Job Category: Software Engineering
Job Details
Role Description: As a Principal Threat Researcher (Counter-Threat Ops), you don't just track threats; you neutralize them. You are a key pillar of the Threat Intelligence (TI) team, specifically focused on the art of adversary disruption. You will lead the charge in identifying, tracking, and imposing friction on threat actors targeting the Salesforce ecosystem. This is a "hands-on-keyboard" technical leadership role as an individual contributor. You will perform deep-dive research across massive datasets to extract tactics, techniques and procedures (TTPs), build complex attacker profiles, and turn that intelligence into action. Whether you are partnering with hyperscalers to take down attacker infrastructure or working alongside multi-national law enforcement to support criminal prosecution, your goal is to make it expensive and dangerous for adversaries to operate against Salesforce and our Customers.
Responsibilities:
- Adversary Disruption & Denial: Lead initiatives to disrupt threat actor operations by leveraging Salesforce infrastructure and strategic partnerships with hyperscalers (AWS, GCP, MAS), CDNs, and network security providers.
- Law Enforcement Collaboration: Develop high-fidelity technical evidence and attribution data to support US and European law enforcement in the successful criminal prosecution of threat actors.
- Strategic Intelligence Ecosystem: Deepen Salesforce's reach into the broader cyber intelligence community, fostering peer-to-peer partnerships with other industry disruption teams to build a collective defensive picture.
- Advanced Threat Tracking: Perform expert-level tracking of advanced e-crime and state-sponsored actors, distilling complex tactics, techniques, and procedures (TTPs) into actionable intelligence for executives and technical stakeholders.
- Tactical Tooling & Automation: Build custom scripts, investigative tools, and automation (Python, SQL, Splunk) to scale research and enable "on-the-fly" analysis during active campaigns or incident response.
- Technical Mentorship: Serve as a technical mentor on the Threat Intelligence team, guiding junior researchers and driving the direction of investigations through deep subject matter expertise. You will be collaborating on this with
- Cross-Functional Influence: Act as a central bridge between Incident Response, Security Engineering, and Platform Defense to ensure intelligence directly hardens our environment.
Minimum Requirements:
- You have recognized, first-hand knowledge of how advanced adversaries operate and their tactics, techniques, and procedures (TTPs), with a focus on AWS, GCP, Azure, and other cloud providers
- 10+ years of hands-on experience identifying, tracking, and disrupting advanced cyber threat actors (government-backed and advanced e-crime adversaries), including successful referrals to international Law Enforcement agencies
- 5+ years of hands-on experience with strategic intelligence writing and standard conventions (BLUF, Diamond Model, MITRE ATT&CK), with a proven track record of authoring dozens of research articles and public-facing blog posts
- Established threat intelligence practitioner and active member of private, invite-only Information Security trust groups with extensive industry and community contacts
- Experience with Cyber Threat Intelligence writing for technical, non-technical, and executive audiences, ideally with threat briefings, threat reports, blog posts, or similar finished intelligence
- A capable oral and written communicator, you are able to engage others in the business at multiple levels to translate threat research into actionable recommendations to shape strategy and decisions
- Experience conducting and correlating threat research using OSINT and proprietary tools, including infrastructure analysis, malware telemetry, and full attack lifecycle tracking
- You operate autonomously to drive projects and have experience mentoring and supporting junior analysts in a globally distributed or remote team environment
- You have an understanding of existing and emerging threats to an organization spanning multiple industries and threat profiles
- 3+ years of experience scripting, automating, and building investigative tooling (Python, Bash, SQL, Splunk) and using YARA or Sigma for threat hunting
- Ability to identify patterns and trends across various data sources and distill findings concisely
Preferred Requirements:
- Extensive experience collaborating with global law enforcement agencies (e.g., FBI, Europol) on attribution and evidence collection resulting in successful prosecutions and takedowns
- Experience using Threat Intelligence Platforms, and building integrations with these platforms
- Extensive experience using Machine Learning automation for the detection and disruption of high-harm groups and platform-based abuse
- Deep familiarity with reverse engineering, malware analysis, and knowledge of underground communities
- Experience with security analysis tools (Jupyter notebooks, Splunk, ElasticSearch, etc.)
- Extensive experience with uncovering threats in AWS, Microsoft Azure, and Google Cloud
- Expert-level use of hunting/IR tools for host and network analysis
- Recognized industry leader in the threat intelligence community
- You have performed all of the above "at scale" in a large, complex environment
Unleash Your Potential
When you join Salesforce, you'll be limitless in all areas of your life. Our benefits and resources support you to find balance and be your best, and our AI agents accelerate your impact so you can do your best. Together, we'll bring the power of Agentforce to organizations of all sizes and deliver amazing experiences that customers love. Apply today to not only shape the future, but to redefine what's possible, for yourself, for AI, and the world.