Design, build, and validate SQL-based behavioral detections at petabyte scale; create reusable detection datasets and demo environments; define network probe and data-collection strategy; integrate detection output with customer SIEM/EDR stacks; deliver hands-on technical pilot support and produce runbooks and playbooks.
About Ocient:
Ocient is building OcientAIQ™ – a complete ecosystem for delivering trusted agentic AI solutions at petabyte scale, for the organizations that can't afford to get AI wrong. Our customers protect networks, secure nations, and power the global economy. The problems we solve are genuinely hard, and the work matters.
Founded in 2016 by the team that built Cleversafe (acquired by IBM in 2015), Ocient is headquartered in Chicago with a remote-first global team. We are a carbon-neutral company backed by leading investors including Greycroft, OCA Ventures, In-Q-Tel, and Buoyant Ventures.
Job Title: Network Infrastructure & Security Engineer (Detection Engineering)
Location: Remote (US Only)
Travel up to 10–25%, concentrated around customer pilots and detection validation on-site
*We cannot sponsor or transfer any visas, of any kind now or in the future (ex. OPT, EAD, H1B, H4, etc.)*
Estimated salary range:
Base: $170,000 to $210,000
Expected OTE: $226,000 to $280,000
• The salary offered for this position will be based on a candidate’s experience and skill demonstrated during interviews and other evaluations
Position Overview
Ocient's data engine already ingests and queries full-fidelity network and security telemetry — NetFlow/IPFIX, DNS, authentication, endpoint, and cloud audit data — at petabyte scale, retaining 12–24 months without sampling and querying it in seconds. We're putting that engine to work as the data layer that behavioral baselining, threat hunting, and agentic AI detection run against, and we know exactly the kind of engineer it takes to build what runs on top of it.
We're hiring a Network Infrastructure & Security Engineer who leads by doing. This is a builder role, not a figurehead or advisory position: you'll be the one writing SQL-based detections, building the datasets and demo environment used to develop and prove them out, and making the calls on network probe and data-collection strategy as we grow. You'll work closely with the Practice Leader and the rest of the Solutions team, but the work happens with you down in the weeds, not above them.
customer outcomes.
Responsibilities
• Write detection logic. Design, write, and maintain SQL-based behavioral detections and anomaly-scoring logic on top of Ocient's engine — lateral movement, C2 beaconing, DNS tunneling, data exfiltration, and low-and-slow attack patterns using rolling 7/30/90-day baselines.
• Run the technical program day to day. Build, test, tune, and validate detections against real and simulated telemetry, hands-on — not just define requirements for someone else to build.
• Build the datasets and demo environment. Work with the team building the demo environment to generate the underlying datasets needed to develop and showcase detections and use cases, alongside the broader platform build-out.
• Make the work reusable. Build detection logic so it generalizes (~90% reusability) across the industries we support — financial services, telecommunications, energy, healthcare, and government — rather than as vertical-specific one-offs.
• Shape network probe & data collection strategy. Evaluate and help define our approach to high-volume network data capture, including tradeoffs between commercial probes (Gigamon, NetQuest) and lower-cost or open-source alternatives (e.g., Zeek/Suricata-based collection).
• Keep integrations clean. Make sure detections and enrichment output integrate cleanly with customers' existing SIEM/EDR stack (Splunk, Chronicle, Sentinel, CrowdStrike) so adoption doesn't require a rip-and-replace.
• Deliver hands-on during customer pilots. Provide hands-on technical delivery during customer proof-of-value pilots — configuring ingestion, tuning baselines, and validating detections against a customer's actual telemetry.
• Document as you go. Write up detection logic, runbooks, and technical playbooks so the team's detection library is maintainable and transferable as we grow.
Ideal Qualifications
• 5+ years in network security engineering, detection engineering, or SOC/threat hunting roles, with direct, hands-on experience building detection content — not just consuming or tuning vendor-supplied rules.
• Strong working experience with network telemetry: NetFlow/IPFIX, DNS logs, and PCAP analysis at scale.
• Demonstrated experience writing detection logic or correlation content (Sigma rules, SIEM correlation rules, or custom SQL-based detections).
• Proficiency in SQL and comfort working directly in large-scale data platforms or data warehouses.
• Familiarity with network probe/sensor technologies (Gigamon, NetQuest, or open-source equivalents such as Zeek or Suricata) and the tradeoffs between them.
• Solid understanding of the MITRE ATT&CK framework and behavioral/statistical anomaly detection methods (baselining, z-score deviation, peer-group analysis).
• Experience integrating detection output with SIEM/SOAR/EDR platforms (Splunk, Chronicle, Sentinel, CrowdStrike, SentinelOne, or similar).
• Comfortable operating independently in a build-from-scratch, startup-within-a-company environment — this role will define as much process as it executes against.
An Exceptional Candidate Will Have
• Experience with carrier-scale signaling protocols (Diameter, SS7) relevant to telecom security use cases.
• Scripting/programming ability (Python) for automation, enrichment pipelines, and tooling.
• Experience with cloud audit log analytics (AWS CloudTrail, Azure Activity Log, GCP Cloud Audit).
• Experience with OT/ICS telemetry (Modbus, DNP3, IEC 61850) or protocols relevant to critical infrastructure.
• Active security clearance, or eligibility to obtain one, for future government/defense engagements.
Interview Requirements: All interviews are conducted via video and require candidates to have their camera on for the duration of the session. The use of video filters, face-altering effects, or virtual backgrounds is not permitted for security and verification purposes.
We are not open to using an agency or staffing company at this time. We do not accept unsolicited agency or staffing resumes and we are not responsible for any fees related to unsolicited resumes.
Ocient is an equal employment opportunity employer. All qualified applicants will receive consideration for employment without regard to race, creed, color, religion, sex (including pregnancy status), sexual orientation, gender identity, national origin or ancestry, ethnicity, citizenship status, age, physical or mental disability, veteran status, marital status, parental status, genetic information, or any other characteristic protected by applicable local laws, regulations and ordinances. If you need assistance with religious accommodations and/or a reasonable accommodation due to a disability during the application process, please contact [email protected] for more information.
All official Ocient job postings and recruiting communications will come directly from our team via our Careers page, LinkedIn, or from an ocient.com email address. If you receive communication about a role from any other source, please treat it with caution and direct questions to [email protected].
Ocient Chicago, Illinois, USA Office
100 N. Riverside Plaza Suite 800, Chicago, IL, United States, 60606