Threat Hunter

Threat Hunter

UK (Manchester, Cheltenham or London)

We are seeking a highly capable and hands-on Threat Hunter to design and lead a professional threat hunting capability focused on identifying sophisticated adversaries through hypothesis-driven analysis and automation. You will be responsible for proactively detecting and analysing advanced threats across the customers environment. Ensuring our threat models and threat hunts are tightly aligned to industry risks to the customer.

This is a high-impact role with significant autonomy. You’ll need to think critically, and hunt methodically.

As a Threat Hunter, you will actively search for cyber threats that evade traditional security solutions. Your role will involve conducting in-depth analysis, identifying indicators of compromise (IOCs), and working cross-functionally with the Security Operations Centre Analysts, Detection Engineers, Privacy Team and Engineering Team to mitigate risks.

Summary

Threat Detection and Monitoring:

- Design, build, and own a formal threat hunting program with a strong emphasis on hypothesis-based hunting methodologies.
- Use threat intelligence, MITRE ATT&CK, and risk models to form hypotheses and validate them through structured hunts.
- Leverage Jupyter Notebooks and other tools to automate hunts, visualise results, and create reusable artifacts for future investigations and detections.
- Collaborate with detection engineering to convert threat hunt findings into high fidelity detection content.
- Utilising both NCC Groups internal threat intelligence feeds and open-source threat intelligence, use these to operationalise detections for emerging threats.
- Support the mapping of threat models to monitoring use cases in partnership with teams across the business.
- Document and maintain a robust repository for hunting methodologies, tooling, and findings to enable continuous improvement and team scaling.
- Provide regular reports and presentations to stakeholders, with clear articulation of threats, methods, and risk impact.
- They have 3-5+ years of hands-on experience in Threat Hunting, Red Team, Blue Team, or Incident Response roles, with a deep understanding of the MITRE ATT&CK framework and a proven ability to detect and investigate advanced threats beyond signature-based solutions.
- Adept at leveraging Splunk for data analysis and detection development, they bring strong scripting capabilities (e.g., Python, PowerShell, SQL) and experience using Jupyter Notebooks to automate hunts and visualise results.
- This individual has successfully built or significantly contributed to threat hunting programs, translating threat intelligence into actionable insights and working alongside detection engineers and security analysts to operationalise findings.
- They should be driven by curiosity and methodical thinking, constantly seeking to improve visibility and detection coverage across complex environments—including hybrid or cloud-native architectures like AWS, Azure, or GCP.
- They will be comfortable presenting findings to stakeholders and documenting methodologies, they are also committed to continuous learning, with certifications such as GCTI, GCFA, or OSCP highlighting their depth and breadth of knowledge.
- They would be a self-starter with strong autonomy and analytical acumen; they thrive in dynamic environments and are passionate about staying ahead of evolving threats.

What we are looking for in you

Minimum Requirements
- Minimum 3-5 + years of experience within a Threat Hunter, Red Team, Incident Response, or Blue Team role.
- Solid understanding of the MITRE ATT&CK framework, TTP analysis, and adversary emulation.
- Deep familiarity with hypothesis-driven threat hunting frameworks and methodologies.
- Ability to work autonomously while collaborating across security, engineering, and business teams.
- Strong use of Splunk Programming Language.
- Strong scripting/query language skills (e.g., Python, KQL, SQL, PowerShell).

Desirable Requirements
- Hands-on experience using Jupyter Notebooks for data exploration, automation, and visualization in a security context.
- Knowledge of cloud products and log events such as Azure, Amazon Web Services, Google Cloud Platform.
- Experience building a threat hunting capability from scratch.
- Familiarity with data science and machine learning techniques in security analysis.
- Background in building automated hunting pipelines and/or detection-as-code.

Desirable Certifications
- GCFA
- OSCP
- GDAT
- GCIH
- Or similar certifications, not required but certainly desirable.

Ways of working

Focusing on Clients and Customers.

Working as One NCC.

Always Learning.

Being Inclusive and Respectful.

Delivering Brilliantly.

Our company

At NCC Group, our mission is to create a more secure digital future. That mission underpins everything we do, from our work with our incredible clients to groundbreaking research shaping our industry. Our teams' partner with clients across a mult