DFIR Automation Engineer - Global Security Organization

TikTok

4.5

(6)

London, United Kingdom

Why you should apply for a job to TikTok:

  • 4.5/5 in overall job satisfaction
  • 4.5/5 in supportive management
  • 100% say women are treated fairly and equally to men
  • 100% would recommend this company to other women
  • 100% say the CEO supports gender diversity
  • Ratings are based on anonymous reviews by Fairygodboss members.
  • Employee well-being is supported via hybrid work, short-term counseling through our EAP and a premium subscription to Headspace.
  • We embrace diversity across all dimensions and provide employees with 9 employee resource groups globally, including our WOMEN ERG.
  • Comprehensive parental leave policy as well as fertility treatment through healthcare providers with a $20,000 lifetime maximum.
  • #7607953968303982901

    Position summary

    TikTok's Global Forensics team is responsible for the company's technical investigations and digital forensics work. We are seeking a DFIR Automation Engineer (Investigation Enablement & Threat Hunting). This role focuses on tooling, automation, and AI-assisted engineering to scale cross-domain investigations by accelerating data retrieval, correlation, timeline reconstruction, evidence packaging, and report drafting, while preserving audit-ready, defensible, and reproducible evidence chains. The role also drives case-informed proactive hunting to discover additional risk signals and convert them into reusable playbooks, tools, and detection/controls improvements.

    Responsibilities

    • Build and maintain investigation enablement tooling and automation: data retrieval/export, enrichment, correlation, entity normalization, timeline generation, evidence indexing, and report skeleton drafting.
    • Apply AI-assisted development ("vibe coding" for rapid prototyping) to accelerate delivery of scripts/tools, while enforcing engineering guardrails (human review, tests, change control, and auditability).
    • Engineer scenario-based playbooks, templates, and query packs to standardize cross-domain investigations and reduce manual, repetitive work.
    • Provide L2 technical support for complex/adversarial cases and productize high-frequency steps discovered in real cases.
    • Drive proactive risk discovery through case-informed hunting and data mining: generalize patterns from cases, run targeted hunts across multi-source telemetry, validate signals, and produce actionable findings.
    • Convert investigation and hunting outcomes into reusable improvements: playbooks, dashboards, detection use cases, data quality requirements, logging gaps, and control/process recommendations.

    Qualifications

    Minimum Qualifications

    • Hands-on scripting/engineering ability for automation (Python, Go)
    • Experience working with enterprise telemetry at scale (querying, correlation, pivoting) across multiple sources (internal platform audit logs, identity/cloud logs, endpoint/server telemetry, network logs, DLP).
    • Ability to design workflows that produce defensible outputs: clear reasoning, evidence traceability, repeatable analysis steps, and auditable metadata.
    • Solid understanding of investigation/DFIR fundamentals and common investigation patterns (data access, staging, exfiltration/misuse, and scope assessment).

    Preferred Qualifications

    • Background in one or more of: DFIR, incident response engineering, security automation/SOAR, threat hunting, detection engineering, security data engineering, or technical investigations (years of experience not a hard requirement).
    • Experience building investigation/forensics tooling or automation that measurably reduces manual effort and improves consistency (e.g., one-click exports, auto-timeline, evidence index generation, report drafting).
    • Experience with AI-assisted engineering workflows for building security tooling (code generation, refactoring, test generation, documentation), with strong discipline around code review, testing, and change control.
    • Familiarity with evidence defensibility requirements in regulated environments (audit support, evidence requests, privacy constraints, minimization).
    • Experience with cross-domain investigations combining DLP + identity/cloud + endpoint/EDR/HIDS + network telemetry + internal platform audit logs.
