Director of Cyber Threat Intelligence (CTI)
Company: AstraZeneca
Location: Montgomery Village
Posted on: February 17, 2026
Job Description:

AstraZeneca is a global, science-led, patient-focused biopharmaceutical company dedicated to discovering, developing, and commercialising prescription medicines for serious disease. We're committed to being a Great Place to Work.

About the Role

The Director of Cyber Threat Intelligence will lead a highly technical CTI function within AstraZeneca's Cybersecurity Operations division, managing a team of analysts to deliver strategic, operational, and tactical intelligence that measurably reduces risk across the enterprise, including manufacturing, clinical trial platforms, and R&D environments. This role anchors CTI to "intel-to-action" outcomes, partnering closely with Vulnerability Management, Detection Engineering, and Incident Response to harden controls, prioritize patching, improve detections, and accelerate response.

Key Responsibilities

- Program Leadership and Strategy: Define the CTI vision, operating model, and roadmap aligned to AstraZeneca's cyber risk reduction strategy, with special emphasis on manufacturing continuity, clinical data integrity, and R&D IP protection.
- Adversary Prioritization Framework: Design and operate a scoring rubric that ranks actors based on intent/capability/relevance, TTP emergence and prevalence, organization-specific exposure to known vulnerabilities/CVEs, and global "viral" events, maintaining dynamic watchlists and escalation triggers.
- MTTI Metric and Analytics: Implement analytic methods to estimate mean time-to-impact (MTTI) per adversary (from initial access to material business impact) using internal telemetry, historical incidents, industry reporting, and confidence levels, performing comparisons with IR's mean time-to-containment (MTTC) to drive control improvements.
- Attack Path Modeling: Build and maintain end-to-end attack path models from initial access to material impact across IT-to-OT pivots, clinical platforms, and R&D environments, mapping steps to MITRE ATT&CK (Enterprise/ICS), identifying control gaps and choke points, deriving detections-as-code and hunt hypotheses, and supporting validation efforts including purple-team exercises and adversary emulation to ensure enterprise hardening and measurable risk reduction.
- Dark Web and Closed-Source Monitoring: Establish collection and monitoring across dark web forums, marketplaces, breach dumps, and closed channels to identify emerging TTPs, credential leaks, data exposure, access-broker listings, and targeting of manufacturing, clinical, or R&D assets; integrate validated findings into TIP/SIEM pipelines, trigger takedown requests where feasible, and deliver rapid advisories with confidence ratings and specific actions for Vulnerability Management, Detection Engineering, and IR.
- Third-Party and Ecosystem Intelligence: Deliver risk insights for CROs/CMOs/logistics/technology vendors, monitor credential leakage and domain spoofing, and support/coordinate takedown operations when needed.
- Structured Threat Actor Attribution (Diamond Model): Lead disciplined attribution using the Diamond Model (adversary, capability, infrastructure, victim) and complementary frameworks, correlating TTPs, tooling lineage, code reuse, infrastructure overlaps, and victimology with confidence levels and analytic caveats; document hypotheses, alternative explanations, and disconfirming evidence; and produce reusable actor profiles and pivot paths that inform prioritization, detections, hunts, and incident response playbooks.
- Support Vulnerability Management: Partner with Vulnerability Management to contextualize CVEs (exploitability, weaponization, external scanning telemetry, compensating controls) and deliver risk-based patching prioritization across AstraZeneca's estate, including IT/OT, clinical platforms, and lab environments.
- Support Detection Engineering: Develop detection use cases to feed our detection-as-code pipeline and support ATT&CK detection coverage mapping, content tuning, and false-positive reduction, ensuring feedback loops from hunts and incidents continuously improve detection quality.
- Support GSOC/Incident Response: Provide highly technical, real-time adversary context, including kill-chain reconstruction, containment recommendations, and countermeasures, and produce post-incident intelligence retrospectives and detection/architecture improvements.
- Operational and Executive Reporting: Produce daily threat intelligence highlights, threat actor/campaign profiles, quarterly threat briefings, and other ad hoc intelligence products, ensuring products include quantified risk narratives for senior leadership that also align findings to regulatory expectations and business impact.
- Tooling and Automation: Optimize integrations across TIP, SIEM, EDR, case management, and telemetry; manage the indicator lifecycle, automate enrichment, and measure source fidelity/bias.
- External Engagement: Lead participation with sector bodies (e.g., H-ISAC), peer sharing groups, and government/industry partners; track and assess global events and rapidly translate them into actionable enterprise guidance.
- Team Leadership and Development: Recruit, mentor, and grow a diverse team of CTI analysts; build career paths, training plans, and knowledge-sharing practices; foster a culture of technical excellence and clear, actionable communication.

Minimum Qualifications

- Leadership and Strategic Impact: 10 years in cyber threat intelligence, detection engineering, incident response, or related domains; 5 years leading technical CTI teams in global enterprises. Demonstrated ability to set vision, influence strategy, and deliver outcomes tied to enterprise risk reduction.
- Decision Making and Accountability: Proven ownership of adversary-centric CTI programs that directly drive vulnerability prioritization, detections-as-code, hunts, and incident response. Comfortable making data-driven decisions with clear trade-offs and confidence levels.
- Technical Depth (ATT&CK Enterprise/ICS): Deep expertise mapping TTPs to MITRE ATT&CK, defining coverage strategies, and translating gaps into high-fidelity detections and hunt hypotheses; skilled in industrial/OT contexts.
- Attack Path Modeling and Risk Translation: Hands-on delivery of end-to-end attack paths across IT-to-OT pivots, clinical platforms, and R&D environments; validation via purple-team/adversary emulation; ability to convert findings into prioritized control roadmaps and measurable risk reduction.
- Adversary Prioritization and Scoring: Designed and operated tailored actor scoring incorporating intent/capability, TTP emergence/prevalence, organizational exposure to CVEs, and global/viral events; maintained dynamic watchlists and escalation triggers.
- Structured Attribution Tradecraft: Applied the Diamond Model and complementary frameworks with documented hypotheses, caveats, disconfirming evidence, and confidence statements; produced reusable actor profiles and pivot paths.
- Metrication (MTTI vs. MTTC): Built mean time-to-impact metrics per actor and operationalized comparisons to IR's mean time-to-containment to guide control improvements and track program effectiveness.
- Vulnerability Intelligence for Hardening: Delivered contextual CVE analysis (exploitability, weaponization, external scanning telemetry, compensating controls) and risk-based patch recommendations across IT, OT/ICS, clinical, and lab environments.
- Detection Engineering Collaboration: Co-developed detections-as-code (e.g., Sigma, KQL, SPL), tuned content to reduce false positives, and closed ATT&CK coverage gaps with feedback loops from hunts/incidents.
- Incident Intelligence Support: Provided real-time adversary context, kill-chain reconstruction, containment recommendations, and post-incident retrospectives that inform detection and architectural improvements.
- Collection, Tooling, and Automation: Operated dark web/closed-source monitoring; integrated findings into TIP/SIEM/EDR pipelines; managed the indicator lifecycle, automated enrichment, and measured source fidelity/bias.
- Stakeholder Partnership and Communication: Clear, concise communication of complex technical intelligence to executives and cross-functional partners (Vulnerability Management, Detection Engineering, SOC/IR, OT Security, Clinical Ops, Research IT); ability to influence without authority.
- Education: Bachelor's degree in a relevant field (Computer Science, Information Security, Intelligence Studies, or equivalent experience).

Preferred Qualifications

- Sector Experience and Regulatory Context: Experience in pharmaceuticals, life sciences, healthcare, or manufacturing; familiarity with GMP/CSV, clinical data obligations, and R&D IP protection.
- OT/ICS and Critical Operations: Hands-on work with MES, SCADA, and PLC ecosystems; ATT&CK for ICS usage; understanding of OT-safe response practices and production continuity implications.
- Clinical/R&D Platforms: Exposure to CTMS, EDC, IRT, ELN, LIMS, HPC, and data lake environments; experience safeguarding data integrity and sensitive research/IP.
- Program Metrics and Outcomes: Built dashboards tracking MTTI by actor, ATT&CK coverage indices, intel-informed patch SLAs, hunter ROI, and executive risk narratives; experience presenting to senior leadership and risk committees.
- Advanced Tooling/Automation: TIP administration, SIEM/EDR content engineering, enrichment/orchestration pipelines, case management integration, and indicator lifecycle automation at enterprise scale.
- Threat Modeling and Quantification: Ability to translate attack paths into quantified risk scenarios and prioritized control investments aligned to business objectives and crown jewels.
- External Partnerships: Active engagement with H-ISAC/ISAOs and government/industry partners; track record of rapidly converting global/viral cyber events into enterprise defenses and executive guidance.
- Certifications: One or more of GCTI, GREM, GRID, GCIH, CISSP, or equivalent demonstrated expertise.
- People Leadership: Built diverse, high-performing teams; established career paths, coaching frameworks, and a culture of analytic rigor, technical excellence, and continuous improvement.

Location and Working Model

Location: Gaithersburg, Maryland.
Working Model: Hybrid, three days per week in office and two days remote. Occasional travel for key meetings, plant/partner engagements, conferences, or incident support may be required.

WHY JOIN US?

We're a network of high-reaching self-starters who contribute to something far bigger. We enable AstraZeneca to perform at its peak by delivering premier technology and data solutions. We're not afraid to take ownership and run with it. Empowered with unrivalled freedom. Put simply, it's because we make a significant impact. Everything we do matters. When we put unexpected teams in the same room, we unleash bold thinking with the power to encourage life-changing medicines. In-person working gives us the platform we need to connect, work at pace and challenge perceptions. That's why we work, on average, a minimum of three days per week from the office. But that doesn't mean we're not flexible. We balance the expectation of being in the office while respecting individual flexibility. Join us in our unique and ambitious world.

The annual base pay for this position ranges from $162,536.00 to $243,804.00 USD Annual. Hourly and salaried non-exempt employees will also be paid overtime pay when working qualifying overtime hours. Base pay offered may vary depending on multiple individualized factors, including market location, job-related knowledge, skills, and experience. In addition, our positions offer a short-term incentive bonus opportunity; eligibility to participate in our equity-based long-term incentive program (salaried roles), to receive a retirement contribution (hourly roles), and commission payment eligibility (sales roles). Benefits offered include a qualified retirement program [401(k) plan]; paid vacation and holidays; paid leaves; and health benefits including medical, prescription drug, dental, and vision coverage in accordance with the terms and conditions of the applicable plans. Additional details of participation in these benefit plans will be provided if an employee receives an offer of employment. If hired, the employee will be in an "at-will position" and the Company reserves the right to modify base pay (as well as any other discretionary payment or compensation program) at any time, including for reasons related to individual performance, Company or individual department/team performance, and market factors.
Keywords: AstraZeneca, Bowie, Director of Cyber Threat Intelligence (CTI), IT / Software / Systems, Montgomery Village, Maryland