Threat-Led Detection Engineer - Lead

The Threat-Led Detection Engineer Lead will drive WTW’s detection engineering capability within the Global Information and Cyber Security Defence (ICSD) function, owning the strategy, quality, and continuous improvement of how WTW detects threats across its global estate in AI era. This role blends deep technical detection expertise with team leadership, driving a threat-led, intelligence-informed approach to detection that maps directly to real adversary behaviour.

The Lead will set the standard for how detections are designed, written, tested, documented, and maintained – championing Detection-as-Code, measurable detection coverage, and a strong engineering culture. Working closely with SOC, Threat Hunting, Cyber Threat Intelligence (CTI), Incident Response, and Vulnerability 

Management teams, the Lead will ensure WTW’s detection library evolves ahead of the threat landscape.
The individual will work as part of a global, multi-disciplined security community with strong support across the business, helping to foster a security-aware culture while ensuring WTW remains a great place to work. With WTW’s large global footprint, this role offers a fascinating range of work, and occasional global travel may be required.

The Threat-Led Detection Engineer Lead will grow WTW’s detection engineering function within the Global Cyber Security Defence team. Responsibilities of this role will include:

• Drive WTW’s detection engineering strategy, setting the vision, standards, and roadmap for threat-led detection across cloud, endpoint, identity, network, and SaaS environments.
• Lead, mentor, and grow a team of detection engineers, establishing engineering best practices, peer review, and a culture of high-quality, well-documented detections.
• Drive a threat-led detection approach, prioritising detection development against adversary tradecraft using the MITRE ATT&CK framework, the Cyber Kill Chain, and the Diamond Model of Intrusion Analysis.
• Translate Cyber Threat Intelligence and threat-hunting findings into robust, high-fidelity detections with low false-positive rates.
• Establish, own, and maintain the central detection library, ensuring detections are version-controlled, tested, documented, and mapped to MITRE ATT&CK coverage.
• Champion Detection-as-Code, implementing Git-based workflows, CI/CD pipelines, automated testing, and peer review for all detection content.
• Define and track detection coverage, efficacy, and quality metrics (e.g. ATT&CK coverage, detection fidelity, time-to-detect) and report on detection posture to senior leadership.
• Lead detection validation and tuning through adversary emulation, purple-team exercises, and breach-and-attack-simulation tooling (e.g. Atomic Red Team, Caldera).
• Support the integration of AI and automation into detection workflows – including AI-assisted detection authoring, enrichment, and triage – and lead detection efforts for AI/GenAI-specific threats.
• Partner with SOC, Threat Hunting, CTI, Incident Response, and Vulnerability Management to close detection gaps identified during incidents and hunts.
• Govern the full detection lifecycle: intake, development, testing, deployment, monitoring, tuning, retirement, and continuous improvement.
• Evaluate and onboard new log sources, telemetry, and tooling to expand detection coverage across the global estate.
• Set standards for detection documentation, runbooks, and response guidance so every detection is clear and actionable for the SOC.

We are looking for a candidate for the Threat-Led Detection Engineer Lead role who has the following:      

Must-have

• 5+ years in cyber security with detection engineering experience, including a track record of leading, mentoring, or coordinating technical teams.
• Strong cyber security mindset with a deep, thorough understanding of adversary behaviour, attacker tradecraft, and the modern threat landscape.
• Expert knowledge of the MITRE ATT&CK framework, the Cyber Kill Chain, and the Diamond Model, with proven ability to map and drive detection coverage against them.
• Proven expertise writing, testing, and maintaining detection rules across SIEM and EDR/XDR platforms (e.g. Microsoft Sentinel, Splunk, Elastic, CrowdStrike, Microsoft Defender XDR), using query languages such as KQL, SPL, EQL, or Sigma.
• Demonstrated ability to develop high-fidelity detections swiftly in response to emerging threats, intelligence, and live incidents.
• Experience owning and maturing a detection library, including detection lifecycle governance and ATT&CK coverage mapping.
• Hands-on experience with Detection-as-Code: Git, version control, CI/CD pipelines, and automated testing of detection content.
• Understanding of AI/ML in security operations and awareness of AI-specific threats (prompt injection, model/data poisoning, sensitive-data exposure via GenAI), with familiarity with the OWASP LLM Top 10 and MITRE ATLAS.
• Exceptional written and verbal communication skills, able to convey complex technical concepts to both engineers and non-technical stakeholders, including executives.

Good to have

• Strong threat-hunting mindset and hands-on hunting experience to proactively surface detection gaps and feed detection development.
• Scripting and automation skills (e.g. Python, PowerShell) for tooling, enrichment, and SOAR integration.
• Familiarity with detection data pipelines (log routing, parsing, normalisation, data lakes) and how they affect detection quality.

We’re committed to equal employment opportunity and provide application, interview and workplace adjustments and accommodations to all applicants. If you foresee any barriers, from the application process through to joining WTW, please email candidate.helpdesk@willistowerswatson.com.