Detection Engineer

Tempus AI, Chicago, IL
$100,000 - $140,000, Hybrid

About The Position

The Security Operations Center is building the data foundation for threat detection—reliable pipelines that land security events in our SIEM platform. This is a software engineering role inside security: you will build in Python, integrate APIs, and test your work, with mentorship on SIEM usage, detection logic, and alert quality. Over time, you will help us grow agentic SOC workflows (AI-assisted triage, enrichment, and detection support) with human-in-the-loop guardrails—adding automation only when the data and evidence justify it, not on a hype-driven timeline.

Requirements

  • Comfortable building Python—APIs and JSON, basic error handling, and tests in a managed project (Poetry or similar).
  • Ability to integrate systems via APIs—OAuth or API keys, retries, and handling partial failures.
  • Testing discipline—unit tests, readable failures, and fixing regressions you introduce before merge.
  • Git and collaborative development—small, reviewable changes with clear descriptions of risk and rollout.
  • Temperament for long-horizon work—you can focus on incremental pipeline quality while understanding it enables agentic SOC capabilities over time, not instead of them.
  • Strong problem-solving skills and curiosity about security operations; willingness to learn detection concepts with mentorship.

Nice To Haves

  • Experience with scheduled jobs or Docker.
  • Hands-on SIEM exposure from coursework, CTFs, labs, or internships (e.g. Splunk, Google SecOps, Microsoft Sentinel).
  • Can navigate cloud primitives on GCP, Azure, or AWS (S3/GCS/Blob, Key Vault/Secret Manager/Secrets Manager, IAM roles and service principals).
  • Experience with infrastructure as code (e.g. Terraform).
  • Strong understanding of IAM principles in GCP (least privilege, service accounts, workload identity, and role bindings).

Responsibilities

  • Build and maintain log ingestion pipelines that collect security events from internal and third-party sources and deliver them to our SIEM platform.
  • Normalize and forward events using existing patterns for batching, sizing, and failure handling.
  • Build tests and fix bugs using mocked APIs and team CI standards (lint, format, coverage).
  • Operate pipelines reliably—monitor failures, tune ingestion windows and rate limits, and document configuration.
  • Support detection engineering with guidance—validate that new data is queryable in the SIEM; assist with simple parser or field fixes; learn how detections map to adversary behavior.
  • Help manage and improve our detection-as-code pipeline—versioned detection content in git, automated checks in CI, and review before changes reach production.
  • Participate in code review.
  • Build with agentic coding tools (e.g. Claude Code, Cursor) as part of daily development—direct, review, and test what you ship; do not rely on typing every line from scratch.
  • Contribute incrementally to agentic workflows—enrichment scripts, structured handoffs into SOAR automations, and evaluation of AI-assisted summaries or drafts in non-production or human-reviewed paths before any autonomous response.
  • Validate changes on historical data before production trust—rules, parsers, and automation earn approval through evidence, simulation or shadow mode, and defined rollback paths.
  • Assist in building and maintaining SOAR automations (enrichment, triage steps, and documentation—with review before production changes).

Benefits

  • Incentive compensation
  • Restricted stock units
  • Medical and other benefits depending on the position
© 2026 Teal Labs, Inc