Principal Researcher, Botnet & DDoS Threats
Job Description
The DDoS threat landscape has crossed a threshold. Botnets like Aisuru and Kimwolf—comprising millions of compromised Android TV and IoT devices and capable of attacks exceeding 24 Tbps and 9 billion packets per second—are no longer edge cases. They are the baseline.
Defeating these threats requires more than external observation. It requires deep visibility into how they are built, how they execute on the wire, and what that means for the systems designed to stop them.
This role sits at the intersection of binary exploitation research and real-world defensive impact. You will reverse engineer active IoT botnet malware, translate findings into detection logic and packet-level attack signatures, and work across engineering, product, and research to ensure insights directly improve detection and customer defense.
What you will do
Reverse engineer IoT botnet malware families (Mirai lineage, Go-based L7 flooders, multi-architecture binaries) to understand attack behavior at the implementation and network level. You will reconstruct command structures, decode obfuscation, recover control flows from stripped binaries, and build precise models of how attacks manifest on the wire
Perform dynamic malware analysis in sandboxed and purpose-built lab environments to validate static analysis and observe runtime behavior
Design and contribute to novel detection and mitigation approaches based on malware internals and traffic behavior
Collaborate with AI/ML teams to integrate automated analysis into research workflows. This is not passive tool usage—you will actively shape how automation is applied to real malware analysis problems
Partner with product engineering to translate research into shipped detection capabilities
Lead external-facing research: threat reports, technical blogs, and conference presentations. At principal level, you own the narrative and direction of research output
Engage directly with customers in post-incident analysis, architectural guidance, and strategic threat briefings—clearly explaining both attacker behavior and defensive actions
Work alongside senior researchers focused on IoT botnets and large-scale DDoS systems, contributing to and benefiting from a deeply technical peer environment
What you need
Strong foundation in binary reverse engineering using tools such as Ghidra or IDA, including static analysis across multiple architectures and experience with stripped binaries and compiler-generated code; you should be comfortable working close to raw assembly and control flow, not dependent on tooling abstraction
Hands-on experience with dynamic malware analysis in sandbox or isolated lab environments, using runtime observation to validate and extend static findings
Working proficiency in Python and Go
Strong understanding of network protocols at the implementation level, including the ability to interpret PCAPs and reconstruct protocol behavior
Familiarity with DDoS botnet architectures (e.g., Mirai lineage or equivalent), ideally with direct analysis of binaries rather than secondary reporting. Experience tracking variant evolution across malware families is a strong plus
Ability to communicate complex technical findings clearly across engineering, product, and customer audiences; at this level, communication quality is a core part of technical impact
Nice to have
Experience with high-performance packet processing or mitigation systems at the network and transport layers
Experience analyzing Go binaries in depth
Exposure to malware source code
Experience applying ML-assisted or vector-based approaches to malware classification, clustering, or lineage attribution
Tools & environment
Ghidra (headless + GUI), Capstone, GoReSym · Python 3, Go, Scapy, tshark · Any.run, Joe Sandbox, Cuckoo (or equivalent) · custom detonation lab infrastructure · honeypot infrastructure · MalwareBazaar, VirusTotal · macOS or Linux