Principal Threat Detection Engineer - Blue Team
CVS Health · New York, NY
- On site
- Full-time
- $144,200 / year
Job highlights
- Design advanced threat detection capabilities.
- Develop detection logic using Microsoft, CrowdStrike, Splunk.
- Lead proactive threat hunting and adversary emulation.
- Collaborate with incident response and purple teams.
- Strengthen enterprise cyber resilience and detection maturity.
About the role
Principal Threat Detection Engineer
We’re building a world of health around every individual — shaping a more connected, convenient and compassionate health experience. At CVS Health®, you’ll be surrounded by passionate colleagues who care deeply, innovate with purpose, hold ourselves accountable and prioritize safety and quality in everything we do. Join us and be part of something bigger – helping to simplify health care one person, one family and one community at a time.
Position Summary
The Principal Threat Detection Engineer serves as a senior, highly technical individual contributor responsible for the design, implementation, and continuous evolution of advanced threat detection capabilities across the enterprise. This role owns the development and optimization of detection logic leveraging Microsoft Security tooling, CrowdStrike, Splunk Cloud, Cribl, and related SOC platforms to identify sophisticated adversary activity spanning endpoint, network, and cloud environments. A core focus of the role is proactive threat hunting and the identification of behavioral indicators that improve visibility into novel and emerging attack techniques.
In this capacity, the Principal Threat Detection Engineer leads detection engineering strategy and execution, building, tuning, and automating high‑fidelity alerts using SIEM and analytics platforms such as Splunk Cloud, Microsoft Sentinel, and Cribl. The role applies deep knowledge of query languages (including KQL) and custom detection logic to reduce noise, improve precision, and increase analyst efficiency. Detection capabilities are continuously iterated based on adversary tradecraft, environmental changes, and lessons learned from active investigations and simulations.
The role operates at the intersection of offensive and defensive security, collaborating closely with threat hunting, incident response, and purple team partners to translate adversary emulation and penetration testing findings into actionable detection improvements aligned to the MITRE ATT&CK framework. The position integrates threat intelligence and supports active incident investigations by providing insight into attacker behavior and detection blind spots. Through continuous innovation and a strong understanding of regulatory and compliance considerations (e.g., PCI-DSS, HIPAA, NIST, ISO 27001), the Principal Threat Detection Engineer strengthens the organization’s overall detection maturity and cyber resilience.
Role Responsibilities
Detection Engineering & Threat Hunting
- Design, deploy, and continuously optimize high‑fidelity detections across SIEM platforms including Microsoft Sentinel, Splunk Cloud, and Cribl.
- Lead proactive threat hunting using Microsoft Defender, CrowdStrike, and other SOC tools to identify advanced and emerging adversary activity.
- Develop custom detection logic and automation using KQL, SPL, and scripting, iterating based on threat intelligence and environmental changes.
Adversary Emulation & Purple Teaming
- Design and execute adversary emulation and purple team exercises to evaluate and improve detection and response effectiveness.
- Partner with defensive teams to translate offensive findings into actionable improvements aligned to the MITRE ATT&CK framework.
- Support penetration testing efforts and produce actionable assessments highlighting detection gaps and remediation opportunities.
Threat Intelligence & Incident Response Support
- Integrate internal and external threat intelligence into detection strategies to prioritize risk and adapt alert logic.
- Support active incident investigations by providing insight into adversary tactics, detection blind spots, and response opportunities.
Detection Strategy & Risk Visibility
- Contribute to the development of enterprise‑wide threat detection strategy aligned with risk management objectives.
- Communicate detection coverage, gaps, and effectiveness to security leadership through clear, actionable reporting.
Required Qualifications
- 10+ years of experience in threat detection, hunting, penetration testing, and/or offensive security.
- 7+ years of experience in Microsoft Security tools (Defender for Endpoint, Sentinel), CrowdStrike, Splunk Cloud, and Cribl.
- 5+ years of experience with KQL, SPL, Python, PowerShell, or Bash scripting for automation and detection logic.
Preferred Qualifications
- Relevant certifications such as OSCP, GCIH, GCIA, CISSP, CEH, or Microsoft Azure Certification.
- Experience in managing or participating in purple team exercises.
- Familiarity with compliance standards like PCI-DSS, HIPAA, or ISO 27001.
- Strong understanding of the MITRE ATT&CK framework and security standards (NIST, CIS).
- Strong communication skills to convey complex security issues to non-technical stakeholders.
Education
Bachelor’s degree or equivalent experience (High School Diploma and 4 years relevant experience)
Pay Range
The typical pay range for this role is $144,200.00 - $288,400.00.
This pay range represents the base hourly rate or base annual full-time salary for all positions in the job grade within which this position falls. The actual base salary offer will depend on a variety of factors including experience, education, geography and other relevant factors. This position is eligible for a CVS Health bonus, commission or short-term incentive program in addition to the base pay range listed above. This position also includes an award target in the company’s equity award program.
Our people fuel our future.
Our teams reflect the customers, patients, members and communities we serve and we are committed to fostering a workplace where every colleague feels valued and that they belong.
Great Benefits For Great People
We take pride in offering a comprehensive and competitive mix of pay and benefits that reflects our commitment to our colleagues and their families.
This full‑time position is eligible for a comprehensive benefits package designed to support the physical, emotional, and financial well‑being of colleagues and their families. The benefits for this position include medical, dental, and vision coverage, paid time off, retirement savings options, wellness programs, and other resources, based on eligibility.
Additional details about available benefits are provided during the application process and on Benefits Moments.
We anticipate the application window for this opening will close on: 05/11/2026
Qualified applicants with arrest or conviction records will be considered for employment in accordance with all federal, state and local laws.
Key skills/competency
- Threat Detection Engineering
- Threat Hunting
- SIEM (Splunk Cloud, Microsoft Sentinel)
- Endpoint Detection and Response (CrowdStrike, Microsoft Defender)
- Scripting (KQL, SPL, Python, PowerShell, Bash)
- Adversary Emulation
- Purple Teaming
- Threat Intelligence Integration
- Incident Response Support
- MITRE ATT&CK Framework
Skills & topics
- Principal Threat Detection Engineer
- Threat Detection
- Threat Hunting
- Cybersecurity
- Blue Team
- SIEM
- Splunk
- Microsoft Sentinel
- CrowdStrike
- KQL
- Offensive Security
- Adversary Emulation
- Purple Teaming
- IT Security
- Information Security
How to get hired
- Tailor your resume: Highlight experience with threat detection, hunting, and scripting languages (KQL, SPL, Python).
- Showcase tool proficiency: Emphasize expertise in Microsoft Security, CrowdStrike, Splunk Cloud, and Cribl.
- Demonstrate offensive/defensive skills: Detail experience with adversary emulation, purple teaming, and MITRE ATT&CK.
- Prepare for technical interviews: Be ready to discuss detection strategies and analyze security scenarios.
- Understand the company: Research CVS Health's commitment to innovation and patient care.
Frequently asked questions
- What are the key tools used by a Principal Threat Detection Engineer at CVS Health?
  - The Principal Threat Detection Engineer at CVS Health will primarily work with Microsoft Security tools (Defender for Endpoint, Sentinel), CrowdStrike, Splunk Cloud, and Cribl. Proficiency in query languages like KQL and SPL, as well as scripting languages like Python, PowerShell, and Bash, is essential for developing custom detection logic and automation.
- What is the expected experience level for a Principal Threat Detection Engineer at CVS Health?
  - This is a senior individual contributor role requiring a minimum of 10 years of experience in threat detection, hunting, penetration testing, or offensive security. Additionally, 7 years of experience with specific tools like Microsoft Security, CrowdStrike, Splunk Cloud, and Cribl, and 5 years with scripting languages are required.
- How does the Principal Threat Detection Engineer role contribute to CVS Health's security posture?
  - The Principal Threat Detection Engineer significantly enhances CVS Health's security posture by designing, implementing, and optimizing advanced threat detection capabilities. This includes proactive threat hunting, adversary emulation, and integrating threat intelligence to identify and respond to sophisticated cyber threats, thereby strengthening overall cyber resilience.
- Are there opportunities for professional development for a Principal Threat Detection Engineer at CVS Health?
  - Yes, CVS Health offers a comprehensive benefits package that supports professional well-being. While not explicitly stated, roles at this level often involve continuous learning and staying updated with emerging threats and technologies, and preferred qualifications include relevant security certifications.
- What is the salary range for a Principal Threat Detection Engineer at CVS Health?
  - The typical pay range for this Principal Threat Detection Engineer role at CVS Health is between $144,200.00 and $288,400.00 annually. This base salary may be supplemented by bonuses, incentives, and equity awards.
- How does CVS Health approach diversity and inclusion for this role?
  - CVS Health is committed to fostering a workplace where every colleague feels valued and belongs, reflecting the diverse customers, patients, members, and communities they serve. This commitment extends to hiring practices, considering qualified applicants with arrest or conviction records in accordance with all applicable laws.