Jobs · Analyst · California

Principal Researcher, Botnet & DDoS Threats

A10 Networks, Inc · San Francisco Bay Area · 1 wk ago
HybridAnalyst$200k–$215k/yrFull-time

What You Will Do

  • Reverse engineer IoT botnet malware families (Mirai lineage, Go-based L7 flooders, multi-architecture binaries) to understand attack behavior at the implementation and network level.
  • You will reconstruct command structures, decode obfuscation, recover control flows from stripped binaries, and build precise models of how attacks manifest on the wire.
  • Perform dynamic malware analysis in sandboxed and purpose-built lab environments to validate static analysis and observe runtime behavior.
  • Design and contribute to novel detection and mitigation approaches based on malware internals and traffic behavior.
  • Collaborate with AI/ML teams to integrate automated analysis into research workflows. This is not passive tool usage—you will actively shape how automation is applied to real malware analysis problems.
  • Partner with product engineering to translate research into shipped detection capabilities.
  • Lead external-facing research: threat reports, technical blogs, and conference presentations. At principal level, you own the narrative and direction of research output.
  • Engage directly with customers in post-incident analysis, architectural guidance, and strategic threat briefings—clearly explaining both attacker behavior and defensive actions.
  • Work alongside senior researchers focused on IoT botnets and large-scale DDoS systems, contributing to and benefiting from a deeply technical peer environment.

What You Need

  • Strong foundation in binary reverse engineering using tools such as Ghidra or IDA, including static analysis across multiple architectures and experience with stripped binaries and compiler-generated code; you should be comfortable working close to raw assembly and control flow, not dependent on tooling abstraction.
  • Hands-on experience with dynamic malware analysis in sandbox or isolated lab environments, using runtime observation to validate and extend static findings.
  • Working proficiency in Python and Go.
  • Strong understanding of network protocols at the implementation level, including the ability to interpret PCAPs and reconstruct protocol behavior.
  • Familiarity with DDoS botnet architectures (e.g., Mirai lineage or equivalent), ideally with direct analysis of binaries rather than secondary reporting. Experience tracking variant evolution across malware families is a strong plus.
  • Ability to communicate complex technical findings clearly across engineering, product, and customer audiences; at this level, communication quality is a core part of technical impact.

Nice to have

  • Experience with high-performance packet processing or mitigation systems at the network and transport layers.
  • Experience analyzing Go binaries in depth.
  • Exposure to malware source code.
  • Experience applying ML-assisted or vector-based approaches to malware classification, clustering, or lineage attribution.

Tools & environment

  • Ghidra (headless + GUI)
  • Capstone
  • GoReSym
  • Python 3
  • Go
  • Scapy
  • tshark
  • Any.run
  • Joe Sandbox
  • Cuckoo (or equivalent) custom detonation lab infrastructure
  • Honeypot infrastructure
  • MalwareBazaar
  • VirusTotal
  • macOS or Linux
  • AI Use Guidelines for Interviews

Similar jobs