Senior Threat Researcher

The Senior Threat Researcher will specialize in monitoring, collecting, and analysing intelligence from underground forums, darknet markets, encrypted messaging platforms, and closed communities. This role complements the Threat Intelligence researchers by providing raw and contextual underground data that feeds into adversary profiling, enrichment pipelines, and client deliverables. The researcher will also help shape automation strategies for dark web monitoring within the CTI platform, working closely with analysts, AI/ML engineers, and incident responders.

• Underground Monitoring & Collection: Identify and infiltrate dark web marketplaces, forums, and closed channels (Telegram, IRC, Discord, etc.). Track threat actors’ chatter related to exploits, malware, credentials, and attack tools. Conduct HUMINT-style engagement when permissible and safe.
• Threat Data Harvesting: Extract and validate IOCs (hashes, domains, wallet addresses, C2 servers). Correlate underground findings with OSINT, malware telemetry, and CTI feeds. Provide early warning on data leaks, ransomware negotiations, and credential dumps.
• Collaboration with CTI & AI Teams: Feed structured underground intelligence into the CTI platform for enrichment and scoring. Partner with ML engineers to train NLP models for dark web text mining. Work with TI analysts to transform raw chatter into tactical and strategic intelligence.
• Reporting & Dissemination: Produce periodic dark web monitoring reports and client-specific alerts. Contribute to threat actor profiles, campaign tracking, and risk advisories. Provide insights to incident response and red team exercises.

• Technical Expertise: Deep knowledge of Tor, I2P, Freenet, and underground marketplaces. Familiarity with cryptocurrency ecosystems (Bitcoin, Monero, mixers, blockchain tracing). Proficiency in harvesting IOCs and mapping to frameworks like MITRE ATT&CK. Understanding of STIX/TAXII, MISP, and TI platform ingestion formats.
• Research & Intelligence: Strong OSINT/HUMINT tradecraft, ability to pivot from dark web to surface intel. Experience monitoring ransomware leak sites, carding forums, and exploit brokers. Analytical ability to contextualize underground activity in geopolitical/cybercrime terms.
• Tooling & Automation: Hands‑on with dark web monitoring tools (Flashpoint, KELA, DarkOwl, CyberSixgill, custom scrapers). Scripting for data extraction (Python, Scrapy, APIs). Familiarity with data visualization tools (Maltego, Kibana, Power BI).
• Soft Skills: Ability to communicate highly technical underground findings in executive-friendly language. Discretion, OPSEC awareness, and strong ethical boundaries. Collaborative mindset with TI analysts, IR, and platform engineers.

• 7–10 years in cybersecurity/cyber threat intelligence, with 5+ years focused on dark web research or underground monitoring.
• Demonstrated experience infiltrating and monitoring dark web communities.
• Strong record of correlating dark web findings with threat intelligence and incident response cases.
• Hands‑on exposure to CTI platforms (MISP, Anomali, ThreatConnect, Recorded Future, etc.). Familiarity with malware ecosystems, data leaks, and exploit sales.

• GCTI, GIAC Cyber Threat Intelligence, OSINT-specific certifications (Bellingcat, SANS OSINT), blockchain tracing certifications.