Director of Cyber Threat Intelligence (CTI) jobs in United States

AstraZeneca · 7 hours ago

Director of Cyber Threat Intelligence (CTI)

AstraZeneca is a global, science-led, patient-focused biopharmaceutical company dedicated to discovering, developing, and commercialising prescription medicines for serious disease. The Director of Cyber Threat Intelligence will lead a highly technical CTI function within AstraZeneca’s Cybersecurity Operations division, managing a team of analysts to deliver strategic, operational, and tactical intelligence that measurably reduces risk across the enterprise.

Industry: Biopharma, Biotechnology, Health Care, Medical, Pharmaceutical, Precision Medicine
✓ Comp. & Benefits
✓ H1B Sponsor Likely

Responsibilities

Define CTI vision, operating model, and roadmap aligned to AstraZeneca’s cyber risk reduction strategy, with special emphasis on manufacturing continuity, clinical data integrity, and R&D IP protection
Design and operate a scoring rubric that ranks actors based on intent/capability/relevance, TTP emergence and prevalence, organization-specific exposure to known vulnerabilities/CVEs, and global 'viral' events, maintaining dynamic watchlists and escalation triggers
Implement analytic methods to estimate mean time-to-impact per adversary (from initial access to material business impact) using internal telemetry, historical incidents, industry reporting, and confidence levels, and compare the results with IR's mean time-to-containment (MTTC) to drive control improvements
Build and maintain end-to-end attack path models from initial access to material impact across IT-to-OT pivots, clinical platforms, and R&D environments, mapping steps to MITRE ATT&CK (Enterprise/ICS), identifying control gaps and choke points, deriving detections-as-code and hunt hypotheses, and supporting validation efforts including purple-team exercises and adversary emulation to ensure enterprise hardening and measurable risk reduction
Establish collection and monitoring across dark web forums, marketplaces, breach dumps, and closed channels to identify emerging TTPs, credential leaks, data exposure, access-broker listings, and targeting of manufacturing, clinical, or R&D assets; integrate validated findings into TIP/SIEM pipelines, trigger takedown requests where feasible, and deliver rapid advisories with confidence ratings and specific actions for Vulnerability Management, Detection Engineering, and IR
Deliver risk insights for CROs/CMOs/logistics/technology vendors, monitor credential leakage and domain spoofing, and support/coordinate takedown operations when needed
Lead disciplined attribution using the Diamond Model (adversary, capability, infrastructure, victim) and complementary frameworks, correlating TTPs, tooling lineage, code-reuse, infrastructure overlaps, and victimology with confidence levels and analytic caveats, documenting hypotheses, alternative explanations, and disconfirming evidence, and producing reusable actor profiles and pivot paths that inform prioritization, detections, hunts, and incident response playbooks
Partner with Vulnerability Management to contextualize CVEs (exploitability, weaponization, external scanning telemetry, compensating controls) and deliver risk-based patching prioritization across AstraZeneca’s estate including IT/OT, clinical platforms, and lab environments
Develop detection use cases to feed our detection-as-code pipeline and support detection ATT&CK coverage mapping, content tuning, and false-positive reduction, ensuring feedback loops from hunts and incidents continuously improve detection quality
Provide real-time adversary context that is highly technical including kill-chain reconstruction, containment recommendations, and countermeasures, producing post-incident intelligence retrospectives and detection/architecture improvements
Produce daily threat intelligence highlights, threat actor/campaign profiles, quarterly threat briefings, and other ad hoc intelligence products, ensuring products include quantified risk narratives for senior leadership that also align findings to regulatory expectations and business impact
Optimize integrations across TIP, SIEM, EDR, case management, and telemetry; manage indicator lifecycle, automate enrichment, and measure source fidelity/bias
Lead participation with sector bodies (e.g., H-ISAC), peer sharing groups, and government/industry partners; track and assess global events and rapidly translate into actionable enterprise guidance
Recruit, mentor, and grow a diverse team of CTI analysts; build career paths, training plans, and knowledge-sharing practices; foster a culture of technical excellence and clear, actionable communication
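As an added illustration (not AstraZeneca's code or process) of two of the mechanics named in the list above, the actor scoring rubric with dynamic watchlist escalation triggers and the per-actor mean time-to-impact (MTTI) compared against IR's mean time-to-containment (MTTC), the following script scores constructed actors, fires escalation triggers, and reports which actors reach material impact faster than IR contains incidents. The factor weights, thresholds, actor names and incident timings are constructed assumptions chosen for the example.

```python
"""Actor scoring rubric with watchlist escalation triggers, plus a
mean-time-to-impact (MTTI) versus mean-time-to-containment (MTTC) comparison.
Added illustration, not AstraZeneca's code: weights, thresholds, actor
names and incident timings are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Constructed rubric: every factor is scored 0-1 by the analyst; weights sum
# to 1.0 so the weighted sum scales cleanly to 0-100.
WEIGHTS = {
    "intent": 0.20,          # evidence the actor targets our sector or us
    "capability": 0.20,      # tooling maturity, exploit access, scale
    "relevance": 0.15,       # overlap with our IT/OT/clinical/R&D estate
    "ttp_emergence": 0.10,   # how new or rising the observed TTPs are
    "ttp_prevalence": 0.10,  # how widely those TTPs appear in industry reporting
    "cve_exposure": 0.15,    # share of actor-used CVEs present and unpatched here
    "viral_event": 0.10,     # linked to a current global mass-exploitation event
}
ESCALATE_AT = 70.0  # watchlist trigger: absolute score threshold (assumed)
SCORE_JUMP = 15.0   # watchlist trigger: rise since last assessment (assumed)

@dataclass
class Actor:
    name: str
    factors: Dict[str, float]
    previous_score: Optional[float] = None

def score_actor(actor: Actor) -> float:
    """Weighted 0-100 score. Missing factors count as 0 rather than being guessed."""
    for k, v in actor.factors.items():
        if k not in WEIGHTS:
            raise KeyError(f"unknown rubric factor {k!r}")
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"factor {k} must be in [0, 1], got {v}")
    return round(100.0 * sum(w * actor.factors.get(k, 0.0) for k, w in WEIGHTS.items()), 1)

def escalation_triggers(actor: Actor) -> List[str]:
    """Names of the escalation triggers that fire for this actor."""
    s = score_actor(actor)
    fired = []
    if s >= ESCALATE_AT:
        fired.append("score_threshold")
    if actor.previous_score is not None and s - actor.previous_score >= SCORE_JUMP:
        fired.append("rapid_rise")
    # A viral event only escalates when we actually carry the exposure it exploits.
    if actor.factors.get("viral_event", 0.0) >= 0.5 and actor.factors.get("cve_exposure", 0.0) > 0.0:
        fired.append("viral_event_with_exposure")
    return fired

def build_watchlist(actors: List[Actor]) -> List[Tuple[str, float, List[str]]]:
    """Rank actors by score (descending); more fired triggers win ties."""
    rows = [(a.name, score_actor(a), escalation_triggers(a)) for a in actors]
    rows.sort(key=lambda r: (-r[1], -len(r[2]), r[0]))
    return rows

@dataclass
class Incident:
    actor: str
    initial_access: datetime
    material_impact: Optional[datetime]  # None: contained before any impact
    contained: datetime

def _hours(a: datetime, b: datetime) -> float:
    return (b - a).total_seconds() / 3600.0

def mtti_hours(incidents: List[Incident], actor: str) -> Tuple[Optional[float], int]:
    """Mean hours from initial access to material impact for one actor, with the
    sample count as a crude confidence indicator. Incidents contained before
    impact have no time-to-impact and are excluded rather than zero-filled."""
    d = [_hours(i.initial_access, i.material_impact)
         for i in incidents if i.actor == actor and i.material_impact is not None]
    return (round(mean(d), 1), len(d)) if d else (None, 0)

def mttc_hours(incidents: List[Incident]) -> float:
    """IR's mean hours from initial access to containment across all incidents."""
    return round(mean([_hours(i.initial_access, i.contained) for i in incidents]), 1)

def actors_outpacing_containment(incidents: List[Incident], names: List[str]):
    """Actors whose MTTI is shorter than IR's MTTC: for these, containment lands
    after the damage, so controls must move earlier in the attack path."""
    mttc = mttc_hours(incidents)
    fast = []
    for name in names:
        mtti, n = mtti_hours(incidents, name)
        if mtti is not None and mtti < mttc:
            fast.append((name, mtti, n))
    return mttc, fast

# Constructed sample data (not real actors or incidents).
ACTORS = [
    Actor("ACTOR-A", {"intent": 0.9, "capability": 0.7, "relevance": 0.8, "ttp_emergence": 0.4,
                      "ttp_prevalence": 0.9, "cve_exposure": 0.6, "viral_event": 1.0}, previous_score=55.0),
    Actor("ACTOR-B", {"intent": 0.8, "capability": 0.9, "relevance": 0.9, "ttp_emergence": 0.7,
                      "ttp_prevalence": 0.3, "cve_exposure": 0.2, "viral_event": 0.0}, previous_score=40.0),
    Actor("ACTOR-C", {"intent": 0.3, "capability": 0.3, "relevance": 0.4, "ttp_emergence": 0.1,
                      "ttp_prevalence": 0.8, "cve_exposure": 0.0, "viral_event": 0.6}, previous_score=30.0),
]
T0 = datetime(2024, 1, 1)
INCIDENTS = [
    Incident("ACTOR-A", T0, T0 + timedelta(hours=36), T0 + timedelta(hours=48)),
    Incident("ACTOR-A", T0 + timedelta(days=10), T0 + timedelta(days=10, hours=20), T0 + timedelta(days=10, hours=30)),
    Incident("ACTOR-B", T0 + timedelta(days=20), None, T0 + timedelta(days=20, hours=120)),
    Incident("ACTOR-C", T0 + timedelta(days=30), T0 + timedelta(days=30, hours=150), T0 + timedelta(days=30, hours=160)),
]

if __name__ == "__main__":
    for name, s, triggers in build_watchlist(ACTORS):
        print(f"{name:8} score={s:5.1f} triggers={triggers}")
    mttc, fast = actors_outpacing_containment(INCIDENTS, [a.name for a in ACTORS])
    print(f"MTTC={mttc}h; actors outpacing containment: {fast}")
```

In this constructed run ACTOR-A fires all three triggers, ACTOR-B escalates only on its rapid rise, and ACTOR-C's viral-event flag does not escalate because the estate carries no exposure to the CVEs involved; ACTOR-A's 28-hour MTTI against a 89.5-hour MTTC is the kind of gap the role is asked to turn into control improvements. The sample count returned beside each MTTI is the honest caveat: a single-incident mean is an anecdote, not a metric.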

Qualification

Cyber Threat Intelligence, MITRE ATT&CK, Vulnerability Management, Detection Engineering, Incident Response, Adversary Scoring, Attack Path Modeling, Dark Web Monitoring, Structured Attribution, CVE Analysis, Tooling Automation, Analytical Skills, Stakeholder Partnership, Education, People Leadership, Team Leadership, Communication Skills, Decision Making

Required

10+ years in cyber threat intelligence, detection engineering, incident response, or related domains; 5+ years leading technical CTI teams in global enterprises
Demonstrated ability to set vision, influence strategy, and deliver outcomes tied to enterprise risk reduction
Proven ownership of adversary-centric CTI programs that directly drive vulnerability prioritization, detections-as-code, hunts, and incident response
Comfortable making data-driven decisions with clear trade-offs and confidence levels
Deep expertise mapping TTPs to MITRE ATT&CK, defining coverage strategies, and translating gaps into high-fidelity detections and hunt hypotheses; skilled in industrial/OT contexts
Hands-on delivery of end-to-end attack paths across IT-to-OT pivots, clinical platforms, and R&D environments; validation via purple-team/adversary emulation
Ability to convert findings into prioritized control roadmaps and measurable risk reduction
Designed and operated tailored actor scoring incorporating intent/capability, TTP emergence/prevalence, org exposure to CVEs, and global/viral events
Maintained dynamic watchlists and escalation triggers
Applied the Diamond Model and complementary frameworks with documented hypotheses, caveats, disconfirming evidence, and confidence statements
Produced reusable actor profiles and pivot paths
Built mean time-to-impact metrics per actor and operationalized comparisons to IR's mean time-to-containment to guide control improvements and track program effectiveness
Delivered contextual CVE analysis (exploitability, weaponization, external scanning telemetry, compensating controls) and risk-based patch recommendations across IT, OT/ICS, clinical, and lab environments
Co-developed detections-as-code (e.g., Sigma, KQL, SPL), tuned content to reduce false positives, and closed ATT&CK coverage gaps with feedback loops from hunts/incidents
Provided real-time adversary context, kill-chain reconstruction, containment recommendations, and post-incident retrospectives that inform detection and architectural improvements
Operated dark web/closed-source monitoring; integrated findings into TIP/SIEM/EDR pipelines; managed indicator lifecycle, automated enrichment, and measured source fidelity/bias
Clear, concise communication of complex technical intelligence to executives and cross-functional partners (Vulnerability Management, Detection Engineering, SOC/IR, OT Security, Clinical Ops, Research IT); ability to influence without authority
Bachelor's degree in a relevant field (Computer Science, Information Security, Intelligence Studies, or equivalent experience)

Preferred

Experience in pharmaceuticals, life sciences, healthcare, or manufacturing; familiarity with GMP/CSV, clinical data obligations, and R&D IP protection
Hands-on work with MES, SCADA, PLC ecosystems; ATT&CK for ICS usage; understanding of OT-safe response practices and production continuity implications
Exposure to CTMS, EDC, IRT, ELN, LIMS, HPC, and data lake environments; experience safeguarding data integrity and sensitive research/IP
Built dashboards tracking MTTI by actor, ATT&CK coverage indices, intel-informed patch SLAs, hunter ROI, and executive risk narratives; experience presenting to senior leadership and risk committees
TIP administration, SIEM/EDR content engineering, enrichment/orchestration pipelines, case management integration, and indicator lifecycle automation at enterprise scale
Ability to translate attack paths into quantified risk scenarios and prioritized control investments aligned to business objectives and crown jewels
Active engagement with H-ISAC/ISAOs and government/industry partners; track record of rapidly converting global/viral cyber events into enterprise defenses and executive guidance
One or more of GCTI, GREM, GRID, GCIH, CISSP, or equivalent demonstrated expertise
Built diverse, high-performing teams; established career paths, coaching frameworks, and a culture of analytic rigor, technical excellence, and continuous improvement

Benefits

Short-term incentive bonus opportunity
Equity-based long-term incentive program (salaried roles)
Retirement contribution (hourly roles)
Commission payment eligibility (sales roles)
Qualified retirement program [401(k) plan]
Paid vacation and holidays
Paid leaves
Health benefits including medical, prescription drug, dental, and vision coverage

Company

AstraZeneca

AstraZeneca is a pharmaceutical company that discovers, develops, manufactures, and markets prescription medicines. It is a sub-organization of Investor.

H1B Sponsorship

AstraZeneca has a track record of offering H1B sponsorships. Please note that this does not guarantee sponsorship for this specific role. The information below is provided for reference. (Data powered by the US Department of Labor)
[Chart: Distribution of Different Job Fields Receiving Sponsorship, highlighting job fields similar to this job]
Trends of Total Sponsorships: 2021 (2), 2020 (11)

Funding

Current Stage: Public Company
Total Funding: $5.26B
2024-07-30 Post-IPO Debt · $1.51B
2023-02-28 Post-IPO Debt · $2.25B
2023-02-24 Post-IPO Debt · $1.5B

Leadership Team

Pascal Soriot, Executive Director and Chief Executive Officer
Aradhana Sarin, Group CFO and Executive Director

Company data provided by Crunchbase