We're not hiring a security engineer to keep up with threats. We're hiring someone to make threats irrelevant before they become incidents.
Most security teams react. They tune SIEM rules after the alert fires. They write playbooks after the incident closes. They patch after the scan flags. At Deriv, we're building an autonomous security operations platform that hunts proactively, responds automatically, and learns continuously. Real money, real regulations, real consequences - and a security function built to match.
Why This Matters
Deriv's mission is Trading for Anyone, Anywhere, Anytime. Millions of traders across the globe, around the clock, across regulatory environments. At this scale, a misconfigured WAF rule or undetected lateral movement isn't a technical inconvenience - it's a trader's funds at risk and a regulator on the phone.
Our Security Operations team isn't defending a perimeter. We're protecting a living, distributed system that processes transactions 24/7. When the threat surface never sleeps, your detection and response capabilities can't either - which is exactly why we're embedding AI and automation at every layer of the security stack.
The Challenge
Most of the job is quiet. Alerts fire, most of them are noise, you clear them and move on. Then one day something doesn't smell right - a login from a place it shouldn't be, a process spawning something it never has before - and the whole shift changes shape in five minutes. That's the job. Long stretches of discipline, then a sprint where the root cause has to be found before the damage does.
$600B moves through this platform every month. That draws real attention: state-sponsored crews, financially motivated groups, insiders. We don't wait for a vendor's threat intel feed to tell us something's wrong. We hunt for it.
If your idea of SOC work is clearing a queue against a runbook, this isn't for you. If you want to build the detections that catch what the runbook doesn't, and you're willing to be the one who says this exclusion is a blind spot before it becomes an incident, keep reading.
Why Deriv
We're in production, not planning.
- Autonomous security operations platform triaging real alerts in real time, not a roadmap slide
- Automated security review running on every pull request across engineering
- Detection coverage actively extending into our AI agent stack: prompt injection, tool misuse, credential exposure in agent workflows, ground most SOCs haven't even started mapping
- A Security & AI Engineering org where detection and response is treated as its own discipline, not a compliance checkbox tucked under IT
We share what we learn. Deriv is where we write about what we're building, what breaks, and what we figure out the hard way.
What You'll Do
- Hunt proactively across infrastructure, cloud, identity, and endpoint, working from hypotheses, not just waiting on alerts
- Build, tune, and maintain detections mapped to real attacker TTPs (MITRE ATT&CK), not whatever ships default from the vendor
- Own incidents end to end: triage, containment, root cause, and a report that leads to an actual fix
- Push back on any tuning decision, exclusion, or known good assumption that trades visibility for noise reduction, and catch it before it ships
- Partner with Red Team on purple-team exercises, turning every finding into a detection
- Extend detection and monitoring coverage into our AI agent stack: prompt injection, tool misuse, credential exposure in agent workflows
- Do enough malware analysis and reverse engineering to actually understand what you're looking at, not just what a sandbox report says
- Mentor junior analysts and raise the bar on what triaged actually means
Who You Are
- 6+ years in a SOC, threat hunting, or DFIR role, with real incident ownership, not just alert queue work
- GCFA, GCIH, GCIA, or equivalent DFIR/detection engineering credential strongly preferred
- Real depth in at least three of: EDR internals and endpoint telemetry, cloud security monitoring (AWS/GCP), network forensics, malware analysis, SIEM and detection-as-code, identity threat hunting
- Comfortable writing your own detection logic and tooling in Python or a proper query language, not copy-pasting from a vendor blog
- You think like an attacker when you write a detection, because that's the only way to catch one
- You know the difference between reducing noise and creating a blind spot, and you've caught that mistake before it cost someone
- You can write a report that gets fixed, not filed
The Honest Reality
You'll sit inside a Security & AI Engineering org that treats detection and response as a real discipline, not a compliance checkbox.
You'll work across Dubai and Malaysia with a team that runs actual incident response, not tabletop exercises with fake scenarios.
You'll have a direct line from catching something to it getting closed for good, and room to build the hunts and detections that shape how we defend the AI agents everyone else is still figuring out how to even think about.