Threat Intelligence Automation Developer (Orchestration)

Salesforce · Seattle, Washington

Our Threat Intelligence team focuses on defending our organization and our customers by cutting through the noise and identifying who’s targeting us and what emerging threats we need to prepare for. Our team includes those who have faced nation state, eCrime, and other types of adversaries in threat intelligence, incident response, and/or threat detection functions in past lives. We use our wide expertise to drive direction, support investigations, and uplift security as a whole across Salesforce.

Role Description:

In the capacity of a Threat Intelligence Automation Developer, you operate at the nexus of security analysis and systems development within our Counter-Threat Operations. Your objective is to convert massive streams of adversary data into meaningful insights by engineering and optimizing large-scale automated pipelines. Beyond simply processing data, you will architect the essential framework that empowers our TI, SOC, and IR practitioners to outpace modern threats. You will drive initiatives to expand our tracking of threat groups, analyze malicious campaigns, and streamline the delivery of intelligence across the entire security ecosystem.

Key Responsibilities:

  • Engineering & Systems Orchestration: Architect and implement bespoke programmatic solutions and cross-platform integrations within the Threat Intelligence Platform (TIP) and SOAR ecosystems to drive high-velocity security operations at scale.

  • Strategic Collaboration: Work alongside Threat Researchers to decode sophisticated adversary tradecraft, transforming manual investigative workflows into automated and repeatable detection frameworks.

  • Collections Leadership: Function as a pivotal member of the Collections Team; oversee the evaluation of novel data streams and serve as the technical authority for sophisticated data ingestion and normalization initiatives.

  • Intelligence Lifecycle Refinement: Optimize the intelligence production cycle by engineering automations that eliminate manual processing burdens, empowering practitioners to prioritize complex strategic analysis.

  • Design and orchestrate complex systems where AI agents integrate seamlessly into human workflows, driving efficiency and innovation at scale.

  • Contribute to building and maintaining the shared system context, an explicit repository of system designs, constraints, and standards that enables AI to operate accurately and reliably.

Minimum Requirements:

  • A minimum of three years within the cybersecurity domain, including at least one year dedicated to security engineering, DevSecOps, or automation workflows.

  • Advanced Python development ability for complex programmatic requirements; additional proficiency in Bash and JavaScript for orchestration and frontend-adjacent scripting is highly desirable.

  • Hands-on experience implementing SOAR platform orchestration utilizing industry-standard tools, such as Palo Alto Cortex XSOAR, Splunk Phantom, Tines, or Swimlane.

  • Familiarity with the administration and expansion of Threat Intelligence Platforms, specifically including environments like Vertex Synapse, ThreatConnect, Anomali, or MISP.

  • Demonstrated expertise in normalizing unstructured data via RESTful APIs and Regex, with a focus on mapping digital footprints into structured formats like JSON or the Synapse Data Model.

  • Technical mastery of version control systems, primarily git, and the integration of CI/CD best practices within security engineering workflows.

  • Experience building on top of managing solutions on Amazon Web Services (AWS).

  • Operational knowledge of Linux environments and Unix command-line utilities.

  • Experience using AI tools (e.g., Claude Code, GitHub Copilot, Codex, Cursor, etc.) in development workflows

  • Advanced prompt engineering skills and the ability to write precise, structured prompts and cultivate the system context that makes AI outputs reliable, secure, and production-ready.

  • Conceptual understanding of the design and operation of large-scale distributed systems.

  • Possess a builder’s mindset, characterized by an instinctive drive to architect programmatic solutions and scripts that eliminate inefficient manual tasks.

  • Ability to collaborate effectively within a global, geographically dispersed workforce using remote technologies.

  • Bachelor’s degree in Cybersecurity, Computer Science, or a related technical discipline; or, an equivalent history of successful technical delivery and professional expertise.

Preferred Requirements:

  • Experience using Threat Intelligence Platforms, and building integrations with these platforms

  • Experience with security analysis tools (Jupyter notebooks, Splunk, ElasticSearch, etc)

  • Experience with Microsoft Azure, and Google Cloud

  • Demonstrated expertise in graph modeling utilizing Vertex Synapse or comparable graph-based database technologies to map intricate adversary associations and digital footprints.

  • Proficiency in developing cloud-native automation and implementing serverless computing solutions, specifically within AWS Lambda or Azure Functions environments.

  • Relevant industry credentials such as GCTI, GPYC, or specialized professional certifications in SOAR platform orchestration.

  • You have performed all of the above “at scale“ in a large, complex environment

Apply →