
Detection & Response, Security Engineer
Detection & Response (D&R) Security Engineer role on the Security team at WorkOS, a developer-tools and API company responsible for keeping the data and identities of hundreds of millions of users secure. The team spans product security, cloud security and GRC, and partners with an MDR provider for 24/7/365 coverage. With core security telemetry already in place across SIEM, EDR, cloud and identity, the role focuses on writing custom detections tuned to the environment, building alerting pipelines, investigating incidents in depth and expanding coverage across corporate systems and the product platform. This is a zero-to-one role: the engineer shapes the strategy, chooses the approach and builds the systems, being equal parts security practitioner and software engineer. The position is remote and open to candidates based in Canada or the United States.
Stack
Responsibilities
- ▹Build out the detection engineering capability: design and implement detection logic across SIEM, EDR, cloud security tools and identity systems, writing detections as code (durable, tested, version-controlled)
- ▹Own security incident response: lead and support investigations using data analytics, log analysis and system forensics across corporate and production environments; build playbooks and runbooks
- ▹Extend detection into the product: instrument additional application-level telemetry to detect abuse patterns, anomalous authentication activity and threats targeting customers' identities
- ▹Build tooling and automation: develop scripts, integrations and SOAR workflows to automate detection, enrichment and response
- ▹Improve visibility and logging: work with engineering and infrastructure teams to ensure logs are collected, normalized and available, and close monitoring gaps
- ▹Partner with the MDR provider to validate detections, tune rules and coordinate on incidents while growing internal capability
- ▹Contribute to security operations maturity: help build on-call rotation practices, tabletop exercises, post-incident reviews and operational metrics
- ▹Participate in a shared on-call rotation for security incidents, with occasional evening or weekend availability for critical events
Requirements
- ▹5+ years of experience in security engineering, detection engineering, incident response or a related technical security role
- ▹Strong engineering fundamentals; ideally a computer science or engineering degree or equivalent industry experience (software engineering, SRE, network engineering)
- ▹Proficiency in Python, Go or another general-purpose programming language
- ▹Hands-on experience with SIEM platforms (Panther, Splunk, Elastic or similar): writing detection rules, building log pipelines and investigating alerts
- ▹Experience with EDR technologies (SentinelOne, CrowdStrike or similar) and endpoint investigation
- ▹Familiarity with cloud security fundamentals (AWS IAM, networking, Kubernetes basics)
- ▹Experience with incident response in production and/or corporate environments
- ▹Strong written and verbal communication skills
Nice to have
- ▹Experience with Detection-as-Code practices (version-controlled, tested detections)
- ▹Familiarity with SOAR platforms and security automation
- ▹Experience with identity/authentication systems (Okta, SAML, OIDC)
- ▹Prior experience building a D&R function from scratch
- ▹Experience at a developer tools, identity/auth or infrastructure company
Soft skills
What we offer
- ▹Competitive pay
- ▹Substantial equity grants
- ▹Healthcare insurance (medical, dental and vision) for you and your family
- ▹401k matching
- ▹Wellness and fitness monthly allowances
- ▹PTO, paid holidays and unlimited sick leave
- ▹Parental leave
- ▹Fully remote working arrangements
- ▹Benefits and perks listed apply to US-based employees