Staff Security Engineer- Detection and ResponseEngineeringSan Francisco, CA

Staff Security Engineer

We are seeking a Staff Security Engineer to join our Detection and Response team (DART). This role is for a security engineer with deep threat hunting instincts and the engineering skills to build AI-driven solutions that transform how security operations work.

The ideal candidate lives at the intersection of adversary expertise and engineering. You know how to hunt for threats across cloud infrastructure, identity systems, and SaaS platforms - and when you find gaps or inefficiencies in how the team detects and responds, you build technical solutions to close them. You see AI as a tool in your engineering toolkit and you've already started applying it to security problems.

You'll work across detection engineering, incident response, and threat hunting - with the expectation that you're constantly improving the systems and tooling that power all three.

What You'll Do:

• Hunt Threats Across the Enterprise: Apply deep adversary knowledge to proactively find security threats across our cloud, identity, endpoint, and SaaS environments. Develop hypotheses from threat intelligence, telemetry gaps, and adversary TTPs, and execute them across 140+ log sources. Turn findings into durable detections and improved response workflows.
• Build AI-Driven Security Solutions: Design and build LLM-powered systems that solve real security operations problems — automated alert triage, investigation acceleration, detection generation, and more. We already run an AI agent that triages every alert. You'll identify the next high-impact opportunities and build them.
• Engineer Detections at Scale: Write high-fidelity detection logic and build the frameworks, shared libraries, and tooling that raise the quality bar for every detection the team produces. Ensure detection coverage keeps pace with a rapidly evolving threat landscape.
• Automate Response Workflows: Replace manual, repetitive security workflows with code. Build enrichment pipelines, correlation tools, investigation automation, and response orchestration that make the team faster and more consistent.
• Investigate Complex Incidents: Serve as a senior responder for security incidents, driving investigations from initial signal through root cause and remediation. Bring deep expertise in cloud-native attack paths, particularly in AWS and SaaS environments.
• Elevate the Team: Raise engineering standards through better tooling, reusable patterns, and technical mentorship. Influence the team's technical direction by prototyping new approaches and evaluating emerging techniques.

What We're Looking For:

• Deep Security Experience: 8+ years in hands-on security engineering with significant depth across detection engineering, threat hunting, and incident response. Staff-level judgment in ambiguous, high-stakes situations.
• Threat Hunting Expertise: You have deep experience hunting for threats and security issues across complex environments. You think in adversary TTPs, develop hypotheses, and know how to work through large-scale security data to find what others miss.
• Builder Who Ships: You default to building. When you see a repetitive workflow, you automate it. When you see a gap, you write the tool. Strong proficiency in Python and SQL, with experience building production-grade tooling not just scripts.
• AI Applied to Security: Hands-on experience building AI-driven solutions for security problems — whether agents, automated triage pipelines, LLM-assisted investigation, or detection-as-code generation. You understand both the potential and the limitations, and you've shipped something real.
• Cloud-Native Security Depth: Extensive experience investigating threats in AWS and SaaS environments. Deep understanding of cloud attack paths, identity-based threats, and modern adversary techniques mapped to MITRE ATT&CK.
• Data Fluency: Comfort working with large-scale security data in SQL-based environments. You enrich, correlate, and query across disparate sources to build a complete picture - not just react to individual alerts.
• Technical Leadership: Ability to set technical direction and elevate a team without formal authority. Strong communication skills for conveying complex findings to both technical and non-technical audiences.

Additional Information

Rippling is an equal opportunity employer. We are committed to building a diverse and inclusive workforce and do not discriminate based on race, religion, color, national origin, ancestry, physical disability, mental disability, medical condition, genetic information, marital status, sex, gender, gender identity, gender expression, age, sexual orientation, veteran or military status, or any other legally protected characteristics. Rippling is committed to providing reasonable accommodations for candidates with disabilities who need assistance during the hiring process. To request a reasonable accommodation, please email View email address on click.appcast.io.

Rippling highly values having employees working in-office to foster a collaborative work environment and company culture. For office-based employees (employees who live within a defined radius of a Rippling office), Rippling considers working in the office, at least three days a week under current policy, to be an essential function of the employee's role.

This role will receive a competitive salary + benefits + equity. The salary for US-based employees will be aligned with one of the ranges below based on location; see which tier applies to your location here. A variety of factors are considered when determining someone's compensation–including a candidate's professional background, experience, and location. Final offer amounts may vary from the amounts listed below.