Abnormal Security

Threat Intelligence Analyst

Posted 14 days ago
Remote
Hiring Remotely in UK
Senior level
As a Threat Intelligence Analyst at Abnormal Security, you will perform threat hunting in Cloud/SaaS environments, analyze large datasets for cloud-based email threats, and collaborate with R&D teams to enhance security measures against phishing and account takeovers.
The summary above was generated by AI

About the Role

Abnormal Security is looking for a Threat Intelligence Analyst with expertise in threat hunting, detection engineering, and operational intelligence to combat cloud-based phishing attacks, account takeovers (ATO), and business email compromise (BEC). In this role, you will perform threat hunts in Cloud/SaaS environments, extract actionable intelligence, and collaborate with R&D and Engineering teams to enhance security detections and counter evolving adversary tactics.

Who you are

  • Deeply experienced in Threat Intelligence & Threat Hunting, with a focus on Cloud/SaaS threats.
  • Strong understanding of phishing, cloud-native threats, and adversary TTPs targeting identity and email security.
  • Data-driven mindset, with experience analyzing large datasets using SQL, PySpark, and other query-based analysis tools.
  • Skilled at bridging threat intelligence with engineering teams, ensuring insights translate into effective security controls.
  • Comfortable working in agile, cross-functional teams, driving threat research into practical security improvements.
  • Proven ability to present complex technical concepts to both technical and non-technical audiences.
  • Results-driven, highly collaborative, self-motivated, and adaptable in fast-paced environments.

What you will do

Threat Hunting & Threat Intelligence

  • Perform threat hunting and investigative research in Cloud/SaaS environments, focusing on email security, phishing, and account takeovers.
  • Identify MFA bypass techniques, phishing infrastructure, and cloud-native attack methods targeting enterprise SaaS environments.
  • Fuse internal telemetry, OSINT, and third-party intelligence sources to uncover and disrupt evolving threat actor campaigns.
  • Develop threat models and attack hypotheses to identify new cloud-focused attack vectors.
  • Conduct incident triage and investigative support for escalated incidents, providing internal teams with expertise on threat actors’ tools, techniques, and procedures (TTPs).

Detection Engineering

  • Collaborate with R&D and Engineering teams to translate threat intelligence into scalable detections and mitigations.
  • Design and refine cloud threat detection logic, hunting queries, and behavioral analytics to identify attacker activity.
  • Analyze phishing toolkits, adversary infrastructure, and cloud-native attack methodologies to enhance proactive defenses.
  • Work with product security teams to improve email security and identity protection mechanisms in Cloud/SaaS platforms.

Security Research

  • Track and analyze threat actor groups, phishing campaigns, and cloud-based attack methodologies.
  • Provide technical intelligence briefings to R&D and Engineering teams to inform security product improvements.
  • Partner with internal stakeholders to evaluate emerging threats and recommend security enhancements for SaaS environments.

Must Haves

  • Deep Expertise: 5+ years in cyber threat intelligence, threat hunting, or security research.
  • 3+ years of experience in threat hunting and threat research within cloud ecosystems.
  • Expertise in cloud security, SaaS-based attacks, and email security threats (ATO, BEC, phishing, MFA bypass, etc.).
  • Strong data analysis skills with experience using SQL, PySpark, or other query languages to investigate large-scale threats.
  • Deep understanding of MITRE ATT&CK, phishing tactics, and adversary infrastructure analysis.
  • Hands-on experience with email security platforms, cloud threat analytics, and security automation.
  • Collaborative Mindset: Ability to work cross-functionally with other departments such as R&D, Engineering, and Operations to achieve comprehensive cybersecurity coverage.

Nice to Have

  • Security certifications (GCTI, GCFA, CISSP, or similar).
  • Experience in security engineering, cloud-native security, or advanced detection development.
  • Background in threat modeling, adversary emulation, or attacker TTP analysis.
  • Experience working in high-scale SaaS environments, analyzing large security datasets.


Top Skills

Cloud Security
Email Security Platforms
MITRE ATT&CK
PySpark
SQL
