DFIR Automation Engineer - Global Security Organization
This posting explicitly calls out "vibe coding" (AI-assisted development) for rapid prototyping of security tooling and automation.
About the Role
Join TikTok's Global Forensics team to build and maintain automation and tooling that scale digital investigations and threat hunting. The role uses scripting and AI-assisted development to accelerate data retrieval, timeline reconstruction, evidence packaging, and conversion of findings into reusable playbooks while ensuring defensible, auditable outputs.
Job Description
Role
TikTok’s Global Forensics team seeks a DFIR Automation Engineer focused on investigation enablement and threat hunting. The role designs and implements tooling, automation, and AI-assisted engineering to accelerate cross-domain investigations (data retrieval, correlation, timeline reconstruction, evidence packaging, and report drafting) while preserving audit-ready, defensible evidence chains.
Key Responsibilities
- Build and maintain investigation enablement tooling and automation: data retrieval/export, enrichment, correlation, entity normalization, timeline generation, evidence indexing, and report skeleton drafting.
- Apply AI-assisted development (referred to as “vibe coding”) for rapid prototyping of scripts and tools, while enforcing engineering guardrails (human review, tests, change control, and auditability).
- Engineer scenario-based playbooks, templates, and query packs to standardize cross-domain investigations and reduce manual work.
- Provide L2 technical support for complex or adversarial cases and productize high-frequency steps discovered in cases.
- Drive proactive risk discovery through case-informed hunting and data mining across multiple telemetry sources; validate signals and produce actionable findings.
- Convert investigation and hunting outcomes into reusable improvements: playbooks, dashboards, detection use cases, data quality requirements, logging gap identifications, and control/process recommendations.
Requirements
Minimum Qualifications
- Hands-on scripting/engineering ability for automation; the posting explicitly names Python and Go.
- Experience working with enterprise telemetry at scale (querying, correlation, pivoting) across multiple sources such as internal platform audit logs, identity/cloud logs, endpoint/server telemetry, and network logs.
- Ability to design workflows that produce defensible outputs: clear reasoning, evidence traceability, repeatable analysis steps, and auditable metadata.
- Solid understanding of investigation/DFIR fundamentals and common investigation patterns (data access, staging, exfiltration/misuse, and scope assessment).
Preferred Qualifications
- Background in DFIR, incident response engineering, security automation/SOAR, threat hunting, detection engineering, security data engineering, or technical investigations.
- Experience building investigation/forensics tooling or automation that reduces manual effort and improves consistency (e.g., one-click exports, auto-timeline, evidence index generation, report drafting).
- Experience with AI-assisted engineering workflows for building security tooling, with strong discipline around code review, testing, and change control.
- Familiarity with evidence defensibility requirements in regulated environments (audit support, evidence requests, privacy constraints, minimization).
- Experience with cross-domain investigations combining DLP, identity/cloud, endpoint/EDR/HIDS, network telemetry, and internal platform audit logs.