Job Details:
Job Title: CrowdStrike threat detection consultant
Location: 100% Remote
Duration: 6+ Months. The contract is highly likely to be extended
Job Description
We're hiring a Senior Security Operations Engineer on a 6-month contract to strengthen Life360's security operations capacity while we build out the team.
The role is to keep operational throughput high, build production-quality detection content, and own incident response shoulder-to-shoulder with the rest of Information Security.
You'll inherit a working environment, not a blank slate. CrowdStrike Falcon is deployed and Expel is the MSSP. Jira drives case management. Slack drives incident workflow. Playbooks for vishing/AiTM, phishing triage, DLP, and insider threat exist and are actively used. We need a senior practitioner who can plug in fast, take cases off the queue, and leave behind detections and documentation that the Life360 team owns the day the contract ends.
What you'll do
Run security operations
Participate in the security on-call rotation as a primary responder. Lead tier-2 and tier-3 incident response for cases the SOC and MSSP escalate. Drive cases from triage through containment and post-incident review. Hit measurable TTD and TTR targets and contribute to the metrics program that tracks them.
Manage the Expel escalation queue end-to-end. Provide structured feedback to the MSSP on alert quality, false positives, and missed signals so the relationship gets more valuable over time, not less.
Ship detection content
Build and tune detections in CrowdStrike and adjacent platforms across cloud, identity, endpoint, email, and SaaS. Every detection comes with a documented hypothesis, MITRE ATT&CK mapping, expected precision, a tuning plan, and a runbook the on-call engineer can follow.
Close coverage gaps identified through threat hunts and post-incident reviews. Existing priorities include USB exfiltration patterns, DPRK IT worker TTPs, AiTM and session-hijack patterns, and insider threat indicators.
Write the playbooks the team will keep using
Author and update incident response playbooks. Every playbook is executable, not aspirational. It leads with action, names the tools and queries, defines decision points, and gets tested against a real or simulated incident before it ships.
Hunt and harden
Run scoped threat hunts against documented hypotheses. Convert hunt findings into detections, tickets, or written-down accepted risks. Never leave a hunt result undocumented.
Hand off cleanly
Knowledge transfer is a graded deliverable, not a closeout task. Every detection, playbook, dashboard, and investigation artifact is in a state where a Life360 engineer can own it the day the contract ends. Document the tradeoffs you made, the gaps you didn't close, and any assumptions that weren't validated, so the team inheriting the work knows what's solid and what still needs attention.
What we're looking for
Required
- 4-6 years of hands-on detection engineering, incident response, or SOC engineering experience. Operates at the level of a Senior Security Engineer 2 or higher: solves complex incidents independently, mentors others, and makes well-reasoned decisions about detection content and response actions without needing direction.
- Production detection content experience in a modern SIEM or XDR platform - CrowdStrike, Splunk, Elastic, Sentinel, Panther, or similar. You can show specific detections you authored, the precision they ran at, and how you tuned them.
- Strong incident response background. You've led multi-hour, multi-stakeholder incidents end-to-end and written the post-incident review afterward.
- Cloud detection experience - AWS CloudTrail, IAM, GuardDuty at minimum. Google Cloud Platform and identity (Okta or equivalent) experience strongly preferred.
- Comfort writing production-grade code or directing AI coding tools to do it. Detections, queries, parsers, and small automation in Python or similar. We use Claude Code heavily and expect the contractor to do the same.
- Excellent written communication. Playbooks, post-incident reviews, and detection documentation are core deliverables, not afterthoughts.
Strongly preferred
- CrowdStrike detection authoring experience.
- MSSP relationship management experience from the customer side.
- Insider threat investigation experience, especially data exfiltration cases.
- Familiarity with Atlassian (Jira, Confluence) and Slack as the primary case and incident workflow surface.
Nice to have
- Prior contractor experience in security operations. You know how to plug into an existing team without reorganizing it.
- DPRK IT worker, nation-state TTP, or M&A integration security experience.
- Detection content published openly (Sigma rules, blog posts, conference talks).