Insider Risk Engineer

Dragonfli Group is a cybersecurity and IT consulting firm providing services to federal agencies and Fortune 100 enterprises. Headquartered in Washington, DC, Dragonfli supports clients in securing mission-critical systems across on-site, hybrid, and fully remote environments.

Dragonfli Group is seeking a Senior Security Engineer with deep Splunk content engineering expertise and a proven track record in insider risk detection. This is a detection-engineering-forward role requiring hands-on SPL development, alert fidelity improvement, and operational investigation support across a complex enterprise toolset including Splunk Enterprise Security, UEBA, CrowdStrike Falcon, Microsoft Purview/Defender/Entra, DLP, and Databricks.

This is a multi-year contract position supporting a large U.S. federal agency. Candidates with prior federal contracting experience are preferred. U.S. Citizenship required. All work must be performed within the continental United States.

Primary Responsibilities:

Detection Engineering and Content Development

• Design, build, and maintain insider risk detection use cases and monitoring workflows with a primary focus on Splunk Enterprise Security, UEBA, and SPL content engineering
• Write, optimize, and operationalize Splunk searches, correlation rules, dashboards, and alerts to improve fidelity and reduce false positives
• Develop and refine detection use cases targeting anomalous user behavior, data exfiltration, policy violations, and suspicious endpoint activity
• Investigate alert and case trends to identify opportunities for rule tuning, use case expansion, and operational maturity improvement

Incident Response and Investigation

• Support incident triage, investigation, and response related to insider risk, suspicious user behavior, and potential data misuse
• Perform CrowdStrike Falcon alert review, tuning, and incident response support including false positive identification and credible threat escalation
• Lead and assist in investigations involving potential insider threats, intellectual property matters, fraud, and high-stakes security incidents

Program and Tool Maturation

• Develop and maintain playbooks and response workflows for insider risk scenarios
• Administer and optimize the insider risk toolset: Splunk ES, UEBA, CrowdStrike, Microsoft Purview/Defender/Entra, DLP, and adjacent technologies
• Analyze current tool utilization and recommend enhancements to improve detection visibility, investigation efficiency, and operational coverage
• Support continuous improvement across Splunk, CrowdStrike, Microsoft, DLP, Databricks, and SOAR platforms
• Implement federal government and industry standards related to insider threat programs and maintain programmatic gap analyses

Stakeholder Coordination

• Partner with security operations, insider risk, cyber defense, and business stakeholders to improve detection coverage and response posture
• Coordinate with technology and business leaders to develop programmatic solutions and deliver executive-level presentations on findings and program status





Must-Have Qualifications:

• 7+ years of experience in cybersecurity, security operations, threat detection, insider risk, or incident response
• 3-5+ years of hands-on Splunk experience including Splunk Enterprise Security, UEBA, content development, alerting, and dashboarding
• Demonstrated experience writing and optimizing Splunk Search Processing Language (SPL)
• Experience with CrowdStrike Falcon including alert triage, incident response support, detection tuning, and false positive reduction
• 2+ years of investigation experience involving insider risk, security incidents, technical investigations, intellectual property matters, fraud, or related areas
• Experience developing and improving detection use cases, playbooks, and operational workflows
• Experience working in a heavily regulated environment (federal or financial sector preferred)
• Strong analytical, communication, and stakeholder coordination skills
• U.S. Citizenship required

Preferred Qualifications:

• Experience with DLP, Microsoft Purview, or other insider risk and data protection technologies
• Experience with SOAR workflows and security automation
• Familiarity with machine learning concepts applied to insider risk or anomaly detection
• Experience with endpoint, user behavior, and data activity monitoring in enterprise environments
• Exposure to Databricks for security analytics, data investigation, or large-scale data analysis use cases
• Experience in digital forensics and incident response (DFIR)
• Prior experience supporting large U.S. federal agency contracts
• BS/BA in a cybersecurity-related field (direct experience or professional certifications may substitute)
• Relevant certifications: Splunk Core Certified Power User, Splunk Enterprise Security Certified Admin, GCIA, GCIH, GCFE, CISSP, or equivalent

• Splunk ES / SPL / UEBA: Content engineering, alerting, dashboarding, and tuning
• Insider Risk Detection: Use case development, playbook creation, investigation support
• CrowdStrike Falcon: Alert triage, detection tuning, incident response
• Microsoft Security Stack: Purview, Defender, Entra
• DLP and Data Protection Technologies
• Analytical and Communication Skills: Executive-level reporting, cross-functional coordination
• Regulated Environment Experience: Federal or financial sector standards and compliance

• Insurance - health, dental, and vision
• Paid Time Off (PTO) and 11 Federal Holidays
• 401(k) employer match