Senior Security Engineer, Detection & Response

4 Months ago • 6 Years + • Cyber Security • $135,150 PA - $278,250 PA

Job Summary

Job Description

Rippling is seeking a motivated and experienced Senior Security Engineer for its Detection and Response team (DART). The role involves automating security operations, enhancing cloud security, and proactively detecting and responding to threats. Responsibilities include designing and implementing automation for DART tasks, refining detection logic for corporate and cloud infrastructures, analyzing security data from cloud systems (especially AWS), leading incident response from alert triage to remediation, creating Python scripts for workflow automation and data enrichment, managing threat intelligence infrastructure, and conducting hypothesis-driven threat hunts. The ideal candidate will have a strong engineering background, proficiency in Python, an investigative mindset, and a passion for automation.
Must have:
  • Minimum 6 years in security engineering
  • Focus on detection engineering and incident response
  • Cloud incident response expertise (AWS)
  • Proficiency in Python for automation
  • Inquisitive mindset for data analysis
  • Passion for automating security workflows
  • Understanding of MITRE ATT&CK framework
  • Excellent communication skills
Good to have:
  • Experience with threat intelligence operations
  • Hypothesis-driven threat hunting experience
Perks:
  • Competitive salary
  • Benefits
  • Equity

Job Details

About Rippling

Rippling gives businesses one place to run HR, IT, and Finance. It brings together all of the workforce systems that are normally scattered across a company, like payroll, expenses, benefits, and computers. For the first time ever, you can manage and automate every part of the employee lifecycle in a single system.

Take onboarding, for example. With Rippling, you can hire a new employee anywhere in the world and set up their payroll, corporate card, computer, benefits, and even third-party apps like Slack and Microsoft 365—all within 90 seconds.

Based in San Francisco, CA, Rippling has raised $1.4B+ from the world’s top investors—including Kleiner Perkins, Founders Fund, Sequoia, Greenoaks, and Bedrock—and was named one of America's best startup employers by Forbes.

We prioritize candidate safety. Please be aware that all official communication will only be sent from @Rippling.com addresses.

About The Role:

We are seeking a highly motivated and experienced Senior Security Engineer to become a pivotal member of our Detection and Response team (DART). The ideal candidate will be a hands-on engineer with a passion for automating security operations, a deep understanding of cloud security, and a proactive mindset in threat detection and incident response.


You will be at the forefront of our security efforts defending our customers, responsible for maturing our detection capabilities, automating response workflows, and ensuring the resilience of our environments. 

If you are an engineer who thrives on chasing down threats, enriching security data, and building automated solutions, we encourage you to apply!


What You'll Do:

  • Automate and Innovate: Design, develop, and implement automation for daily DART tasks to enhance efficiency and response times.
  • Expand Detection Coverage: Write and refine detection logic and rules to identify emerging threats across our corporate and cloud infrastructures.
  • Cloud Security Operations: Gather, analyze, and leverage security data from our cloud systems, with a strong focus on AWS, to inform detection and response activities.
  • Incident Response: Act as a key responder for security incidents, from initial triage of alerts to in-depth investigation and remediation. This includes responding to signals from our various security tools and cloud environments.
  • Scripting and Development: Create and maintain Python scripts to automate security event workflows, develop new alerts and detections, and enrich security data.
  • Threat Intelligence Operations: Design, build, and manage the infrastructure for collecting, processing, and disseminating threat intelligence. Automate the intelligence lifecycle to provide actionable data and strategic foresight to the entire security organization.
  • Hypothesis-Driven Threat Hunting: Develop and execute hypothesis-driven threat hunts across our corporate and cloud environments. Use your knowledge of adversary tactics, techniques, and procedures (TTPs) to search for evidence of adversarial activity.
  • Data Enrichment: Demonstrate a passion for pulling and correlating data from disparate sources to provide context and clarity during incident investigations, moving beyond simple alert triage.

What We're Looking For:

  • Proven Experience: A minimum of 6 years of experience in a hands-on security engineering role, with a demonstrable focus on detection engineering and incident response.
  • Cloud Incident Response Expertise: Extensive experience with incident response in cloud environments, particularly AWS.
  • Strong Engineering and Coding Skills: Proficiency in scripting and programming, with a strong preference for Python. The ability to write clean, effective code for automation and tool development is essential.
  • Investigative Nature: An inquisitive mindset and a desire to dig deep into data to uncover the full scope of a potential threat. You should be driven by curiosity and a need to find answers.
  • Automation Mindset: A genuine passion for automating security workflows and a proven track record of doing so.
  • Deep Detection and Response Knowledge: A thorough understanding of the incident response lifecycle, modern attack vectors, and the MITRE ATT&CK framework.
  • Data-Driven Approach: A desire to go beyond surface-level triage and a keen interest in data enrichment to understand the full scope of a security event.
  • Excellent Communication: The ability to clearly and concisely communicate technical findings and security risks to both technical and non-technical audiences.

Additional Information

Rippling is an equal opportunity employer. We are committed to building a diverse and inclusive workforce and do not discriminate based on race, religion, color, national origin, ancestry, physical disability, mental disability, medical condition, genetic information, marital status, sex, gender, gender identity, gender expression, age, sexual orientation, veteran or military status, or any other legally protected characteristics. Rippling is committed to providing reasonable accommodations for candidates with disabilities who need assistance during the hiring process. To request a reasonable accommodation, please email accomodations@rippling.com

Rippling highly values having employees working in-office to foster a collaborative work environment and company culture. For office-based employees (employees who live within a defined radius of a Rippling office), Rippling considers working in the office, at least three days a week under current policy, to be an essential function of the employee's role.

This role will receive a competitive salary + benefits + equity. The salary for US-based employees will be aligned with one of the ranges below based on location; see which tier applies to your location here.

A variety of factors are considered when determining someone’s compensation–including a candidate’s professional background, experience, and location. Final offer amounts may vary from the amounts listed below.
