Cyber Security - Detection Content Lead at Home Office
Glasgow, Scotland, United Kingdom - Full Time


Start Date

Immediate

Expiry Date

27 Nov, 25

Salary

70730.0

Posted On

27 Aug, 25

Experience

5 year(s) or above

Remote Job

Yes

Telecommute

Yes

Sponsor Visa

No

Skills

Threat Intelligence, Teams, Cyber Security, Access, Interview, Siem, Service Level Management, Indicators, Security Operations, Edr, Risk Analysis, Sfia, Enterprise, Norway, Performance Management

Industry

Other Industry

Description

JOB SUMMARY

Cyber Security at the Home Office is critical to protecting a large government department and safeguarding critical digital infrastructure. The Cyber Security Operations Centre (CSOC) Threat Intelligence team is tasked with understanding and contextualising the Home Office’s cyber threat landscape. The team manages the department’s intelligence requirements, based on assessed threats to Home Office systems, then seeks to obtain and analyse data to identify threats and their potential impact. The specialised team of six works alongside other CSOC areas to provide awareness of threats, allowing for the deployment of targeted defences and the sharing of timely and actionable guidance.

JOB DESCRIPTION

The Detection Content Lead sets the strategy for developing and maintaining detection rules across security tools. This role blends technical expertise in threats and adversaries with hands-on experience in tooling, data ingestion, and rule deployment. The post holder leads a team of detection engineers and works closely with threat, monitoring, and onboarding teams to deliver high-quality, scalable, and actionable detection content aligned with adversary techniques.

Your day-to-day responsibilities will be to:

  • Design, test, and document detection rules to ensure effective coverage with minimal false positives.
  • Prioritise rule deployment based on threat relevance, data quality, and system performance.
  • Define and maintain a detection strategy aligned with evolving threats, regularly reviewing coverage and proposing improvements.
  • Coordinate across threat, monitoring, incident response, onboarding, and engineering teams to align efforts and track progress.
  • Recommend tooling enhancements, including integrations, technical add-ons, automation, and detection-as-code solutions.
  • Manage the full content lifecycle—from creation to tuning—ensuring version control and documentation are maintained.
  • Lead the Detection Content team, aligning work with CSOC operations and supporting the broader Threat Operations strategy.

Due to the requirements of the role, the successful candidates will be required to work full-time (37 hours per week).

ESSENTIAL SKILLS

You’ll bring a strong interest in threat intelligence and demonstrate experience in:

  • Experience in a Security Operations Centre (SOC), including threat and risk analysis, ideally in a large government, enterprise, or managed service environment.
  • Familiarity with security platforms such as SIEM, EDR, and threat intelligence tools.
  • Proven ability to manage the full lifecycle of detection content—developing, documenting, and maintaining rules.
  • Skilled in detection methodologies including modelling, configuration analysis, behavioural patterns, and indicators of compromise.
  • Ability to analyse and present complex threat and risk information clearly, tailored to different audiences.
  • Experience operating at tactical, operational, and strategic levels, translating technical insights for non-technical stakeholders.
  • Experience leading and coaching diverse, distributed teams, ideally in cyber security.

SFIA TECHNICAL SKILLS

The essential technical skills required for this role are listed below and are reflective of the Home Office Government Digital and Data Profession Career Framework.

TECHNICAL SKILLS

We’ll assess you against these technical skills during the selection process:

  • Threat Intelligence (THIN) – Level 4
  • Incident management (USUP) – Level 4
  • Service Level Management (SLMO) – Level 4
  • Security Operations (SCAD) – Level 3
  • Performance Management (PEMT) – Level 3
  • Stakeholder relationship management (RLMT) – Level 4

CAPABILITY & SKILLS ALLOWANCE

The advertised role is part of the Home Office Government Digital and Data Profession. This role has access to a Digital Capability-Based Allowance. Applicants who are successful at interview will be invited to complete a Capability and Skills Assessment post-interview. Any allowance awarded will be based on the assessment of your capability against the six skills advertised for this role. Please see the attached candidate pack for more information.
The allowance values are set by the Home Office, subject to remaining in a qualifying role, and are non-pensionable. This allowance is non-contractual, subject to an annual review and could be withdrawn at any time.
For both new entrants and existing civil servants, the total compensation offer is a combination of base salary and, if applicable, a capability-based allowance. New entrants to the Civil Service will start on the pay range minimum. For existing civil servants, our policies on level transfer and promotion will apply.

NATIONALITY REQUIREMENTS

This job is broadly open to the following groups:

  • UK nationals
  • nationals of the Republic of Ireland
  • nationals of Commonwealth countries who have the right to work in the UK
  • nationals of the EU, Switzerland, Norway, Iceland or Liechtenstein and family members of those nationalities with settled or pre-settled status under the European Union Settlement Scheme (EUSS)
  • nationals of the EU, Switzerland, Norway, Iceland or Liechtenstein and family members of those nationalities who have made a valid application for settled or pre-settled status under the European Union Settlement Scheme (EUSS)
  • individuals with limited leave to remain or indefinite leave to remain who were eligible to apply for EUSS on or before 31 December 2020
  • Turkish nationals, and certain family members of Turkish nationals, who have accrued the right to work in the Civil Service

Further information on nationality requirements

How To Apply:

In case you would like to apply to this job directly from the source, please click here
