DFIR Automation Engineer - Global Security Organization

Responsibilities

The mission of TikTok's Global Security Organization is to build and earn trust by reducing risk and securing our businesses and products. Also known as "GSO", this team is the foundation of our efforts to keep TikTok safe, secure, and operating at scale for over 1 billion people around the world. We work to ensure that the TikTok platform is safe and secure, that our users' experience and their data remains safe from external or internal threats, and that we comply with global regulations wherever TikTok operates.

Trust is one of TikTok's biggest initiatives, and security is integral to our success. In whatever ways users interact with us - whether they're watching videos on their For You page, interacting with a Live video, or buying products on TikTok Shop - GSO protects their data and privacy, so they can have a secure and trustworthy experience.

TikTok's Global Forensics team is responsible for the company's technical investigations and digital forensics work. We are seeking a DFIR Automation Engineer (Investigation Enablement & Threat Hunting). This role focuses on tooling, automation, and AI-assisted engineering to scale cross-domain investigations by accelerating data retrieval, correlation, timeline reconstruction, evidence packaging, and report drafting-while preserving audit-ready, defensible, and reproducible evidence chains. The role also drives case-informed proactive hunting to discover additional risk signals and convert them into reusable playbooks, tools, and detection/controls improvements.

Responsibilities
- Build and maintain investigation enablement tooling and automation: data retrieval/export, enrichment, correlation, entity normalization, timeline generation, evidence indexing, and report skeleton drafting.
- Apply AI-assisted development ("vibe coding" for rapid prototyping) to accelerate delivery of scripts/tools, while enforcing engineering guardrails (human review, tests, change control, and auditability).
- Engineer scenario-based playbooks, templates, and query packs to standardize cross-domain investigations and reduce manual, repetitive work.
- Provide L2 technical support for complex/adversarial cases and productize high-frequency steps discovered in real cases.
- Drive proactive risk discovery through case-informed hunting and data mining: generalize patterns from cases, run targeted hunts across multi-source telemetry, validate signals, and produce actionable findings.
- Convert investigation and hunting outcomes into reusable improvements: playbooks, dashboards, detection use cases, data quality requirements, logging gaps, and control/process recommendations.

Qualifications

Minimum Qualifications
- Hands-on scripting/engineering ability for automation (Python,Go)
- Experience working with enterprise telemetry at scale (querying, correlation, pivoting) across multiple sources (internal platform audit logs, identity/cloud logs, endpoint/server telemetry, network logs, DLP).
- Ability to design workflows that produce defensible outputs: clear reasoning, evidence traceability, repeatable analysis steps, and auditable metadata.
- Solid understanding of investigation/DFIR fundamentals and common investigation patterns (data access, staging, exfiltration/misuse, and scope assessment).