Detection Engineer
Join Us
At Vodafone, we’re not just shaping the future of connectivity for our customers – we’re shaping the future for everyone who joins our team. When you work with us, you’re part of a global mission to connect people, solve complex challenges, and create a sustainable and more inclusive world. If you want to grow your career whilst finding the perfect balance between work and life, Vodafone offers the opportunities to help you belong and make a real impact.
Cyber Defence Operations (CDO) is Vodafone Group’s Cyber Defence Operations Centre of Excellence. CDO’s mission is to protect Vodafone customers against global cyber risk. CDO is specifically accountable for delivering:
- Cyber Defence operational leadership across Vodafone.
- Cyber Defence operational capabilities to Vodafone Group, the Local Market Operating Companies, and Partner Markets to enhance Vodafone’s global cyber defence posture and reduce its cyber risk.
The purpose of this role is to own the end‑to‑end strategy and operational assurance of threat relevant telemetry and adversary coverage to strengthen detection effectiveness across the CSOC. The role ensures that security telemetry is strategically onboarded, normalised, enriched and governed to support effective, scalable, adversary aligned detection and response across Vodafone’s environments. It strengthens CSOC maturity through a consistent, threat-led approach to telemetry strategy, coverage visibility and ingestion assurance. The role works closely with CSOC, Cyber Prevent platform teams and Local Markets to align data strategy, coverage intent, and operational outcomes, providing a strong foundation for detection engineering, threat hunting, and response.
The Detection Engineer works within the Cyber Security Operations team and operates at the intersection of threat modelling, telemetry strategy, and detection coverage.
This role is accountable for:
- Defining what telemetry is required to detect adversary behaviour across Vodafone environments
- Ensuring that ingested data is complete, timely, well‑structured, and fit for behavioural detection use cases
- Providing transparent, ATT&CK‑aligned visibility of coverage gaps and data‑driven risk
The role operates with minimal supervision and requires strong collaboration across Vodafone’s global cyber security community.
What you’ll do
- Own the threat‑led strategy for onboarding and prioritising security telemetry, ensuring data sources are aligned to MITRE ATT&CK coverage, threat modelling outputs and adversary behaviour relevant to Vodafone;
- Own the definition of minimum viable logging requirements for CSOC, ensuring each critical platform (endpoint, identity, network, cloud, SaaS) provides the logs required to reliably observe adversary behaviour aligned to current threat models;
- Determine which log sources are security‑critical versus informational, ensuring CSOC ingestion is intentional and prioritised based on detection value rather than volume;
- Define and govern acceptance criteria for telemetry consumed by CSOC, including data quality, enrichment, completeness, and timeliness, ensuring logs are fit for adversary aligned detection;
- Maintain ATT&CK‑aligned coverage views that demonstrate how telemetry sources map to adversary techniques, highlighting coverage gaps and their impact across platforms, environments, and Local Markets;
- Provide clear, actionable insight into how telemetry quality and availability affect detection effectiveness, enabling Detection Engineering teams to build scalable behavioural detections;
- Produce and maintain assurance artefacts (e.g. ATT&CK overlays, dashboards, runbooks) that demonstrate logging and monitoring effectiveness to Cyber Defence leadership, audit, and Local Market stakeholders;
- Act as the named authority for visibility and telemetry‑related risk, including documenting coverage gaps, authorising risk acceptance where required, and tracking remediation;
- Partner with Cyber Prevent and platform teams to ensure telemetry ingestion, performance, and cost are balanced against detection and response value;
- Influence and align Detection Engineering, Threat Intelligence, Incident Response, and Local Market SOCs on coverage priorities, standards, and ways of working;
- Maintain operational runbooks for source onboarding/validation and hand‑offs to CSOC operations and local market SOCs.
Who you are
- Bachelor/Master's Degree in related field;
- 4+ years in detection content, threat intelligence, hunting or offensive security;
- Expert with MITRE ATT&CK (enterprise/cloud), ATT&CK Navigator, and threat-led control validation;
- Hands-on with KQL/SPL/Sigma/YARA, Microsoft Defender (EDR/Identity), Sentinel, Splunk, QRadar SOAR, scripting (Python/PowerShell);
- Adversary emulation/simulation certifications (e.g., OSCP/OSEP, GXPN/GPEN or equivalent) to design and execute controlled emulation of attacker TTPs for validation, prior ownership of simulation labs;
- Microsoft: SC‑200 (Security Operations Analyst) , Google Cloud Security certifications;
- MITRE ATT&CK Defender training/badges (analyst, threat intel, detection mapping) or equivalent ATT&CK‑focused courses;
- Training in threat intel tradecraft (CTI lifecycle, STIX/TAXII, actor TTP analysis);
- AI/ML in SOC (model assurance, prompt engineering for LLM‑assisted triage);
- GCTI (Threat Intel), GCDA/GCED/GCIA (defence/monitoring/intrusion analysis);
- Strong analytical thinking and problem‑solving skills, with the ability to think like an adversary and understand how threat actors operate across complex enterprise environments;
- Deep expertise in MITRE ATT&CK (Enterprise and Cloud), with the ability to reason at technique and sub‑technique level from a coverage and visibility perspective;
- Proven ability to translate adversary behaviour into clear telemetry and logging requirements, enabling scalable, behaviour‑driven detection;
- Strong understanding of end‑to‑end security telemetry and logging architectures, from log generation through ingestion, enrichment, and analytic consumption;
- Ability to identify, articulate, and prioritise visibility and detection coverage gaps as data‑driven risk;
- Experience enabling Detection Engineering teams by ensuring access to high‑quality, well‑structured, and consistently enriched data;
- Confidence working across multiple security domains (endpoint, identity, network, cloud, SaaS) to assess coverage posture and response readiness;
- Excellent communication and collaboration skills, with the ability to align Detection Engineering, Threat Intelligence, Incident Response, platform teams, and Local Market SOCs around shared outcomes;
- Strong attention to detail when assessing telemetry quality, consistency, and completeness;
- Fluency in English.
Not a perfect fit?
Worried that you don’t meet all the desired criteria exactly? At Vodafone we are passionate about empowering people and creating a workplace where everyone can thrive, whatever their personal or professional background. If you’re excited about this role but your experience doesn’t align exactly with every part of the job description, we encourage you to still apply as you may be the right candidate for this role or another opportunity.
What's in it for you
- Hybrid Work Model - Flexible hybrid work model with 8-10 in-office days per month, managed by team leaders;
- Vodafone Products and Services - Employees get a mobile phone, free communication plan, data card, and various discounts on services and products;
- Recognition - Recognition programs for innovative, creative, high-potential employees and exemplary behaviors;
- Health and Well-being - Well-being Program offers nutrition and psychological consultations, webinars, workshops, and discounts on various services and products;
- Learning - Access to Communities of Practice and a customizable digital training platform with high-quality content (namely Harvard Business Publishing, Skillsoft and Speexx);
- Local and International Mobility - Internal recruitment with local and international rotation opportunities across departments and roles.
Who we are
We are a leading international Telco, serving millions of customers. At Vodafone, we believe that connectivity is a force for good. If we use it for the things that really matter, it can improve people's lives and the world around us. Through our technology we empower people, connecting everyone regardless of who they are or where they live and we protect the planet, whilst helping our customers do the same.
Belonging at Vodafone isn't a concept; it's lived, breathed, and cultivated through everything we do. You'll be part of a global and diverse community, with many different minds, abilities, backgrounds and cultures. ;We're committed to increase diversity, ensure equal representation, and make Vodafone a place everyone feels safe, valued and included.
If you require any reasonable adjustments or have an accessibility request as part of your recruitment journey, for example, extended time or breaks in between online assessments, please refer to https://careers.vodafone.com/application-adjustments/ for guidance.
Together we can.