Detection Engineer
Tempus AI · Chicago, IL · 1 wk ago
HybridEngineering$100k–$140k/yrFull-time
About the role
The Security Operations Center is building the data foundation for threat detection—reliable pipelines that land security events in our SIEM platform. This is a software engineering role inside security: you will build in Python, integrate APIs, and test your work, with mentorship on SIEM usage, detection logic, and alert quality.
Responsibilities
- Build and maintain log ingestion pipelines that collect security events from internal and third-party sources and deliver them to our SIEM platform.
- Normalize and forward events using existing patterns for batching, sizing, and failure handling.
- Build tests and fix bugs using mocked APIs and team CI standards (lint, format, coverage).
- Operate pipelines reliably—monitor failures, tune ingestion windows and rate limits, and document configuration.
- Support detection engineering with guidance—validate that new data is queryable in the SIEM; assist with simple parser or field fixes; learn how detections map to adversary behavior.
- Help manage and improve our detection-as-code pipeline—versioned detection content in git, automated checks in CI, and review before changes reach production.
- Participate in code review.
Agentic SOC (incremental; human-in-the-loop)
- Build with agentic coding tools (e.g. Claude Code, Cursor) as part of daily development—direct, review, and test what you ship; do not rely on typing every line from scratch.
- Contribute incrementally to agentic workflows—enrichment scripts, structured handoffs into SOAR automations, and evaluation of AI-assisted summaries or drafts in non-production or human-reviewed paths before any autonomous response.
- Validate changes on historical data before production trust—rules, parsers, and automation earn approval through evidence, simulation or shadow mode, and defined rollback paths.
- Aid in building and maintaining SOAR automations (enrichment, triage steps, and documentation—with review before production changes).
Requirements
- Comfortable building Python—APIs and JSON, basic error handling, and tests in a managed project (Poetry or similar).
- Ability to integrate systems via APIs—OAuth or API keys, retries, and handling partial failures.
- Testing discipline—unit tests, readable failures, and fixing regressions you introduce before merge.
- Git and collaborative development—small, reviewable changes with clear descriptions of risk and rollout.
- Temperament for long-horizon work—you can focus on incremental pipeline quality while understanding it enables agentic SOC capabilities over time, not instead of them.
- Strong problem-solving skills and curiosity about security operations; willingness to learn detection concepts with mentorship.
Bonus Points For Experience
- With scheduled jobs or Docker.
- Hands-on SIEM exposure from coursework, CTFs, labs, or internships (e.g. Splunk, Google SecOps, Microsoft Sentinel).
- Experience with infrastructure as code (e.g. Terraform).
- Strong understanding of IAM principles in GCP (least privilege, service accounts, workload identity, and role bindings).
Pay
Chicago Base salary: $100,000-$140,000
The expected salary range above is applicable if the role is performed from Illinois and may vary for other locations (California, Colorado, New York). Actual salary may vary based on qualifications and experience.