Principal Researcher, Botnet & DDoS Threats
A10 Networks, Inc · San Francisco Bay Area · 1 wk ago
HybridAnalyst$200k–$215k/yrFull-time
What You Will Do
- Reverse engineer IoT botnet malware families (Mirai lineage, Go-based L7 flooders, multi-architecture binaries) to understand attack behavior at the implementation and network level.
- You will reconstruct command structures, decode obfuscation, recover control flows from stripped binaries, and build precise models of how attacks manifest on the wire.
- Perform dynamic malware analysis in sandboxed and purpose-built lab environments to validate static analysis and observe runtime behavior.
- Design and contribute to novel detection and mitigation approaches based on malware internals and traffic behavior.
- Collaborate with AI/ML teams to integrate automated analysis into research workflows. This is not passive tool usage—you will actively shape how automation is applied to real malware analysis problems.
- Partner with product engineering to translate research into shipped detection capabilities.
- Lead external-facing research: threat reports, technical blogs, and conference presentations. At principal level, you own the narrative and direction of research output.
- Engage directly with customers in post-incident analysis, architectural guidance, and strategic threat briefings—clearly explaining both attacker behavior and defensive actions.
- Work alongside senior researchers focused on IoT botnets and large-scale DDoS systems, contributing to and benefiting from a deeply technical peer environment.
What You Need
- Strong foundation in binary reverse engineering using tools such as Ghidra or IDA, including static analysis across multiple architectures and experience with stripped binaries and compiler-generated code; you should be comfortable working close to raw assembly and control flow, not dependent on tooling abstraction.
- Hands-on experience with dynamic malware analysis in sandbox or isolated lab environments, using runtime observation to validate and extend static findings.
- Working proficiency in Python and Go.
- Strong understanding of network protocols at the implementation level, including the ability to interpret PCAPs and reconstruct protocol behavior.
- Familiarity with DDoS botnet architectures (e.g., Mirai lineage or equivalent), ideally with direct analysis of binaries rather than secondary reporting. Experience tracking variant evolution across malware families is a strong plus.
- Ability to communicate complex technical findings clearly across engineering, product, and customer audiences; at this level, communication quality is a core part of technical impact.
Nice to have
- Experience with high-performance packet processing or mitigation systems at the network and transport layers.
- Experience analyzing Go binaries in depth.
- Exposure to malware source code.
- Experience applying ML-assisted or vector-based approaches to malware classification, clustering, or lineage attribution.
Tools & environment
- Ghidra (headless + GUI)
- Capstone
- GoReSym
- Python 3
- Go
- Scapy
- tshark
- Any.run
- Joe Sandbox
- Cuckoo (or equivalent) custom detonation lab infrastructure
- Honeypot infrastructure
- MalwareBazaar
- VirusTotal
- macOS or Linux
- AI Use Guidelines for Interviews