Detection Engineer United States (Remote)

GreyNoise Intelligence is a mission driven security startup focused on helping organizations understand and mitigate risks from Internet scanning and exploitation. GreyNoise provides real-time, verifiable intelligence on all actors scanning the Internet and how some of them are attempting to exploit vulnerabilities on assets connected to corporate networks. The intelligence is highly trusted because it's generated from a global fleet of thousands of purpose built sensors observing the Internet. Advanced data science techniques and AI are used to process millions of observed events into real-time intelligence for customers.The GreyNoise Global Observation Grid observes and analyzes unique threat data at-scale that no one else can. GreyNoise provides the most actionable threat intelligence against perimeter threats, so that no attack works twice.All US based positions are fully remote within the US, with optional office attendance at our DC area headquarters, unless otherwise specified. Applicants must have US work authorization.Please see the specific job description for all international position locations.The RoleGreyNoise is hiring a Detection Engineer to own the high-volume, foundational detection work that keeps our datasets accurate and our customers protected. This role is intentionally focused on operational execution: building, validating, and maintaining detections at scale.ResponsibilitiesDetection and Traffic Tagging OperationsWrite and tune Intrusion Detection System rules grounded in observed network behavior.Maintain and improve tag coverage and quality: adding new tags, fixing broken ones, and de-duplicating overlaps.Maintain benign actor classifications and known-scanner lists so non-malicious traffic is accurately labeled.Resolve accumulated detection issues that degrade data quality for users and customers.Use internal CLI tooling to lint, test, and deploy detection rules and tags at scale.Read and analyze packet captures (pcaps) and related network artifacts during routine validation and debugging.Validate detections against real traffic and own the trade-offs between false positives and false negatives for individual rules.Triage and Pipeline HygieneTriage a steady stream of inbound detection requests, CVEs, and internal coverage questions. The team processes dozens of new items weekly.Ensure detections are wired correctly end-to-end: from raw data through rule logic to tag output.Flag edge cases, collisions, and unexpected behavior in tags or rules for deeper follow-up.Work closely with researchers to keep them focused on longer-horizon projects.Communicate clearly about what you are working on, blockers, and trade-offs when priorities shift.Help sales, support, and customer success get faster, clearer answers on detection coverage questions.What Success Looks LikeThe backlog of smaller yet important detection work stops growing and quietly gets handled.Tag and detection coverage feels predictable and systematic rather than ad hoc.Internal teams get faster, clearer answers on coverage questions.The rest of the research team has noticeably more uninterrupted time for complex work and bigger bets.You develop reliable instincts for which detection issues matter most and can prioritize without constant direction.Who This Role Is Good ForWe are flexible on the level. This could be filled by someone in early to mid-career or by a senior practitioner willing to own operational detection work as a primary focus, with a possible path toward deeper research responsibilities over time.Early-Career or Mid-LevelComfortable with networking fundamentals and common protocols.Can read pcaps today, or is eager to get to "pcaps in your sleep" quickly.Understands basic security concepts: CVEs, exploit vs. vulnerability, false positives vs. false negatives.Thrives on clear queues of work and shipping lots of small, concrete things.Wants broad exposure to real-world internet traffic and detection engineering.SeniorStrong background in detection engineering, DFIR, SOC operations, or network security.Sees operational detection work as the foundation for credible research, not a stepping stone past it. Expect to own this for 6 to 9+ months before the role naturally expands.Can turn vague problems into scoped, repeatable workflows.Understands that high-leverage impact often comes from unglamorous, highly reliable execution.Required SkillsDemonstrated ability to read and analyze packet captures (pcaps).Experience writing or maintaining Suricata rules or similar network detection signatures.Comfort with high context-switching: moving between tags, rules, pcaps, and internal requests throughout the day.Strong attention to detail; small mistakes in tags or rules have outsized downstream effects.Clear, concise written communication, especially when something is broken, ambiguous, or blocked.Nice to HavesExperience with IDS/IPS platforms, Suricata, Zeek, Sigma, Nuclei, or Snort.Prior exposure to large-scale internet telemetry, threat intelligence feeds, or SOC operations.A Few of our GreyNoise Labs PrinciplesPut your best understanding of the truth first in all that you do.DecencyTreat yourself and others with respect.OpinionsFrame opinions using data or experience; they are still opinions.ComputersComputers are cool, but that doesn't mean you won't hate them.BenefitsEquity in a high-growth, Series-A startup.100% covered health, dental, vision, and life plans for all employees.Competitive 401k employer match of 6%, which is special for a startup. This will be 100% matched and vested from day 1.Flexible paid time off. To encourage time off from work and ensure overall employee health and wellness, GreyNoise strongly recommends each employee to take at least 120 hours of PTO (3 weeks) annually, including at least five consecutive business days.Remote-first culture. While we are headquartered in the Washington DC area, we have a distributed workforce – with the majority of our team working remotely from across the country.Equipment budget. Every new employee gets an Apple Mac laptop and a $500 stipend for any equipment accessories.Paid family leave for all employees. We offer 4 months of paid leave (birth or adoption), plus 2 months of optional unpaid leave, so new parents have time to adjust to the new life (and work) schedule.Learning & development budget. All employees receive an annual $1,500 towards professional development related to their job function. The stipend can be applied to tuition, books, conferences, and more.Company offsites and monthly local hangouts to encourage team bonding.Why You Should Work at GreyNoiseYou enjoy identifying and solving hard problems.You are comfortable taking an idea from concept to customer.You are open to both explaining your stance and questioning others in a clinical, open-minded, and respectful manner.You want to directly impact users.You want to grow beyond your current skill set.Equal Employment OpportunityAs set forth in GreyNoise Intelligence's Equal Employment Opportunity policy, we do not discriminate on the basis of any protected group status under any applicable law.#J-18808-Ljbffr

GreyNoise Intelligence is a mission driven security startup focused on helping organizations understand and mitigate risks from Internet scanning and exploitation. GreyNoise provides real-time, verifiable intelligence on all actors scanning the Internet and how some of them are attempting to exploit vulnerabilities on assets connected to corporate networks. The intelligence is highly trusted because it's generated from a global fleet of thousands of purpose built sensors observing the Internet. Advanced data science techniques and AI are used to process millions of observed events into real-time intelligence for customers.The GreyNoise Global Observation Grid observes and analyzes unique threat data at-scale that no one else can. GreyNoise provides the most actionable threat intelligence against perimeter threats, so that no attack works twice.All US based positions are fully remote within the US, with optional office attendance at our DC area headquarters, unless otherwise specified. Applicants must have US work authorization.Please see the specific job description for all international position locations.The RoleGreyNoise is hiring a Detection Engineer to own the high-volume, foundational detection work that keeps our datasets accurate and our customers protected. This role is intentionally focused on operational execution: building, validating, and maintaining detections at scale.ResponsibilitiesDetection and Traffic Tagging OperationsWrite and tune Intrusion Detection System rules grounded in observed network behavior.Maintain and improve tag coverage and quality: adding new tags, fixing broken ones, and de-duplicating overlaps.Maintain benign actor classifications and known-scanner lists so non-malicious traffic is accurately labeled.Resolve accumulated detection issues that degrade data quality for users and customers.Use internal CLI tooling to lint, test, and deploy detection rules and tags at scale.Read and analyze packet captures (pcaps) and related network artifacts during routine validation and debugging.Validate detections against real traffic and own the trade-offs between false positives and false negatives for individual rules.Triage and Pipeline HygieneTriage a steady stream of inbound detection requests, CVEs, and internal coverage questions. The team processes dozens of new items weekly.Ensure detections are wired correctly end-to-end: from raw data through rule logic to tag output.Flag edge cases, collisions, and unexpected behavior in tags or rules for deeper follow-up.Work closely with researchers to keep them focused on longer-horizon projects.Communicate clearly about what you are working on, blockers, and trade-offs when priorities shift.Help sales, support, and customer success get faster, clearer answers on detection coverage questions.What Success Looks LikeThe backlog of smaller yet important detection work stops growing and quietly gets handled.Tag and detection coverage feels predictable and systematic rather than ad hoc.Internal teams get faster, clearer answers on coverage questions.The rest of the research team has noticeably more uninterrupted time for complex work and bigger bets.You develop reliable instincts for which detection issues matter most and can prioritize without constant direction.Who This Role Is Good ForWe are flexible on the level. This could be filled by someone in early to mid-career or by a senior practitioner willing to own operational detection work as a primary focus, with a possible path toward deeper research responsibilities over time.Early-Career or Mid-LevelComfortable with networking fundamentals and common protocols.Can read pcaps today, or is eager to get to "pcaps in your sleep" quickly.Understands basic security concepts: CVEs, exploit vs. vulnerability, false positives vs. false negatives.Thrives on clear queues of work and shipping lots of small, concrete things.Wants broad exposure to real-world internet traffic and detection engineering.SeniorStrong background in detection engineering, DFIR, SOC operations, or network security.Sees operational detection work as the foundation for credible research, not a stepping stone past it. Expect to own this for 6 to 9+ months before the role naturally expands.Can turn vague problems into scoped, repeatable workflows.Understands that high-leverage impact often comes from unglamorous, highly reliable execution.Required SkillsDemonstrated ability to read and analyze packet captures (pcaps).Experience writing or maintaining Suricata rules or similar network detection signatures.Comfort with high context-switching: moving between tags, rules, pcaps, and internal requests throughout the day.Strong attention to detail; small mistakes in tags or rules have outsized downstream effects.Clear, concise written communication, especially when something is broken, ambiguous, or blocked.Nice to HavesExperience with IDS/IPS platforms, Suricata, Zeek, Sigma, Nuclei, or Snort.Prior exposure to large-scale internet telemetry, threat intelligence feeds, or SOC operations.A Few of our GreyNoise Labs PrinciplesPut your best understanding of the truth first in all that you do.DecencyTreat yourself and others with respect.OpinionsFrame opinions using data or experience; they are still opinions.ComputersComputers are cool, but that doesn't mean you won't hate them.BenefitsEquity in a high-growth, Series-A startup.100% covered health, dental, vision, and life plans for all employees.Competitive 401k employer match of 6%, which is special for a startup. This will be 100% matched and vested from day 1.Flexible paid time off. To encourage time off from work and ensure overall employee health and wellness, GreyNoise strongly recommends each employee to take at least 120 hours of PTO (3 weeks) annually, including at least five consecutive business days.Remote-first culture. While we are headquartered in the Washington DC area, we have a distributed workforce – with the majority of our team working remotely from across the country.Equipment budget. Every new employee gets an Apple Mac laptop and a $500 stipend for any equipment accessories.Paid family leave for all employees. We offer 4 months of paid leave (birth or adoption), plus 2 months of optional unpaid leave, so new parents have time to adjust to the new life (and work) schedule.Learning & development budget. All employees receive an annual $1,500 towards professional development related to their job function. The stipend can be applied to tuition, books, conferences, and more.Company offsites and monthly local hangouts to encourage team bonding.Why You Should Work at GreyNoiseYou enjoy identifying and solving hard problems.You are comfortable taking an idea from concept to customer.You are open to both explaining your stance and questioning others in a clinical, open-minded, and respectful manner.You want to directly impact users.You want to grow beyond your current skill set.Equal Employment OpportunityAs set forth in GreyNoise Intelligence's Equal Employment Opportunity policy, we do not discriminate on the basis of any protected group status under any applicable law.#J-18808-Ljbffr

• 

• Government Careers