SC2023-002715 Cyber Security Content Engineer (NS) - WED 1 Mar

Deadline Date: Wednesday 1 March 2023

Requirement: Cyber Security Content Engineer

Location: Mons, BE

Full time on-site: Yes

NATO Grade: A/115

Total Scope of the request (hours): 1254

Required Start Date: 3 April 2023

End Contract Date: 31 December 2023

Required Security Clearance: NATO SECRET

Specific Working Conditions: Secure environment with standard working hours, with the exception of working in non-standard working hours up to 360 hours annually.

In addition it may exceptionally be required to work non-standard hours in support of a major Cyber Incident, or on a shift system for a limited period of time due to urgent operational needs.

Duties & Role:

As a Cyber Security Content Engineer (CSCE), the service provider will work alongside a team of Senior Cyber Security Analysts to proactively develop new content to detect and mitigate cyber security attacks targeting NATO networks. The successful candidate should be capable of developing and testing detection content without supervision.


The main duties as CSCE will be to:

  • Provide subject matter expertise, continuously developing and testing detection content within the Network Monitoring and Incident Detection Cell.
  • Create security tool content such as searches, reports and dashboards to facilitate the detection and analysis of cyber security incidents.
  • Manage and create use case documentation.
  • Review and develop logging configurations to enable a comprehensive detection capability, working with Security Tool Managers in order to ensure data collected meets the expected level of quality.
  • Track the effectiveness of use cases using KPIs, prioritizing areas for improvement.
  • Continuously evaluate security tool data quality and suggest improvements where necessary.
  • Work with security analysts and automation engineers to develop and automate complex analysis processes.
  • Contribute to regular cyber security operations, performing in depth analysis of suspicious activity to deliver conclusions and recommendations.
  • Support project activities and the wider operational teams as required.


The main deliverables as CSCE will be:

  • Provide an average of 139 hours/month working on-site, embedded in the NSCS Ops Branch located in SHAPE, Casteau, Belgium.
  • Develop new Splunk alerts, searches, reports and dashboards for security monitoring and detection. Each use case must reference the MITRE Attack framework. The service provider is expected to take the initiative to identify detection gaps, monitor the latest threats and offer suggestions for new content to the management team.
  • Provide and maintain full documentation for all use cases, detailing the purpose of the use cases, how the logic functions and the actions analysts should take during an investigation.
  • Track the false positive rate of use cases, tuning where necessary. The maximum allowable false positive rate for a use case is 5%.
  • Develop and maintain Splunk dashboards that identify log parsing issues or logs which are not correctly aligned to the Common Information Model. Any issues shall be immediately reported to the security tools engineers via ticketing systems.
  • Develop and maintain processes and/or dashboards, ensuring Splunk Data Models are utilising the entire available dataset. Any issues shall be immediately reported to the security tools engineers via ticketing systems.
  • Review 20 use cases per month, optimising existing queries, improving their design and updating documentation.
  • Perform regular maintenance and updates of existing detection use cases. All Splunk-related tuning requests shall be actioned within one working day.
  • Review reports and observables from threat hunting, red teaming, and purple teaming activities. Perform detection gap analysis and recommend solutions, and subsequently lead on the development, testing and implementation.
  • When required, to improve content, raise change requests and service requests to retrieve new logs, adjust logging levels or modify the configuration of tools such as Sysmon. To achieve success, the service provider must be able to provide expert level guidance to security tools managers and system administrators.
  • Respond to ad hoc tasks given by the service delivery manager and cell head.
  • The service provider is expected to provide accurate and complete deliverables in accordance with internal processes.


Skill, Knowledge & Experience:

  • The candidate must have a currently active NATO SECRET security clearance
  • Expert knowledge in cyber security use case development.
  • Expert knowledge of Splunk Processing Language and Splunk Enterprise Security.
  • Experience using, developing and testing content for security information event management products (SIEM) – e.g. Splunk.
  • Expert knowledge of malware families, network attack vectors and threat actor tools, techniques and procedures.
  • Experience developing security content aligned to the MITRE ATT&CK framework.
  • Experience in endpoint detection and analysis techniques.
  • Expert knowledge of the principles of computer and communications security, networking, and the vulnerabilities of modern operating systems and applications.
  • Knowledge and experience using Sigma.
  • Knowledge and experience using Git.


  • Experience writing custom Python scripts.
  • Experience customising Splunk dashboards with JavaScript.
  • Industry leading certifications in the area of cyber security or Splunk such as GCDA, GCIA.
  • Strong understanding of Security, Orchestrations, Automation and Response (SOAR) concepts.
  • Ability to analyse attack vectors against a particular system to determine attack surface.

Cyber Security Jobs by Category

Cyber Security Salaries