Insider Threat Engineer

• It is an 100% Onsite Position
  
• Selected candidate must be willing to work on-site in Woodlawn, MD 5 days a week.
  

• Technical Engineering and Automation, Cyber Threat Detection & Analysis, Policy, SOP Development & Reporting
  

• Engineer, implement, and maintain User Activity Monitoring (UAM) solutions, ensuring continuous visibility into user behavior and privileged activity.
  
• Build and maintain Splunk dashboards to visualize UAM data, insider threat indicators, and program metrics.
  
• Automate repetitive tasks and data pipelines using Ansible, Python, or JSON to enhance detection, alerting, and reporting efficiency.
  
• Support integration of UAM with other enterprise cybersecurity tools and platforms (e.g., SIEM, DLP, EDR, SOAR).
  
• Collaborate with the SOC, forensic analysts, and cyber threat intel units to enrich UAM data with contextual intelligence.
  

• Develop and refine methods to extract, analyze, and correlate data from clients IT systems to proactively detect potential insider threats.
  
• Monitor and analyze trends in cyber activity and anomalous behavior to assess risks to clients confidentiality, availability, and integrity.
  
• Leverage feeds, incident reports, and threat briefs to assess relevance to client environment and enhance the program's threat modeling capability.
  
• Collaborate with internal partners such as the cyber threat intelligence, supply chain risk, and forensic investigation teams to share findings and develop holistic mitigations.
  

• Assist with the enhancement and documentation of enterprise-wide Standard Operating Procedures (SOPs) related to Insider Threat use cases and detection logic.
  
• Prepare and present insider threat briefings to program leadership and executives, following agency writing and presentation standards.
  
• Contribute to Insider Threat Work Status Reports with detailed analytics, visuals (charts/dashboards), and recommendations.
  

Requirements

• Bachelor's degree in Cybersecurity, Information Technology, Computer Science, or a related field.
  
• Proven experience in cybersecurity, insider threat analysis, or a related area.
  
• Demonstrated experience deploying and managing User Activity Monitoring (UAM) solutions in production.
  
• Proficiency in Splunk ? including dashboard development, data ingestion, and search optimization.
  
• Hands-on skills with Ansible, Python, and JSON for automation and data parsing.
  
• Solid understanding of networking and firewall fundamentals, including how monitoring tools interact across segmented architectures.
  
• Familiarity with Palo Alto Networks firewalls and their logging capabilities (useful for correlating user activity across layers).
  
• Strong analytical and problem-solving skills; ability to make data-driven recommendations.
  
• Excellent written and verbal communication skills, particularly in conveying technical insights to leadership.
  
• Must be able to obtain and maintain a Public Trust. Contract requirement.
  

• Demonstrated experience deploying and managing User Activity Monitoring (UAM) solutions in production.
  
• Ability to make decisions based upon analysis of documentation.
  
• Experience with endpoint monitoring tools, SIEM/SOAR integrations, and identity-based risk scoring.
  
• Working knowledge of DLP, EDR, or behavioural analytics platforms in support of insider threat detection.
  
• Experience working in a classified environment and delivering briefings in SCIF settings.
  
• Understanding of NIST 800-53 and related to Insider Threat Programs.
  

• Experience with federal regulatory requirements and compliance standards related to cybersecurity.
  
• Knowledge of programming, Splunk automation, network and firewall operations.
  
• Familiarity with security tools and technologies used for threat detection and analysis.
  
• Security certifications (e.g., CISSP, CISM, CEH, CompTIA Security+) are a plus.