Rapid7 is looking for security practitioners with engineering chops (or engineers with security chops) to support Rapid7's 24x7 Managed Detection and Response (MDR), Incident Response (IR), and Threat Intelligence and Detection Engineering (TIDE) teams. This role needs people that thrive off delivering practical solutions for the problems of today, iterating on existing solutions, and proactively prototyping to head off the security problems of tomorrow. A member of this team would act as a true force multiplier for front-lines security practitioners, unveiling new capabilities and automating any repetitive actions to both dramatically enhance the quality of life and optimize every click they make. Your ability to successfully carry out the core functions of this role will require strong communication skills, high ops-tempo, and unwavering sense of self-accountability.
Alignment: Take the initiative to make analytical decisions easier and less taxing. This is the ardent belief that an analyst shouldn't have to worry about fighting their tech stack and leveraging your familiarity with infosec to understand and predict what analysts need.
If given a 10 Gb CSV of log data, can you make the data inside of it do something useful other than make analysts cry uncontrollably or blow up an analyst's laptop?
Can you take the above log data and interrogate APIs to enrich important data points, decode and transform obfuscated PowerShell, and present matches against rule logic to the analyst?
Can you scalably tie together all these pieces in a system that launches forensic jobs, collects and transforms data, and displays results in an easy-to-explore manner (e.g. an ELK stack) with a push of a button by the analyst?.
Velocity: There is a natural tension between getting it done fast and getting it done right. We expect our engineers to find the right balance between these two competing priorities. If we stop innovating, we die in the water, but always work smarter. It's not just code: fix inadequate processes, teach, present, etc.
Can you work in an environment where each member of your team deploys a solution end-to-end, multiple times per week?
Can you be fluid enough to concurrently handle ops responsibilities in an environment where the delivery of a solution doesn't stop at deployment (think SRE/DevOps)?
Can you take a high-level view of existing systems and find gaps in logging, monitoring, alerting, and deployment testing to ensure ops work can be handled efficiently while also enhancing and enabling CI/CD to speed up turnaround time on planned work?
Accountability: Continuous progress, "picking up a shovel," and maintaining a strong relationship with practitioners via the quality and integrity of your work. Your products speak to your acumen as a technical expert — we don't do guesswork. With creative freedom comes trust, and that means accountability.
Do you possess the drive to independently run down problems? If given the tools and opportunity, can we trust that you can find your own personal gaps to proactively build yourself up?
Can you demonstrate a forthright account of what realistic capabilities and expectations are? We can train you to communicate solutions and outcomes cleanly and clearly, but we don't promote "salesmanship" in technical work.
When made aware of a needed feature, or issue, can you comfortably manage the research, scoping, implementation, deployment, and then monitoring of said resolution such that it's readily apparent that any issue you touch is well and truly handled in its entirety?
...Aligned to the SOC's needs
Data Analysis: Pandas, JQ, PostgreSQL, MongoDB, Elastic, and any AWS corollaries
Data Delivery: DBs/Forensic Artifacts/etc <-> JSON, CSVs, Datatables
Data Accessibility: API-first, scripts/CLI tools, web apps, controlled cloud access (AWS)
Data Relevance: what data the SOC needs, why they want it, and how they need it
...Deployed at a high cadence (DevOps):
CI/CD: Github -> Jenkins (Chef, Saltstack, Ansible, Puppet experience also works)
IAC: Terraform (Cloudformation, etc also works)
Local scripts made available and maintained for immediate use
programmatic: unit tests, integration tests, linting, etc
functional: locally via docker, in test environments, and via monitoring in prod
live: Log monitoring, alarms (datadog, etc), & rotating on-call. Think SRE