Security Engineer, Detection & Response - Monitoring & Triage

Security Engineer, Detection & Response - Monitoring & Triage

Block is one company built from many blocks, all united by the same purpose of economic empowerment. The blocks that form our foundational teams — People, Finance, Counsel, Hardware, Information Security, Platform Infrastructure Engineering, and more — provide support and guidance at the corporate level. They work across business groups and around the globe, spanning time zones and disciplines to develop inclusive People policies, forecast finances, give legal counsel, safeguard systems, nurture new initiatives, and more. Every challenge creates possibilities, and we need different perspectives to see them all. Bring yours to Block.

The Role

The Detection and Response Team (DART) identifies, investigates, and responds to threats across Block's endpoints, cloud infrastructure, identity systems, SaaS platforms, vendor environments, and products. We are an engineering-led team: we build detections, automate investigations and response workflows, and prioritize our work around real attacker behavior.

DART operates from an engineering-first, automation-first mindset. Our bar is simple: the alerts a human sees are the alerts a human has to see. We build investigation workflows and triage systems that resolve routine work before it becomes toil. The human work in this role centers on the alerts and investigations that require judgment: ambiguous signals, novel attacker behavior, high-impact incidents, and messy cross-environment investigations. You will help build that model by developing active and automated triage capabilities.

DART's Monitoring & Triage function is both the front line and the front door. You will own daily security intake and will often be the first person partners across Block talk to when something does not look right. That can mean a high-confidence endpoint detection, a walk-in concern from Legal or Compliance, or a critical vulnerability. You are expected to ask the right questions, scope the issue quickly, make sound decisions, and either drive the work to resolution or route it cleanly.

This is an operational security engineering role. The alert queue is your laboratory. The other half of this role is turning missing signal into better systems: sharper detections, richer context, stronger close-vs-escalate logic, and tighter responder-facing workflows. You're the right person for this role if you want to catch things, and then build things that catch things for you.

You Will

• Own daily security intake across alert queues, Slack channels, and walk-in escalations from teams across Block, acting as the welcoming front door for security ops.
• Investigate and drive resolution of security events end-to-end, including endpoint detections, cloud/SaaS alerts, malware, supply chain issues, and hands-on-keyboard activity.
• Pivot across endpoint, identity, cloud, SaaS, network, DNS, and application telemetry to build timelines, test hypotheses, determine scope, and assess impact.
• Run nuanced investigations across non-uniform environments where device posture, identity models, and telemetry differ significantly.
• Consistently turn recurring investigative patterns into durable improvements: recommend new detections, automate triage workflows, refine automation logic, and clarify escalation paths.
• Identify structural gaps surfaced during investigations (weak controls, missing telemetry, outdated runbooks) and push for durable fixes rather than one-off workarounds.
• Define containment criteria, organize investigation threads, coordinate responders, drive status updates, and follow through on lessons learned.
• Lead cross-team efforts that improve investigation quality, response readiness, and operational maturity; and present interesting findings to the broader team and participate in tabletop exercises and post-incident reviews.

You Have

• 5+ years of experience in detection and response, incident response, security engineering, or equivalent depth of hands-on investigative experience.
• Strong investigative judgment across endpoint, identity, cloud, SaaS, network, and application security signals; AWS and Kubernetes security fundamentals, cloud-native logging, networking, and Linux systems.
• Experience leading incidents end-to-end, including scoping, containment, evidence collection, impact assessment, and stakeholder communication.
• Strong SQL and log-query/analysis skills, with the ability to work effectively across large, messy telemetry sets without waiting for a perfect dashboard.
• Current, practical working knowledge of attacker TTPs across macOS, Windows, and Linux with live response and forensics.
• An established AI development workflow.
• Experience building, tuning, or maintaining detections, investigation workflows, or internal security tooling.
• An engineering mindset: you start looking for the detection, workflow, control, or automation change that will eliminate a manual pattern.
• The ability to work independently across time zones, managing competing priorities with empathy, patience, and curiosity.

Nice-to-have qualities that stand out

• Experience with threat intelligence and threat hunting.
• Experience with malware analysis, forensic artifact collection, or reversing.
• Experience working with human-in-the-loop automation or AI-assisted investigation systems

We're working to build a more inclusive economy where our customers have equal access to opportunity, and we strive to live by these same values in building our workplace. Block is a proud equal opportunity employer. We work hard to evaluate all employees and job applicants consistently, without regard to identity or other legally protected class. We believe in being fair, and are committed to an inclusive interview experience, including providing reasonable accommodations to disabled applicants throughout the recruitment process. We encourage applicants to share any needed accommodations with their recruiter, who will treat these requests as confidentially as possible.

Block, Inc. (NYSE: XYZ) builds technology to increase access to the global economy. Each of our brands unlocks different aspects of the economy for more people. Square makes commerce and financial services accessible to sellers. Cash App is the easy way to spend, send, and store money. Afterpay is transforming the way customers manage their spending over time. TIDAL is a music platform that empowers artists to thrive as entrepreneurs. Bitkey is a simple self-custody wallet built for bitcoin. Proto is a suite of bitcoin mining products and services. Together, we're helping build a financial system that is open to everyone.