Stripe

Security Engineer - Threat Detection

remote senior full-time Ireland

First indexed 18 Apr 2026

Description

You will design, build, and maintain detections that identify malicious activity across Stripe's infrastructure, applications, and cloud environments.

Responsibilities

  • Design, build, and tune high-fidelity detections across modern SIEM platforms, covering adversary TTPs across the full attack lifecycle
  • Develop detection hypotheses by researching TTPs, identifying evidence sources, and determining detection opportunities across available telemetry
  • Conduct hypothesis-driven threat hunts to identify malicious activity, uncover detection gaps, and validate security controls
  • Perform malware analysis and reverse engineering to extract indicators and inform detection strategies
  • Build network-based detections (flow, pcap, protocol analysis) and endpoint-based detections (event logs, EDR telemetry, memory/file artifacts) across Windows, Linux, and macOS
  • Partner with Threat Intelligence to operationalize intel reports into detections, hunting leads, and enrichment logic
  • Collaborate with IR, SOC, and offensive security teams to validate and refine detections based on real-world incidents and red team exercises
  • Build data pipelines, automation, and tooling that enable detection-as-code practices and scalable deployment
  • Map detection coverage to MITRE ATT&CK, identifying and prioritizing gaps across key attack surfaces
  • Lead projects, mentor teammates, and champion quality standards within the team

Requirements

  • 5+ years of experience in detection engineering, threat hunting, or security operations
  • Demonstrated experience writing detection logic in modern SIEM platforms (e.g., Splunk, Chronicle, Elastic, CrowdStrike NG-SIEM, Panther, Microsoft Sentinel)
  • Strong understanding of adversary tradecraft across the attack lifecycle: initial access, privilege escalation, lateral movement, defense evasion, persistence, and exfiltration
  • Ability to extract TTPs from threat intelligence reports and translate them into detection opportunities
  • Experience developing network-based and endpoint-based detections across multiple OS platforms (Windows, Linux, macOS)
  • Experience analyzing telemetry across endpoint, network, cloud (AWS/GCP/Azure), identity, and application log sources
  • Proficiency in detection/query languages (SPL, KQL, EQL, YARA-L, SQL) and programming (Python or similar)
  • Strong communication skills with the ability to document detection logic and explain findings to technical and non-technical audiences
  • Adversarial mindset, understanding how attackers operate to build detections that catch real-world threats

Preferred Qualifications

  • Experience in detection engineering or threat hunting within fintech, financial services, or highly regulated environments
  • Background in malware analysis, reverse engineering, or threat research
  • Experience with purple team operations, collaborating with offensive security to validate detections
  • Familiarity with big data platforms (Databricks, Trino, PySpark) for large-scale log analysis
  • Proficiency with AI/LLM-assisted development tools (Claude Code, Cursor, GitHub Copilot) applied to detection workflows
  • Interest in agentic automation, using LLMs to augment hunting, tuning, or triage
  • Experience with detection validation tools (Atomic Red Team, ATT&CK Evaluations)
  • Contributions to open-source detection content, research, or conference presentations
  • Relevant certifications such as HTB CDSA, GCIH, GCFA, GNFA, OSCP, TCM PMAT, or GREM

This listing is enriched and indexed by YubHub. To apply, use the employer's original posting: https://job-boards.greenhouse.io/stripe/jobs/7827230