vendor, or a red team.
- Fluency across several SIEM and EDR query languages, not just one.
- Experience building correlation engines, streaming pipelines, or stateful event processors.
- Red team tooling or adversary emulation (Atomic Red Team, Caldera, Stratus).
- Shipped a developer tool or security platform from MVP to first paying customer.
- Wrestling with Kubernetes. The platform runs on Docker Compose today and moves to a managed PaaS next.
- Building another SIEM. ASE sits above the SIEM, it does not replace it.
- Writing rule packs to throw over the wall. Every rule we ship is wrapped in the chain manifest that explains why it matters.
- Full time.
- Direct line to the founders. First users are the design-partner SOCs.
- Expected ramp: production contribution by week three, first manifest-bound release inside two months.
Send a CV, a paragraph on the most interesting detection or correlation system you have built, and a link to something public or a GitHub repo we can read. [email protected].
Create a free Caio profile to unlock more results and save your role and location preferences.
Unlock free search