Job Description

The Senior Security Engineer on the TIDE team is a hybrid practitioner who writes detection rules, hunts adversary activity across the data lake, and builds the automation that ties it all together. This role requires functional depth in at least two of the following domains: detection engineering, threat intelligence, threat hunting, security automation, investigation analysis, and incident response.

This role reports to the Sr. Manager of Threat Intelligence & Detection Engineering and serves as a lead technical contributor on the TIDE team, with independent project horizons of up to 120 days.

Responsibilities

Detection Engineering

Design, develop, and maintain high-fidelity detection rules in CrowdStrike NG-SIEM (LogScale/CQL) across endpoint, email, identity, network, and cloud domains
Operationalize the full detection lifecycle: threat modeling, logic development, empirical testing, deployment, tuning, and retirement
Build detection content aligned to MITRE ATT&CK, threat actor TTPs, and internal threat model priorities
Translate threat intelligence findings, incident post-mortems, and hunt discoveries into durable detection logic
Enforce detection engineering standards including taxonomy, quality criteria, and review processes

Threat Intelligence

Collect, analyze, and operationalize tactical and technical threat intelligence from open-source, commercial, and internal sources
Produce actionable intelligence products including threat actor profiles, TTP summaries, and IOC packages that directly inform detection priorities and hunting hypotheses
Monitor threat actor campaigns targeting retail and e-commerce environments across email, endpoint, identity, supply chain, and insider risk vectors
Collaborate with CSIRT and SOC to enrich active investigations with adversary context
Apply AI-assisted tooling to accelerate intelligence processing, IOC enrichment, and adversary research

Threat Hunting

Design and execute hypothesis-driven threat hunts across endpoint, email, identity, network, and cloud telemetry
Apply structured hunting methodologies (MITRE ATT&CK-based, data-driven, indicator-based) to surface undetected adversary activity
Document hunt outcomes—including negative results—and feed confirmed patterns back into the detection library
Maintain visibility into coverage gaps and drive new hunt-to-detect cycles to close them

SOC & Incident Response Support

Provide technical escalation support for complex incidents involving identity compromise, endpoint intrusion, lateral movement, and data exfiltration
Conduct targeted forensic and log-based analysis during active investigations, contributing to root cause determination and containment decisions
Develop and maintain investigation runbooks and analyst guidance to improve SOC response fidelity
Translate post-incident lessons learned into detection and hunting improvements

Automation and Tooling

Build and maintain automation that accelerates detection deployment, alert triage, case enrichment, and threat intel processing
Develop integrations between SIEM, EDR, email security, SOAR, and threat intelligence platforms to reduce analyst toil
Apply scripting (Python, PowerShell) to operationalize repetitive workflows including IOC ingest, log parsing, and detection validation
Leverage AI and machine learning tools to improve detection quality, reduce false positive rates, and accelerate triage

Collaboration and Mentorship

Mentor less experienced team members through code review, knowledge transfer, and structured guidance
Partner with SOC, IAM, Platform Engineering, Email Security, and Cloud teams to ensure telemetry quality and detection coverage
Contribute to cross-functional initiatives including purple team exercises, tabletop scenarios, and platform migration readiness

Required Qualifications

4+ years of professional experience in detection engineering, threat intelligence, SOC/IR, threat hunting, or security automation
Demonstrated proficiency writing detection logic in at least one enterprise SIEM or XDR platform; CrowdStrike NG-SIEM (LogScale/CQL) experience strongly preferred
Working knowledge of MITRE ATT&CK at the technique and sub-technique level; ability to map adversary behaviors to telemetry sources and detection logic
Hands-on experience with EDR analysis, behavioral anomaly detection, and investigation of post-exploitation activity
Hands-on experience with hypothesis-driven threat hunting; ability to document and execute an end-to-end hunt
Scripting proficiency in Python and/or PowerShell for automation, log parsing, or investigative tooling
Experience contributing to incident response for malware incidents, identity-based attacks, or insider threats
Strong written communication skills; ability to produce clear, actionable documentation, detection rationale, and intelligence products
Bachelor’s degree in Computer Science, Information Security, or related field, or equivalent professional experience

Preferred Qualifications

Familiarity with identity attack patterns including AiTM, MFA fatigue, session hijacking, token replay, and adversarial abuse of SSO and federated identity platforms
Experience with enterprise email security platforms and email-based threat detection including phishing, BEC, and malicious delivery mechanisms
Exposure to SOAR platforms and workflow automation (CrowdStrike Fusion or equivalent)
Experience with threat intelligence platforms (MISP, ThreatConnect, Recorded Future) and structured intel formats (STIX/TAXII)
Knowledge of detection-as-code practices, version control (Git), and CI/CD integration for detection deployment
Experience with cloud security telemetry (Azure, AWS) and cloud-native attack detection
Demonstrated use of AI tools to accelerate detection development, security operations, or threat research
Intermediate or advanced certifications such as GIAC GCIA, GCIH, GCTI, GDAT, or equivalent

Pay Range Details

The pay range(s) below has been provided in compliance with state specific laws. Pay ranges may be different for other locations. Pay offers are dependent on the location, as well as job-related knowledge, skills, and experience.

$142,000.00 - $220,500.00 Annual

We’ve got you covered…

Our employees are our most important asset and that’s reflected in our benefits. Nordstrom is proud to offer a variety of benefits to support employees and their families, including:

Medical/Vision, Dental, Retirement and Paid Time Away
Life Insurance and Disability
Merchandise Discount and EAP Resources

This position may be eligible for performance-based incentives/bonuses. Benefits include 401k, medical/vision/dental/life/disability insurance options, PTO accruals, Holidays, and more. Eligibility requirements may apply based on location, job level, classification, and length of employment. Learn more in the Nordstrom Benefits Overview by copying and pasting the following URL into your browser: https://careers.nordstrom.com/pdfs/Ben_Overview_17-19.pdf

A few more important points...

The job posting highlights the most critical responsibilities and requirements of the job. It’s not all-inclusive. There may be additional duties, responsibilities and qualifications for this job.

For Los Angeles or San Francisco applicants: Nordstrom is required to inform you that we conduct background checks after conditional offer and consider qualified applicants with criminal histories in a manner consistent with legal requirements per Los Angeles, Cal. Muni. Code 189.04 and the San Francisco Fair Chance Ordinance. For additional state and location specific notices, please refer to the Legal Notices document within the FAQ section of the Nordstrom Careers site.

Applicants with disabilities who require assistance or accommodation should contact the nearest Nordstrom location, which can be identified at www.nordstrom.com.

Please be mindful that there may be legal notices and requirements related to this job posting that are specific to your state. Review the Career Site FAQ’s for relevant information and guidelines.

Current Nordstrom employees: To apply, log into Workday, click the Careers button and then click Find Jobs.

Nordstrom keeps job postings open for at least one day after the posting date.

Job Description

This role reports to the Sr. Manager of Threat Intelligence & Detection Engineering and serves as a lead technical contributor on the TIDE team, with independent project horizons of up to 120 days.

Responsibilities

Detection Engineering

Design, develop, and maintain high-fidelity detection rules in CrowdStrike NG-SIEM (LogScale/CQL) across endpoint, email, identity, network, and cloud domains
Operationalize the full detection lifecycle: threat modeling, logic development, empirical testing, deployment, tuning, and retirement
Build detection content aligned to MITRE ATT&CK, threat actor TTPs, and internal threat model priorities
Translate threat intelligence findings, incident post-mortems, and hunt discoveries into durable detection logic
Enforce detection engineering standards including taxonomy, quality criteria, and review processes

Threat Intelligence

Collect, analyze, and operationalize tactical and technical threat intelligence from open-source, commercial, and internal sources
Produce actionable intelligence products including threat actor profiles, TTP summaries, and IOC packages that directly inform detection priorities and hunting hypotheses
Monitor threat actor campaigns targeting retail and e-commerce environments across email, endpoint, identity, supply chain, and insider risk vectors
Collaborate with CSIRT and SOC to enrich active investigations with adversary context
Apply AI-assisted tooling to accelerate intelligence processing, IOC enrichment, and adversary research

Threat Hunting

Design and execute hypothesis-driven threat hunts across endpoint, email, identity, network, and cloud telemetry
Apply structured hunting methodologies (MITRE ATT&CK-based, data-driven, indicator-based) to surface undetected adversary activity
Document hunt outcomes—including negative results—and feed confirmed patterns back into the detection library
Maintain visibility into coverage gaps and drive new hunt-to-detect cycles to close them

SOC & Incident Response Support

Provide technical escalation support for complex incidents involving identity compromise, endpoint intrusion, lateral movement, and data exfiltration
Conduct targeted forensic and log-based analysis during active investigations, contributing to root cause determination and containment decisions
Develop and maintain investigation runbooks and analyst guidance to improve SOC response fidelity
Translate post-incident lessons learned into detection and hunting improvements

Automation and Tooling

Build and maintain automation that accelerates detection deployment, alert triage, case enrichment, and threat intel processing
Develop integrations between SIEM, EDR, email security, SOAR, and threat intelligence platforms to reduce analyst toil
Apply scripting (Python, PowerShell) to operationalize repetitive workflows including IOC ingest, log parsing, and detection validation
Leverage AI and machine learning tools to improve detection quality, reduce false positive rates, and accelerate triage

Collaboration and Mentorship

Mentor less experienced team members through code review, knowledge transfer, and structured guidance
Partner with SOC, IAM, Platform Engineering, Email Security, and Cloud teams to ensure telemetry quality and detection coverage
Contribute to cross-functional initiatives including purple team exercises, tabletop scenarios, and platform migration readiness

Required Qualifications

4+ years of professional experience in detection engineering, threat intelligence, SOC/IR, threat hunting, or security automation
Demonstrated proficiency writing detection logic in at least one enterprise SIEM or XDR platform; CrowdStrike NG-SIEM (LogScale/CQL) experience strongly preferred
Working knowledge of MITRE ATT&CK at the technique and sub-technique level; ability to map adversary behaviors to telemetry sources and detection logic
Hands-on experience with EDR analysis, behavioral anomaly detection, and investigation of post-exploitation activity
Hands-on experience with hypothesis-driven threat hunting; ability to document and execute an end-to-end hunt
Scripting proficiency in Python and/or PowerShell for automation, log parsing, or investigative tooling
Experience contributing to incident response for malware incidents, identity-based attacks, or insider threats
Strong written communication skills; ability to produce clear, actionable documentation, detection rationale, and intelligence products
Bachelor’s degree in Computer Science, Information Security, or related field, or equivalent professional experience

Preferred Qualifications

Familiarity with identity attack patterns including AiTM, MFA fatigue, session hijacking, token replay, and adversarial abuse of SSO and federated identity platforms
Experience with enterprise email security platforms and email-based threat detection including phishing, BEC, and malicious delivery mechanisms
Exposure to SOAR platforms and workflow automation (CrowdStrike Fusion or equivalent)
Experience with threat intelligence platforms (MISP, ThreatConnect, Recorded Future) and structured intel formats (STIX/TAXII)
Knowledge of detection-as-code practices, version control (Git), and CI/CD integration for detection deployment
Experience with cloud security telemetry (Azure, AWS) and cloud-native attack detection
Demonstrated use of AI tools to accelerate detection development, security operations, or threat research
Intermediate or advanced certifications such as GIAC GCIA, GCIH, GCTI, GDAT, or equivalent

Pay Range Details

$142,000.00 - $220,500.00 Annual

We’ve got you covered…

Our employees are our most important asset and that’s reflected in our benefits. Nordstrom is proud to offer a variety of benefits to support employees and their families, including:

Medical/Vision, Dental, Retirement and Paid Time Away
Life Insurance and Disability
Merchandise Discount and EAP Resources

A few more important points...

The job posting highlights the most critical responsibilities and requirements of the job. It’s not all-inclusive. There may be additional duties, responsibilities and qualifications for this job.

Applicants with disabilities who require assistance or accommodation should contact the nearest Nordstrom location, which can be identified at www.nordstrom.com.

Please be mindful that there may be legal notices and requirements related to this job posting that are specific to your state. Review the Career Site FAQ’s for relevant information and guidelines.

Current Nordstrom employees: To apply, log into Workday, click the Careers button and then click Find Jobs.

Nordstrom keeps job postings open for at least one day after the posting date.

Senior Security Engineer - Threat Intelligence & Detection Engineering (hybrid - Seattle)

What you'd actually do

Skills

Required

Nice to have

What the JD emphasized

Job Description

Responsibilities

Detection Engineering

Threat Intelligence

Threat Hunting

SOC & Incident Response Support

Automation and Tooling

Collaboration and Mentorship

Required Qualifications

Preferred Qualifications

Job Description

Responsibilities

Detection Engineering

Threat Intelligence

Threat Hunting

SOC & Incident Response Support

Automation and Tooling

Collaboration and Mentorship

Required Qualifications

Preferred Qualifications