Connecting Talent to opportunity

Threat Operations Manager


Job Description:

The Team

Many of HMRC’s IT services are delivered by Revenue & Customs Digital Technology Services (RCDTS), which was set up in 2016 as a subsidiary of HMRC’s Chief Digital & Information Officer (CDIO) Group. This RCDTS role sits within HMRC’s award-winning Cyber Security Team (CST) who manage and reduce cyber risk by offering world class capabilities to protect, detect and respond to cyber threats including opportunistic cyber threats or targeted intrusions, by undertaking extensive real time monitoring to benefit HMRC, our customers and Other Government Departments (OGD).


Revenue & Customs Digital Technology Services (RCDTS) are working alongside HM Revenue & Customs (HMRC) and embarking on an ambitious and challenging digital transformation programme which will result in HMRC becoming one of the most digitally advanced tax authorities in the world.

RCDTS was set up in 2015 as a subsidiary of HMRC’s Chief Digital & Information Officer Group and has one of the largest customer bases in the world.

Our role sits within the Chief Digital & Information Group (CDIO). We’re increasingly delivering in-house through our growing network of digital delivery centres – hi-tech, state-of-the-art facilities across the UK.


We’re removing our dependence on data centres, as we increasingly virtualise our estate. We’re fundamentally restructuring the way we look after our IT and the way we work with partners across our ecosystem. But it’s not just about the tech. We’re building a deep understanding of our customers, working in agile ways, and implementing a DevOps approach.

We focus on our people, with clearly defined career pathways that are rewarding, fulfilling and achievable. We have flexible ways of working to help everyone manage their own work/life balance. And we’re creating an authentically diverse and inclusive workplace where everyone feels able to bring their whole self to work.



Role & Responsibilities

We are looking for a passionate and creative person to join our award-winning Cyber Security Team and take forward our Threat Operations capability. This post will work alongside incident responders and threat intelligence analysts to hone and improve the organisation’s proactive detection capability.

Working as part of an award-winning Cyber Security Team, the post holder will:

  • Proactively examine HMRC network and endpoints to detect threats within our infrastructure.
  • Perform attack modelling and testing of HMRC’s Cyber Security controls to improve HMRC’s security posture.
  • Perform analysis and forensics on network artefacts and malware samples to document attack capabilities, understand propagation characteristics and define signatures for detecting their presence.
  • Analyse audit and logging data, applying statistical analysis to detect anomalies across large data sets.


Person Specification

The ideal candidate will have passion and aptitude for technical Cyber Security work with the motivation to develop and maintain subject matter expertise.


The role will be tailored to the skills and experience of the successful candidate. As such, we do not expect candidates to have extensive knowledge in all of the areas below; however, we would expect in-depth knowledge and skills in at least two of the criteria, with proficiency in the rest.

  • Experience of using a variety of analytical tools and methods to identify security compromises within large and complex data sets.


  • Understanding of the systems and high level architecture which underpin corporate IT systems and the techniques deployed to compromise these assets.


  • Experience developing specific detections based on Tactics, Techniques and Procedures (TTPs) obtained from threat intelligence.


  • Demonstrable understanding of digital forensics skills, techniques and tools to perform forensics and root cause analysis on enterprise IT systems.


  • Utilise host- and network-based forensics capabilities to develop information regarding Indicators of Compromise and Tactics, Techniques and Procedures for threat actors and malware.


  • Effective reporting and presentation skills, with the ability to communicate technical issues to a non-technical audience and explain the impact of technical vulnerabilities or threats in business-focused language.


In addition to the criteria above, those candidates invited for interview will also be asked to demonstrate the following Civil Service Competencies:

  • Communicating and Influencing
  • Working Together


Essential criteria:

The post requires Security Check (SC) vetting. If not already held, we will sponsor it, although this may take around three months before you can start.


Desirable criteria:

  • Industry recognised Information Security qualifications, relevant Bachelor’s Degree or equivalent experience. SANS Course Attendance/Certifications of interest include GCIH (504), GCFE (FOR500), GCFA (FOR508), GNFA (FOR572).


Selection Process

A 1,000 word CV detailing work experience and qualifications.

If you are successful at the sift stage, you will be invited to interview to demonstrate your suitability.