Company Summary
CSS Labs is building Praesidius, a deep-tech cybersecurity platform for behaviour-triggered lateral movement prevention in enterprise environments. Praesidius is designed for the assume-breach era: the operating assumption is that an attacker may already be inside the perimeter, and the job of the platform is to make their next move economically and operationally impossible.
The product uses virtual decoy assets called phantoms. Phantoms have no legitimate business purpose. Any interaction with a phantom is treated as malicious by construction. Signals are observed by watchdog agents, correlated by an on-prem control plane, and converted into containment actions through customer tooling such as Microsoft Defender for Endpoint, Microsoft Entra ID, Active Directory, Cisco Meraki and other security, identity, network and virtualisation platforms.
The immediate company milestone is to take Praesidius from concept and prototype into an enterprise proof of concept with academic/semi-academic support and enterprise design partner engagement. The first funded build is the on-prem version of the platform: a single-node customer-deployable system that proves discovery, phantom placement, malicious-touch detection, provenance mapping, response recommendation/execution and audit evidence generation.
What this person will build
- A repeatable adversary-emulation test plan that can be run with design partners and technical evaluators.
- Response workflows through Microsoft Defender for Endpoint, Entra ID/Active Directory and selected network controls where available.
- Provenance logic that identifies originating asset, source identity, source zone, target phantom and related activity.
- A simple but credible yellow/red alert model aligned to reconnaissance versus confirmed malicious behaviour.
- Detection logic for high-signal phantom interactions, including SMB enumeration, phantom share access, service touch, authentication attempt and phantom credential use.
- A first watchdog/observer capability for Windows-first environments, with Linux support where practical.
What this person will build
- Support customer/design-partner conversations with credible practitioner-level security knowledge.
- Produce technical evidence for the funding and design-partner process: time-to-detect, time-to-contain, false-positive analysis and evidence-bundle inputs.
- Build lab attack scenarios for discovery, credential use, share enumeration and lateral movement simulation.
- Integrate response actions such as Defender device isolation, Entra account disablement, Active Directory actions and network containment where available.
- Create provenance chain logic that links source asset, source identity, source zone, target phantom and response actions.
- Develop phantom interaction tests for SMB shares, identity objects and simple service endpoints.
- Implement yellow/red alert classification for the POC, with deterministic rules as the floor and AI-assisted context as an enhancement.
- Define signal schemas, normalisation logic and detection rules in collaboration with the platform engineer.
- Build or co-build the watchdog prototype that observes endpoint, identity, network and phantom signals at the edge.
- Design and implement the POC detection strategy for phantom interactions and lateral movement behaviours.
Required Experience
- Strong hands-on cybersecurity experience in threat hunting, detection engineering, incident response, purple teaming, EDR, NDR or SOC engineering.
- Practical experience with Microsoft Defender for Endpoint, Microsoft Sentinel, Microsoft Graph, Entra ID and/or Active Directory security
- Strong understanding of Windows enterprise environments, authentication flows, endpoint telemetry and common lateral movement techniques.
- Ability to write production-quality scripts/services in Python, PowerShell, Go, Rust, C# or similar. Python plus PowerShell is especially relevant for the POC.
- Ability to design detections that are explainable, testable and tied to concrete attacker behaviours.
- Comfortable working with logs, event pipelines, APIs, endpoint agents, test harnesses and lab environments.
- Good understanding of MITRE ATT&CK post-compromise tactics, especially Discovery, Credential Access and Lateral Movement.
- Strong judgement around containment risk: when to isolate automatically, when to recommend, when to require operator approval.
Desirable Experience
- Experience building or extending EDR/XDR/NDR products, not just using them.
- Red team or adversary simulation experience in enterprise Windows environments.
- Experience with Sysmon, ETW, Windows event logs, Defender Advanced Hunting, KQL and identity telemetry.
- Experience with deception technology, honeypots, honeytokens, decoy credentials or ransomware containment
- Experience with network controls such as Meraki, firewalls, NAC, host firewalls or segmentation platforms.
- Experience producing evidence for SOC 2, ISO 27001, NIS2 or regulated security reviews.
Pay: £80,000.00-£100,000.00 per year
Work Location: Hybrid remote in London