At a Glance
- Tasks: Lead detection engineering strategy and mentor a team to combat cyber threats.
- Company: Join WTW, a global leader in information and cyber security.
- Benefits: Competitive salary, career growth, and opportunities for global travel.
- Other info: Dynamic role with a focus on innovation and collaboration across global teams.
- Why this job: Make a real impact in cyber security while working with cutting-edge technology.
- Qualifications: 5+ years in cyber security with strong leadership and technical skills.
The predicted salary is between £80,000 and £90,000 per year.
The Threat-Led Detection Engineer Lead will drive WTW’s detection engineering capability within the Global Information and Cyber Security Defence (ICSD) function, owning the strategy, quality, and continuous improvement of how WTW detects threats across its global estate in the AI era. This role blends deep technical detection expertise with team leadership, driving a threat-led, intelligence-informed approach to detection that maps directly to real adversary behaviour. The Lead will set the standard for how detections are designed, written, tested, documented, and maintained – championing Detection-as-Code, measurable detection coverage, and a strong engineering culture. Working closely with SOC, Threat Hunting, Cyber Threat Intelligence (CTI), Incident Response, and Vulnerability Management teams, the Lead will ensure WTW’s detection library evolves ahead of the threat landscape. The individual will work as part of a global, multi-disciplined security community with strong support across the business, helping to foster a security-aware culture while ensuring WTW remains a great place to work. With WTW’s large global footprint, this role offers a fascinating range of work, and occasional global travel may be required.
Responsibilities
- Drive WTW’s detection engineering strategy, setting the vision, standards, and roadmap for threat-led detection across cloud, endpoint, identity, network, and SaaS environments.
- Lead, mentor, and grow a team of detection engineers, establishing engineering best practices, peer review, and a culture of high-quality, well-documented detections.
- Drive a threat-led detection approach, prioritising detection development against adversary tradecraft using the MITRE ATT&CK framework, the Cyber Kill Chain, and the Diamond Model of Intrusion Analysis.
- Translate Cyber Threat Intelligence and threat-hunting findings into robust, high-fidelity detections with low false-positive rates.
- Establish, own, and maintain the central detection library, ensuring detections are version-controlled, tested, documented, and mapped to MITRE ATT&CK coverage.
- Champion Detection-as-Code, implementing Git-based workflows, CI/CD pipelines, automated testing, and peer review for all detection content.
- Define and track detection coverage, efficacy, and quality metrics (e.g. ATT&CK coverage, detection fidelity, time-to-detect) and report on detection posture to senior leadership.
- Lead detection validation and tuning through adversary emulation, purple-team exercises, and breach-and-attack-simulation tooling (e.g. Atomic Red Team, Caldera).
- Support the integration of AI and automation into detection workflows – including AI-assisted detection authoring, enrichment, and triage – and lead detection efforts for AI/GenAI-specific threats.
- Partner with SOC, Threat Hunting, CTI, Incident Response, and Vulnerability Management to close detection gaps identified during incidents and hunts.
- Govern the full detection lifecycle: intake, development, testing, deployment, monitoring, tuning, retirement, and continuous improvement.
- Evaluate and onboard new log sources, telemetry, and tooling to expand detection coverage across the global estate.
- Set standards for detection documentation, runbooks, and response guidance so every detection is clear and actionable for the SOC.
Qualifications
We are looking for a candidate for the Threat-Led Detection Engineer Lead role who has the following:
Must-have
- 5+ years in cyber security with detection engineering experience, including a track record of leading, mentoring, or coordinating technical teams.
- Strong cyber security mindset with a deep, thorough understanding of adversary behaviour, attacker tradecraft, and the modern threat landscape.
- Expert knowledge of the MITRE ATT&CK framework, the Cyber Kill Chain, and the Diamond Model, with proven ability to map and drive detection coverage against them.
- Proven expertise writing, testing, and maintaining detection rules across SIEM and EDR/XDR platforms (e.g. Microsoft Sentinel, Splunk, Elastic, CrowdStrike, Microsoft Defender XDR), using query languages such as KQL, SPL, EQL, or Sigma.
- Demonstrated ability to develop high-fidelity detections swiftly in response to emerging threats, intelligence, and live incidents.
- Experience owning and maturing a detection library, including detection lifecycle governance and ATT&CK coverage mapping.
- Hands-on experience with Detection-as-Code: Git, version control, CI/CD pipelines, and automated testing of detection content.
- Understanding of AI/ML in security operations and awareness of AI-specific threats (prompt injection, model/data poisoning, sensitive-data exposure via GenAI), with familiarity with the OWASP LLM Top 10 and MITRE ATLAS.
- Exceptional written and verbal communication skills, able to convey complex technical concepts to both engineers and non-technical stakeholders, including executives.
Good to have
- Strong threat-hunting mindset and hands-on hunting experience to proactively surface detection gaps and feed detection development.
- Scripting and automation skills (e.g. Python, PowerShell) for tooling, enrichment, and SOAR integration.
- Familiarity with detection data pipelines (log routing, parsing, normalisation, data lakes) and how they affect detection quality.
We’re committed to equal employment opportunity and provide application, interview and workplace adjustments and accommodations to all applicants. If you foresee any barriers, from the application process through to joining WTW, please email.
Employer for Threat-Led Detection Engineer - Lead in London: WTW
WTW is an exceptional employer that fosters a dynamic and inclusive work culture, prioritising employee growth and development within the Global Information and Cyber Security Defence team. With a commitment to innovation and excellence, employees benefit from a collaborative environment that encourages mentorship and the sharing of expertise, while also offering opportunities for global travel and engagement with cutting-edge technologies in the ever-evolving cyber security landscape.
StudySmarter Expert Advice🤫
We think this is how you could land Threat-Led Detection Engineer - Lead in London
✨Get Involved in the Cybersecurity Community
Diving into the cybersecurity community is key for landing that full-time gig. Join forums like Reddit's r/cybersecurity or attend local meetups to connect with industry veterans and other job seekers. Networking is everything in this field—don’t just be a passive lurker!
✨Show Off Your Skills with Capture the Flag Competitions
Participate in Capture the Flag (CTF) competitions; these are not just a fun way to boost your skills but also a chance to showcase your talent to potential employers. Many companies, including WTW, love seeing candidates who actively engage in these challenges.
✨Tailor Your Online Presence
Make sure your LinkedIn and any professional profiles reflect your cybersecurity expertise. Share your projects, whether they’re personal or from a previous role, to catch the eye of hiring managers. This is how they’ll find your passion and commitment to the field!
✨Apply Directly Through WTW
Don’t forget to head straight to WTW’s website and check out any openings for cybersecurity roles. Applying directly can sometimes give you an edge, especially if you can mention that you've been following WTW’s work or engaging in the community.
Some tips for your application 🫡
Show off your technical skills: In cybersecurity, it's crucial to highlight your technical prowess. Make sure your CV showcases specific skills like network security, penetration testing, or threat analysis. If you have relevant certifications (like CEH or CISSP), pop those on the front page to grab attention!
Tailor your portfolio for the role: Even for a full-time role, a portfolio can set you apart. If you've worked on any cybersecurity projects—be it CTF challenges, security assessments, or research papers—include these in your application. This demonstrates not just your skills, but also your hands-on experience!
Use real-world examples: When writing your cover letter, don’t just stick to your qualifications. Share real-world examples of how you’ve tackled security issues or vulnerabilities. This gives the hiring team at WTW insight into your practical problem-solving abilities and makes your application memorable.
Demonstrate your passion for cybersecurity: Cybersecurity is an ever-evolving field, so show that you’re always learning! Mention any recent courses, webinars, or industry events you’ve attended. This not only exhibits your enthusiasm but also signals to WTW that you’re committed to staying ahead in the game.
How to prepare for a job interview at WTW
✨Sharpen Your Technical Skills
For a role in cybersecurity, it’s essential to be up-to-date with the latest tools and techniques. Brush up on your knowledge of firewalls, intrusion detection systems, and vulnerability assessment tools. Be ready to discuss specific scenarios where you’ve applied these skills, as hands-on experience can really set you apart in interviews.
✨Prepare for Scenario-Based Questions
Expect the interviewers at WTW to throw in some hypothetical situations to see how you’d handle them. Think about common security breaches or incidents and be prepared to explain how you would respond. This not only shows your problem-solving skills but also your understanding of real-world cybersecurity challenges.
✨Highlight Your Certifications
Certifications like CompTIA Security+, CISSP, or CEH can give you a significant edge in a full-time role in cybersecurity. Make sure to mention these during your interview and be prepared to discuss what you learned through those certifications and how they relate to the position at WTW.
✨Show Your Passion for Cybersecurity
Since you’re going for a full-time gig, showing genuine enthusiasm for the field can make all the difference. Share any personal projects, blogs, or communities you’re part of that relate to cybersecurity. This not only showcases your passion but also your commitment to staying engaged in this ever-evolving field.