
Security Engineer, Detection & Response - Monitoring & Triage

Block · Melbourne, Australia
Full-time, on-site
Tags: Application Security, AWS, Compliance, DNS, Forensics, Incident Response

About the role

The Detection and Response Team (DART) identifies, investigates, and responds to threats across Block's endpoints, cloud infrastructure, identity systems, SaaS platforms, vendor environments, and products. We are an engineering-led team: we build detections, automate investigations and response workflows, and prioritize our work around real attacker behavior.

DART operates from an engineering-first, automation-first mindset. Our bar is simple: the alerts a human sees are the alerts a human has to see. We build investigation workflows and triage systems that resolve routine work before it becomes toil. The human work in this role centers on the alerts and investigations that require judgment: ambiguous signals, novel attacker behavior, high-impact incidents, and messy cross-environment investigations. You will help build that model by developing active and automated triage capabilities.

DART's Monitoring & Triage function is both the front line and the front door. You will own daily security intake and will often be the first person partners across Block talk to when something does not look right. That can mean a high-confidence endpoint detection, a walk-in concern from Legal or Compliance, or a critical vulnerability. You are expected to ask the right questions, scope the issue quickly, make sound decisions, and either drive the work to resolution or route it cleanly.

This is an operational security engineering role. The alert queue is your laboratory. The other half of this role is turning missing signal into better systems: sharper detections, richer context, stronger close-vs-escalate logic, and tighter responder-facing workflows. You're the right person for this role if you want to catch things, and then build things that catch things for you.

You Will

- Own daily security intake across alert queues, Slack channels, and walk-in escalations from teams across Block, acting as the welcoming front door for security ops.
- Investigate and drive resolution of security events end-to-end, including endpoint detections, cloud/SaaS alerts, malware, supply chain issues, and hands-on-keyboard activity.
- Pivot across endpoint, identity, cloud, SaaS, network, DNS, and application telemetry to build timelines, test hypotheses, determine scope, and assess impact.
- Run nuanced investigations across non-uniform environments where device posture, identity models, and telemetry differ significantly.
- Consistently turn recurring investigative patterns into durable improvements: recommend new detections, automate triage workflows, refine automation logic, and clarify escalation paths.
- Identify structural gaps surfaced during investigations (weak controls, missing telemetry, outdated runbooks) and push for durable fixes rather than one-off workarounds.
- Define containment criteria, organize investigation threads, coordinate responders, drive status updates, and follow through on lessons learned.
- Lead cross-team efforts that improve investigation quality, response readiness, and operational maturity; present interesting findings to the broader team and participate in tabletop exercises and post-incident reviews.

You Have

- 5+ years of experience in detection and response, incident response, security engineering, or equivalent depth of hands-on investigative experience.
- Strong investigative judgment across endpoint, identity, cloud, SaaS, network, and application security signals; AWS and Kubernetes security fundamentals, cloud-native logging, networking, and Linux systems.
- Experience leading incidents end-to-end, including scoping, containment, evidence collection, impact assessment, and stakeholder communication.
- Strong SQL and log-query/analysis skills, with the ability to work effectively across large, messy telemetry sets without waiting for a perfect dashboard.
- Current, practical working knowledge of attacker TTPs across macOS, Windows, and Linux, with live response and forensics.
- An established AI development workflow.
- Experience building, tuning, or maintaining detections, investigation workflows, or internal security tooling.
- An engineering mindset: you start looking for the detection, workflow, control, or automation change that will eliminate a manual pattern.
- The ability to work independently across time zones, managing competing priorities with empathy, patien

Additional Information

Block is one company built from many blocks, all united by the same purpose of economic empowerment. The blocks that form our foundational teams - People, Finance, Counsel, Hardware, Information Security, Platform Infrastructure Engineering, and more - provide support and guidance at the corporate level. They work across business groups and around the globe, spanning time zones and disciplines to develop inclusive People policies, forecast finances, give legal counsel, safeguard systems, nurture new initiatives, and more. Every challenge creates possibilities, and we need different perspectives to see them all. Bring yours to Block.

