
Senior Cyber Threat Intelligence Specialist

NinjaOne

Germany

Hybrid

EUR 119.000 - 179.000

Full-time

Yesterday

Summary

A leading IT automation firm is seeking a Senior Cyber Threat Intelligence Specialist (CTI) to join their Trust team. In this role, you will enhance the CTI pipeline, own tooling and automations, and publish actionable intel reports. Experience with MITRE ATT&CK, TIP/TAXII platforms, and robust scripting skills are essential. This position offers flexibility with hybrid remote options and a comprehensive benefits package, making it ideal for professionals looking to balance work and life effectively.

Benefits

Medical, dental, and vision insurance
401(k) plan
Unlimited PTO
Growth and advancement opportunities

Qualifications

  • Experience translating TTPs into Sigma/SPL/KQL or YARA/EDR detection ideas.
  • Familiarity with sandboxing and malware triage.
  • Comfort interpreting network and endpoint artifacts.

Responsibilities

  • Operate and improve the CTI pipeline.
  • Own our TIP/TAXII ecosystem.
  • Publish actionable reporting with clear actions for SOC/DFIR.
  • Work with SOC/DFIR during active incidents.

Skills

Proven experience producing actionable intel
Strong grasp of MITRE ATT&CK
Hands-on with TIP/TAXII platform
Scripting (Python preferred)
Excellent writing and visualization skills
Near-fluent English (C1+)

Education

Relevant certifications (e.g., GCTI, GOSI, GCIA)

Tools

MISP/OpenCTI
SIEM/EDR/SOAR
Job Description
About the Role

Join our Trust team as Senior Cyber Threat Intelligence Specialist (CTI) to turn raw intelligence into action. You will own our intelligence intake, tooling, and automations; curate and enrich external and internal intel; and publish high‑quality, actionable reporting that directly sparks hunts and new detections for our SOC (Security Operations Center) and DFIR (Digital Forensics and Incident Response) team. You will partner tightly with Detection Engineering, Incident Response, and Cloud Security to translate adversary TTPs into hypotheses, hunts, and durable detection content mapped to MITRE ATT&CK. If you love building signal pipelines as much as writing clear, decision‑ready intel, this role is for you.

Location

We are flexible on remote working from home, if you are located in the USA and reside in one of the following states - CA, CO, CT, FL, GA, *IL, KS, MA, MD, ME, NJ, NC, NY, OR, TN, TX, VA, and WA. We have physical offices in Austin, TX and Tampa, FL, if you prefer a hybrid option.

We hire the best software engineers, but experience in our stack can’t hurt: NinjaOne is built on Java, Kotlin, C++, Golang and Postgres, supporting millions of user endpoints and running as a scalable cloud service in AWS. Knowing large‑scale datastore bottlenecks, asynchronous application design and client‑server architecture will help you.

What You’ll be Doing
  • Intake, Curation & Enrichment: Operate and improve the CTI pipeline: aggregate, normalize, deduplicate, and score intel from commercial, open‑source, ISAC/ISAO, and government feeds. Maintain PIRs (Priority Intelligence Requirements) with stakeholders and align reporting to those priorities. Enrich indicators and TTPs (WHOIS, passive DNS, sandboxing, URL/file reputations) and track adversary infrastructure changes over time.
  • Tooling & Automations: Own our TIP/TAXII ecosystem (e.g., MISP/OpenCTI or similar): uptime, schemas, tagging, TLP handling, data lifecycles, and automation jobs. Build/maintain ETL and enrichment automations (Python/PowerShell, serverless jobs, or pipelines) to reduce manual toil and noise. Integrate intel with SOC tooling (e.g., SIEM/EDR/SOAR) so hunts and detections stay fresh and relevant.
  • Actionable Reporting: Publish flash alerts, weekly intel briefs, and deep‑dive actor/TTP reports with a clear “so‑what” and concrete actions for SOC/DFIR. Convert intel into hunt packages: hypotheses, data sources, SPL/KQL/Sigma starting points, and validation steps. Partner with Detection Engineering to propose new rules, hardening opportunities, and coverage mappings to ATT&CK/D3FEND.
  • Collaboration & Governance: Work side‑by‑side with SOC/DFIR during active incidents to provide rapid context (infrastructure pivots, likely next moves, IOCs). Establish sharing norms (TLP, NDA, distribution lists) and ensure compliant handling of sensitive intel. Track efficacy: close the loop on which reports triggered hunts, which detections were adopted, and how much risk was reduced.
  • Other duties as needed
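The intake step described above (aggregate, normalize, deduplicate, score, handle TLP) and the Sigma hunt starting point described under Actionable Reporting, as one added example. This is not part of the posting and not NinjaOne's code: the three feeds, their record layout, the sample indicators and the scoring rule (highest feed confidence plus ten per corroborating feed) are constructed assumptions; the TLP 2.0 label ordering and the Sigma rule shape are standard.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

# Added example, not NinjaOne's code. Feed layout, sample records and the
# scoring rule are constructed assumptions.

# TLP 2.0 labels, least to most restrictive. When two sightings of the same
# indicator merge, the more restrictive label must win; never relax it.
TLP_ORDER = ["TLP:CLEAR", "TLP:GREEN", "TLP:AMBER", "TLP:AMBER+STRICT", "TLP:RED"]
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{2,63}$")
# Address space that is noise in a threat feed (RFC 1918, loopback, link-local,
# multicast). Documentation ranges are left through so the sample survives.
NOISE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "fc00::/7", "fe80::/10", "::1/128")]

# Constructed sample records from three hypothetical feeds: defanged values,
# mixed case, a trailing dot, RFC 1918 noise, and one domain seen by two feeds.
RAW_FEED_RECORDS = [
    {"feed": "commercial", "type": "domain", "value": "Evil-Update[.]example.", "tlp": "TLP:AMBER", "confidence": 90},
    {"feed": "osint", "type": "domain", "value": "evil-update.example", "tlp": "TLP:CLEAR", "confidence": 40},
    {"feed": "isac", "type": "ip", "value": "198.51.100[.]23", "tlp": "TLP:GREEN", "confidence": 70},
    {"feed": "osint", "type": "ip", "value": "10.0.0.5", "tlp": "TLP:CLEAR", "confidence": 60},
    {"feed": "osint", "type": "sha256", "value": "AB" * 32, "tlp": "TLP:CLEAR", "confidence": 50},
    {"feed": "commercial", "type": "url", "value": "hxxps://Evil-Update[.]example/payload.bin", "tlp": "TLP:AMBER", "confidence": 85},
]


@dataclass
class Indicator:
    ioc_type: str
    value: str
    tlp: str
    confidence: int
    feeds: set = field(default_factory=set)


def refang(value: str) -> str:
    """Undo common defanging so the same IOC from different feeds compares equal."""
    out = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\\\.", ".", value.strip())
    out = re.sub(r"^hxxp", "http", out, flags=re.IGNORECASE)
    return out.replace("[:]", ":")


def normalize(ioc_type: str, value: str):
    """Return the canonical form of an indicator, or None if invalid or noise."""
    v = refang(value)
    if ioc_type == "domain":
        v = v.lower().rstrip(".")
        return v if DOMAIN_RE.match(v) else None
    if ioc_type == "ip":
        try:
            addr = ipaddress.ip_address(v)
        except ValueError:
            return None
        return None if any(addr in net for net in NOISE_NETS) else str(addr)
    if ioc_type == "sha256":
        v = v.lower()
        return v if SHA256_RE.match(v) else None
    if ioc_type == "url":
        p = urlsplit(v)
        if p.scheme not in ("http", "https") or not p.hostname:
            return None
        return urlunsplit((p.scheme, p.netloc.lower(), p.path, p.query, ""))
    return None


def ingest(records):
    """Normalize, deduplicate and score raw feed records into Indicator objects."""
    merged = {}
    for rec in records:
        canon = normalize(rec["type"], rec["value"])
        if canon is None or rec["tlp"] not in TLP_ORDER:
            continue  # drop invalid, noisy or unlabelled records
        ind = merged.get((rec["type"], canon))
        if ind is None:
            merged[(rec["type"], canon)] = Indicator(
                rec["type"], canon, rec["tlp"], int(rec["confidence"]), {rec["feed"]})
            continue
        ind.feeds.add(rec["feed"])
        ind.tlp = max(ind.tlp, rec["tlp"], key=TLP_ORDER.index)  # keep the stricter TLP
        ind.confidence = max(ind.confidence, int(rec["confidence"]))
    for ind in merged.values():
        # Assumed scoring rule: highest confidence plus 10 per corroborating feed, cap 100.
        ind.confidence = min(100, ind.confidence + 10 * (len(ind.feeds) - 1))
    return sorted(merged.values(), key=lambda i: (-i.confidence, i.ioc_type, i.value))


def sigma_dns_hunt(indicators, max_tlp="TLP:AMBER"):
    """Sigma rule skeleton for domain IOCs at or below max_tlp, so the rule can be
    handed to a SOC cleared for that level. Returns None if nothing qualifies."""
    domains = sorted(i.value for i in indicators if i.ioc_type == "domain"
                     and TLP_ORDER.index(i.tlp) <= TLP_ORDER.index(max_tlp))
    if not domains:
        return None
    lines = ["title: CTI - DNS query for tracked adversary infrastructure",
             "status: experimental",
             "description: Hunt starting point from curated indicators; validate before promoting.",
             "logsource:", "  category: dns_query", "  product: windows",
             "detection:", "  exact:", "    QueryName:"]
    lines += [f"      - '{d}'" for d in domains]
    lines += ["  subdomain:", "    QueryName|endswith:"]
    lines += [f"      - '.{d}'" for d in domains]
    lines += ["  condition: exact or subdomain", "level: high"]
    return "\n".join(lines)


if __name__ == "__main__":
    curated = ingest(RAW_FEED_RECORDS)
    for ind in curated:
        print(f"{ind.tlp:<10} {ind.confidence:>3} {ind.ioc_type:<6} {ind.value} <- {sorted(ind.feeds)}")
    print(sigma_dns_hunt(curated))
```

Two design points matter in practice: the merge keeps the most restrictive TLP of any sighting, because a TLP:CLEAR duplicate must not let TLP:AMBER data leak into a wider distribution list; and the Sigma output is filtered by the recipient's clearance for the same reason. The generated rule is deliberately marked experimental: it is a hunt starting point that Detection Engineering validates against real DNS telemetry before it becomes durable detection content.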
About You
  • CTI Core: Proven experience producing actionable intel (flash notes to deep dives) tied to SOC/DFIR outcomes.
  • Frameworks: Strong grasp of MITRE ATT&CK (and ideally D3FEND) for mapping intel to hunts/detections.
  • Tooling: Hands‑on with a TIP/TAXII platform (MISP/OpenCTI or similar) and integrating intel into SIEM/EDR/SOAR.
  • Automation: Comfortable scripting (Python preferred) for ETL, enrichment, and API integrations; basic SQL/log querying.
  • Communication: Excellent writing and visualization skills—concise “so‑what,” clear action items, audience‑appropriate tone.
  • Ops Mindset: Pragmatic prioritization, PIRs discipline, and respect for TLP and legal/contractual boundaries.
  • English: Near‑fluent (C1+) with strong cross‑functional communication.
  • You will stand out if you have expertise in:
    • Experience translating TTPs into Sigma/SPL/KQL starting points or YARA/EDR detection ideas.
    • Familiarity with sandboxing and malware triage; comfort interpreting network and endpoint artifacts.
    • Cloud familiarity (AWS) and common security logs for hunts/detections.
    • Relevant certs (e.g., GCTI, GOSI, GCIA, GCFA, AWS Security, SSCP/CISSP) or equivalent hands‑on work.
About Us

NinjaOne automates the hardest parts of IT to deliver visibility, security, and control over all endpoints for more than 30,000 customers. The NinjaOne automated endpoint management platform is proven to increase productivity, reduce security risk, and lower costs for IT teams and managed service providers. NinjaOne is obsessed with customer success and provides free and unlimited onboarding, training, and support. NinjaOne is #1 on G2 in endpoint management, patch management, remote monitoring and management, and mobile device management.

What You’ll Love

We are a collaborative, kind, and curious community.

We honor your flexibility needs with full‑time work that is hybrid remote.

We have you covered with our comprehensive benefits package, which includes medical, dental, and vision insurance.

We help you prepare for your financial future with our 401(k) plan.

We prioritize your work‑life balance with our unlimited PTO.

We reward your work with opportunities for growth and advancement.

Additional Information

This position is NOT eligible for Visa sponsorship.

Due to federal government security requirements associated with our FedRAMP‑authorized environment, candidates must be U.S. citizens or lawful permanent residents.

*Due to operational policies, NinjaOne is unable to hire for this role within the city limits of Chicago. We will consider all qualified candidates who reside outside of the city proper or are willing to self‑relocate.

Starting pay for the successful applicant depends on a variety of job‑related factors, including but not limited to location, market demands, experience, job‑related knowledge, and skills. The benefits available for this position include medical, dental, vision, 401(k) plan, life insurance coverage and PTO. For roles based in California, Colorado, Maryland, New Jersey, or Washington the base salary hiring range for this position is $140,000 to $210,000 per year.

For roles based in New York, the base salary hiring range for this position is $140,000 to $210,000 per year.

All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, disability, genetic information, marital status, veteran status, or any other status protected by applicable law. We are committed to providing an inclusive and diverse work environment.
