Security Engineer I

About The Position

Requirements

• Working knowledge of incident response frameworks (NIST 800-61, SANS PICERL) and a developing understanding of modern attacker TTPs, malware behavior, and MITRE ATT&CK.
• Familiarity with operating system fundamentals (Windows, Linux, macOS), networking protocols, identity systems, and at least one major cloud platform (AWS, Azure, or GCP) with preference of Azure.
• Awareness of malware analysis and digital forensics concepts.
• Analytical mindset - reads network, host, identity, and cloud logs, asks the right questions, and reaches sound conclusions under time pressure with senior support.
• Clear written and verbal communication; tailors messaging to technical and non-technical audiences and produces documentation suitable for review.
• Sound escalation judgment - recognizes when scope or severity exceeds current experience and engages senior support early; brings curiosity, critical thinking, and willingness to learn the differences between commercial and FedRAMP operating procedures.
• Foundational scripting in Python, PowerShell, Bash, or Node plus developing proficiency in Microsoft KQL or similar query analytics languages; comfortable in terminal-first workflows with utilities such as grep, jq, awk, sed, curl, and git.
• Comfortable using coding agents (Claude Code, Copilot, Cursor) and LLM-based tools to accelerate investigation and reporting - with the discipline to validate generated code, recognize hallucination risk, handle sensitive data carefully, and escalate rather than ship unreviewed output.
• Minimum 1 year of experience in a Security Operations role (SOC analyst, junior incident responder, detection engineer, or equivalent), internship, or relevant academic/lab work.
• Hands-on exposure to at least one major SIEM (Sentinel, Splunk, Chronicle, Elastic) and at least one EDR (Defender XDR, CrowdStrike, SentinelOne).
• Developing ability to write and run KQL queries (or willingness to ramp quickly).
• Practical experience using coding agents and/or LLM tooling, with judgment about when to validate or escalate.
• US citizen or US lawful permanent resident (green card holder).
• Able to work from our Bellevue, WA office a minimum of 3 days per week.
• Ability to successfully complete a background investigation appropriate to a FedRAMP Moderate environment.
• Familiarity with NIST SP 800-53 and NIST SP 800-61 concepts (or commitment to develop working knowledge within the first 90 days) to support work inside the FedRAMP boundary.
• Awareness of FedRAMP Moderate, authorization boundary concepts, and federal incident reporting expectations - or eagerness to learn them quickly.

Nice To Haves

• Exposure to incidents in cloud environments (Azure / AWS / GCP) and SaaS platforms.
• Exposure to detection-as-code or SOAR-as-code workflows.
• Familiarity with digital forensics tooling (Velociraptor, KAPE, Volatility) or malware triage concepts.
• Entry-to-mid certifications such as Security+, CySA+, SC-200, AZ-500, GSEC, GCIH, or equivalent.
• Bachelor's degree in Computer Science, Information Security, or related field - or equivalent practical experience.
• Prior exposure to a FedRAMP, IL4/IL5, StateRAMP, CMMC, CJIS, or IRS Pub. 1075 environment in any capacity (intern, junior analyst, audit support).
• Exposure to Azure Government, AWS GovCloud (US), or Google Cloud Assured Workloads
• Awareness of 3PAO assessment activities, ConMon, POA&Ms, and SSPs.
• Active or recently active US government clearance (e.g., Public Trust, Secret) is a plus but not required.

Responsibilities

• Triage and investigate incidents across SIEM, EDR, network, identity, and cloud telemetry; support containment, eradication, and incident communications under senior guidance.
• Contribute to root cause analysis and close the loop with Threat Intelligence and Detection Engineering to produce durable detections, controls, or playbook updates.
• Participate in proactive threat hunting across enterprise and cloud telemetry under the direction of senior analysts.
• Help maintain IR playbooks and runbooks and participate in drills and tabletop exercises.
• Recommend and help tune the detection and response tooling stack (SIEM, EDR, SOAR, case management) in both environments
• Actively seek mentorship from senior IR engineers and grow toward independent ownership of incidents over time.
• Follow strict procedures and requirements for but not limited to the authorized IR Plan, NIST 800-53 IR controls, CISA notifications, chain of custody, data classification handling, and event classification and reporting requirements.

Benefits

• Life at UiPath