Threat-Led Detection Engineer in London

The Threat-Led Detection Engineer will design, build, and maintain high-quality threat detections within WTW's Global Information and Cyber Security Defence (ICSD) function, helping WTW detect adversary activity quickly and accurately across its global estate. This is a hands-on engineering role for someone with a strong cyber security mindset and a genuine interest in how attackers operate. You will write and tune detection rules, map coverage to real adversary behaviour, and contribute to a well-maintained, version-controlled detection library. Working closely with SOC, Threat Hunting, Cyber Threat Intelligence (CTI), and Incident Response, you will turn intelligence and hunt findings into reliable detections, embracing a threat-led, Detection-as-Code approach. The individual will work as part of a global, multi-disciplined security community with strong support across the business, helping to foster a security-aware culture while ensuring WTW remains a great place to work. With WTW's large global footprint, this role offers a varied and stimulating range of work, and occasional global travel may be required. The role is based in London and follows a hybrid working model, with the expectation of attending the office as and when required on business demand.

The Threat-Led Detection Engineer will build and maintain detections within WTW's Global Cyber Security Defence team. Responsibilities of this role will include:

• Design, write, test, and maintain high-fidelity detection rules across SIEM, EDR/XDR, cloud, identity, and network data sources.
• Apply a threat-led approach, developing detections mapped to adversary tradecraft using the MITRE ATT&CK framework, the Cyber Kill Chain, and the Diamond Model.
• Rapidly create new detections in response to emerging threats, Cyber Threat Intelligence, and incident or hunt findings.
• Contribute to the detection library, ensuring detections are version-controlled, documented, tested, and mapped to MITRE ATT&CK coverage.
• Tune and optimise existing detections to reduce false positives and continuously improve fidelity.
• Practise Detection-as-Code, using Git-based workflows, peer review, and automated testing for detection content.
• Validate detections through adversary emulation and testing (e.g. Atomic Red Team) and collaborate on purple-team exercises.
• Support the integration of AI and automation into detection and triage workflows, and help build detections for AI/GenAI-specific threats.
• Collaborate with SOC, Threat Hunting, CTI, and Incident Response to close detection gaps surfaced during hunts and incidents.
• Write clear detection documentation and response guidance so each detection is actionable for analysts.
• Onboard and validate new log sources and telemetry to expand detection coverage.
• Contribute to detection coverage and quality metrics to help measure and improve detection effectiveness.

We are looking for a candidate for the Threat-Led Detection Engineer role who has the following:

Must-have:

• Strong background in cyber security with hands-on detection engineering, SOC, or threat-hunting experience.
• Strong cyber security mindset and a solid, thorough understanding of attacker behaviour and the modern threat landscape.
• Working knowledge of the MITRE ATT&CK framework, the Cyber Kill Chain, and the Diamond Model, with the ability to map detections to them.
• Hands-on experience writing and tuning detection rules using query languages such as KQL, SPL, EQL, or Sigma on platforms like Microsoft Sentinel, Splunk, Elastic, CrowdStrike, or Microsoft Defender XDR.
• Ability to develop high-fidelity detections swiftly in response to emerging threats and intelligence.
• Experience maintaining detection content and contributing to a detection library.
• Familiarity with Detection-as-Code concepts: Git, version control, and automated testing of detection content.
• Awareness of AI/ML in security operations and AI-specific threats (e.g. prompt injection, sensitive-data exposure via GenAI), with awareness of the OWASP LLM Top 10 and MITRE ATLAS.
• Exposure to cloud detection across Azure, AWS, and/or GCP and to cloud and identity log sources (e.g. Entra ID, CloudTrail).
• Good written and verbal communication skills, able to document detections clearly and collaborate across teams.

Good to have:

• Threat-hunting mindset and experience hunting for novel or emerging threats to feed detection development.
• Experience with adversary emulation and breach-and-attack-simulation tooling (Atomic Red Team, Caldera) and purple teaming.
• Scripting skills (e.g. Python, PowerShell) for automation and enrichment.

Enjoy a benefits package designed to help you thrive, both professionally and personally. You'll receive 25 days of annual leave plus an extra WTW day to relax and recharge. Our comprehensive health and wellbeing offering includes private healthcare, life insurance, group income protection, and regular health assessments, all giving you peace of mind. Secure your future with our defined contribution pension scheme, featuring matched contributions up to 10% from the company. We support your growth and balance with hybrid working options, access to an employee assistance programme, and a fully paid volunteer day to make a difference in your community. On top of these, you can opt into a variety of additional perks including an electric vehicle car scheme, share scheme, cycle-to-work programme, dental and optical cover, critical illness protection, and much more. Start making the most of your career and wellbeing with a range of benefits tailored for you.

We're committed to equal employment opportunity and provide application, interview and workplace adjustments and accommodations to all applicants.