Job Description
About Rippling Rippling gives businesses one place to run HR, IT, and Finance. It brings together all of the workforce systems that are normally scattered across a company, like payroll, expenses, benefits, and computers. For the first time ever, you can manage and automate every part of the employee lifecycle in a single system. Take onboarding, for example. With Rippling, you can hire a new employee anywhere in the world and set up their payroll, corporate card, computer, benefits, and even third-party apps like Slack and Microsoft 365—all within 90 seconds. Based in San Francisco, CA, Rippling has raised $1.4B+ from the world’s top investors—including Kleiner Perkins, Founders Fund, Sequoia, Greenoaks, and Bedrock—and was named one of America's best startup employers by Forbes. We prioritize candidate safety. Please be aware that all official communication will only be sent from @Rippling.com addresses. About The Role We are seeking a Staff Security Engineer to join our Detection and Response team (DART). This role is for a security engineer with deep threat hunting instincts and the engineering skills to build AI-driven solutions that transform how security operations work. The ideal candidate lives at the intersection of adversary expertise and engineering. You know how to hunt for threats across cloud infrastructure, identity systems, and SaaS platforms - and when you find gaps or inefficiencies in how the team detects and responds, you build technical solutions to close them. You see AI as a tool in your engineering toolkit and you've already started applying it to security problems. You'll work across detection engineering, incident response, and threat hunting - with the expectation that you're constantly improving the systems and tooling that power all three. What You’ll Do: Hunt Threats Across the Enterprise: Apply deep adversary knowledge to proactively find security threats across our cloud, identity, endpoint, and SaaS environments. Develop hypotheses from threat intelligence, telemetry gaps, and adversary TTPs, and execute them across 140+ log sources. Turn findings into durable detections and improved response workflows. Build AI-Driven Security Solutions: Design and build LLM-powered systems that solve real security operations problems — automated alert triage, investigation acceleration, detection generation, and more. We already run an AI agent that triages every alert. You'll identify the next high-impact opportunities and build them. Engineer Detections at Scale: Write high-fidelity detection logic and build the frameworks, shared libraries, and tooling that raise the quality bar for every detection the team produces. Ensure detection coverage keeps pace with a rapidly evolving threat landscape. Automate Response Workflows: Replace manual, repetitive security workflows with code. Build enrichment pipelines, correlation tools, investigation automation, and response orchestration that make the team faster and more consistent. Investigate Complex Incidents: Serve as a senior responder for security incidents, driving investigations from initial signal through root cause and remediation. Bring deep expertise in cloud-native attack paths, particularly in AWS and SaaS environments. Elevate the Team: Raise engineering standards through better tooling, reusable patterns, and technical mentorship. Influence the team's technical direction by prototyping new approaches and evaluating emerging techniques. What We’re Looking For: Deep Security Experience: 8+ years in hands-on security engineering with significant depth across detection engineering, threat hunting, and incident response. Staff-level judgment in ambiguous, high-stakes situations. Threat Hunting Expertise: You have deep experience hunting for threats and security issues across complex environments. You think in adversary TTPs, develop hypotheses, and know how to work through large-scale security data to find what others miss. Builder Who Ships: You default to building. When you see a repetitive workflow, you automate it. When you see a gap, you write the tool. Strong proficiency in Python and SQL, with experience building production-grade tooling not just scripts. AI Applied to Security: Hands-on experience building AI-driven solutions for security problems — whether agents, automated triage pipelines, LLM-assisted investigation, or detection-as-code generation. You understand both the potential and the limitations, and you've shipped something real. Cloud-Native Security Depth: Extensive experience investigating threats in AWS and SaaS environments. Deep understanding of cloud attack paths, identity-based threats, and modern adversary techniques mapped to MITRE ATT&C