Detection & Response, Security Engineer

WorkOS
San Francisco, CA
Remote

About The Position

WorkOS builds modern developer tools and APIs that make it easy for companies to become Enterprise Ready, powering authentication, identity, authorization, and other critical infrastructure. The company recently raised a $100M Series C, valuing it at $2B, and powers enterprise features for many fast-growing AI companies like OpenAI, Cursor, Perplexity, Vercel, and Plaid. WorkOS is at the forefront of Human and Agent Authentication, Identity, and Access Control as AI reshapes software.

The Security team at WorkOS is responsible for keeping customer data and identities secure, operating with a strong engineering mindset and applying lessons from across the industry. The team spans product security, cloud security, and GRC, partnering with an MDR provider for 24/7/365 detection and response coverage.

This role is for a Detection & Response Security Engineer to enhance D&R capabilities. WorkOS has core security telemetry in place, and this role focuses on writing custom detections, building alerting pipelines, investigating incidents, and expanding coverage across corporate systems and the product platform. The engineer will own detection engineering and help lead incident response, designing, building, and continuously improving threat detections across WorkOS infrastructure, corporate systems, and the product. This is a zero-to-one role, shaping strategy, choosing approaches, and building systems, requiring both security practitioner and software engineer skills. It is a remote position open to candidates in Canada or the United States.

Requirements

  • A builder, not just an operator. You write detection logic, build pipelines, and create tools. You are not looking for a role where you triage alerts all day; you want to design the systems that generate and respond to them with high signal and low noise.
  • An engineer with a security focus. You want to understand problems before solving them, and you prefer durable fixes over quick patches. You are proficient in at least one programming language (Python, Go, or similar) and comfortable working with infrastructure-as-code, APIs, and CI/CD systems.
  • Experienced in detection engineering. You have designed, built, and tuned detections in a SIEM or similar platform. You understand how to translate threat intelligence and attacker TTPs into actionable detection logic.
  • Comfortable across corporate and cloud environments. You have experience with EDR, identity systems, cloud security (AWS), and network telemetry. You can investigate incidents across endpoints, SaaS applications, and cloud infrastructure.
  • Pragmatic about risk. You reason clearly about what matters, prioritize based on real-world threat models, and communicate risk to both technical and non-technical audiences.
  • Collaborative and autonomous. You work well with engineering, infrastructure, and IT teams. You can own projects end-to-end in a fast-moving startup environment without extensive direction.
  • 5+ years of experience in security engineering, detection engineering, incident response, or a related technical security role.
  • Strong engineering fundamentals; ideally a computer science or engineering degree or equivalent industry experience (software engineering, SRE, network engineering).
  • Proficiency in Python, Go, or another general-purpose programming language.
  • Hands-on experience with SIEM platforms (Panther, Splunk, Elastic, or similar) — writing detection rules, building log pipelines, and investigating alerts.
  • Experience with EDR technologies (SentinelOne, CrowdStrike, or similar) and endpoint investigation.
  • Familiarity with cloud security fundamentals (AWS IAM, networking, Kubernetes basics).
  • Experience with incident response in production and/or corporate environments.
  • Strong written and verbal communication skills.

Nice To Haves

  • Experience with Detection-as-Code practices (version-controlled, tested detections).
  • Familiarity with SOAR platforms and security automation.
  • Experience with identity/authentication systems (Okta, SAML, OIDC) — highly relevant given our product domain.
  • Prior experience building a D&R function from scratch.
  • Experience at a developer tools, identity/auth, or infrastructure company.

Responsibilities

  • Build out our detection engineering capability. Design and implement detection logic across our SIEM, EDR, cloud security tools and identity systems. We want you to write detections as code — durable, tested, and version-controlled.
  • Own security incident response. Lead and support security incident investigations using data analytics, log analysis, and system forensics across corporate and production environments. Build playbooks and runbooks for repeatable response.
  • Extend detection into the product. Instrument additional application-level telemetry across the WorkOS platform to detect abuse patterns, anomalous authentication activity, and threats that target our customers' identities.
  • Build tooling and automation. Develop scripts, integrations, and SOAR workflows to automate detection, enrichment, and response activities. We value engineering solutions over manual processes.
  • Improve visibility and logging. Work with engineering and infrastructure teams to ensure the right logs are collected, normalized, and available. Identify gaps in monitoring coverage and close them.
  • Partner with our MDR provider. Collaborate to validate detections, tune rules, and coordinate on incidents. Grow our internal capability over time while maintaining the partnership.
  • Contribute to security operations maturity. Help build on-call rotation practices, tabletop exercises, post-incident reviews, and operational metrics for the security team.
  • Participate in a shared on-call rotation for security incidents, with occasional evening or weekend availability for critical events.

Benefits

  • Competitive pay
  • Substantial equity grants
  • Healthcare insurance (Medical, Dental and Vision) for you and your family
  • 401k matching
  • Wellness and fitness monthly allowances
  • PTO + paid holidays + unlimited sick leave
  • Autonomy and flexibility with remote work
© 2024 Teal Labs, Inc