Holistic Resilience is seeking a Principal Threat Researcher to lead the analytical work behind one of the most focused Iran-specific threat intelligence programs in civil society. The Iranian government has built a domestic surveillance apparatus that is systematic, technically sophisticated, and largely underdocumented in real time — spanning mandatory spyware, compromised communications infrastructure, and targeted device exploitation of activists and journalists. Most of it gets surfaced after harm is already done. Our program exists to change that timeline. We've invested in building serious technical infrastructure to support this work, and we're at the stage where we need a researcher who can drive what it produces. This role is about turning rigorous technical analysis — of mobile apps, compromised devices, state-sponsored malware, and threat actor infrastructure — into intelligence that civil society, journalists, and policymakers can act on. We publish through WIRED, ZDF, NPR, the New York Times, and Iran International, and we work with established partners across the research and civil society space. Compensation will take location in to consideration.

Key Responsibilities

You'll lead technical analysis across our core research areas: Iranian surveillance tools and policy, mobile application security, and forensic examination of compromised devices. You'll triage and develop findings from partner referrals and your own proactive research. You'll structure intelligence in our CTI platform, track Iranian state-affiliated threat actors and their associated contractor networks through TTPs rather than ephemeral IOCs, and own the reports from initial finding to publication. You'll also bring the analyst judgment needed to validate and extend what our tooling produces — the layer that keeps the work accurate as it scales.

Required Qualifications

• Deep Android/iOS Malware Analytics skills: static (Jadx, Ghidra), dynamic (Frida, MobSF), traffic (MITMProxy, Arkime)
• Mobile forensics experience: finding compromise, spyware, and exfiltration on devices used by at-risk people
• STIX 2.1, MITRE ATT&CK, and hands-on CTI platform experience
• A track record of published research: you can translate technical findings into journalism-ready writing
• Real familiarity with the Iranian digital threat landscape: NIN, SIAM, domestic app ecosystem, the relevant APT clusters
• Agentic AI and automation/scripting using mainstream tools
• Farsi/Persian proficiency is a significant advantage: much of what we analyze is only legible in Persian

Preferred Qualifications

Prior experience in human rights, civil society, or digital rights contexts matters. So does personal OPSEC discipline, the people we research take this work seriously, and we do too.

Our Benefits

• Competitive compensation commensurate with experience
• Flexible working hours and fully remote work
• Professional development opportunities, including training programs and conferences
• Paid Time Off, Paid Holidays, Paid Leave for US-based employees
• Medical, dental, and vision insurance with enhanced 401(k) matching for US-based employees

About Holistic Resilience

Holistic Resilience is a nonprofit that builds tools and infrastructure to protect internet freedom, privacy, and civil liberties in repressive environments. We work across countries to support activists, journalists, and civil society with secure access to information, surveillance monitoring, and digital safety tools. Our projects include VPNs, alternative internet systems, and threat intelligence, all grounded in real-world needs and local partnerships.

Holistic Resilience is an equal opportunity employer. We encourage applicants from all backgrounds to apply.

Pay: From $40,000.00 per year

Benefits:

• Flexible schedule

Application Question(s):

• 1. Experience snapshot:

Years of hands-on Android/iOS malware analysis, and the tools you reach for first in static, dynamic, and traffic analysis.

• 2. Published research:

1-3 links to technical research you authored or co-authored. If your strongest work is non-public, describe one piece and the audience it reached.

• 3. Persian proficiency:

None / reading-only / conversational / native. Can you read a Persian privacy policy or forum post without machine translation?

• 4. Iran landscape:

In 2-4 sentences, explain what SIAM is, why it matters for at-risk people’s safety, and one way it would shape how you analyze an Iranian banking app.

• 5. Pipeline triage:

A user has flagged an APK as suspicious. Walk through your first hour of validation; what you check, in what order, and what would make you escalate vs. dismiss.

• 6. TTPs over IOCs:

Pick one Iran-nexus cluster you've tracked (Charming Kitten, APT42, MuddyWater, FARAJA-linked, etc.). Name 2-3 TTPs you'd pivot on instead of IOCs, and why they've held up.

• 7. Finding to publication:

A time you took a technical finding from raw analysis to a piece that reached a non-technical audience. What got cut, what got kept, and how you handled the gap between what you knew and what you could prove publicly.

• 8. OPSEC & fit:

Briefly explain your personal OPSEC posture (enough to gauge discipline, not enough to compromise it), and what draws you to this position specifically vs. a vendor CTI team or academic research.

Work Location: Remote