
Security Engineer - Threat Intel
Compensation
$320,000-$405,000
Description
About the Role:
Anthropic sits at the frontier of AI development, which makes us one of the most interesting targets in the world for nation-state and advanced criminal actors. The Threat Intelligence function within our Detection & Response team exists to make sure we see them coming. As a Threat Intelligence Engineer, you'll be a hands-on practitioner responsible for producing the actionable intelligence that drives our detections, hunts, and defensive priorities. You'll track the adversaries most likely to target a frontier AI lab, build the tooling and pipelines that turn raw indicators into operational defenses, and work shoulder-to-shoulder with detection engineers and incident responders to make sure intelligence actually changes outcomes. This is a builder's role on a small, high-leverage team — you'll have broad latitude to shape how threat intelligence is collected, analyzed, and operationalized at Anthropic.
Responsibilities:
- Research, track, and report on threat actors and campaigns targeting AI labs, cloud infrastructure, and the broader technology sector — producing timely, actionable intelligence for Security Engineering stakeholders
- Build and maintain tooling and automated pipelines to collect, enrich, correlate, and operationalize indicators of compromise into our detection and alerting stack
- Develop and execute intelligence-driven threat hunts across endpoint, cloud, identity, and SaaS telemetry, and turn findings into durable detections
- Perform technical analysis of malware, phishing infrastructure, and attacker tooling to extract indicators, TTPs, and attribution signals
- Partner with Detection Engineering and Incident Response to translate intelligence into detection rules, hunting hypotheses, and incident context in near-real-time
- Curate and triage inbound intelligence from commercial feeds, open source, government, and trusted peer relationships — prioritizing what matters for Anthropic's threat model
- Contribute to threat models and risk assessments that inform security architecture and defensive investment across the enterprise
- Build and maintain external intelligence-sharing relationships with peer companies, ISACs, and government partners
You may be a good fit if you:
- Have 5+ years of hands-on experience in cyber threat intelligence, threat hunting, or intrusion analysis at an organization facing sophisticated adversaries
- Have deep, demonstrable knowledge of specific nation-state or advanced criminal threat actors — their tooling, infrastructure patterns, tradecraft, and targeting
- Are a strong engineer: you write production-quality Python (or similar), have built automation and data pipelines, and don't need to hand requirements to someone else to get tooling built
- Are comfortable performing malware analysis, infrastructure analysis (passive DNS, certificate pivoting, netflow), and log analysis to develop and validate your own findings
- Have experience authoring detection logic (YARA, Sigma, Snort/Suricata, or SIEM-native queries) and understand what makes a detection durable vs. brittle
- Can write clearly and concisely — your intelligence products are read and acted on, not filed away
- Have an existing network in the threat intelligence community and a track record of productive bidirectional sharing
Strong candidates may have:
- Experience defending cloud-native and research-heavy environments (AWS/GCP, Kubernetes, ML infrastructure, developer tooling and supply chain)
- Prior work operating in a threat intelligence role tracking sophisticated or state-sponsored adversaries, where your analysis directly informed detection, threat hunting, and incident response
- Experience applying LLMs or other AI tooling to accelerate intelligence collection, enrichment, and analysis
- Public research, conference talks, or open-source tooling contributions in the CTI space
Deadline to apply: None. Applications will be received on a rolling basis.
- Posted: Apr 22, 2026
- Last seen: Jun 25, 2026
- First seen: Jun 25, 2026
- Status: active