Principal Threat Detection Engineer - Blue Team

We’re building a world of health around every individual — shaping a more connected, convenient and compassionate health experience. At CVS Health®, you’ll be surrounded by passionate colleagues who care deeply, innovate with purpose, hold ourselves accountable and prioritize safety and quality in everything we do. Join us and be part of something bigger – helping to simplify health care one person, one family and one community at a time.

Position Summary

The Principal Threat Detection Engineer serves as a senior, highly technical individual contributor responsible for the design, implementation, and continuous evolution of advanced threat detection capabilities across the enterprise. This role owns the development and optimization of detection logic leveraging Microsoft Security tooling, CrowdStrike, Splunk Cloud, Cribl, and related SOC platforms to identify sophisticated adversary activity spanning endpoint, network, and cloud environments. A core focus of the role is proactive threat hunting and the identification of behavioral indicators that improve visibility into novel and emerging attack techniques.

In this capacity, the Principal Threat Detection Engineer leads detection engineering strategy and execution, building, tuning, and automating high‑fidelity alerts using SIEM and analytics platforms such as Splunk Cloud, Microsoft Sentinel, and Cribl. The role applies deep knowledge of query languages (including KQL) and custom detection logic to reduce noise, improve precision, and increase analyst efficiency. Detection capabilities are continuously iterated based on adversary tradecraft, environmental changes, and lessons learned from active investigations and simulations.

The role operates at the intersection of offensive and defensive security, collaborating closely with threat hunting, incident response, and purple team partners to translate adversary emulation and penetration testing findings into actionable detection improvements aligned to the MITRE ATT&CK framework. The position integrates threat intelligence and supports active incident investigations by providing insight into attacker behavior and detection blind spots. Through continuous innovation and a strong understanding of regulatory and compliance considerations (e.g., PCI-DSS, HIPAA, NIST, ISO 27001), the Principal Threat Detection Engineer strengthens the organization’s overall detection maturity and cyber resilience.

Role Responsibilities:

Detection Engineering & Threat Hunting

• Design, deploy, and continuously optimize high‑fidelity detections across SIEM platforms including Microsoft Sentinel, Splunk Cloud, and Cribl.
• Lead proactive threat hunting using Microsoft Defender, CrowdStrike, and other SOC tools to identify advanced and emerging adversary activity.
• Develop custom detection logic and automation using KQL, SPL, and scripting, iterating based on threat intelligence and environmental changes.

Adversary Emulation & Purple Teaming

• Design and execute adversary emulation and purple team exercises to evaluate and improve detection and response effectiveness.
• Partner with defensive teams to translate offensive findings into actionable improvements aligned to the MITRE ATT&CK framework.
• Support penetration testing efforts and produce actionable assessments highlighting detection gaps and remediation opportunities.

Threat Intelligence & Incident Response Support

• Integrate internal and external threat intelligence into detection strategies to prioritize risk and adapt alert logic.
• Support active incident investigations by providing insight into adversary tactics, detection blind spots, and response opportunities.

Detection Strategy & Risk Visibility

• Contribute to the development of enterprise‑wide threat detection strategy aligned with risk management objectives.
• Communicate detection coverage, gaps, and effectiveness to security leadership through clear, actionable reporting.

Required Qualifications

• 10+ years of experience in threat detection, hunting, penetration testing, and/or offensive security.
• 7+ years of experience in Microsoft Security tools (Defender for Endpoint, Sentinel), CrowdStrike, Splunk Cloud, and Cribl.
• 5+ years of experience with KQL, SPL, Python, PowerShell, or Bash scripting for automation and detection logic.

Preferred Qualifications

• Relevant certifications such as OSCP, GCIH, GCIA, CISSP, CEH, or Microsoft Azure Certification.
• Experience in managing or participating in purple team exercises.
• Familiarity with compliance standards like PCI-DSS, HIPAA, or ISO 27001.
• Strong understanding of the MITRE ATT&CK framework and security standards (NIST, CIS).
• Strong communication skills to convey complex security issues to non-technical stakeholders.

Education

• Bachelor’s degree or equivalent experience (High School Diploma and 4 years relevant experience)

Pay Range

The typical pay range for this role is:

$144,200.00 - $288,400.00

This pay range represents the base hourly rate or base annual full-time salary for all positions in the job grade within which this position falls.  The actual base salary offer will depend on a variety of factors including experience, education, geography and other relevant factors.  This position is eligible for a CVS Health bonus, commission or short-term incentive program in addition to the base pay range listed above.  This position also includes an award target in the company’s equity award program. 
 

Our people fuel our future. Our teams reflect the customers, patients, members and communities we serve and we are committed to fostering a workplace where every colleague feels valued and that they belong.

Great benefits for great people

We take pride in offering a comprehensive and competitive mix of pay and benefits that reflects our commitment to our colleagues and their families.

This full‑time position is eligible for a comprehensive benefits package designed to support the physical, emotional, and financial well‑being of colleagues and their families. The benefits for this position include medical, dental, and vision coverage, paid time off, retirement savings options, wellness programs, and other resources, based on eligibility.

Additional details about available benefits are provided during the application process and on Benefits Moments.

We anticipate the application window for this opening will close on: 05/11/2026

Qualified applicants with arrest or conviction records will be considered for employment in accordance with all federal, state and local laws.