DFIR Automation Engineer - Global Security Organization

Role

TikTok’s Global Forensics team is hiring a DFIR Automation Engineer focused on investigation enablement and threat hunting. The role centers on developing tooling, automation, and AI-assisted engineering to accelerate cross-domain investigations while ensuring defensible, auditable evidence chains.

Key Responsibilities

• Build and maintain investigation enablement tooling and automation for data retrieval/export, enrichment, correlation, entity normalization, timeline generation, evidence indexing, and report skeleton drafting.
• Apply AI-assisted development (“vibe coding”) for rapid prototyping of scripts and tools while enforcing engineering guardrails: human review, tests, change control, and auditability.
• Engineer scenario-based playbooks, templates, and query packs to standardize investigations and reduce repetitive work.
• Provide L2 technical support for complex or adversarial cases and productize high-frequency steps discovered in cases.
• Drive proactive risk discovery via case-informed threat hunting and data mining across multi-source telemetry; validate signals and produce actionable findings.
• Convert investigation and hunting outcomes into reusable improvements such as playbooks, dashboards, detection use cases, data quality requirements, logging gap identification, and control/process recommendations.

Requirements

Minimum Qualifications

• Hands-on scripting/engineering ability for automation (Python, Go).
• Experience working with enterprise telemetry at scale across multiple sources (internal platform audit logs, identity/cloud logs, endpoint/server telemetry, network logs, DLP).
• Ability to design workflows that produce defensible outputs with evidence traceability, repeatable analysis steps, and auditable metadata.
• Solid understanding of DFIR fundamentals and common investigation patterns (data access, staging, exfiltration/misuse, scope assessment).

Preferred Qualifications

• Background in DFIR, incident response engineering, security automation/SOAR, threat hunting, detection engineering, security data engineering, or technical investigations.
• Experience building investigation/forensics tooling or automation that measurably reduces manual effort (e.g., one-click exports, auto-timeline, evidence index generation, report drafting).
• Experience with AI-assisted engineering workflows for building security tooling, including code generation, refactoring, test generation, and documentation, with disciplined code review and change control.
• Familiarity with evidence defensibility requirements in regulated environments (audit support, evidence requests, privacy constraints).
• Experience with cross-domain investigations combining DLP, identity/cloud, endpoint/EDR/HIDS, network telemetry, and internal platform audit logs.

Compensation & Benefits

• Base salary range for San Jose: $136,800 - $259,200 annually.
• Role may be eligible for discretionary bonuses/incentives and restricted stock units.
• Day-one access to medical, dental, and vision insurance; 401(k) savings plan with company match; paid parental leave; short-term and long-term disability coverage; life insurance; and wellbeing benefits.
• Time off: 10 paid holidays per year, 10 paid sick days per year, and 17 days of Paid Personal Time (prorated with accruals by tenure).