Principal ML/AI Threat Engineer

DNSFilter’s mission is to protect our customers and partners with products they love to use! We are revolutionizing network security by providing fast, accurate, and reliable threat protection and content filtering. We're a rapidly growing company dedicated to creating a safer internet for businesses and organizations worldwide. Leveraging AI-driven threat intelligence, DNSFilter empowers our customers to proactively block threats before they impact their networks. We foster a collaborative, innovative, and results-oriented culture where every team member contributes to our mission of making the internet safer.

As we continue our product-fueled growth by adding new features and broadening our solution to meet the needs of the global market, it's clear there's a missing piece. That's where you come in!

DNSFilter is seeking a Principal ML/AI Threat Engineer to design and deliver scalable, real-time threat intelligence systems from DNS telemetry. This hands-on Principal IC role focuses on architecting, training, and deploying adaptive ML/AI models for malicious and benign infrastructure clustering, pattern identification, content categorization, and high-confidence actor attribution at scale. You will build production-grade systems to transform raw DNS signals into campaign-aware, actor-linked detections.
Eligible candidates have and can work successfully in a small to mid-sized fast-paced, hyper-growth, SaaS start-up or scale-up, and are located in the United States or Canada.

We recognize that people come with a wealth of experience and talent beyond just the technical requirements of a job. If you feel like this job is for you, please apply. We believe diversity of experience and skills, including transferable skills, combined with passion, is a key to innovation and excellence; therefore, we encourage people from all backgrounds to apply to our positions!

In this role, You Will: 

• Infrastructure Clustering Systems
• Design and maintain clustering frameworks to group and categorize malicious network indicators/assets at scale.
• Analyze threat actor patterns and continuously evaluate cluster stability for adversarial drift, refining models for adaptation and resilience.
• What Success Looks Like: Increased, high-confidence coverage of malicious infrastructure clusters that remain stable despite adversarial mutation.
• Pattern Derivation & Model Development
• Identify persistent adversary fingerprints in DNS and convert them into functional products by building, training, and architecting performant AI/ML models at scale, utilizing hybrid detection and mitigation layers.
• What Success Looks Like: Measurable reduction in time-to-detection for emerging DNS-borne threats. Measurable increase in customer coverage.
• Real-Time Adaptive Detection
• Build systems for scaled analytical decision-making, training, branching, drift detection, and recognizing real-world threats. Integrate feedback and balance adaptability with precision to eliminate false-positive amplification.
• What Success Looks Like: Real-time detection systems that adapt without measurable degradation in precision.
• Attribution-Supporting Intelligence
• Develop infrastructure-linking methodologies, partner with researchers to validate attribution hypotheses, and implement informed confidence scoring.
• What Success Looks Like: Repeatable attribution-supporting infrastructure intelligence.
• Intelligence as a Service
• Deliver production services with clear SLAs/SLOs, explainability, confidence metrics, monitoring, and observability, ensuring compatibility with DNSFilter’s vision and tech stack.
• What Success Looks Like: Creating new methodologies, heuristics, and fingerprints to categorize threats at scale.
• Travel
• Present at security conferences, specifically ISAC.

To qualify for this role, You Have: 

• 10+ total years across the fields of AI engineering, applied ML, detection engineering, threat research, or threat intelligence automation.
• Experience building production AI/ML systems operating on high-volume telemetry.
• Strong background in: Statistical analysis, Clustering methods, and Feature engineering at scale.
• Deep understanding of adversarial tradecraft as observed in DNS or network data.
• Strong Python proficiency, cloud architectures, and experience with distributed processing systems.
• Experience designing technical systems independently at the principal scope.
• Ability to work hours overlapping with Eastern Time.
• Must be eligible to work in your region of hire without sponsorship from an employer now and/or in the future.

Bonus points for: 

• Direct experience with passive DNS or resolver telemetry.
• Examples of hands-on work that has led to measurable outcomes.
• Experience building network-based risk and/or confidence scoring mechanisms.
• Familiarity with modern AI-engineering techniques and adaptive model strategies.
• Background in cybersecurity, particularly nation-state APTs, major cyber groups, and threat actor automation.
• Experience building explainable detection systems for customer-facing products.

We Offer:

• Pathway to promotion to additional organizational positions and responsibilities based upon results and performance, not just time in the chair.  You help us grow, and we will help you grow.
• Passionate and intelligent colleagues who work hard and have a good time doing it
• Paid company-wide week off at the end of each year
• Flexible Vacation Policy
• Awesome company swag
• Full medical, dental, and vision benefits for US, UK, and Canada-based employees
• Full short-term disability and life benefits; available long-term disability
• Retirement savings account options with vested company matching for qualifying employees
• In-person annual gatherings. Last time we all spent a week on a beach in the Dominican Republic!

DNSFilter is a pay-for-performance organization, which means there is an opportunity to advance your compensation based on performance over time. The hiring base pay is dependent on several factors, including level, function, training, transferable skills, work experience, business needs, and geographic location. As a hybrid company, our compensation reflects the cost of labor across several U.S. and global geographic markets. We pay differently based on those defined markets. Our Talent Team can share more about the specific salary range for the job location during the hiring process.

DNSFilter participates in the E-Verify program.

At DNSFilter, we utilize sophisticated software and tools to identify and eliminate Deepfake candidates. This approach helps us maintain the integrity of our hiring process, ensuring that we select the most qualified and genuine individuals to join our team.