Cyber R&D

Threat Intelligence Researcher - CTI


About The Position

Every nation has data. Few can protect it. Fewer still can act on it.

Dream is the sovereign AI and national cyber-defense company for governments.

We help nations secure their most critical systems, connect fragmented information at a national scale, and turn their most sensitive data into decisions, all fully sovereign.

This is more than a job. It's a Dream job, where you'll work at a global scale alongside some of the best AI researchers, cyber operators, and government experts in the world.

We defend nations against the most advanced threats in the world with a national security suite that offers AI-native resilience against APTs with visibility, insights and mediation across Posture, CTI, and Detection & Response, all fully sovereign.

The Dream Job

We are on an expedition to find you, someone who is passionate about turning research into reliable, production-grade capabilities. You’ll play a major role in building and shaping our next-gen CTI platform across attribution, pivoting, infrastructure prediction, EASM, and the STIX/OpenCTI knowledge base.

The Dream-Maker Responsibilities

  • Execute the CTI research roadmap across attribution, infra prediction, EASM, and the STIX knowledge base. 
  • Design and implement graph-pivoting, attribution heuristics, and temporal/link models (sequence/survival/Hawkes-style). 
  • Build high-signal EASM detectors: passive discovery and safe active probing per ROE; capture reproducible evidence. 
  • Normalize, enrich, and deduplicate intel into STIX 2.1 aligned to our ontology; maintain/enhance TAXII/OpenCTI/MISP connectors. 
  • Ship detectors/models and enrichment services with AI/Platform teams; contribute tests, docs, and runbooks. 
  • Curate datasets, define ground truth, and evaluate KPIs (coverage, lead-time, precision/recall, FPR); iterate to improve signal-to-noise. 
  • Produce watchlists, concise briefs, and early-warning hypotheses for stakeholders and priority investigations. 
  • Uphold governance, ethics, provenance, and data-quality standards. 

The Dream Skill Set

  • 4-7+ years in CTI/EASM/offensive research or adversary-infra analysis. 
  • DNS, BGP/ASNs, TLS/PKI & CT logs, hosting/CDN/cloud patterns, domain lifecycle, phishing ecosystems. 
  • Communities/embeddings/clustering; temporal/link modeling and practical evaluation. 
  • Passive discovery and safe active probing; evidence discipline and noise reduction. 
  • STIX 2.1, ATT&CK, TAXII; OpenCTI/MISP experience is an advantage; ontology alignment and validation.
  • Python (pandas, notebooks, scikit-learn, networkx/igraph); Neo4j/Elasticsearch; Kafka/SQS/Redis; Docker/Kubernetes. 
  • Prompting/tool-use for extraction/normalization; agentic patterns with guardrails and sanity checks. 
  • Analytical writing; collaborative, version-controlled workflow (Git); documentation rigor. 

Never Stop Dreaming...

If you think this role doesn’t fully match your skills but are eager to grow and break glass ceilings, we’d love to hear from you!  

