You could be the one who changes everything for our 28 million members by using technology to improve health outcomes around the world. As a diversified, national organization, Centene's technology professionals have access to competitive benefits including a fresh perspective on workplace flexibility.
Position Purpose:
Centene’s Detection Engineering team drives threat‑informed defense by designing, implementing, and continuously improving high‑fidelity detections across endpoint, identity, network, cloud, and SaaS telemetry. As a Senior Detection Engineer, you will lead complex detection initiatives, architect coverage strategies, and mentor engineers while partnering closely with SOC/CSMT, CSIRT, Threat Intelligence, and platform owners. Your work will measurably reduce risk and alert fatigue through high‑quality analytics, detection‑as‑code practices, and compelling operational outcomes.
Design & Delivery:
- Own end‑to‑end development of multi‑signal detections (endpoint, identity, network, cloud/SaaS) using Splunk (SPL), Microsoft Sentinel/Defender & Azure (KQL), FortiNDR Cloud (IQL), and Databricks (SQL)
- Translate threat intel (IOCs/TTPs, ATT&CK mapping) into battle‑tested analytics; convert vetted Sigma rules to SPL/KQL where applicable
Detection‑as‑Code & Quality:
- Implement version control, change notes, suppression logic, and CI/CD pipelines for detections; champion detection replay/backtesting to improve precision/recall and reduce noise
- Establish and maintain reusable detection content libraries, curated views/tables, and documentation/runbooks that accelerate operations
Coverage Strategy & Telemetry:
- Lead data onboarding and schema alignment; articulate coverage plans and quality gates for priority threats and control gaps
- Partner with platform teams to improve data prerequisites (tables, fields, latency) and ensure telemetry health and resilience
Operations & Collaboration
- Work directly with SOC/CSMT and CSIRT to tune, triage, and validate detections; convert hunts into detections and run purple‑team validations
- Build tabletop exercises/training for analysts; advise on automation opportunities across SOC/IR workflows
Leadership & Mentorship:
- Provide technical mentorship for DE I/II; conduct peer reviews of detection logic; contribute to sprint planning aligned to quarterly OKRs
- Influence roadmap, standards, and governance for the DE program in partnership with the Principal/Lead Detection Engineer
Success Indicators:
- Signal quality: detection precision/recall, FP rate, MTTD improvements
- Coverage depth: ATT&CK technique coverage and telemetry readiness across key domains
- Operational impact: validated detections adopted by SOC/IR, reduction in alert fatigue, hunts‑to‑detections conversion rate
- Content velocity & hygiene: time‑to‑deliver new analytics, documentation completeness, CI pipeline health
- Mentorship & enablement: growth of DE I/II competencies, quality of peer reviews, training outcomes
- Performs other duties as assigned
- Complies with all policies and standards
Education/Experience:
A Bachelor's degree in a quantitative or business field (e.g., statistics, mathematics, engineering, computer science) and Requires 4 – 6 years of related experience.
Or equivalent experience acquired through accomplishments of applicable knowledge, duties, scope and skill reflective of the level of this position.
Technical Skills:
- 3+ years in information security with hands‑on detection engineering (or SOC/IR roles with demonstrated analytics creation)
- Proficiency in SPL, KQL, and one of IQL/Databricks SQL for multi‑event correlation, enrichment, and replay
- Demonstrated experience turning IOCs/TTPs into durable analytics; strong ATT&CK fluency and coverage planning
- Practical detection‑as‑code habits: versioning, change control, backtesting, suppression strategy, CI/CD familiarity
- Ability to partner with SOC/CSIRT/Threat Intel; communicate trade‑offs clearly and drive measurable outcomes
Preferred Qualifications:
- Experience integrating detections with Wiz and Varonis contexts (identity/data exposure)
- Prior work in purple teaming and/or running detection validation exercises
- Familiarity with cloud telemetry (Azure, Entra ID, MDE) and network/HTTP/DNS/SSL flow analysis via NDR
- Contributions to internal content libraries, runbooks, and detection KPIs (precision/recall/coverage)
Soft Skills:
- Intermediate - Seeks to acquire knowledge in area of specialty
- Intermediate - Ability to identify basic problems and procedural irregularities, collect data, establish facts, and draw valid conclusions
- Intermediate - Ability to work independently
- Intermediate - Demonstrated analytical skills
- Intermediate - Demonstrated project management skills
- Intermediate - Demonstrates a high level of accuracy, even under pressure
- Intermediate - Demonstrates excellent judgment and decision making skills
License/Certification:
- Certified Threat Intelligence Analyst (CTIA)-ECCOUNCIL, Certified Information Security Manager (CISM), CISSP Certified Information Systems Security Professional, GIAC Cyber Threat Intelligence (GCTI) preferred
Pay Range: $87,000.00 - $161,300.00 per year
Centene offers a comprehensive benefits package including: competitive pay, health insurance, 401K and stock purchase plans, tuition reimbursement, paid time off plus holidays, and a flexible approach to work with remote, hybrid, field or office work schedules. Actual pay will be adjusted based on an individual's skills, experience, education, and other job-related factors permitted by law, including full-time or part-time status. Total compensation may also include additional forms of incentives. Benefits may be subject to program eligibility.
Centene is an equal opportunity employer that is committed to diversity, and values the ways in which we are different. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, veteran status, or other characteristic protected by applicable law.
Qualified applicants with arrest or conviction records will be considered in accordance with the LA County Ordinance and the California Fair Chance Act