Engineer III, Cyber Threat Hunter
About the role
The Cyber Security Operations team is critical to the strategic foundation of our products, most notably the secure delivery of our Digital SAT and AP programs. We are a highly motivated group of cyber security experts who take a proactive approach to ensuring a strong security posture. We partner across the organization to mature our Threat Management and Incident Response procedures and are constantly seeking and experimenting with new technologies. We are currently using a variety of cutting-edge tools that provide comprehensive cyber security operations for the College Board's critical infrastructure in support of the College Board's mission to connect students to college success and opportunity.

College Board is committed to creating an inclusive environment where all team members feel valued, respected, and supported in their work. We welcome individuals from diverse backgrounds and experiences to join our team and contribute to our ongoing success.

As a Cyber Threat Hunter, you will play a hands-on role in defending the cloud and enterprise environments that power the Digital SAT, AP, and other high-stakes programs. You will work in an AWS-heavy environment at national scale, where detection quality, investigation speed, and clear documentation directly support exam integrity and student trust.

This role exists to strengthen our detection and response capabilities. You will build and improve SIEM detections, execute structured threat hunts, and help validate controls through purple team exercises. You will contribute to incident investigations, refine response playbooks, and use automation to make our workflows faster and more reliable. You will partner closely with engineers, architects, and product teams to close visibility gaps and reduce risk in practical, measurable ways. Success in this role means fewer blind spots, higher fidelity alerts, and a cyber defense program that is proactive rather than reactive.
In this role, you will:

Threat Hunting & Detection Engineering (45%)
- Execute hypothesis-driven threat hunts across AWS, identity, endpoint, and network telemetry, documenting findings and recommended control or detection improvements.
- Build, tune, and maintain SIEM detections focused on high-risk behaviors such as IAM misuse, persistence, privilege escalation, and data access or exfiltration.
- Reduce alert noise through structured tuning, baselining, and enrichment while preserving meaningful coverage.
- Map detections and hunts to MITRE ATT&CK techniques to identify and close visibility gaps.

Incident Response & Investigation (30%)
- Support investigation and containment of security incidents, performing log analysis, scoping impact, and documenting findings.
- Contribute to the development and refinement of incident response playbooks for common cloud and identity-based scenarios.
- Produce clear after-action reports that identify root cause, control gaps, and prioritized remediation steps.
- Participate in periodic tabletop or fire drill exercises to validate readiness and improve response coordination.

Purple Teaming & Continuous Improvement (15%)
- Participate in purple team exercises to validate detection effectiveness and help prioritize remediation of identified gaps.
- Partner with offensive testing and engineering teams to translate findings into improved detections and hardened configurations.
- Identify opportunities to strengthen logging, telemetry coverage, and control effectiveness across cloud and enterprise systems.

Automation, Documentation & Knowledge Sharing (10%)
- Develop lightweight automation and scripts to improve investigation speed, enrichment, and reporting consistency.
- Maintain well-documented detection logic, hunt results, and response procedures to improve repeatability and team scalability.
- Share threat insights and lessons learned with the broader security and engineering community through briefings or written updates.
About you, you have:
- 3 to 5 years of progressive experience in cyber defense, including threat hunting, detection engineering, and incident response in enterprise environments.
- Strong cloud security experience in AWS-heavy environments, including building detections and investigations using cloud-native telemetry (for example CloudTrail, IAM, VPC Flow Logs, CloudWatch logs, and compute or container logs).
- Hands-on experience developing, tuning, and maintaining SIEM detections and analytics, including writing high-quality queries, building dashboards, and improving signal-to-noise. Experience with Sumo Logic is strongly preferred.
- Ability to lead threat hunts end-to-end, including hypothesis creation, data collection, analysis, documentation of findings, and recommenda