Cybersecurity Threat Researcher (NATO-NCIA)

Brussels, Belgium, Sapienza Consulting [OCIO-0003]

Field(s) of expertise
Information Technology
Job type

About this job

Sapienza Consulting, a tpgroup company, is recruiting a Cybersecurity Threat Researcher to join NATO – NCIA in Brussels, Belgium.


To provide Cyber Threat Research services, the contractor will be responsible for supporting threat intelligence analysis by creating tools and performing net flow analysis to enable identifying and tracking sophisticated threat actors

Specific tasks include:

  • Write code to automate analyst workflows, and to improve our threat intelligence systems
    •  Measurement: Create Python and Bash scripts in the form of Git commits, describing the code commits and with additional comments in the code. Initial scripts developed within 60 days of arrival, and thereafter milestones will be ongoing and assessed on a quarterly basis
    • Measurement: Write ‘user manuals’ for the scripts and post on the CTAB confluence central document repository. This work is tied to the timelines of the script development: first user manual within 60 days of arrival, and thereafter milestones will be ongoing and assessed on a quarterly basis
  • Develop signatures to detect malware or network breaches;
    • Measurement: Store the developed signatures in our hypergraph database (Synapse Cortex). Provide first signatures within 30 days of arrival and provide additional signatures as required.
    • Measurement: Include documentation on our central documentation repository. Provide first documentation on malware signatures within 30 days of arrival and provide additional documentation as required
  • Apply In-depth technical knowledge of threat actor capabilities, infrastructure, and techniques to define, develop, and implement the techniques to discover and track cyber threat actors. Research threat actor activity, trends, tactics, techniques and procedures (TTPs) to facilitate understanding of hostile TTPs and possible countermeasures. As necessary, led teams of threat intelligence analysts to develop these reports.
    • Measurement: Support as directed, and post reports on the documentation repository. Initial draft of reports provided within 5 working days of tasking
  • Extract, manipulate, and summarize network data in the analysis of possible cyber incidents;
    • Measurement: Length of time to report is dependent upon the complexity of network traffic to analyse, but our internal goal is to provide initial findings within a half a working day of receipt of task



  • A currently active NATO Secret Security Clearance is required for this role
  • A university degree from a nationally recognised/certified University in a technical subject with substantial Information Technology (IT) content and 4 years of specific experience
  • Exceptionally, the lack of a university degree may be compensated by the demonstration of a contractor’s particular abilities or experience that is/are of interest to the OCIO; that is, at least 7 years extensive and progressive expertise in the tasks related to the function of the cyber security threat research

Expert level in at least three of the following areas and a high level of experience in the other areas:

  • Experience analysing and synthesizing threat intelligence in a high-speed environment
  • Experience producing actionable threat intelligence on targeted and advanced persistent adversaries enabling network and host defences in external organizations with demonstrable impact.
  • Tracked multiple distinct cyber threat actors over a period of at least one year ascertaining and characterizing various TTPs, capabilities, infrastructure, and campaigns.
  • Knowledge and experience in analysis of various threat actor groups, attack patterns and tactics, techniques, and procedures (TTPs), deep analysis of threats across the enterprise by combining security rules, content, policy and relevant datasets.
  • Experience with threat hunting, including mandatory knowledge of operating systems and windows internals



  • Applied knowledge across all critical elements and common data types used in threat intelligence analysis, including malware used in targeted adversary campaigns; host and log forensics including methods of data collection and analytic techniques; and network forensics including common protocols and how those are used in adversary operations
  • Applied knowledge of a variety of adversary command and control methods and protocols.
  • Experience supporting incident response and deeply familiar with common incident response procedures, processes, and tools
  • Strong knowledge of malware families and network attack vectors
  • Ability to analyse attack vectors against a particular system to determine attack surface
  • Ability to produce contextual attack models applied to a scenario
  • Hands on experience on monitoring cloud services

For information on how the personal data in your application is processed, please see the Sapienza Consulting Privacy Policy.