AI Engineer

Posted Today by TryHackMe

Negotiable
Undetermined
Remote
London, England, United Kingdom

Summary: The AI Engineer role at TryHackMe involves developing and managing AI systems for their Live Breach product, which simulates real cybersecurity incidents. The position focuses on creating an autonomous LLM-powered attacker agent and an exercise orchestration layer that monitors and responds to live exercises. Candidates will need to demonstrate strong technical skills in AI and cybersecurity concepts while working within a small, agile team. The role is remote with occasional travel to London for in-person collaboration.

Key Responsibilities:

  • Build and own AI systems for the Live Breach product.
  • Design and implement an autonomous LLM-powered attacker agent.
  • Develop an exercise orchestration layer that monitors live exercises.
  • Collaborate with the content engineering team on prompt engineering.
  • Integrate adversary emulation tooling for realistic technique execution.
  • Document and architect the AI layer for team usability.
  • Work autonomously on undefined problems and make technical decisions.

Key Skills:

  • Hands-on experience building LLM-powered agents.
  • Strong Python engineering skills.
  • Ability to design reliable and predictable agent architectures.
  • Comfortable working autonomously with limited guidance.
  • Strong async communication skills.
  • Familiarity with cybersecurity concepts and attack techniques.
  • Experience with adversary emulation frameworks.
  • Experience building event-driven systems.
  • Familiarity with cloud infrastructure.

Salary (Rate): undetermined

City: London

Country: United Kingdom

Working Arrangements: remote

IR35 Status: undetermined

Seniority Level: undetermined

Industry: IT

Detailed Description From Employer:

About TryHackMe:

TryHackMe is a cybersecurity education platform used by 7 million+ security practitioners worldwide. We build the tools that help security teams learn, practise, and stay sharp - from foundational skills training through to enterprise-grade capability testing.

Live Breach is our newest product: a high-fidelity breach simulation experience for enterprise security teams. We provision real cloud infrastructure, deploy realistic attack scenarios against it, and challenge the blue team to investigate, contain, and eradicate - end to end, in real time. The goal is to make it feel indistinguishable from a real incident. We're hiring a contractor to own the AI engineering at the core of this product.

The role:

You'll build and own the AI systems that make Live Breach feel like a real incident rather than a scripted exercise. That centres on two interconnected components:

  • The AI attacker agent - an autonomous LLM-powered agent that receives a threat actor profile, a network briefing, and a configured attack chain, then executes it against a live environment. The core engineering challenge is making this agent adaptive: when the defending team takes containment actions in real time, the attacker needs to recognise what has happened and respond - pivoting to new hosts, re-establishing persistence, or changing technique.
  • The exercise orchestration layer - a parallel system that monitors the network during a live exercise, recognises which attack techniques have executed, listens for correct containment and eradication actions from participants, and surfaces investigation tasks tied to real attacker behaviour. This system needs precise, programmatic knowledge of what forensic artefacts each technique produces and what a valid defensive response looks like.

Alongside these core systems, you'll also work on:

  • Prompt engineering for both red and blue team agent components, in close collaboration with our content engineering team
  • Integration with adversary emulation tooling for realistic technique execution
  • User emulation and noise generation - simulating realistic background activity so participants must distinguish real attacker behaviour from normal log volume
  • Documentation and architecture that allows the broader engineering team to operate and debug the AI layer without dependency on any single person.

What You'll Be Working On First:

The immediate priority is building the attacker agent from the ground up. You'll design and implement an autonomous LLM-powered agent that receives a threat actor profile, a network map, and a configured attack chain - and executes it against a live provisioned environment without human intervention. This means: scoping the agent architecture, choosing the right tooling and framework, building the planning and execution loop, and getting to a working demo where the agent autonomously compromises a target network end to end.

A key part of this work will be using LLMs to analyse an attack chain and automatically configure the target network to be vulnerable in the right ways - introducing the misconfigurations, weak credentials, and exploitable conditions that the attack chain requires, without manual setup for each scenario. Speed matters here - we want to prove the core capability as quickly as possible so we can validate it with real clients.

What we're looking for:

Essential:

  • Hands-on experience building LLM-powered agents - planning loops, tool use, memory, state management
  • Strong Python engineering; able to ship production-quality agentic systems, not just prototypes
  • Ability to design prompts and agent architectures that are reliable and predictable under adversarial conditions
  • Comfortable working autonomously on problems that aren't fully defined - you'll need to make good technical decisions with limited hand-holding
  • Strong async communication; the team is distributed and documentation matters.

Strongly preferred:

  • Working familiarity with cybersecurity concepts - attack techniques, MITRE ATT&CK, network fundamentals (Active Directory, lateral movement, persistence). You don't need to be a penetration tester, but you need enough domain fluency to build realistic attack logic
  • Experience with adversary emulation frameworks (MITRE CALDERA or similar)
  • Experience building event-driven systems that monitor and react to real-time state changes
  • Familiarity with cloud infrastructure (we provision VMs and networks dynamically per exercise).

Nice to have:

  • Prior work in the cyber range, red team tooling, or security simulation space
  • Experience with multi-agent architectures where agents observe and react to each other.

What You Won't Own:

To set clear expectations: cloud infrastructure provisioning is owned by our backend engineers. Domain validation - confirming that attack chains are realistic and forensic artefacts are correct - is owned by our content engineering team. Your scope is the AI orchestration and agent layer that sits on top of the provisioned environment.

The Team And How We Work:

You'll join a small, senior team working directly on this product. We work async-first with regular syncs and occasional in-person build sprints in London. We move fast, communicate directly, and expect contractors to raise risks early. What you build will go in front of enterprise clients quickly - the quality bar is real.

Contract details:

  • Remote, with occasional travel to London for in-person build sprints
  • Initial engagement: 3–6 months