The Pursuits team produces dark web and threat intelligence on prospects, the companies Cyble's sales and presales teams are trying to win. Early, validated intelligence shows a prospect what's exposed about it (access for sale, leaks, vulnerable assets) and demonstrates Cyble's offering in action. Our internal customers are sales and presales, and our work directly supports new-client growth. We cover the dark web (access sales, leaks, malicious tools, marketplaces) and threats from ransomware groups, extortion crews, hacktivists, and APTs, plus cloud storage exposures and other vulnerabilities. Our work is both proactive and driven by collaboration with other teams. You take on the hardest collection and the highest-stakes reporting, and you help run the function. You own the request queue, set the quality bar, and guide less experienced researchers. You also still do the work: run sources and threat-actor engagements, deanonymize actors, and write the advisories that reach prospects.
Job Responsibility
Monitor dark web forums, Telegram channels, and ransomware/extortion group sites daily for intelligence on prospects and notable events
Engage threat actors (TA engagement / HUMINT) to gather intel on private data leaks
Validate data leaks and TA claims to determine whether they're legitimate
Deanonymize threat actors: link aliases, accounts, and personas to real-world identities
Produce advisories and flash alerts for significant leads, and contribute blogs and quarterly reports
Map a prospect's real attack surface (subsidiaries, parent companies, subdomains, and vulnerable login portals)
Analyze raw breach datasets and corroborate findings before anything is published
Own the request queue: triage incoming requests, confirm scope, route them, and track deliverables against due dates
Review and quality-check the team's findings and reports before they reach stakeholders
Mentor junior researchers and raise the bar on tradecraft and writing
Run daily async standups and the weekly team review, and keep stakeholders informed
Coordinate with sales and relationship managers on what each account needs
Requirements
4+ years in threat intelligence, dark web research, OSINT, or intelligence operations, including senior or lead-level work
Deep hands-on familiarity with dark web forums, marketplaces, and Telegram-based trading of compromised data
Strong TA engagement / HUMINT experience, with sound operational security and source-handling discipline
Solid OSINT tradecraft: people and entity research, social media and search-operator (dork) techniques, and corroboration
Comfort with raw breach data: structure, validation, and victim mapping
A track record of impactful findings
Experience guiding or mentoring other researchers and owning a quality bar
Driven to keep learning and stay current on the latest research techniques and tools
Able to use AI tools effectively to speed up research, analysis, and writing
Strong communication, within the team, across other teams, and in writing
Nice to have
Familiarity with intelligence frameworks (MITRE ATT&CK, the intelligence cycle, analytic standards)
Experience supporting a SaaS CTI platform or a sales/POV motion
Basic scripting (Python/regex) for parsing and cleaning leaked datasets
Reading knowledge of a second language common in cybercrime forums (for example, Russian)